
Programmer’s Digest #91

07/10/2024-07/17/2024 Apache HugeGraph-Server RCE Vulnerability, Malicious npm Packages, Malicious Packages on the NuGet Package Manager And More.

1. Apache HugeGraph-Server RCE Vulnerability Under Active Attack

Attackers are exploiting a critical remote code execution (RCE) vulnerability in Apache HugeGraph-Server, tracked as CVE-2024-27348 (CVSS 9.8), which affects versions from 1.0.0 up to but not including 1.3.0. The flaw lets an unauthenticated attacker execute arbitrary OS commands through the Gremlin API and take full control of the host, with data theft, lateral movement into the network and ransomware deployment as likely follow-ons. The Shadowserver Foundation has observed multiple exploitation attempts in the form of POST requests to the “/gremlin” endpoint.

To mitigate this risk, users should:

  • Upgrade to version 1.3.0 or later.
  • Switch to Java 11 for better security.
  • Enable the authentication system.
  • Implement the “Whitelist-IP/port” function.
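As an added example (not code from the digest or from the HugeGraph project), the check below scans combined-format web-server access logs for POST requests to the /gremlin endpoint coming from addresses outside an IP allowlist, which combines the indicator Shadowserver reported with the allowlist recommendation above. The allowlist networks and the log lines are constructed for the demonstration.

```python
"""Flag POSTs to HugeGraph's /gremlin endpoint from non-allowlisted sources.

Added example; the allowlist and the access-log lines are constructed."""
import re
from ipaddress import ip_address, ip_network

# Combined log format: ip ident user [time] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed allowlist: the only networks permitted to reach the Gremlin API.
ALLOWED = [ip_network("10.0.0.0/8"), ip_network("192.168.1.0/24")]

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
10.0.5.7 - - [12/Jul/2024:10:01:02 +0000] "POST /gremlin HTTP/1.1" 200 512
203.0.113.9 - - [12/Jul/2024:10:01:05 +0000] "POST /gremlin HTTP/1.1" 200 128
203.0.113.9 - - [12/Jul/2024:10:01:06 +0000] "GET /graphs HTTP/1.1" 200 64
198.51.100.4 - - [12/Jul/2024:10:02:00 +0000] "POST /gremlin?x=1 HTTP/1.1" 500 0
"""


def parse(line):
    """Return the named fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_allowed(ip):
    return any(ip_address(ip) in net for net in ALLOWED)


def suspicious_gremlin_posts(log_text):
    """Return (ip, path, status) for every POST to /gremlin from outside the allowlist."""
    hits = []
    for line in log_text.splitlines():
        rec = parse(line)
        if not rec:
            continue
        path = rec["path"].split("?", 1)[0]  # ignore query string when matching the endpoint
        if rec["method"] == "POST" and path == "/gremlin" and not is_allowed(rec["ip"]):
            hits.append((rec["ip"], rec["path"], int(rec["status"])))
    return hits


if __name__ == "__main__":
    for hit in suspicious_gremlin_posts(SAMPLE_LOG):
        print("ALERT: /gremlin POST from outside the allowlist:", hit)
```

Legitimate HugeGraph clients also POST to /gremlin, so it is the source allowlist, not the path alone, that separates expected traffic from probing; a 500 response to such a request is worth a second look, since exploitation attempts against an unpatched or partially hardened server do not always succeed cleanly.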

2. Malicious npm Packages Found Using Image Files to Hide Backdoor Code

Cybersecurity researchers have found two malicious packages on the npm package registry that contained backdoor code for executing remote commands. The packages, img-aws-s3-object-multipart-copy and legacyaws-s3-object-multipart-copy, were downloaded 190 and 48 times, respectively, before being removed by npm security. Phylum, a software supply chain security firm, revealed that these packages had hidden command and control functionality in image files activated during installation. They impersonated the legitimate aws-s3-object-multipart-copy library but included a modified “index.js” file to run a malicious JavaScript file (“loadformat.js”). The JavaScript file processed three images with corporate logos and extracted malicious content from Microsoft’s logo. It registered the client with a command-and-control server, sending system details and executing commands every five seconds. The results were then sent back to the attacker. Phylum highlighted the increasing sophistication and success of such malicious packages, emphasizing the need for vigilance in using open-source libraries.

3. CISA Warns of GeoServer RCE Vulnerability Under Active Exploitation

CISA has issued an urgent alert about a critical Remote Code Execution (RCE) vulnerability in GeoServer, identified as CVE-2024-36401. This vulnerability is actively being exploited, posing significant risks to affected systems. The flaw originates from the GeoTools library API, which GeoServer uses to evaluate property and attribute names. This unsafe evaluation passes these names to the commons-jxpath library, allowing unauthenticated attackers to execute arbitrary code with specially crafted inputs.

Affected Versions:

  • GeoServer: Versions prior to 2.23.6, 2.24.0 to 2.24.3, and 2.25.0 to 2.25.1
  • GeoTools: Versions prior to 29.6, 30.0 to 30.3, and 31.0 to 31.1

Exploitation can occur through multiple OGC request parameters, including WFS GetFeature and WMS GetMap. Successful exploitation can lead to data breaches and system compromise.

Mitigation Steps:
1. Update to Latest Versions: Upgrade to GeoServer 2.23.6, 2.24.4 or 2.25.2, or to GeoTools 29.6, 30.4 or 31.2.
2. Apply Security Patches: Patched builds for the affected branches are available from the official repositories.
3. Temporary Workaround: Remove the gt-complex-x.y.jar file from the GeoServer installation. This removes the vulnerable code path but may break GeoServer functionality that depends on it.

4. GitHub Token Leak Exposes Python’s Core Repositories to Potential Attacks

Cybersecurity researchers discovered a leaked GitHub token that could have granted elevated access to the repositories of Python, the Python Package Index (PyPI), and the Python Software Foundation (PSF). JFrog found the GitHub Personal Access Token in a public Docker container on Docker Hub. JFrog warned of severe potential consequences if the token had been misused, including injecting malicious code into PyPI packages or even the Python language itself. The token, found in a compiled Python file (“build.cpython-311.pyc”), was promptly revoked after responsible disclosure on June 28, 2024. There is no evidence it was exploited. PyPI noted the token was issued before March 3, 2023, for GitHub API rate limit testing. It was accidentally included in local files but was never intended to be pushed remotely.
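Byte-compilation does not hide string constants: a token written in a Python source file survives verbatim in the corresponding .pyc, which is why a secret scanner run over container image layers must look inside compiled files too. The added example below (not from the digest, JFrog or the PSF) compiles a constructed build script that hard-codes a placeholder token, marshals the code object the way a .pyc stores it, and finds the token with a plain regex. The token value is a fake placeholder; the `ghp_` prefix and 36-character body match the format of GitHub classic personal access tokens.

```python
"""Show that a secret embedded in Python source survives byte-compilation.

Added example; the token and the build script are constructed placeholders."""
import marshal
import re

# GitHub classic personal access tokens: "ghp_" followed by 36 alphanumerics.
TOKEN_RE = re.compile(rb"ghp_[A-Za-z0-9]{36}")

# Constructed (fake) token and a constructed build helper that embeds it.
FAKE_TOKEN = "ghp_" + "A" * 36
BUILD_SRC = f'''
import urllib.request
HEADERS = {{"Authorization": "token {FAKE_TOKEN}"}}
def rate_limit():
    req = urllib.request.Request("https://api.github.com/rate_limit", headers=HEADERS)
    return urllib.request.urlopen(req).read()
'''


def compile_to_pyc_bytes(src):
    """Mimic the body of a .pyc: the marshalled code object (file header omitted).

    String constants are stored as raw UTF-8 inside the marshal stream, so the
    token is present byte-for-byte even though the source is gone."""
    return marshal.dumps(compile(src, "build.py", "exec"))


def find_tokens(blob):
    """Return the distinct GitHub-PAT-shaped strings found in raw bytes."""
    return sorted({m.group(0).decode() for m in TOKEN_RE.finditer(blob)})


def scan_compiled_build_script():
    """Compile the constructed script and scan the resulting bytecode."""
    return find_tokens(compile_to_pyc_bytes(BUILD_SRC))


if __name__ == "__main__":
    print(scan_compiled_build_script())
```

The same regex applied to the raw bytes of every file in an exported image (`docker save` produces a tar of layers) catches tokens in .pyc, .pyo and __pycache__ directories that source-only scanners skip. A fine-grained token scoped to the one repository and permission it needs would also have limited the blast radius far more than a classic PAT.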

5. 60 New Malicious Packages Uncovered in NuGet Supply Chain Attack

Threat actors have launched a new wave of malicious packages on the NuGet package manager as part of a campaign running since August 2023. ReversingLabs identified around 60 new packages spanning 290 versions, showing a more sophisticated approach than the October 2023 set. Instead of abusing NuGet’s MSBuild integrations, the attackers now insert obfuscated downloaders into legitimate PE binaries via IL weaving, a .NET technique for rewriting compiled intermediate language, with the goal of delivering the SeroXen RAT. The weaved payloads are placed in copies of popular open-source packages such as Guna.UI2.WinForms, published under imposter names like “Gսոa.UI3.Wіnfօrms” that use homoglyphs (look-alike letters from other scripts) to mimic the legitimate names. The campaign shows how threat actors keep evolving their tactics to fool developers and security teams into pulling malicious packages from open-source managers like NuGet.
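Homoglyph names like the one above pass a visual check but not a script check: the letters that look like s, n, i and o are Armenian and Cyrillic code points, so the name mixes scripts in a way no legitimate Latin package name does. The added example below (not from the digest or ReversingLabs) reports the non-ASCII letters in a package name with their Unicode names and flags mixed-script names. The two sample names are constructed; the suspicious one reproduces the pattern of the page’s example using Armenian seh, vo and oh and Cyrillic i.

```python
"""Detect mixed-script (homoglyph) package names.

Added example; the sample names are constructed for the demonstration."""
import unicodedata


def script_of(ch):
    """Approximate the script from the first word of the Unicode character name."""
    try:
        return unicodedata.name(ch).split()[0]
    except ValueError:          # unassigned code point
        return "UNKNOWN"


def homoglyph_report(name):
    """Return [(index, char, codepoint, script)] for every letter outside ASCII."""
    return [
        (i, ch, f"U+{ord(ch):04X}", script_of(ch))
        for i, ch in enumerate(name)
        if ch.isalpha() and ord(ch) > 0x7F
    ]


def is_mixed_script(name):
    """True when the name contains Latin letters plus letters from another script.

    NFKC normalisation does not fold these look-alikes onto Latin letters, so a
    script check is needed; Unicode's confusables table (UTS #39) is the fuller
    treatment and covers same-script look-alikes as well."""
    scripts = {script_of(ch) for ch in name if ch.isalpha()}
    return "LATIN" in scripts and len(scripts) > 1


# Constructed names. SUSPECT mirrors the page's example: Armenian seh (U+057D),
# vo (U+0578), oh (U+0585) and Cyrillic i (U+0456) standing in for s, n, o, i.
LEGIT = "Guna.UI2.WinForms"
SUSPECT = "G\u057d\u0578a.UI3.W\u0456nf\u0585rms"


if __name__ == "__main__":
    for n in (LEGIT, SUSPECT):
        print(n, "mixed-script:", is_mixed_script(n))
        for entry in homoglyph_report(n):
            print("   ", entry)
```

A registry-side or pre-install check that rejects mixed-script names would have blocked every imposter named this way; for names that are pure ASCII typosquats the check has to be an edit-distance comparison against known popular packages instead.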

6. How to Secure Your Network: Palo Alto Networks Fixes Critical Expedition Tool Flaw

Palo Alto Networks has issued security updates for five flaws in its products, one of them critical. CVE-2024-5910 (CVSS 9.3) is a missing-authentication weakness in the Expedition migration tool that lets an attacker with network access to Expedition take over its admin account, and with it the firewall configurations, credentials and other data imported into the tool. The other four vulnerabilities were not detailed as prominently, but the full advisory should be reviewed and all of them remediated alongside the critical one.

4 mo   digest   programmers'

Programmer’s Digest #90

07/03/2024-07/10/2024 Trojanized jQuery Packages, Flaws Disclosed in Gogs Open-Source Git Service, Remote Code Execution Vulnerability in OpenSSH And More.

1. Trojanized jQuery Packages Found on npm, GitHub, and jsDelivr Code Repositories

Unknown threat actors have been distributing trojanized versions of jQuery on npm, GitHub, and jsDelivr in a complex and persistent supply chain attack. According to Phylum, the malware is hidden in the rarely-used “end” function of jQuery, which is called internally by the popular “fadeTo” function, so the payload runs on ordinary pages without any direct call to the modified function. The campaign, linked to 68 packages, began on May 26 and continued until June 23, 2024, under names such as cdnjquery, footersicons, jquertyi, jqueryxxx, logoo, and sytlesheets. Each package appears to have been assembled by hand, given the variation in naming conventions, the personal files included, and the prolonged upload period. The malware exfiltrates website form data to a remote URL. A GitHub repository associated with “indexsc” hosts the trojanized jQuery file and related JavaScript, and because jsDelivr serves GitHub repository files automatically at generated URLs, the trojanized file is reachable from a CDN domain that looks legitimate.
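A page that loads jQuery from a CDN can refuse a copy whose bytes differ from the release that was reviewed by pinning a Subresource Integrity hash in the script tag; the browser hashes the fetched body and blocks execution on mismatch. The added example below (not from the digest, Phylum or jQuery) computes the integrity value, verifies a fetched body against it, and emits the tag. The two script bodies are constructed stand-ins for a reviewed jQuery release and a tampered copy, not real jQuery code.

```python
"""Subresource Integrity (SRI) for a CDN-served script.

Added example; GOOD and TROJAN are constructed stand-ins, not real jQuery."""
import base64
import hashlib
import hmac

# Constructed: a "reviewed" script body and a copy with extra code spliced in.
GOOD = (b"/*! jQuery v3.7.1 (constructed stand-in) */"
        b"!function(e){e.fn.end=function(){return this.prevObject||this.constructor()}}(window.jQuery);")
TROJAN = GOOD.replace(b"return this.prevObject", b"/*spliced*/return this.prevObject")


def sri_hash(body: bytes, algo: str = "sha384") -> str:
    """Return an SRI integrity value such as 'sha384-<base64 digest>'."""
    if algo not in ("sha256", "sha384", "sha512"):
        raise ValueError("SRI permits only sha256, sha384 and sha512")
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode()}"


def sri_matches(body: bytes, integrity: str) -> bool:
    """True when the fetched bytes hash to the pinned integrity value."""
    algo, _, _ = integrity.partition("-")
    return hmac.compare_digest(sri_hash(body, algo), integrity)


def script_tag(src: str, body: bytes) -> str:
    """The tag a page should ship for a cross-origin script: pinned hash plus CORS mode."""
    return (f'<script src="{src}" integrity="{sri_hash(body)}" '
            f'crossorigin="anonymous"></script>')


if __name__ == "__main__":
    pinned = sri_hash(GOOD)
    print(script_tag("https://cdn.example/jquery-3.7.1.min.js", GOOD))
    print("reviewed copy ok:", sri_matches(GOOD, pinned))
    print("tampered copy ok:", sri_matches(TROJAN, pinned))
```

SRI only helps when the hash is pinned to a reviewed release rather than regenerated from whatever the CDN currently serves; for dependencies pulled through npm the equivalent pin is the `integrity` field in the lockfile, which uses the same `<algo>-<base64>` format and is checked on install.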

2. Critical Unpatched Flaws Disclosed in Popular Gogs Open-Source Git Service

Four unpatched security flaws, including three critical ones, have been disclosed in the Gogs open-source Git service. These vulnerabilities could allow authenticated attackers to breach instances, steal or wipe source code, and plant backdoors.

The flaws are:

  • CVE-2024-39930 (CVSS 9.9) – Argument injection in the built-in SSH server
  • CVE-2024-39931 (CVSS 9.9) – Deletion of internal files
  • CVE-2024-39932 (CVSS 9.9) – Argument injection during changes preview
  • CVE-2024-39933 (CVSS 7.7) – Argument injection when tagging new releases

Exploiting the first three flaws can lead to arbitrary command execution on the Gogs server, while the fourth allows reading arbitrary files such as source code and configuration secrets. All four require an authenticated account, and each needs specific conditions to be met (the first, for example, needs the built-in SSH server enabled). Until an official fix ships, users are advised to disable the built-in SSH server, turn off user registration, or migrate to Gitea. SonarSource, which reported the flaws, has proposed a patch, but it has not been extensively tested. Immediate protective measures are recommended.

3. CVE-2024-6409: New Remote Code Execution Vulnerability in OpenSSH

A newly discovered vulnerability in OpenSSH, CVE-2024-6409 (CVSS 7.0), could allow remote code execution (RCE) through a race condition in signal handling. It affects the OpenSSH 8.7p1 and 8.8p1 packages shipped by Red Hat, where cleanup_exit() is called from grace_alarm_handler() in the privilege-separation (privsep) child process and may in turn call functions that are not async-signal-safe. Because the privsep child runs with reduced privileges, the impact is lower than that of CVE-2024-6387 (regreSSHion), which hits the privileged parent. Affected distributions are Red Hat Enterprise Linux (RHEL) 9 and Fedora 36 and 37; Fedora 38 and later are not vulnerable.

Administrators should update OpenSSH on affected systems, particularly RHEL 9 and the older Fedora releases. As an interim measure, setting “LoginGraceTime 0” in sshd_config removes the alarm handler and mitigates both CVE-2024-6409 and the related CVE-2024-6387, at the cost of letting unauthenticated connections hold their slots open indefinitely, which exposes sshd to a denial of service once MaxStartups is exhausted. Immediate action is recommended to reduce the risk of exploitation.

4. Microsoft Uncovers Critical Flaws in Rockwell Automation PanelView Plus

Microsoft has disclosed two security flaws in Rockwell Automation PanelView Plus, allowing remote, unauthenticated attackers to execute arbitrary code and trigger a denial-of-service (DoS) condition.

The vulnerabilities are:

  • CVE-2023-2071 (CVSS 9.8) – Improper input validation lets attackers achieve remote code execution via crafted malicious packets.
  • CVE-2023-29464 (CVSS 8.2) – Improper input validation lets attackers read memory data and cause a DoS by sending oversized packets.

These flaws impact FactoryTalk View Machine Edition (versions 13.0, 12.0, and prior) and FactoryTalk Linx (versions 6.30, 6.20, and prior). Rockwell Automation released advisories in September and October 2023, and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) also issued alerts. Separately, unknown threat actors are exploiting a critical flaw in Rejetto HTTP File Server (CVE-2024-23692, CVSS 9.8) to deliver malware such as Xeno RAT and Gh0st RAT. That vulnerability allows remote, unauthenticated attackers to execute arbitrary commands via crafted HTTP requests.

5. RADIUS Protocol Vulnerability Exposes Networks to MitM Attacks

Researchers have disclosed a vulnerability in the RADIUS network authentication protocol, dubbed BlastRADIUS, that allows a man-in-the-middle (MitM) attacker to bypass its integrity checks. RADIUS, which provides centralized authentication, authorization, and accounting (AAA), protects server responses only with an MD5 hash over the packet and the shared secret (the Response Authenticator), and MD5 has been considered cryptographically broken since 2008; Access-Request packets carry no secret-keyed integrity check at all unless the optional Message-Authenticator attribute is present.

The flaw, CVE-2024-3596 (CVSS 9.0), lets an attacker positioned between client and server modify an Access-Request without detection and, using an MD5 chosen-prefix collision, turn the server’s Access-Reject into an Access-Accept that the client validates, granting access without valid credentials. It affects all RADIUS clients and servers that use non-EAP methods such as PAP, CHAP and MS-CHAPv2 over RADIUS/UDP; EAP exchanges, which already require Message-Authenticator, and RADIUS over TLS are not affected. Vendor fixes require the Message-Authenticator attribute on all Access-Request, Access-Accept, Access-Reject and Access-Challenge packets.
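The two integrity mechanisms involved are easy to see side by side. As an added example (not from the digest or the BlastRADIUS researchers), the code below builds a minimal Access-Request and Access-Accept, computes the RFC 2865 Response Authenticator and the RFC 2869 Message-Authenticator, and shows that an attribute change in an Access-Request is undetectable without Message-Authenticator but caught with it. The shared secret and the Request Authenticator are constructed placeholders; a real Request Authenticator must be random.

```python
"""Legacy RADIUS integrity versus the Message-Authenticator attribute.

Added example with constructed values; SECRET and REQ_AUTH are placeholders."""
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, MESSAGE_AUTHENTICATOR = 1, 80
SECRET = b"s3cr3t-shared"      # constructed shared secret
REQ_AUTH = bytes(range(16))    # constructed; must be random in real traffic


def encode_attrs(attrs):
    """[(type, value_bytes)] -> RADIUS attribute TLVs (length counts the 2-byte header)."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865: MD5(Code + ID + Length + RequestAuth + Attributes + Secret).

    This is the only thing binding a response to the secret, and it is plain MD5,
    which is what BlastRADIUS attacks with a chosen-prefix collision."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()


def verify_response_authenticator(pkt, request_auth, secret):
    expected = hashlib.md5(pkt[:4] + request_auth + pkt[20:] + secret).digest()
    return hmac.compare_digest(pkt[4:20], expected)


def add_message_authenticator(code, ident, request_auth, attrs, secret):
    """RFC 2869 s5.14: HMAC-MD5 over the whole packet, with the attribute value
    zeroed and the Request Authenticator in the authenticator field (also for responses)."""
    zeroed = build_packet(code, ident, request_auth, attrs + [(MESSAGE_AUTHENTICATOR, bytes(16))])
    return attrs + [(MESSAGE_AUTHENTICATOR, hmac.new(secret, zeroed, hashlib.md5).digest())]


def verify_message_authenticator(pkt, request_auth, secret):
    """False when the attribute is absent (no keyed integrity at all) or the HMAC fails."""
    length = struct.unpack("!H", pkt[2:4])[0]
    i = 20
    while i + 2 <= length:
        t, l = pkt[i], pkt[i + 1]
        if l < 2:
            return False                      # malformed attribute
        if t == MESSAGE_AUTHENTICATOR and l == 18:
            received = pkt[i + 2:i + 18]
            zeroed = pkt[:4] + request_auth + pkt[20:i + 2] + bytes(16) + pkt[i + 18:]
            return hmac.compare_digest(received, hmac.new(secret, zeroed, hashlib.md5).digest())
        i += l
    return False


def tamper(pkt):
    """Constructed attacker edit: flip the last byte of the User-Name value."""
    b = bytearray(pkt)
    b[26] ^= 0x01        # offset 20 = type, 21 = length, 22..26 = b"alice"
    return bytes(b)


def demo():
    attrs = [(USER_NAME, b"alice")]
    plain = build_packet(ACCESS_REQUEST, 7, REQ_AUTH, attrs)
    protected = build_packet(ACCESS_REQUEST, 7, REQ_AUTH,
                             add_message_authenticator(ACCESS_REQUEST, 7, REQ_AUTH, attrs, SECRET))
    # Response: Message-Authenticator first, then the Response Authenticator
    # computed over the packet that already contains it.
    accept_attrs = add_message_authenticator(ACCESS_ACCEPT, 7, REQ_AUTH, [], SECRET)
    accept = build_packet(ACCESS_ACCEPT, 7,
                          response_authenticator(ACCESS_ACCEPT, 7, accept_attrs, REQ_AUTH, SECRET),
                          accept_attrs)
    return {
        "plain_request_tampered": verify_message_authenticator(tamper(plain), REQ_AUTH, SECRET),
        "protected_request": verify_message_authenticator(protected, REQ_AUTH, SECRET),
        "protected_request_tampered": verify_message_authenticator(tamper(protected), REQ_AUTH, SECRET),
        "accept_message_authenticator": verify_message_authenticator(accept, REQ_AUTH, SECRET),
        "accept_response_authenticator": verify_response_authenticator(accept, REQ_AUTH, SECRET),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:32s} {ok}")
```

The first result is False not because tampering was detected but because there was nothing keyed to check: a bare Access-Request only carries a random Request Authenticator. Message-Authenticator is HMAC-MD5, and MD5 collision attacks do not carry over to HMAC, which is why mandating the attribute everywhere is an adequate fix for now; RADIUS over TLS or DTLS is the longer-term answer.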


Programmer’s Digest #89

06/26/2024-07/03/2024 New Intel CPU Vulnerability, New OpenSSH Vulnerability, Critical SQLi Vulnerability, Vulnerability in Vanna.AI And More.

1. New Intel CPU Vulnerability ‘Indirector’ Exposes Sensitive Data

Modern Intel CPUs, including Raptor Lake and Alder Lake, are vulnerable to a new side-channel attack called Indirector, discovered by researchers Luyi Li, Hosein Yavarzadeh, and Dean Tullsen. The attack exploits weaknesses in the Indirect Branch Predictor (IBP) and Branch Target Buffer (BTB), allowing attackers to bypass existing defenses and leak sensitive information. Related to Spectre v2 (CVE-2017-5715), it uses a tool called iBranch Locator to find victim indirect branches and then performs precise IBP and BTB injections against them. Intel was notified in February 2024 and has informed other affected vendors. Mitigations include more aggressive use of the Indirect Branch Predictor Barrier (IBPB) and hardening of the Branch Prediction Unit (BPU).

Separately, Arm CPUs are vulnerable to the TIKTAG speculative execution attack, which leaks Memory Tagging Extension (MTE) tags with over a 95% success rate, letting an attacker defeat the protection MTE is meant to provide. The researchers recommend strengthening the probabilistic defenses to counter such attacks.

2. New OpenSSH Vulnerability Could Lead to RCE as Root on Linux Systems

OpenSSH has released version 9.8p1 to fix a critical flaw, CVE-2024-6387, named regreSSHion, which allows unauthenticated remote code execution with root privileges on glibc-based Linux systems. Discovered by Qualys, the vulnerability is a signal handler race condition in sshd, impacting versions 8.5p1 to 9.7p1, as well as versions prior to 4.4p1 unless they were patched for CVE-2006-5051 and CVE-2008-4109.

The flaw was reintroduced in October 2020 and affects about 14 million exposed OpenSSH servers. Exploiting it requires 6-8 hours of continuous connection attempts to win the race. OpenBSD systems are not affected, while exploitability on macOS and Windows remains unconfirmed. Users should apply the patches and limit network access to SSH. Although the attack requires specific conditions and is unlikely to be widespread, targeted exploitation remains a concern.

3. GitLab Releases Patch for Critical CI/CD Pipeline Vulnerability and 13 Others

GitLab has released updates to fix 14 security flaws, including a critical vulnerability (CVE-2024-5655, CVSS score: 9.6) that could allow unauthorized CI/CD pipeline execution. The updates apply to GitLab Community Edition (CE) and Enterprise Edition (EE) in versions 17.1.1, 17.0.3, and 16.11.5. The critical flaw impacts versions 17.1 before 17.1.1, 17.0 before 17.0.3, and 15.8 before 16.11.5.

Other significant vulnerabilities addressed include:

  • CVE-2024-4901 (CVSS score: 8.7): A stored XSS vulnerability from malicious commit notes
  • CVE-2024-4994 (CVSS score: 8.1): A CSRF attack on the GraphQL API
  • CVE-2024-6323 (CVSS score: 7.5): An authorization flaw in the global search feature
  • CVE-2024-2177 (CVSS score: 6.8): A cross-window forgery vulnerability via OAuth

Users are advised to apply the patches to protect against potential threats.

4. Critical SQLi Vulnerability Found in Fortra FileCatalyst Workflow Application

A critical SQL injection flaw, CVE-2024-5276 (CVSS 9.8), has been disclosed in Fortra FileCatalyst Workflow. It affects versions 5.1.6 Build 135 and earlier and is fixed in 5.1.6 Build 139. An unauthenticated attacker can use it to modify application data, including creating administrative users and deleting or altering rows in the application database; exfiltrating data through the injection is not believed to be possible. Users who cannot patch immediately can disable the vulnerable servlets (csv_servlet, pdf_servlet, xml_servlet, and json_servlet) in the “web.xml” file located in the Apache Tomcat installation directory as a temporary workaround.

5. Exploit Attempts Recorded Against New MOVEit Transfer Vulnerability – Patch ASAP!

A critical vulnerability (CVE-2024-5806, CVSS score: 9.1) in Progress Software MOVEit Transfer is already being exploited. This authentication bypass flaw affects versions:

  • 2023.0.0 before 2023.0.11
  • 2023.1.0 before 2023.1.6
  • 2024.0.0 before 2024.0.2

An advisory from Progress also addresses another critical issue (CVE-2024-5805, CVSS score: 9.1) in MOVEit Gateway 2024.0.0. Exploiting these flaws allows attackers to bypass SFTP authentication and access systems.

watchTowr Labs, which detailed CVE-2024-5806, notes it can be used to impersonate any user on the server. The issue involves weaknesses in both MOVEit Transfer itself and the IPWorks SSH library it relies on. Progress advises blocking public inbound RDP access to MOVEit Transfer servers and limiting outbound access to known trusted endpoints.

Rapid7 notes that exploiting CVE-2024-5806 requires knowledge of an existing username, remote authentication capability, and public SFTP service access. Approximately 2,700 MOVEit Transfer instances are online, mostly in the U.S. and Europe.

6. Analyzing the Remote Code Execution Vulnerability in Vanna.AI Due to Prompt Injection

A critical security flaw (CVE-2024-5565) in Vanna.AI, a library for text-to-SQL interfaces, allows remote code execution (RCE). It stems from the ability to override, through the user prompt, the predefined instructions given to the language model. The case underscores the risk of wiring large language models (LLMs) into systems that act on their output, and shows that pre-prompting alone is not a security boundary.

Vanna.AI’s “ask” function turns a natural-language question into SQL, runs it, and then has the LLM generate Python code that draws a Plotly visualization of the result; that generated code is executed dynamically. Because the user’s prompt shapes the generated Python, an attacker can inject instructions that make the model emit arbitrary code, which then runs on the host.

The flaw puts the backing database and the host running Vanna.AI at risk. Jailbreaks such as Skeleton Key and Crescendo illustrate how readily model instructions can be subverted, so pre-prompting cannot be relied on. Developers should treat LLM output as untrusted input: validate it, avoid executing generated code at all where a data-only output format will do, run whatever must execute in a restricted environment, and monitor for anomalous activity. Robust defenses of this kind are essential in generative AI systems.
