Programmer’s Digest #93

07/24/2024-07/31/2024 Flaw in Telerik, ConfusedFunction Flaw in Google Cloud, Critical Docker Engine Flaw And More.

1. Critical Flaw in Telerik Report Server Poses Remote Code Execution Risk

Progress Software urges users to update their Telerik Report Server instances because of a critical security flaw (CVE-2024-6327, CVSS score 9.9). The vulnerability affects version 2024 Q2 (10.1.24.514) and earlier and can lead to remote code execution through insecure deserialization. It is fixed in version 10.1.24.709.

As a temporary mitigation, change the identity of the Report Server Application Pool to an account with limited permissions. To check whether a server is affected, log in to the Report Server web UI, open the Configuration page and read the version number on the About tab; anything at or below 10.1.24.514 is vulnerable.

This disclosure follows another critical flaw (CVE-2024-4358) patched nearly two months ago, which CISA added to its Known Exploited Vulnerabilities catalog on June 13.

2. Researchers Uncover ConfusedFunction Flaw in Google Cloud

Tenable researchers disclosed a privilege escalation flaw in Google Cloud Platform's (GCP) Cloud Functions service, named 'ConfusedFunction'. When a function is created or updated, Cloud Functions triggers a Cloud Build deployment that runs under the project's default Cloud Build service account, which carries permissions well beyond what the build needs. An attacker who can create or update a function can abuse that deployment step to act with the privileges of the default Cloud Build service account and, through it, reach Cloud Build, Cloud Storage and the container/artifact registries without ever being granted access to them directly.

In practice this lets the attacker move laterally inside the project and escalate privileges, reading and modifying data that the function's deployer was never authorized to touch.

After Tenable reported the issue, Google partially addressed it: the default behavior was changed so that Cloud Build uses the Compute Engine default service account instead, but only for Cloud Build accounts created after mid-June 2024. Existing accounts keep the old behavior and remain exposed. Google also released additional policy controls over how default service accounts are used, so owners of older projects have to apply those controls themselves.
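As an added example (the author's, not Tenable's or Google's code), the following Python script audits a project's IAM policy for the default service accounts that ConfusedFunction reaches and flags broad roles bound to them. It reads the JSON printed by `gcloud projects get-iam-policy PROJECT --format=json`; the policy embedded here is a constructed sample with a placeholder project number, and the set of roles treated as broad is the author's judgement rather than an official classification.

```python
"""Audit a GCP project IAM policy for over-privileged default service accounts.

Added example, not code from Tenable or Google. Reads the JSON produced by
`gcloud projects get-iam-policy PROJECT --format=json`; the SAMPLE_POLICY
below is a constructed stand-in so the script runs offline.
"""
import json
import re
import sys
from typing import Dict, List

# Google-managed default service accounts, matched by their fixed naming
# scheme (the project number is whatever the real policy carries).
DEFAULT_SA_PATTERNS = [
    re.compile(r"^serviceAccount:\d+@cloudbuild\.gserviceaccount\.com$"),
    re.compile(r"^serviceAccount:\d+-compute@developer\.gserviceaccount\.com$"),
    re.compile(r"^serviceAccount:[^@\s]+@appspot\.gserviceaccount\.com$"),
]

# Roles that grant wide read/write or let a principal act as other identities.
# Illustrative selection by the author, not an official GCP classification.
BROAD_ROLES = {
    "roles/owner",
    "roles/editor",
    "roles/iam.serviceAccountUser",
    "roles/iam.serviceAccountTokenCreator",
    "roles/storage.admin",
    "roles/cloudbuild.builds.builder",
}

# Constructed sample policy: 123456789012 is a placeholder project number.
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/cloudbuild.builds.builder",
         "members": ["serviceAccount:123456789012@cloudbuild.gserviceaccount.com"]},
        {"role": "roles/editor",
         "members": ["serviceAccount:123456789012-compute@developer.gserviceaccount.com",
                     "user:alice@example.com"]},
        {"role": "roles/viewer",
         "members": ["serviceAccount:app-runner@my-proj.iam.gserviceaccount.com"]},
        {"role": "roles/storage.objectViewer",
         "members": ["serviceAccount:123456789012@cloudbuild.gserviceaccount.com"]},
    ],
    "etag": "BwXyZ=",
    "version": 1,
})


def is_default_sa(member: str) -> bool:
    """True for Google-created default service accounts only."""
    return any(p.match(member) for p in DEFAULT_SA_PATTERNS)


def find_overprivileged_defaults(policy_json: str) -> Dict[str, List[str]]:
    """Map each default SA to the broad roles bound to it (empty if clean)."""
    policy = json.loads(policy_json)
    findings: Dict[str, List[str]] = {}
    for binding in policy.get("bindings", []):
        role = binding["role"]
        if role not in BROAD_ROLES:
            continue
        for member in binding.get("members", []):
            if is_default_sa(member):
                findings.setdefault(member, []).append(role)
    return findings


def remediation_commands(project_id: str, findings: Dict[str, List[str]]) -> List[str]:
    """gcloud commands that drop each flagged binding; review before running."""
    return [
        f"gcloud projects remove-iam-policy-binding {project_id} "
        f"--member={member} --role={role}"
        for member, roles in sorted(findings.items())
        for role in roles
    ]


if __name__ == "__main__":
    # Pipe a real policy in, or run with no input to see the sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_POLICY
    hits = find_overprivileged_defaults(data)
    for member, roles in hits.items():
        print(f"{member}: {', '.join(roles)}")
    for cmd in remediation_commands("PROJECT_ID", hits):
        print(cmd)
```

The script deliberately flags the builder role on the Cloud Build service account itself, because that role is what a hijacked build inherits. Removing it outright breaks builds, so the practical fix for functions is a dedicated, narrowly scoped build service account per deployment rather than the project-wide default; the generated commands are a starting point for review, not something to run blindly.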


3. Critical Docker Engine Flaw Allows Attackers to Bypass Authorization Plugins

Docker is warning of a critical flaw (CVE-2024-41110, CVSS score 10.0) in several Docker Engine versions that lets an attacker bypass authorization plugins (AuthZ). An API request sent with Content-Length set to 0 causes the Docker daemon to forward the request to the AuthZ plugin without its body, so a plugin that makes its decision from the body's contents can approve a request it should have rejected, while the daemon goes on to carry out the request. The bug was first fixed in January 2019 (Docker Engine v18.09.1), but the fix was not carried forward into later release branches and the regression went unnoticed until July 2024. Patched builds were published on July 23, 2024: Docker Engine v27.1.1 contains the fix, and it has been backported to the maintained 19.0, 20.0, 23.0, 24.0, 25.0, 26.0 and 27.x branches.

Affected versions include:

  • <= v19.03.15
  • <= v20.10.27
  • <= v23.0.14
  • <= v24.0.9
  • <= v25.0.5
  • <= v26.0.2
  • <= v26.1.4
  • <= v27.0.3, and
  • <= v27.1.0

Docker Desktop up to version 4.32.0 is also affected, but a fix is expected in version 4.33.

Users should update to the latest version to mitigate potential threats.
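To make the failure mode concrete, here is an added Python example (the author's, not Docker's code or any shipped plugin) of the decision logic an AuthZ plugin might run. The message fields follow the documented AuthZ plugin protocol (RequestMethod, RequestUri, base64-encoded RequestBody, RequestHeaders); the policy itself, refusing privileged containers, is an assumption chosen for illustration. The first function approves whenever the body does not visibly ask for something forbidden, which is exactly what a body-less forwarded request exploits; the second treats a missing body on a body-bearing endpoint as a reason to deny. The version table at the end encodes the affected releases from the list above so a fleet inventory can be checked against it.

```python
"""Docker AuthZ plugin decision logic: fail-open versus fail-closed.

Added example, not Docker's code or any real plugin. Request dictionaries use
the field names of the AuthZ plugin protocol; the sample policy (deny
privileged containers) is an assumption made for illustration.
"""
import base64
import json
import re
from typing import Optional

CREATE_RE = re.compile(r"^(/v\d+\.\d+)?/containers/create(\?.*)?$")


def make_request(method: str, uri: str, body: Optional[dict] = None,
                 content_length: Optional[str] = None) -> dict:
    """Build a protocol message the way the daemon would forward it."""
    req = {"RequestMethod": method, "RequestUri": uri, "RequestHeaders": {}}
    if body is not None:
        raw = json.dumps(body).encode()
        req["RequestBody"] = base64.b64encode(raw).decode()
        req["RequestHeaders"]["Content-Length"] = str(len(raw))
    if content_length is not None:
        req["RequestHeaders"]["Content-Length"] = content_length
    return req


def _decode_body(req: dict) -> Optional[dict]:
    """Return the parsed JSON body, or None when the daemon forwarded none."""
    raw = req.get("RequestBody")
    if not raw:
        return None
    return json.loads(base64.b64decode(raw))


def _is_create(req: dict) -> bool:
    return req["RequestMethod"] == "POST" and bool(CREATE_RE.match(req["RequestUri"]))


def authz_fail_open(req: dict) -> bool:
    """Vulnerable pattern: deny only what the body visibly requests.

    A request forwarded without its body has nothing to object to, so a
    privileged create slips through."""
    if _is_create(req):
        body = _decode_body(req)
        if body and body.get("HostConfig", {}).get("Privileged"):
            return False
    return True


def authz_fail_closed(req: dict) -> bool:
    """Hardened pattern: a create request the plugin cannot inspect is denied."""
    if _is_create(req):
        body = _decode_body(req)
        if body is None:
            return False  # no body to inspect: refuse rather than guess
        if body.get("HostConfig", {}).get("Privileged"):
            return False
    return True


# Constructed sample messages. The second mimics the CVE-2024-41110 shape:
# Content-Length: 0, so the daemon forwarded no RequestBody.
PRIVILEGED_CREATE = make_request(
    "POST", "/v1.45/containers/create",
    {"Image": "alpine", "HostConfig": {"Privileged": True}})
BODYLESS_CREATE = make_request("POST", "/v1.45/containers/create",
                               content_length="0")
LIST_CONTAINERS = make_request("GET", "/v1.45/containers/json")

# Last affected patch release per series, taken from the advisory's list.
LAST_AFFECTED = {
    (19, 3): 15, (20, 10): 27, (23, 0): 14, (24, 0): 9, (25, 0): 5,
    (26, 0): 2, (26, 1): 4, (27, 0): 3, (27, 1): 0,
}


def is_affected(version: str) -> Optional[bool]:
    """True/False for a listed series; None when the series is not in the table."""
    major, minor, patch = (int(x) for x in version.lstrip("v").split(".")[:3])
    last = LAST_AFFECTED.get((major, minor))
    if last is None:
        return None
    return patch <= last


if __name__ == "__main__":
    print("fail-open, no body  :", authz_fail_open(BODYLESS_CREATE))    # True (the bypass)
    print("fail-closed, no body:", authz_fail_closed(BODYLESS_CREATE))  # False
    print("27.1.0 affected:", is_affected("27.1.0"), "| 27.1.1:", is_affected("27.1.1"))
```

The lesson generalises beyond this CVE: an authorization hook that only vetoes what it can see is fail-open by construction, so any gap between what the daemon forwards and what it executes becomes a bypass. Denying when the inspected material is absent, and reconciling the Content-Length header with the body actually received, closes that gap regardless of how the daemon regressed.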

4. CISA Warns of Exploitable Vulnerabilities in Popular BIND 9 DNS Software

The Internet Systems Consortium (ISC) has released patches for multiple vulnerabilities in the BIND 9 DNS software that can be used for denial-of-service (DoS) attacks, and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert urging administrators to update. The four vulnerabilities, each rated CVSS 7.5, are:

  • CVE-2024-4076 (CVSS 7.5): Logic error in lookups could cause an assertion failure.
  • CVE-2024-1975 (CVSS 7.5): Validating DNS messages with SIG(0) can overload CPU.
  • CVE-2024-1737 (CVSS 7.5): Excessive resource record types slow down processing.
  • CVE-2024-0760 (CVSS 7.5): Malicious queries over TCP can render the server unresponsive.

Depending on the flaw, a remote attacker can make named exit on an assertion failure, exhaust its CPU, or slow query processing to a crawl. The issues are fixed in BIND 9.18.28, 9.20.0 and 9.18.28-S1 (the Supported Preview Edition). ISC reports no evidence of exploitation in the wild.

5. CrowdStrike Software Update Leads to Significant Global Tech Outage

CrowdStrike confirmed a major global outage caused by a faulty content update to its Falcon sensor, which Microsoft estimated affected 8.5 million Windows devices. The update, meant to collect telemetry on new attack techniques, caused Windows 10 and later hosts running the sensor to crash with a blue screen on July 19, 2024. Only Windows systems were affected; Mac and Linux hosts were not.

The outage disrupted airlines, banking and media worldwide. CrowdStrike identified the cause quickly and worked with Microsoft on remediation, but recovery was largely manual: affected machines had to be booted into safe mode or the Windows Recovery Environment so the faulty file could be deleted by hand, or restored from backups, and full recovery was expected to take several days. CrowdStrike and Microsoft published recovery tools and guidance. One estimate puts the financial damage at $5.4 billion, most of it uninsured. CrowdStrike's website carries ongoing updates.


Programmer’s Digest #92

07/17/2024-07/24/2024 CISA Adds Twilio Authy and IE Flaws to Exploited Vulnerabilities, SocGholish Malware Exploits BOINC Project And More.

1. CISA Adds Twilio Authy and IE Flaws to Exploited Vulnerabilities List

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two security flaws to its Known Exploited Vulnerabilities (KEV) catalog due to active exploitation evidence:

  • CVE-2012-4792 (CVSS score: 9.3) – A use-after-free vulnerability in Microsoft Internet Explorer allowing remote code execution via a crafted site.
  • CVE-2024-39891 (CVSS score: 5.3) – An information disclosure bug in Twilio Authy that reveals if a phone number is registered with Authy.

Twilio fixed CVE-2024-39891 in recent Android and iOS releases of Authy after threat actors abused the unauthenticated endpoint to confirm which phone numbers were registered with Authy. CISA warns that such flaws are frequent attack vectors and requires Federal Civilian Executive Branch (FCEB) agencies to apply the fixes by August 13, 2024.

2. SocGholish Malware Exploits BOINC Project for Covert Cyberattacks

The SocGholish malware (also known as FakeUpdates) is now delivering AsyncRAT together with the legitimate BOINC client. BOINC, maintained at the University of California, Berkeley, is a volunteer-computing platform that runs scientific workloads on donated CPU time; contributors can earn the Gridcoin cryptocurrency for it. Researchers found that the malicious installations point the client at attacker-controlled domains ("rosettahome[.]cn" or "rosettahome[.]top") that act as command-and-control servers, collecting host data and delivering further payloads.

As of July 15, more than 10,000 clients were connected to these domains. No follow-on activity had been observed yet, but the infected hosts could be sold as initial access for later attacks, including ransomware. SocGholish infections start with a fake browser-update prompt that leads to the installation of AsyncRAT or BOINC; the BOINC binary is renamed "SecurityHealthService.exe" so it blends in with the legitimate Windows Security Health Service. The misuse of BOINC has been tracked since June 26, 2024.

3. SolarWinds Patches 8 Critical Flaws in Access Rights Manager Software

SolarWinds has fixed critical security flaws in its Access Rights Manager (ARM) software that could lead to sensitive data access or arbitrary code execution. Of the 13 vulnerabilities, eight are rated Critical (CVSS score 9.6), and five are rated High (CVSS scores 7.6 and 8.3).
The most severe flaws include:

  • CVE-2024-23472: Directory Traversal and Information Disclosure
  • CVE-2024-28074: Deserialization Remote Code Execution
  • CVE-2024-23469: Dangerous Method Remote Code Execution

Exploitation could allow attackers to read, delete files, and execute code with elevated privileges. These issues were resolved in version 2024.3, released on July 17, 2024, after disclosure through Trend Micro’s Zero Day Initiative.

This follows CISA’s inclusion of a high-severity path traversal flaw in SolarWinds Serv-U (CVE-2024-28995) in its Known Exploited Vulnerabilities catalog due to active exploitation reports.

4. TAG-100: New Threat Actor Uses Open-Source Tools for Widespread Attacks

Threat actors, tracked as TAG-100 by Recorded Future’s Insikt Group, are using open-source tools for cyber espionage against global government and private sector entities. Since February 2024, they have targeted organizations across ten countries. The group uses open-source Go backdoors like Pantegana and Spark RAT, exploiting security flaws in products such as Citrix NetScaler, Microsoft Exchange, and Palo Alto Networks GlobalProtect. Starting April 16, 2024, TAG-100 targeted Palo Alto Networks GlobalProtect appliances, exploiting CVE-2024-3400 (CVSS score: 10.0).

The campaign also involved reconnaissance of internet-facing appliances in fifteen countries, including Cuba, France and Japan. Combining public proof-of-concept exploits with open-source tooling lowers the barrier to entry and muddies detection and attribution. Recorded Future notes that internet-facing appliances are attractive targets because they typically offer limited logging and little support for traditional security tooling.


Programmer’s Digest #91

07/10/2024-07/17/2024 Apache HugeGraph-Server RCE Vulnerability, Malicious npm Packages, Malicious Packages on the NuGet Package Manager And More.

1. Apache HugeGraph-Server RCE Vulnerability Under Active Attack

Attackers are exploiting a critical remote code execution (RCE) vulnerability in Apache HugeGraph-Server, tracked as CVE-2024-27348 (CVSS 9.8), which affects versions from 1.0.0 up to, but not including, 1.3.0. The flaw lets an unauthenticated attacker execute arbitrary OS commands through the Gremlin query interface and take full control of the server, opening the door to data theft, lateral movement and ransomware deployment. The Shadowserver Foundation reported multiple exploitation attempts in the form of POST requests to the "/gremlin" endpoint.

To mitigate this risk, users should:

  • Upgrade to version 1.3.0 or later.
  • Switch to Java 11 for better security.
  • Enable the authentication system.
  • Implement the “Whitelist-IP/port” function.

2. Malicious npm Packages Found Using Image Files to Hide Backdoor Code

Cybersecurity researchers found two malicious packages on the npm registry that contained backdoor code for executing remote commands. The packages, img-aws-s3-object-multipart-copy and legacyaws-s3-object-multipart-copy, were downloaded 190 and 48 times respectively before npm's security team removed them.

Phylum, a software supply chain security firm, reported that the packages hid their command-and-control functionality inside image files and activated it during installation. They impersonated the legitimate aws-s3-object-multipart-copy library but shipped a modified "index.js" that executed a malicious JavaScript file ("loadformat.js"). That file processed three images carrying corporate logos and extracted the malicious payload from the Microsoft logo. The payload registered the client with a command-and-control server, sent system details, polled for commands every five seconds, executed them and returned the results to the attacker.

Phylum highlighted the growing sophistication and success of such packages and stressed the need for vigilance when consuming open-source libraries.

3. CISA Warns of GeoServer RCE Vulnerability Under Active Exploitation

CISA has issued an alert about a critical remote code execution (RCE) vulnerability in GeoServer, identified as CVE-2024-36401, that is being actively exploited. The flaw lies in how GeoServer evaluates property and attribute names for feature types through the GeoTools library API: the names are handed unsafely to the commons-jxpath library, which evaluates them as XPath expressions and can be made to execute arbitrary code, so an unauthenticated attacker achieves RCE with specially crafted input.

Affected Versions:

  • GeoServer: Versions prior to 2.23.6, 2.24.0 to 2.24.3, and 2.25.0 to 2.25.1
  • GeoTools: Versions prior to 29.6, 30.0 to 30.3, and 31.0 to 31.1

Exploitation can occur through several OGC request types and their parameters, including WFS GetFeature, WFS GetPropertyValue and WMS GetMap. Successful exploitation can lead to data breaches and full system compromise.

Mitigation Steps:
1. Update to Latest Versions: Upgrade to GeoServer 2.23.6, 2.24.4, 2.25.2, and GeoTools 29.6, 30.4, 31.2.
2. Apply Security Patches: Available for affected versions from official repositories.
3. Temporary Workaround: Remove the gt-complex-x.y.jar file from the GeoServer installation; this disables the vulnerable code path but also breaks some GeoServer functionality (complex feature support and extensions that depend on it).
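An added detection example (the author's, not code from Apache, GeoServer or CISA) that covers both advisories in this issue: the scanner below reads web-server access logs in the combined format written by Apache httpd and nginx and flags the two request shapes described above, POST requests to HugeGraph's "/gremlin" endpoint from addresses outside an allowlist, and GeoServer OGC requests whose parameters carry Java runtime-execution indicators once URL decoded. The log lines and the allowlist are constructed for the example; the indicator strings are the author's choice and should be tuned against real traffic.

```python
"""Flag exploitation attempts against HugeGraph /gremlin and GeoServer in
web-server access logs.

Added example, not code from Apache, GeoServer or CISA. Works on the combined
log format written by Apache httpd and nginx; SAMPLE_LOG is constructed.
"""
import re
from typing import Dict, List, Set
from urllib.parse import parse_qsl, unquote_plus, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Substrings that indicate an attempt to reach Java runtime execution through
# a jxpath expression. Author's selection, not an official signature set.
JAVA_EXEC_INDICATORS = ("java.lang.runtime", "getruntime(", "exec(",
                        "processbuilder", "java.lang.system")

# The HugeGraph mitigation assumes an IP allowlist; these addresses are constructed.
GREMLIN_ALLOWLIST: Set[str] = {"10.0.0.5"}

SAMPLE_LOG = """\
10.0.0.5 - - [12/Jul/2024:10:14:02 +0000] "POST /gremlin HTTP/1.1" 200 318 "-" "hugegraph-client/1.3"
203.0.113.7 - - [12/Jul/2024:10:15:32 +0000] "POST /gremlin HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.9 - - [12/Jul/2024:10:16:01 +0000] "GET /geoserver/wms?service=WMS&request=GetMap&layers=topp:states&bbox=-124,24,-66,50&width=256&height=256&srs=EPSG:4326&format=image/png HTTP/1.1" 200 40211 "-" "QGIS/3.34"
198.51.100.23 - - [12/Jul/2024:10:17:45 +0000] "GET /geoserver/wfs?service=WFS&version=2.0.0&request=GetPropertyValue&typeNames=sf:archsites&valueReference=exec(java.lang.Runtime.getRuntime(),%22id%22) HTTP/1.1" 500 1209 "-" "curl/8.4.0"
198.51.100.23 - - [12/Jul/2024:10:17:52 +0000] "GET /geoserver/wfs?service=WFS&version=1.0.0&request=GetFeature&typeName=sf:archsites&propertyName=%65xec(java.lang.Runtime.getRuntime()%2C%22whoami%22) HTTP/1.1" 500 1187 "-" "curl/8.4.0"
203.0.113.40 - - [12/Jul/2024:10:18:10 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""


def check_line(line: str) -> List[Dict[str, str]]:
    """Return zero or more findings for one access-log line."""
    m = LOG_RE.match(line)
    if not m:
        return []
    ip, method, target = m["ip"], m["method"], m["target"]
    parts = urlsplit(target)
    path = unquote_plus(parts.path).lower()
    findings: List[Dict[str, str]] = []

    # HugeGraph: CVE-2024-27348 traffic is POST /gremlin; the allowlist mirrors
    # the "Whitelist-IP/port" mitigation at the log-analysis stage.
    if method == "POST" and path.startswith("/gremlin") and ip not in GREMLIN_ALLOWLIST:
        findings.append({"ip": ip, "rule": "hugegraph-gremlin-post",
                         "path": parts.path, "detail": "POST from non-allowlisted address"})

    # GeoServer: CVE-2024-36401 payloads ride in OGC parameters. parse_qsl
    # decodes once; the extra unquote_plus also catches double-encoded values.
    if path.startswith("/geoserver/"):
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            decoded = unquote_plus(value).lower()
            hits = [ind for ind in JAVA_EXEC_INDICATORS if ind in decoded]
            if hits:
                findings.append({"ip": ip, "rule": "geoserver-jxpath-indicator",
                                 "path": parts.path,
                                 "detail": f"{name} contains {', '.join(hits)}"})
    return findings


def scan_log(text: str) -> List[Dict[str, str]]:
    """Scan a whole log; findings keep the order of the lines they came from."""
    return [f for line in text.splitlines() if line.strip() for f in check_line(line)]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(f"{finding['ip']:<14} {finding['rule']:<28} {finding['path']}  {finding['detail']}")
```

Two design points matter in practice: decode every parameter before matching, since a payload that is percent-encoded (or encoded twice) is invisible to a raw substring search, and key the Gremlin rule on the source address rather than the response status, because an attempt that failed today still tells you who is probing the endpoint.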

4. GitHub Token Leak Exposes Python’s Core Repositories to Potential Attacks

Cybersecurity researchers discovered a leaked GitHub token that could have granted elevated access to the repositories of Python, the Python Package Index (PyPI) and the Python Software Foundation (PSF). JFrog found the GitHub Personal Access Token inside a public Docker container image on Docker Hub, embedded in a compiled Python file ("build.cpython-311.pyc") rather than in source, a location that source-only secret scanning misses. JFrog warned that misuse could have been severe, up to injecting malicious code into PyPI packages or into the Python language itself.

The token was revoked promptly after responsible disclosure on June 28, 2024, and there is no evidence it was exploited. PyPI noted that it had been issued before March 3, 2023, for testing GitHub API rate limits; it ended up in local files by accident and was never meant to be pushed anywhere.
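Finding a token inside a compiled .pyc is a reminder that secret scanning has to cover build artefacts and container layers, not just source. As an added example (the author's, not JFrog's or PyPI's code), the scanner below searches arbitrary bytes for the documented GitHub token shapes: classic tokens are a "ghp_", "gho_", "ghu_", "ghs_" or "ghr_" prefix followed by 36 alphanumerics, and fine-grained tokens are "github_pat_" followed by 22 alphanumerics, an underscore and 59 more. The sample blob is a constructed stand-in for a .pyc, and the tokens in it are dummies built from readable words, not real credentials.

```python
"""Scan byte blobs (compiled .pyc files, container layers, archives) for
GitHub token shapes.

Added example, not JFrog's or PyPI's code. Token formats follow GitHub's
published prefixes; SAMPLE_PYC is a constructed blob and its tokens are
dummies made of readable words.
"""
import os
import re
from typing import Iterator, List, Tuple

# Classic (ghp_, gho_, ghu_, ghs_, ghr_): prefix + 36 alphanumerics.
# Fine-grained: github_pat_ + 22 alphanumerics + "_" + 59 alphanumerics.
TOKEN_RE = re.compile(
    rb"(?<![A-Za-z0-9_])"
    rb"(?:(?P<classic>gh[pousr]_[A-Za-z0-9]{36})"
    rb"|(?P<fine>github_pat_[A-Za-z0-9]{22}_[A-Za-z0-9]{59}))"
    rb"(?![A-Za-z0-9_])"
)

# Dummy tokens: right shape, obviously not real (constructed for this example).
DUMMY_CLASSIC = "ghp_" + "c0nstructedDummyTokenNotRealAbc12345"
DUMMY_FINE = ("github_pat_" + "11AAAAAAA0bbbbbbbbbbCC" + "_"
              + "NotARealFineGrainedTokenConstructedForThisExample0123456789")

# A stand-in for build.cpython-311.pyc: magic bytes, padding, marshalled-looking
# string constants. Real .pyc files store str constants as plain bytes, which
# is why a regex over the raw file finds them.
SAMPLE_PYC = (
    b"\xa7\r\r\n" + b"\x00" * 12
    + b"\xe3\x00\x00\x00\x00s\x1a\x00\x00\x00GITHUB_TOKEN\x00"
    + b"z(" + DUMMY_CLASSIC.encode() + b"\x00"
    + b"z\x0ehttps://api.github.com/rate_limit\x00"
    + b"z]" + DUMMY_FINE.encode() + b"\x00"
    + b"ghp_tooShortToBeAToken\x00"
)


def redact(token: str) -> str:
    """Keep enough to recognise the token without reproducing it."""
    return f"{token[:4]}...{token[-4:]}"


def scan_bytes(data: bytes) -> List[Tuple[int, str, str]]:
    """Return (offset, kind, redacted token) for each match in the blob."""
    out = []
    for m in TOKEN_RE.finditer(data):
        kind = "classic" if m.group("classic") else "fine-grained"
        out.append((m.start(), kind, redact(m.group(0).decode("ascii"))))
    return out


def scan_paths(root: str, suffixes: Tuple[str, ...] = (".pyc", ".py", ".json", ".env", ".txt")
               ) -> Iterator[Tuple[str, int, str, str]]:
    """Walk a directory (an unpacked image layer, say) and scan matching files."""
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(suffixes):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    for offset, kind, shown in scan_bytes(fh.read()):
                        yield path, offset, kind, shown


if __name__ == "__main__":
    for offset, kind, shown in scan_bytes(SAMPLE_PYC):
        print(f"offset {offset:5d}  {kind:<12} {shown}")
```

Run `scan_paths` over the extracted filesystem of an image (for example the output of `docker save` unpacked layer by layer) to catch exactly the case JFrog reported: a token that was compiled into bytecode and survived even though the .py source was deleted. The word-boundary lookarounds keep the regex from firing on longer identifiers that merely contain a token-like run.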

5. 60 New Malicious Packages Uncovered in NuGet Supply Chain Attack

Threat actors have launched a new wave of malicious packages on the NuGet package manager as part of a campaign that has been running since August 2023. ReversingLabs identified around 60 new packages spanning 290 versions, showing a more sophisticated approach than the October 2023 set. The attackers have moved from abusing NuGet's MSBuild integrations to inserting obfuscated downloaders into legitimate PE binaries via IL weaving, a .NET technique for rewriting compiled assemblies, with the goal of delivering the SeroXen RAT.

The new packages inject the malicious code into popular open-source libraries such as Guna.UI2.WinForms and publish the result under imposter names like "Gսոa.UI3.Wіnfօrms", using homoglyphs to mimic the legitimate names. The campaign shows how threat actors keep adjusting their tactics to slip malicious packages past developers and security teams on open-source package managers like NuGet.
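Both the npm and NuGet cases in this issue rely on names that look like the real package: a legitimate name padded with a prefix (img-aws-s3-object-multipart-copy), or a homoglyph copy that is letter-for-letter a different string (Gսոa.UI3.Wіnfօrms, with Armenian and Cyrillic letters in place of Latin ones). The following added Python example (the author's, not Phylum's or ReversingLabs' tooling) checks a dependency name against a list of packages you already trust using three illustrative heuristics: mixed Unicode scripts, a confusable-folded skeleton that lands near a trusted name, and a trusted name embedded in or within a small edit distance of the candidate. The confusables table is a small hand-picked subset of Unicode's, and the trusted list is constructed.

```python
"""Flag dependency names that impersonate trusted packages.

Added example; not Phylum's or ReversingLabs' tooling. Three heuristics:
mixed Unicode scripts, confusable-folded skeleton near a trusted name, and a
trusted name padded or one or two edits away. CONFUSABLES is a small subset
of Unicode's confusables data; TRUSTED is a constructed list.
"""
import unicodedata
from typing import Dict, List, Set

# Hand-picked Cyrillic/Armenian/Greek letters that render like Latin ones.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0455": "s", "\u0456": "i", "\u0458": "j",
    "\u04bb": "h", "\u0501": "d", "\u0578": "n", "\u057d": "u", "\u0585": "o",
    "\u03bf": "o",
}

TRUSTED = ["Guna.UI2.WinForms", "aws-s3-object-multipart-copy", "lodash"]

# The imposter name from the NuGet campaign, written with escapes so the
# non-Latin letters are unambiguous: G, Armenian seh, Armenian vo, a, ...
NUGET_IMPOSTER = "G\u057d\u0578a.UI3.W\u0456nf\u0585rms"


def scripts_used(name: str) -> Set[str]:
    """Unicode script names (first word of the character name) of all letters."""
    return {unicodedata.name(ch, "UNKNOWN").split(" ")[0]
            for ch in name if unicodedata.category(ch).startswith("L")}


def skeleton(name: str) -> str:
    """Fold confusable letters to their Latin look-alikes after NFKC."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in unicodedata.normalize("NFKC", name))


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess(candidate: str, trusted: List[str]) -> Dict[str, object]:
    """Return scripts, skeleton and the reasons the name looks like an imposter."""
    reasons: List[str] = []
    scripts = scripts_used(candidate)
    if len(scripts) > 1:
        reasons.append("mixed-scripts:" + "+".join(sorted(scripts)))
    folded = skeleton(candidate).lower()
    cand = candidate.lower()
    for known in trusted:
        k = known.lower()
        if cand == k:
            continue  # exact trusted name, nothing to report
        if folded != cand and edit_distance(folded, k) <= 2:
            reasons.append(f"confusable-of:{known}")
        elif edit_distance(cand, k) <= 2:
            reasons.append(f"near-duplicate-of:{known}")
        elif len(k) >= 8 and k in cand:
            reasons.append(f"wraps-trusted-name:{known}")
    return {"scripts": scripts, "skeleton": skeleton(candidate), "reasons": reasons}


def is_suspicious(candidate: str, trusted: List[str] = TRUSTED) -> bool:
    return bool(assess(candidate, trusted)["reasons"])


if __name__ == "__main__":
    for name in [NUGET_IMPOSTER, "Guna.UI2.WinForms", "img-aws-s3-object-multipart-copy",
                 "legacyaws-s3-object-multipart-copy", "lodash", "l0dash"]:
        print(f"{name!r:45} {assess(name, TRUSTED)['reasons']}")
```

The mixed-script check alone catches the NuGet imposter, because a genuine package name almost never mixes Latin with Armenian or Cyrillic letters; the skeleton comparison adds the "which package is it pretending to be" answer, and the wrap/edit-distance rules are what catch the npm pair, whose names are pure ASCII. Run it against new entries in a lockfile diff, not the whole tree, to keep the noise manageable.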

6. How to Secure Your Network: Palo Alto Networks Fixes Critical Expedition Tool Flaw

Palo Alto Networks has released security updates addressing five vulnerabilities in its products. The most serious, CVE-2024-5910 (CVSS score 9.3), is a missing-authentication flaw in the Expedition migration tool that lets an attacker with network access to Expedition take over an admin account; it is fixed in Expedition 1.2.92. Because Expedition handles firewall configurations in the course of a migration, an attacker holding an admin account could read or tamper with that material and use it as a stepping stone into the network it describes. The remaining four flaws are less severe but should be remediated in the same update cycle; review the full advisory for the affected products and versions.
