
Exploit Code Released for a Critical Flaw in Linux Kernel eBPF on Ubuntu Machines

Security researcher Valentina Palmiotti has released exploit code for a critical flaw in the Linux kernel's eBPF (Extended Berkeley Packet Filter) subsystem that affects Ubuntu machines. Tracked as CVE-2021-3490, the high-severity vulnerability lets a local, unprivileged attacker gain root on an affected Ubuntu system with relative ease, provided unprivileged users are allowed to load eBPF programs (the default on these releases; the kernel.unprivileged_bpf_disabled sysctl controls it).

eBPF is a kernel technology that lets user-supplied programs run inside the kernel without altering the kernel source or loading extra modules. In other words, it is a lightweight virtual machine inside the Linux kernel in which BPF bytecode runs with access to specific kernel resources, after a verifier has checked that the program is safe to execute.

The flaw was disclosed in May by Manfred Paul of the RedRocket CTF team through Trend Micro's Zero Day Initiative (ZDI). The problem lies in that validation step: the verifier's tracking of 32-bit register bounds after bitwise ALU operations (AND, OR and XOR) was incorrect, so a crafted program could make the verifier believe a value was within a safe range when at runtime it was not. That gap is enough for a local attacker to read and write kernel memory and run arbitrary code with kernel privileges.

Valentina Palmiotti, a security researcher at Grapl, explained the technical details of the flaw and its exploitation on the Ubuntu interim releases 20.10 (Groovy Gorilla) and 21.04 (Hirsute Hippo). She wrote a proof-of-concept exploit for CVE-2021-3490 and published it on GitHub.

Palmiotti's report, published this week, covers how to trigger the bug and turn it into a privilege escalation, and also how to use it for a denial-of-service (DoS) condition on the target by locking up all available kernel threads.
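To make the flaw concrete, here is an added, stand-alone model (not the kernel's code and not Palmiotti's exploit) of the verifier's 32-bit bounds update for a 64-bit AND, with the vulnerable and the patched behaviour side by side. The struct layouts and helper names are simplified, and the register state is a constructed scenario: a register whose low 32 bits are known to be 1 and whose upper 32 bits are unknown is ANDed with a constant that clears the low half. The vulnerable update takes the "both halves known" early exit without refreshing the 32-bit bounds, so the verifier goes on believing the low half lies in [1, 1] while it is really 0; the patched update sets the bounds to the now-known constant.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-alone model of how the eBPF verifier tracks a register across a
 * 64-bit BPF_AND. Not kernel code: struct layouts, names and the scenario
 * below are simplified/constructed to show the CVE-2021-3490 bounds bug. */

/* A tnum records per-bit knowledge: a bit whose mask bit is 0 is known and
 * equals the corresponding bit of value; a mask bit of 1 means unknown. */
struct tnum { uint64_t value; uint64_t mask; };

struct reg {
    struct tnum var_off;         /* bit-level knowledge of the 64-bit register */
    uint32_t u32_min, u32_max;   /* unsigned bounds the verifier believes for the low 32 bits */
};

/* Same algebra as the kernel's tnum_and(): a result bit is known 0 when either
 * input bit is known 0, known 1 when both are known 1, otherwise unknown. */
static struct tnum tnum_and(struct tnum a, struct tnum b)
{
    uint64_t alpha = a.value | a.mask;   /* bits that may be 1 in a */
    uint64_t beta  = b.value | b.mask;   /* bits that may be 1 in b */
    uint64_t v     = a.value & b.value;  /* bits known to be 1 in the result */
    return (struct tnum){ .value = v, .mask = alpha & beta & ~v };
}

/* True when the low 32 bits of the register are fully known. */
static bool subreg_is_const(struct tnum t) { return (uint32_t)t.mask == 0; }

/* 32-bit bounds update for BPF_AND, called after dst->var_off has been
 * recomputed. With fixed == false it behaves like the vulnerable code: when
 * both low halves are constants it returns early and u32_min/u32_max keep
 * whatever stale values they had before the operation. */
static void scalar32_min_max_and(struct reg *dst, const struct reg *src, bool fixed)
{
    bool src_known = subreg_is_const(src->var_off);
    bool dst_known = subreg_is_const(dst->var_off);
    uint32_t known_lo = (uint32_t)dst->var_off.value;

    if (src_known && dst_known) {
        if (fixed) {                      /* patched: bounds follow the known constant */
            dst->u32_min = known_lo;
            dst->u32_max = known_lo;
        }
        return;                           /* vulnerable: stale bounds survive */
    }
    /* general case: AND can only clear bits, so the known-1 bits give the
     * minimum and the smaller of the operands' maxima bounds the result */
    dst->u32_min = known_lo;
    dst->u32_max = dst->u32_max < src->u32_max ? dst->u32_max : src->u32_max;
}

/* Verifier view of the instruction "dst &= src" on 64-bit registers. */
static void verify_and64(struct reg *dst, const struct reg *src, bool fixed)
{
    dst->var_off = tnum_and(dst->var_off, src->var_off);
    scalar32_min_max_and(dst, src, fixed);
}

/* Soundness: the value the program really computes must fall inside the
 * bounds the verifier believes; an unsound bound is what an exploit needs. */
static bool bounds_sound(const struct reg *r, uint64_t runtime_value)
{
    uint32_t lo = (uint32_t)runtime_value;
    return lo >= r->u32_min && lo <= r->u32_max;
}

/* Constructed scenario: dst's low 32 bits are known to be 1 (as after a
 * 32-bit conditional jump on that value) while its upper 32 bits are unknown,
 * and the program ANDs it with the constant 0xFFFFFFFF00000000. At runtime
 * the low half becomes 0; the only question is what the verifier believes. */
static const uint64_t DST_RUNTIME = 0x0000000100000001ULL; /* one possible concrete value */
static const uint64_t SRC_CONST   = 0xFFFFFFFF00000000ULL;

static struct reg run_scenario(bool fixed)
{
    struct reg dst = {
        .var_off = { .value = 1, .mask = 0xFFFFFFFF00000000ULL },
        .u32_min = 1, .u32_max = 1,      /* correct for the low half before the AND */
    };
    struct reg src = {
        .var_off = { .value = SRC_CONST, .mask = 0 },
        .u32_min = 0, .u32_max = 0,
    };
    verify_and64(&dst, &src, fixed);
    return dst;
}

/* Convenience wrapper: does the verifier's belief survive the real value? */
static bool scenario_is_sound(bool fixed)
{
    struct reg r = run_scenario(fixed);
    return bounds_sound(&r, DST_RUNTIME & SRC_CONST);
}

int main(void)
{
    for (int fixed = 0; fixed <= 1; fixed++) {
        struct reg r = run_scenario(fixed);
        printf("%-11s verifier u32 bounds [%u, %u], runtime low32 = %u -> %s\n",
               fixed ? "patched:" : "vulnerable:", r.u32_min, r.u32_max,
               (uint32_t)(DST_RUNTIME & SRC_CONST),
               scenario_is_sound(fixed) ? "sound" : "UNSOUND");
    }
    return 0;
}
```

Compile with `cc -std=c99 -Wall` and run. The unsound bound is the primitive an exploit builds on: once the verifier trusts a range the hardware does not honour, a later bounds check on a map access passes while the real index points outside the map. The kernel fix has the same shape as the patched branch here: set the 32-bit bounds from the constant before returning.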

Earlier this year, Microsoft announced a new open-source project called ebpf-for-windows that lets developers use eBPF technology on top of Windows. This is to be achieved by adding a compatibility layer for existing eBPF projects so they can run as submodules on Windows 10 and Windows Server.

Porting eBPF to Windows is still an early-stage project with a lot of development ahead of it. Palmiotti's research on CVE-2021-3490 was limited to the Linux implementation.

Palmiotti's PoC targets Groovy Gorilla kernels 5.8.0-25.26 through 5.8.0-52.58 and the Hirsute Hippo 5.11.0-16.17 kernel. Ubuntu has released patched kernels for each affected release, so the fix is to update the kernel and reboot; where that is not immediately possible, setting kernel.unprivileged_bpf_disabled=1 removes the unprivileged attack surface.

Node.js Pushes Out Immediate Fixes for the Severe HTTP Bug

Node.js has released patches for a high-severity vulnerability that could be used by attackers to corrupt the process and cause unexpected behaviour, including application crashes and possibly remote code execution (RCE). The use-after-free vulnerability, CVE-2021-22930, affects the way the runtime handles HTTP/2 streams.

Node.js is a back-end JavaScript runtime built on the V8 engine that executes JavaScript outside a browser. It lets developers use JavaScript for command-line tools and server-side scripting, that is, running scripts on the server before a page is sent to the user's browser.

A use-after-free vulnerability arises when a program accesses memory that has already been freed and no longer holds the resource it expects. Depending on the situation this can lead to data corruption, unexpected behaviour including crashes, or even remote code execution (RCE). The fixes shipped in Node.js 16.6.0 as well as in 12.22.4 (LTS) and 14.17.4 (LTS). Eran Levin is credited with reporting the flaw.

"We normally like to give advance notice and provide releases in which the only changes are security fixes, but since this vulnerability was already public we felt it was more important to get this fix out fast in releases that were already planned," announced Daniel Bevenius, Red Hat principal software engineer and Node.js Technical Steering Committee (TSC) member.

The vulnerability was triggered when Node.js read incoming RST_STREAM frames carrying the NO_ERROR or CANCEL code. In HTTP/2, a RST_STREAM frame is sent by either endpoint to abort a single stream immediately; the connection and its other streams stay open (tearing down the whole connection is done with GOAWAY). In a client-server exchange, for example, a client sends RST_STREAM to the server to cancel a request it no longer wants. On receiving the frame, the server stops responding on that stream and discards any DATA frames it was about to send on it.

In vulnerable Node.js versions, when the server received a RST_STREAM frame with the cancel code (NGHTTP2_CANCEL), the receiver would "force purge" any buffered data for the stream, freeing it. An automatic callback then ran the stream's close routine a second time, which tried to free memory that had already been released in the previous step.

The resulting double free could crash the application or make it behave erratically. Matthew Douglass opened a public thread about the problem on June 8th, 2021, at which point it was regarded as a bug rather than an exploitable vulnerability.
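The sequence described above (purge on cancel, then a close callback that frees again) is the classic shape of a double free. As an added illustration, not Node.js or nghttp2 code, here is a small C model of that teardown beside the corrected shape, in which releasing a buffer also clears the owning pointer and close is idempotent. The stream structure, the routines and the sample payload are constructed; a tiny allocation tracker stands in for the allocator so the vulnerable path can be run and observed rather than crashing.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Model of the HTTP/2 stream teardown described above. This is not Node.js or
 * nghttp2 code; the stream struct, the purge/close routines and the sample
 * payload are constructed to show the double free and its fix. A tiny
 * allocation tracker replaces the allocator so the vulnerable path can run
 * without really freeing the same block twice. */

#define MAX_LIVE 16
static void *live[MAX_LIVE];   /* addresses currently allocated through tracked_alloc */
static int double_frees;       /* frees that hit an address no longer live */

static void *tracked_alloc(size_t n)
{
    void *p = malloc(n);
    if (!p) return NULL;
    for (int i = 0; i < MAX_LIVE; i++)
        if (!live[i]) { live[i] = p; return p; }
    free(p);
    return NULL;
}

/* Releases a live address; a second free of the same address is recorded
 * (as a sanitizer would) instead of being passed on to free(). */
static bool tracked_free(void *p)
{
    if (!p) return true;       /* free(NULL) is a harmless no-op */
    for (int i = 0; i < MAX_LIVE; i++)
        if (live[i] == p) { live[i] = NULL; free(p); return true; }
    double_frees++;
    return false;
}

struct stream {
    char *rx_buf;   /* buffered DATA the application has not consumed yet */
    bool closed;
};

/* "Force purge" of buffered data when RST_STREAM(CANCEL) arrives. */
static void force_purge(struct stream *s, bool fixed)
{
    tracked_free(s->rx_buf);
    if (fixed) s->rx_buf = NULL;   /* patched: ownership is gone, so is the pointer */
}

/* Close callback the session runs afterwards. In the vulnerable shape it
 * releases rx_buf again; in the patched shape close is idempotent and only
 * releases what the stream still owns. */
static void on_close(struct stream *s, bool fixed)
{
    if (fixed && s->closed) return;
    s->closed = true;
    tracked_free(s->rx_buf);
    if (fixed) s->rx_buf = NULL;
}

/* Replays the sequence: stream buffers data, peer sends RST_STREAM with the
 * cancel code, the receiver purges, then the close callback fires.
 * Returns how many double frees the tracker observed (0 means safe). */
static int replay_cancel(bool fixed)
{
    double_frees = 0;
    struct stream s = { .rx_buf = tracked_alloc(64), .closed = false };
    if (!s.rx_buf) return -1;
    strcpy(s.rx_buf, "DATA frame payload (constructed)");
    force_purge(&s, fixed);
    on_close(&s, fixed);
    return double_frees;
}

int main(void)
{
    printf("vulnerable teardown: %d double free(s)\n", replay_cancel(false));
    printf("patched teardown:    %d double free(s)\n", replay_cancel(true));
    return 0;
}
```

Running the real thing under AddressSanitizer gives the same verdict without a hand-written tracker; the point of the patched branch is that every release path leaves the struct in a state where a second release is a no-op.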

Severe Shopify Flaw Exposed GitHub Access Token And Source Code Repositories

Computer science student Augusto Zanellato has earned a $50,000 payout after discovering a publicly available GitHub Personal Access Token (PAT) that gave access to Shopify's source code repositories.

Zanellato spotted the exposed token in a .env file bundled inside a public macOS Electron-based app. The token granted access to both public and private repositories with administrative privileges, which would have let a less ethically minded finder tamper with repositories and even plant backdoors. Zanellato did not realise at the time that the app had been developed by a Shopify employee.

"After finding the GitHub token inside the application I tried to use it against the GitHub API to see what token it was, whom it belongs to, what privileges it had etc. I found out that the user in question was a member of the Shopify organization and that he had push and pull access to all the private Shopify repositories," Zanellato explained.

Zanellato reported the issue to Shopify through its HackerOne bug bounty programme earlier this year. Shopify remediated it by revoking the GitHub PAT. Given the severity of the exposure, the bug was rated critical with a CVSS score of 10.0.

Shopify, headquartered in Ottawa, Ontario, was founded in 2006 by Tobias Lütke, Daniel Weinand, and Scott Lake after the trio failed to find a suitable off-the-shelf e-commerce platform for a planned snowboarding store, Snowdevil. Today the Shopify platform has more than 1.7 million customers across the globe, all of whom could have been affected had the leaked token been exploited.

“I think the most important lesson to be learned here for developers is to triple check what you are actually bundling in your release builds. Hackers on the other hand should always check what a token they found provides access to,” Zanellato said. 

“If I hadn’t checked it manually with the GitHub API, I would never have discovered that the guy developing that application was a Shopify employee with read/write access to all the repositories, so I wouldn’t ever have found that issue,” Zanellato concluded.

Signal Patches Zero-Day Bug in its Android App

Signal has patched a critical flaw in its Android app that, in some circumstances, sent random unintended images to contacts without any obvious explanation.

The flaw was first reported in December 2020 by Rob Connolly on the app's GitHub issue tracker. Despite being known for months, Signal fixed it only recently. The team faced a backlash over the delay; Greyson Parrelli, an Android developer at Signal, confirmed on the same GitHub thread that the bug is fixed in Signal Android version 5.17.

When a user sent an image through the Signal Android app to a contact, the recipient would occasionally receive not only the selected image but also a few random, unintended images that the sender had never sent, Connolly explained.

“Standard conversation between two users (let’s call them party A and party B). Party A shares a gif (from built-in gif search). Party B receives the gif, but also some other images, which appear to be from another user (party A has searched their phone and does not remember the images in question). Best case the images are from another contact of B and messages got crossed, worst case they are from an unknown party, who's [sic] data has now been leaked,” Connolly told while describing the flaw. 

The flaw appears to have affected only the Android version of the app. Users of Signal for Android should update to the latest version from the Google Play store, researchers advised.

In May 2020, researchers at Tenable discovered a flaw in the secure messaging app Signal that allowed threat actors to track a user's location. An attacker could track a target's movements just by calling their Signal number, whether or not the target had the attacker's contact information saved. This could be a serious problem for victims of stalking, or for activists and journalists trying to avoid government or law-enforcement detection while leaking information or acting as whistleblowers, researcher David Wells wrote.

“That feature is not well advertised, and it’s interesting that someone could disclose your location if they’re your contact. Let’s say I have a burner phone and I just ring your phone, and I do it so quickly that all you see is a missed call from some number. Usually, it’ll be somewhat near you. So, I can force that DNS server [near you] to talk to me. By getting that information, I know what DNS server you’re using and I can determine your general location,” Wells explained.

Wi-Fi Routers with Default Passwords are Vulnerable to Attacks

Cybersecurity researchers have advised users to change the manufacturer's default access credentials on their home Wi-Fi router to reduce the risk of compromise.

One in 16 home Wi-Fi routers still uses the manufacturer's default administrator password, a recent survey by tech website Comparitech found. This weakness could allow threat actors to carry out all kinds of attacks, including router hijacking and eavesdropping on the victim.

“These routers, which number in the tens of thousands, can be remotely found and attacked using publicly available passwords, granting malicious hackers access to the victim’s home network,” reads the study. Researchers at Comparitech examined the 12 most popular home Wi-Fi router models sold on Amazon.

To test the devices, the researchers used an automated script to scan the internet for these router models and attempt to log in to each router's management dashboard with the manufacturer's default password. Of the 9,927 routers tested, 635 were found to be susceptible to default-password attacks.

The findings indicate that some vendors could be more insistent about prompting users to change the default password during initial setup.

The AsusRT and MikroTik routers could not be accessed at all despite hundreds of attempts, indicating that they require users to change the default password before an internet connection is allowed. Other routers did not fare as well.

“On the other end of the spectrum, roughly one in six ZTE ZXV10, XFinity, and NetGear Ethernet Plus Switch routers were found to be vulnerable to default password attacks unless the default admin password is changed,” said Comparitech.

A router with default credentials gives an attacker a foothold on the home network and on the devices connected to it. Once inside, an attacker can monitor the devices behind the router, the websites their users visit, and any unencrypted data sent over the network.

In addition, an attacker could use the router as a proxy to download pirated content, visit illicit sites, or access illegal material, and the owner could be suspected of or held liable for those activities. To reduce the risk, users are advised to change the router's default admin password when first setting up the device and to make sure the management interface is not reachable from the internet.

New Windows and Linux Flaws Give Attackers the Highest System Privileges

Two new vulnerabilities, one in Windows and the other in Linux, were disclosed on Tuesday. Both let an attacker who already has a presence on a vulnerable machine bypass OS security restrictions and reach sensitive resources.

Microsoft's Windows 10 and the upcoming Windows 11 are vulnerable to a new local privilege escalation flaw that lets users with low privileges read Windows system files, from which they can extract local account password hashes and the keys needed to decrypt them. The issue has been named "SeriousSAM" (also known as HiveNightmare).

CERT Coordination Center (CERT/CC) stated in a vulnerability note published, "Starting with Windows 10 build 1809, non-administrative users are granted access to SAM, SYSTEM, and SECURITY registry hive files. This can allow for local privilege escalation (LPE)." 

The operating system configuration files in question are as follows - 

c:\Windows\System32\config\sam 
c:\Windows\System32\config\system 
c:\Windows\System32\config\security 

Microsoft has acknowledged the vulnerability, assigned CVE-2021-36934, but has yet to ship a patch or give a timeframe for one.

The Windows makers explained, "An elevation of privilege vulnerability exists because of overly permissive Access Control Lists (ACLs) on multiple system files, including the Security Accounts Manager (SAM) database. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.” 

Successful exploitation requires that the attacker already has a foothold and can execute code on the target. The hive files themselves are locked while Windows is running; the attack reads them from Volume Shadow Copy snapshots of the system drive, which carry the same overly permissive ACLs. In the meantime, CERT/CC advises restricting access to the sam, system and security files and deleting any VSS shadow copies of the system drive. Microsoft's published workaround does this with icacls %windir%\system32\config\*.* /inheritance:e followed by removal of existing shadow copies (note that deleting shadow copies also removes restore points).

This is the third publicly documented unpatched issue in Windows since the July 13 Patch Tuesday updates. Besides CVE-2021-36934, two other vulnerabilities in the Print Spooler component have been identified, prompting Microsoft to advise users to stop and disable the service to protect their machines from exploitation.

"Sequoia" privilege escalation flaw affected Linux distros:

Remediations have been issued for a security flaw affecting all Linux kernel versions released since 2014 that can be exploited by malicious users, or by malware already on a system, to gain root privileges.

The vulnerability, nicknamed "Sequoia" by Qualys researchers, has been issued the identifier CVE-2021-33909 and affects default Ubuntu 20.04, Ubuntu 20.10, Ubuntu 21.04, Debian 11, and Fedora 34 Workstation installations. The issue also affects Red Hat Enterprise Linux versions 6, 7, and 8. 

The vulnerability is a size_t-to-int type conversion flaw in the Linux kernel's "seq_file" file system interface. An unprivileged local attacker who creates, mounts, and deletes a deep directory structure whose total path length exceeds 1GB can trigger it and escalate privileges on the vulnerable host.

Qualys also reported a separate stack-exhaustion denial-of-service bug in systemd (CVE-2021-33910) that unprivileged attackers can use to crash systemd and take the whole system down with a kernel panic.

Low-Risk iOS Wi-Fi Naming Issue can Compromise iPhones Remotely

According to new research, the Wi-Fi network-name bug that was known for knocking out an iPhone's Wi-Fi connectivity could also have been used for remote code execution, and was quietly patched by Apple earlier this year.

On Monday, Apple released iOS 14.7 for iPhones, which includes bug fixes and security improvements as well as a remedy for the Wi-Fi denial-of-service issue. The company has not yet published security notes that would confirm whether the vulnerability has been addressed.

The denial-of-service bug, discovered last month, was caused by the way iOS handled format specifiers in the SSID input: the network name was passed to a string-formatting routine as the format rather than as data, so any up-to-date iPhone would crash when joining an access point whose name contained percent sequences such as "%p%s%s%s%s%n".

The problem could be worked around by resetting network settings (Settings > General > Reset > Reset Network Settings); the permanent fix is the one shipped in iOS 14.7.

Researchers at mobile security automation firm ZecOps found that the same flaw could be abused to achieve remote code execution (RCE) on targeted devices simply by adding the pattern "%@" to the Wi-Fi hotspot's name, which could have had far-reaching repercussions.

ZecOps named the issue "WiFiDemon". It is also a zero-click vulnerability, since it lets a threat actor infect a device with no user interaction; it does, however, require that the setting to automatically join Wi-Fi networks is enabled (which it is by default).
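The mechanism is the one C programmers know from printf: a string that should be data is handed over as the format. As an added illustration, not Apple's code, here is the vulnerable shape beside the fixed shape in the C printf family, plus the check an application should run on any attacker-controlled string before it reaches a formatting or logging call. The SSIDs are constructed samples, and the runnable comparison uses "%%" because it is the one directive that consumes no argument; the "%p%s%s%s%s%n" name from the report is only ever passed to the safe renderer here, since feeding it to the unsafe one is exactly the crash (or worse) described above.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Added illustration of the bug class using C's printf family. The iOS flaw
 * lived in Apple's Wi-Fi daemon and its own string-formatting routine; none
 * of this is Apple's code, and the SSIDs below are constructed samples. */

/* Vulnerable shape: the network name is passed where a format string belongs,
 * so every '%' directive in the SSID is interpreted. "%%" is the one directive
 * that consumes no argument, which is why this can be run safely here; with
 * "%s" or "%n" the same call would read from, or write to, memory it was
 * never given an argument for. Compilers flag this line with -Wformat-security. */
static int render_ssid_unsafe(char *out, size_t n, const char *ssid)
{
    return snprintf(out, n, ssid);
}

/* Fixed shape: a literal format, the SSID travels as data. */
static int render_ssid_safe(char *out, size_t n, const char *ssid)
{
    return snprintf(out, n, "%s", ssid);
}

/* Check to run on any attacker-controlled string before it reaches a logging
 * or formatting call that might use it as a format: a bare '%' is enough to
 * start a directive, so the check is deliberately conservative. */
static bool ssid_has_format_directive(const char *ssid)
{
    return strchr(ssid, '%') != NULL;
}

/* Demonstrates the difference on a constructed SSID containing "%%". Returns
 * true when the unsafe renderer changed the text and the safe one did not. */
static bool unsafe_renderer_interprets_ssid(void)
{
    const char *ssid = "Cafe 100%% free";   /* constructed sample network name */
    char unsafe_out[64], safe_out[64];

    render_ssid_unsafe(unsafe_out, sizeof unsafe_out, ssid);
    render_ssid_safe(safe_out, sizeof safe_out, ssid);
    return strcmp(unsafe_out, "Cafe 100% free") == 0 &&
           strcmp(safe_out, "Cafe 100%% free") == 0;
}

int main(void)
{
    const char *names[] = { "HomeWiFi", "Cafe 100%% free", "%p%s%s%s%s%n", "%@" };
    char out[64];

    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        /* Only the safe renderer is ever given the hostile names. */
        render_ssid_safe(out, sizeof out, names[i]);
        printf("%-16s directive=%s  rendered safely as \"%s\"\n", names[i],
               ssid_has_format_directive(names[i]) ? "yes" : "no ", out);
    }
    printf("unsafe renderer interprets \"%%%%\": %s\n",
           unsafe_renderer_interprets_ssid() ? "yes" : "no");
    return 0;
}
```

The compiler warning on the unsafe line is the cheapest detection available for this class: building with -Wformat-security (or -Werror=format-security) turns every non-literal format with no arguments into a build failure before an attacker-chosen string ever reaches it.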

"As long as the Wi-Fi is turned on this vulnerability can be triggered," the researchers noted. "If the user is connected to an existing Wi-Fi network, an attacker can launch another attack to disconnect/de-associate the device and then launch this zero-click attack." 

"This zero-click vulnerability is powerful: if the malicious access point has password protection and the user never joins the Wi-Fi, nothing will be saved to the disk," the company stated. "After turning off the malicious access point, the user's Wi-Fi function will be normal. A user could hardly notice if they have been attacked."

The RCE variant was found to be exploitable on iOS versions before 14.4; Apple "silently" fixed it in January 2021 as part of the iOS 14.4 release. No CVE identifier was issued for the vulnerability.

Given the vulnerability's exploitability, iPhone and iPad owners must update to the most recent iOS version to reduce the risk associated with the flaw.

THORChain Suffers $7.6 Million Loss in Latest DeFi Exploit

Popular cross-chain liquidity exchange THORChain has been compromised in a new DeFi hack in which $7.6 million was stolen, its second security breach in less than a month.

THORChain announced the security breach on Twitter and initially estimated the loss at about 13,000 ETH (around $25 million). Later, however, this was revised on Twitter, with the project claiming, “At this stage, the estimate is around ~4000 ETH worth of assets (ETH/ERC20) was taken, not 13k ETH. More detailed assessment and recovery steps will be announced soon. The users who suffered (LPs) will be made whole in the coming weeks.” 

According to the project team, attackers exploited the vulnerability in the Bifrost protocol which allowed them to redirect ETH tokens to their own accounts. Bifrost is a multi-chain DeFi protocol that enables multichain connectivity by building a bridge between blockchains. Bifrost ETH was recently updated for better composability.

In the THORChain community Telegram channel, administrators have suggested the project has the funds needed to cover users’ stolen assets but articulated a preference for the hacker to return the stolen funds in exchange for a bug bounty. 

“While the treasury has the funds to cover the stolen amount, we request the attacker get in contact with the team to discuss return of funds and a bounty commensurate with the discovery,” a Telegram post stated, adding that user funds “will be available when the issue has been patched & the network resumes.”

As a precautionary measure, THORChain paused its network, with the team assuring users that only liquidity providers were affected. THORChain has since tweeted that its preliminary roadmap to recovery is underway, announcing that after the flaw is patched and the network is restarted, Ether will be donated to liquidity provider pools to reimburse impacted users. Thereon, the team plans to engage security firms to have its contracts audited. 

This is not the first time THORChain has been targeted: during its Chaosnet deployment it lost around $140,000 worth of assets over the previous month. At the time, the project claimed it was “very mature and resilient.”

WooCommerce Patched a Bug that Threatened Databases of Prominent Sites

According to researchers, a significant SQL-injection vulnerability in the WooCommerce e-commerce platform and a related plugin was exploited as a zero-day before a fix was available. WooCommerce released an emergency fix late on Wednesday in response. Unauthenticated attackers could use the flaw to pull a range of data from an online store's database, including customer information, payment card data, and employee credentials.

WooCommerce, a prominent open-source e-commerce platform for WordPress sites, is used by over 5 million websites worldwide. It lets online merchants set up storefronts with customisable features such as accepted payment types, shipping options, and sales-tax calculation. The related plugin affected by the flaw is WooCommerce Blocks, installed on over 200,000 sites, which helps retailers display their products.

“Our investigation into this vulnerability and whether data has been compromised is ongoing,” Beau Lebens, head of engineering for WooCommerce, said in an advisory. “We will be sharing more information with site owners on how to investigate this security vulnerability on their site. If a store was affected, the exposed information will be specific to what that site is storing but could include order, customer, and administrative information.” According to Wordfence experts, there is “extremely limited evidence of [exploitation] attempts and it is likely that such attempts were highly targeted.”

However, one user commented in the WooCommerce advisory's comments section that strange activity had been seen. “Just hours before your announcement and email, the site I manage saw a massive spike in network traffic before effectively locking out administrative logins and presenting various bizarre messages,” the user said. “When I SSH’d into the live environment, the console reported that there were 4 failed login attempts since my last login. So far as I could tell there was no apparent vandalism and the failed logins had their IP banned. It seems a little too coincidental.” 

The issue affects WooCommerce versions 3.3 to 5.5 and WooCommerce Blocks 2.5 to 5.5. According to Lebens, the company built a patch "for every impacted version (90+ releases) that was automatically sent to vulnerable stores." Because the automatic rollout is not instantaneous, and commenters on the advisory reported not having received the updates as of Thursday afternoon, WooCommerce said "we're urging everyone to check and manually update if needed just in case."

Chinese Hackers Exploit New SolarWinds Zero-Day in Targeted Attacks

On Tuesday the Microsoft Threat Intelligence Center (MSTIC) revealed a zero-day remote code execution exploit being used against SolarWinds Serv-U FTP software in limited, targeted attacks. Microsoft attributed the attacks to a China-based threat group it tracks as DEV-0322.

“MSTIC attributes this campaign with high confidence to DEV-0322, a group operating out of China, based on observed victimology, tactics, and procedures," Microsoft said in an update on Wednesday.

This is a different product and a different incident from the Orion supply-chain compromise disclosed in December 2020, in which trojanised Orion updates reached SolarWinds customers including US federal agencies. Serv-U is SolarWinds' managed file transfer server, and the attacks described here exploit a flaw in that server directly.

Tracked as CVE-2021-35211, the RCE vulnerability lies in Serv-U's implementation of the Secure Shell (SSH) protocol and is only exposed when SSH is enabled. While the attacks are said to be limited in scope, SolarWinds said it does not know the identity of the potentially affected customers.

“The vulnerability being exploited is CVE-2021-35211, which was recently patched by SolarWinds. We strongly urge all customers to update their instances of Serv-U to the latest available version," Microsoft advised. 

On Tuesday, SolarWinds published a security update for the zero-day in Serv-U, which allows remote code execution when SSH is enabled. According to SolarWinds, Microsoft reported the flaw after observing an attacker actively exploiting it to run commands on vulnerable customers' systems.

"This activity group is based in China and has been observed using commercial VPN solutions and compromised consumer routers in their attacker infrastructure," says a new blog post by the Microsoft Threat Intelligence Center. 

According to Microsoft, the ‘DEV-0322’ hacking group has previously targeted entities in the US Defense Industrial Base Sector and software companies. "The Defense Industrial Base (DIB) Sector is the worldwide industrial complex that enables research and development (R&D), as well as design, production, delivery, and maintenance of military weapons systems, subsystems, and components or parts, to meet U.S. military requirements," explains a CISA document describing the DIB sector.

In December 2020, Microsoft revealed that a separate espionage group may have been exploiting the IT infrastructure provider's Orion software to drop a persistent backdoor called Supernova on compromised systems. The intrusions have since been attributed to a China-linked threat actor called Spiral.

Vulnerability in Less.js Causes Website to Leak AWS Secret Keys

Researchers at Canadian firm Software Secured have identified a critical flaw in Less.js, a widely used CSS preprocessor. According to the firm's report, the vulnerability could be exploited by threat actors to achieve remote code execution.

Less.js transpiles to valid CSS and is used to make writing CSS for websites easier. The library also supports loading plugins from remote sources via the @plugin syntax; these plugins are written in JavaScript and run when the Less code is interpreted.

Attackers can abuse this feature for remote attack deployment: “If Less code is processed on the client-side, a cross-site scripting (XSS) attack could result, whereas its server-side execution can lead to remote code execution (RCE). All versions of Less with support for @plugin syntax are vulnerable to these scenarios,” says the report published by Software Secured.

The report includes a proof of concept (PoC) and a real-world demonstration against CodePen.io, a site for sharing Less.js code snippets. CodePen's operators were notified and a fix has already been developed to address the flaw.

“The vulnerability requires certain conditions to be successful. An example vulnerable scenario might be a feature that accepts custom styling via Less code from a user. Once in a vulnerable configuration, it is straightforward to exploit the application,” Jeremy Buis, author of the blog post, told The Daily Swig. Buis said that, as far as he knows, Less has not patched the bug. “The backtick behavior has been known for a while and there is configuration to mitigate in recent versions,” he said.

“The plugin and @import (inline) behaviour hasn’t been written about before as far as we can tell. We reached out to the maintainers over a year ago where the bugs were acknowledged,” Buis added. He advised Less.js users to mitigate the risk by accepting plain CSS instead of Less code where possible and, if Less support is required, transpiling the Less code on the client side so that the server is not exposed to SSRF and RCE.

Four Critical Flaws Identified in Sage X3 ERP Software

Cybersecurity firm Rapid7 announced on Wednesday that it had discovered four security flaws in Sage X3, an enterprise resource planning (ERP) product used in supply-chain management, which if left unpatched could allow attackers to take over the system and run commands.

The first two are protocol-level issues in Sage X3's remote administration service, and the latter two are web application flaws. Rapid7 recommends that Sage X3 installations not be exposed directly to the internet and instead be reached over a VPN where remote access is required. The company says this mitigates all four flaws, but users should still apply the vendor's updates in their regular patch cycle.

Rapid7 researchers Jonathan Peterson, Aaron Herndon, Cale Black, Ryan Villarreal, and William Vu, who identified the flaws (CVE-2020-7387 through -7390), said that the most critical vulnerabilities exist in the remote administrator function of the platform. Companies rely on Sage X3 as an ERP system that’s primarily used for supply chain management in medium to large companies. The product has become quite popular in the UK and other European markets.

Security experts found the case concerning: the flaws Rapid7 identified involve an authentication bypass, which is critical in any context, and the fact that the application executes commands by design makes this a truly serious vulnerability for anyone running the software, said AJ King, CISO at BreachQuest.

King explained that because the software can execute commands by design, any authentication bypass immediately offers the unauthenticated threat actor the ability to run commands.

“In a typical authentication bypass, the threat actor would not automatically gain the ability to execute programs. The Rapid7 researchers also discovered that the application communicates using a custom encryption protocol. This is such a departure from best practices that security professionals are often heard saying ‘friends don’t let friends roll their own crypto.’ This sort of behavior has no place in enterprise software,” King stated.

Following the recent attacks on Colonial Pipeline and JBS, companies should be extra vigilant about their ERP software. Sage X3 is commonly used in supply-chain management at medium and large organisations and is an attractive target for this type of attacker.

15 Philips Vue Vulnerabilities Could Result in Full Takeover of the Devices

CISA has released an advisory about several vulnerabilities in Philips Vue PACS healthcare devices. In the hands of an attacker, the 15 vulnerabilities found in the Philips Clinical Collaboration Platform Portal could lead to remote code execution.

According to CISA (the United States Cybersecurity and Infrastructure Security Agency), the danger these vulnerabilities pose is as follows:

Successful exploitation of these vulnerabilities could allow an unauthorized person or process to eavesdrop on conversations, view or alter data, gain system access, execute code, install unauthorized software, or compromise system data integrity, any of which could compromise the system's confidentiality, integrity, or availability.

The vulnerabilities demand immediate attention and patching, since four of the fifteen have a CVSS (Common Vulnerability Scoring System) rating of 9.8. 

According to the CISA website, the advisory, released for informational purposes, characterizes the discovered vulnerabilities as follows: 

#1 CVE-2020-1938: a flaw with a 9.8 CVSS score, caused by improper validation of received data. 

#2 CVE-2018-12326 and CVE-2018-11218: buffer-handling flaws in which the software can read from or write to a memory location outside the intended boundary of the buffer. Both are found in the Redis component. 

#3 CVE-2020-4670: rated 9.8 CVSS, caused by improper authentication: the Redis software does not sufficiently verify the identity claim presented by an actor. 

#4 CVE-2018-8014: the software ships with an insecure default configuration (one that is intended to be changed by the administrator). 

#5 CVE-2021-33020: the product continues to use expired passwords and cryptographic keys, widening the window of opportunity for attacks against them. 

#6 CVE-2018-10115: exists in the third-party 7-Zip component; a resource is not correctly initialized, leaving it in an unexpected state. 

#7 CVE-2021-27501: the software does not follow certain secure coding rules. 

#8 CVE-2021-33018: use of a broken cryptographic algorithm could lead to data leakage. 

#9 CVE-2021-27497: the product does not properly use a protection mechanism. 

#10 CVE-2012-1708: lies in the third-party Oracle Database component and is related to data integrity. 

#11 CVE-2015-9251: user-controllable input is not correctly neutralized before it is placed in output. 

#12 CVE-2021-27493: the software does not properly ensure that messages or data are well-formed. 

#13 CVE-2019-9636: Unicode encoding in input is not handled correctly by the software. 

#14 CVE-2021-33024: the method used to protect authentication credentials is insecure. 

#15 CVE-2021-33022: sensitive data is transmitted over a communication channel that can be sniffed. 

According to reports, the affected products are Vue Speech 12.2 and earlier, Vue Motion, Philips Vue PACS, and MyVue. Some have already been fixed, while others will not receive security updates until 2022.

Safety measures: 

A reasonable strategy, according to SCMagazine, is to limit the devices' network exposure. Administrators should keep remote devices and control system networks behind firewalls and isolate them from the business network. 

Where affected Philips Vue appliances must be used remotely, this should only be done over a secure connection, such as an up-to-date VPN.

Dutch Institute Exposes Flaws in Kaseya – VSA Platform

 

In the wake of the recent catastrophic attack on its VSA platform, Kaseya collaborated with researchers to fix a bug that hackers had been using to deliver ransomware to numerous firms. 

A group of researchers at the Dutch Institute of Vulnerability Disclosure published a couple of articles explaining how and when they discovered a series of vulnerabilities in the tools Kaseya provides to managed service providers (MSPs). As per the DIVD, one of the seven problems that the team had discovered in the Kaseya VSA software was the vulnerability known as CVE-2021-30116. 

The authentication bypass vulnerability was one of two vulnerabilities the cybercriminals exploited when they broke into the VSA service and used the affected installations to distribute a REvil ransomware payload to customers. The DIVD did not indicate that the attackers were using the second vulnerability. 

According to the DIVD report, it had been in private contact with Kaseya since April about the seven issues detected in the internet-facing services and applications of the MSP software provider. Some had already been patched in April and May, and fixes for the others were in progress when the attack on the VSA took place. 

In addition to CVE-2021-30116, the DIVD says the team uncovered a SQL injection flaw, CVE-2021-30117, patched in May; a remote code execution flaw, CVE-2021-30118, patched in April; CVE-2021-30119, for which a patch is underway; a bypass, CVE-2021-30120, to be patched in the upcoming VSA release 9.5.7; a local file inclusion vulnerability, CVE-2021-30121, patched in May; and an XML external entity bug, CVE-2021-30201, patched in May. 

"When we discovered the vulnerabilities in early April, it was evident to us that we could not let these vulnerabilities fall into the wrong hands," Breedijk wrote. "After some deliberation, we decided that informing the vendor and awaiting the delivery of a patch was the right thing to do. We hypothesized that, in the wrong hands, these vulnerabilities could lead to the compromise of large numbers of computers managed by Kaseya VSA." 

Regrettably, in what Breedijk called the "worst-case scenario," the flaws were not all fixed before criminal hackers identified and exploited one of them, the DIVD said. The researchers noted that Kaseya was responsive to their reports and worked extremely hard to solve the problems. 

However, the secrecy and hard work came to nothing when the criminals launched their ransomware attack on July 2, demanding a $70 million cryptocurrency payment in return for the decryption key. 

The DIVD's recent write-up suggests that the attack could have resulted from a leak in the confidential disclosure process, especially when combined with the attackers' knowledge that specific VSA folders were excluded from anti-virus protection.

SonicWall Patches Critical CVE-2021-20026 Vulnerability in NSM Product

 

A researcher at Positive Technologies has provided details about CVE-2021-20026, a command injection flaw affecting SonicWall’s Network Security Manager (NSM). The flaw is rated with an 8.8 severity score and was patched in May 2021. 

SonicWall advised users to 'immediately' fix a post-authentication vulnerability impacting on-premises versions of the Network Security Manager (NSM) multi-tenant firewall management solution which can be abused through specially crafted HTTP requests sent to the susceptible application. An attacker could exploit the flaw to execute arbitrary commands on the underlying operating system with root privileges.

The security flaw was discovered by Nikita Abramov, a researcher at Russian cybersecurity firm Positive Technologies, who explains that the flaw exists due to improper validation of input data which is directly passed to the operating system for processing.

Abramov explained that an attacker authorized in NSM with a minimal level of privileges could exploit the flaw to compromise the product. Threat actors can use it to inject OS commands, gaining access to all the features the vulnerable on-premises SonicWall NSM platform offers, as well as to the entire underlying operating system.

NSM is a firewall management application that provides the ability to monitor and manage all network security services from a single interface, as well as to automate tasks to improve security operations. The product is available for on-premises deployments or as a SaaS offering.

“A successful attack on a vulnerable device requires authorization in NSM with a minimum level of privileges. SonicWall NSM allows centralized management of hundreds of devices. Tampering with this system may negatively impact a company’s ability to work, to the point of full disruption of its protection system and stopping of business processes,” Nikita Abramov, stated. 

The security flaw impacts the 2.2.0-R10 and earlier releases of on-premises SonicWall NSM and it has been addressed with the release of NSM 2.2.1-R6, which SonicWall customers are encouraged to install.

“As with Cisco ASA, successful attackers could disable access to the company’s internal network by blocking VPN connections, or write new network traffic policies, thus fully preventing its checks by a firewall,” Abramov added.

Utilizing Exposed NuGet Packages Attackers Target .NET Platform

 

An analysis of off-the-shelf packages hosted in the NuGet repository found that 51 unique software components are affected by severe vulnerabilities that are being actively exploited, again highlighting the risk that third-party dependencies pose to software development. 

ReversingLabs researcher Karl Zanki noted in a report that, with the number of attacks targeting the software supply chain still growing, such modules urgently need to be assessed for security risk and their attack surface minimized. 

NuGet is a Microsoft-supported package manager for the .NET platform that lets developers share reusable code. It maintains a central repository of more than 264,000 packages that together account for more than 109 billion downloads. 

Such code is typically bundled into 'packages' containing compiled code (such as DLLs) and other content needed by the projects that consume them. NuGet defines how packages for .NET (including .NET Core) are created, hosted, and consumed, and provides tooling for each of those roles. 

"All identified pre-compiled software components in our research were different versions of 7Zip, WinSCP, and PuTTYgen, programs that provide complex compression and network functionality," Zanki explained. "They are continuously updated to improve their functionality and to address known security vulnerabilities. However, sometimes it happens that other software packages get updated but still keep using several years old dependencies containing known vulnerabilities." 

In one instance, 'WinSCPHelper', a remote server file management library installed more than 35,000 times, was found to bundle the old and vulnerable WinSCP 5.11.2. WinSCP 5.17.10, published earlier this month, addresses the critical arbitrary code execution flaw (CVE-2021-3331) that exposes users of the package. 

The researchers also found that a vulnerable version of the "zlib" data compression library is embedded in more than 50,000 software components from NuGet packages. This leaves those components exposed to several known security issues in the compression library, such as CVE-2016-9840, CVE-2016-9841, CVE-2016-9842, and CVE-2016-9843. 

Among the packages found to carry the vulnerable zlib are "DicomObjects" and "librdkafka.redist", which have been downloaded between roughly 50,000 and 18.2 million times.

"Companies developing software solutions need to become more aware of such risks, and need to become more involved in their handling," Zanki said.

Severe Flaw Identified in OWASP ModSecurity Core Rule Set

 

Developers at the OWASP Foundation have disclosed a flaw in the Open Web Application Security Project (OWASP) ModSecurity Core Rule Set (CRS) project that could allow threat actors to bypass the protections offered by a CRS-based web application firewall (WAF). 

The flaw, tracked as CVE-2021-35368, allows requests to pass through CRS without being inspected, owing to a combination of two bugs in the CRS Drupal rule exclusion package. It is not confined to deployments that use the Drupal rule exclusions: it is present in every CRS installation that ships these rule exclusions, regardless of whether they are enabled.

"If the backend is broken and configured with the correct trailing pathname information setting… then anything is possible. If the backend looks into the trailing path info as it should, then you are on the safe side. The vulnerability has been around for several years. When we did the early rule exclusion packages in 2016 and 2017, we were not really used to the rule-writing techniques that we had to employ,” explained Christian Folini, co-lead of the volunteer-led Core Rule Set project. 

Andrew Howe from Loadbalancer.org identified the vulnerability in the ModSecurity engine last year, Folini said. Howe reported the two flaws in the CRS in June. All known CRS installations that offer the predefined CRS rule exclusion packages are affected. This also applies to end-of-life CRS versions 3.0.x, 3.1.0, 3.1.1, as well as the currently supported versions 3.2.0 and 3.3.0.

Folini pointed to a lack of financial support as a key barrier to running a volunteer-led project such as CRS. “Open source is not inherently more secure than closed source – it just means that people can look at the code. Yet the security advantage can only play out when people actually do look at the code, like Andrew Howe did,” he explained.

“If we have these reviews, then the inherent transparency of an open-source project will bring an advantage over traditional software, namely in the security domain where users really want to see what is going deep down in their software.”

“Open-source projects also tend to be more open about their shortcomings so they are often able to build up more trust and confidence with their user base. A commercial project is often tempted to avoid bad press by keeping a problem under the rug, or hiding a fix in the changelog,” Folini concluded.

GitLab Fixes Several Vulnerabilities Reported by Bug Bounty

 

With an update to its software development platform, GitLab has addressed numerous vulnerabilities, including two high-severity web security flaws. 

GitLab is a web-based DevOps lifecycle tool from GitLab Inc., available under an open-source license, that provides wiki, issue-tracking, and continuous integration and deployment pipeline capabilities. It was created by Ukrainian programmers Dmytro Zaporozhets and Valery Sizov.

A cross-site request forgery (CSRF) flaw in GitLab's GraphQL API gave an attacker a way to perform changes while impersonating their victims. 

Cross-Site Request Forgery (CSRF) is an attack that causes an end user to perform unwanted actions in a web application in which they are currently authenticated. With some social engineering (such as sending a link by email or chat), users of a web application can be lured into carrying out actions of the attacker's choosing. If the target is a regular user, a successful CSRF attack can force the user to make state-changing requests such as transferring funds or changing their email address. When the victim is an administrative account, CSRF can compromise the whole web application. 

A second high-severity vulnerability meant the GitLab webhook feature could be exploited for denial-of-service (DoS) attacks. 

A denial-of-service (DoS) attack is designed to shut down a machine or network, making it unreachable to its intended users. DoS attacks achieve this by flooding the target with traffic or sending it information that triggers a crash.

The researcher known as 'afewgoats' identified the DoS vulnerability and reported it through GitLab's bug bounty program, which is operated on HackerOne. 

CVE identifiers were requested for both high-severity vulnerabilities, although none have been assigned yet. The ethical hacker told The Daily Swig that they had been working on a technique for attacking webhook services. 

"The webhook connections usually have timeouts set, but my badly-behaving webserver can bypass them and keep the connection open for days," afewgoats explained. "It's the only Denial of Service, but it could tie up huge amounts of memory on the victim servers." 

"So far it's been successful against PHP, Ruby, and Java targets," they added. 

Updating installations to the new GitLab version fixes the CSRF and DoS issues along with a range of lesser flaws. 

According to GitLab's security advisory, the platform upgrade also addresses 15 medium-severity and two low-severity issues. These include a DOM-based cross-site scripting (XSS) issue involving the clipboard, a reflected XSS in release edit pages, and a stored XSS in the audit log.

Microsoft Alerts of Critical PowerShell 7 Code Execution Vulnerability

 

Microsoft is urging customers to upgrade their PowerShell 7 installations as soon as possible to protect themselves against a .NET remote code execution (RCE) vulnerability. 

PowerShell is a configuration management framework that features a command-line shell as well as a task automation scripting language. It runs on .NET, which makes use of a text encoding package that was recently fixed against an RCE flaw. It works with structured data such as JSON, CSV, and XML, with REST APIs and object models, and it runs on all major platforms, including Windows, Linux, and macOS. 

The .NET vulnerability was rated critical with a severity score of 9.8 and was patched in April. 

According to the company, there are no mitigation steps available to prevent exploitation of the security issue, tracked as CVE-2021-26701. Customers are encouraged to update to PowerShell 7.0.6 or 7.1.3 as soon as possible to safeguard their systems. 

In addition, Microsoft's initial advisory instructs developers on how to update their programs to eliminate the risk. 

Microsoft explained in April when the security flaw was patched, "The vulnerable package is System.Text.Encodings.Web. Upgrading your package and redeploying your app should be sufficient to address this vulnerability." 

Any .NET 5, .NET Core, or .NET Framework application that uses one of the System.Text.Encodings.Web package versions listed below is vulnerable:

1. System.Text.Encodings.Web: vulnerable versions 4.0.0 - 4.5.0; secure version 4.5.1

2. System.Text.Encodings.Web: vulnerable versions 4.6.0 - 4.7.1; secure version 4.7.2

3. System.Text.Encodings.Web: vulnerable version 5.0.0; secure version 5.0.1 
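Checking a project against these three ranges by hand is error-prone, so here is an added example (not Microsoft's tooling) that parses the PackageReference items in a .csproj file and reports every direct reference to System.Text.Encodings.Web that falls inside a vulnerable range, together with the secure version to move to. It assumes exact version strings (NuGet floating versions and range syntax are out of scope), covers only direct references and not transitive dependencies, and uses a constructed sample project.

```python
import xml.etree.ElementTree as ET

PACKAGE = "System.Text.Encodings.Web"
# (lowest vulnerable, highest vulnerable, first fixed) for each range in the advisory above.
VULNERABLE_RANGES = [
    ((4, 0, 0), (4, 5, 0), "4.5.1"),
    ((4, 6, 0), (4, 7, 1), "4.7.2"),
    ((5, 0, 0), (5, 0, 0), "5.0.1"),
]

# Constructed sample project file; not taken from any real repository.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="Newtonsoft.Json" Version="13.0.1" />
    <PackageReference Include="System.Text.Encodings.Web" Version="4.5.0" />
    <PackageReference Include="System.Text.Encodings.Web">
      <Version>4.7.1</Version>
    </PackageReference>
    <PackageReference Include="System.Text.Encodings.Web" Version="5.0.1" />
  </ItemGroup>
</Project>"""


def parse_version(text):
    """Map '4.7.1' or '5.0.0-preview.3' to a comparable (major, minor, patch) tuple.
    Prerelease and build metadata are dropped, so a prerelease is judged by its release
    number (an assumption made here, erring on the side of flagging it)."""
    core = text.split("-", 1)[0].split("+", 1)[0]
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def fixed_version_for(version_text):
    """Return the secure version to move to, or None if the version is not in a vulnerable range."""
    version = parse_version(version_text)
    for lowest, highest, fixed in VULNERABLE_RANGES:
        if lowest <= version <= highest:
            return fixed
    return None


def local_name(tag):
    """Strip an XML namespace ('{uri}PackageReference' -> 'PackageReference')."""
    return tag.rsplit("}", 1)[-1]


def audit_csproj(xml_text):
    """Return [(referenced_version, fixed_version)] for each vulnerable direct reference.
    Handles the Version attribute and the nested <Version> element, and both SDK-style
    (no namespace) and legacy (namespaced) project files."""
    root = ET.fromstring(xml_text)
    findings = []
    for element in root.iter():
        if local_name(element.tag) != "PackageReference" or element.get("Include") != PACKAGE:
            continue
        version = element.get("Version")
        if version is None:
            child = next((c for c in element if local_name(c.tag) == "Version"), None)
            version = (child.text or "").strip() if child is not None else ""
        fixed = fixed_version_for(version) if version else None
        if fixed:
            findings.append((version, fixed))
    return findings
```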

According to Microsoft's security alert, Visual Studio ships the .NET binaries but is itself not vulnerable to this flaw. The update includes the .NET files, ensuring that apps built with Visual Studio that use .NET capabilities are protected from this security flaw. 

"If you have questions, ask them in GitHub, where the Microsoft development team and the community of experts are closely monitoring for new issues and will provide answers as soon as possible," Microsoft added. 

Microsoft has recently mentioned that future PowerShell upgrades will be released through the Microsoft Update service, making it easier to keep PowerShell up to date on Windows 10 and Windows Server.

Several Critical Flaws Identified in WordPress Plugin

 

Wordfence researchers warned of multiple flaws in a popular WordPress plugin that allow an attacker to upload arbitrary files to a vulnerable site and achieve remote code execution (RCE). On May 27, the researchers discovered four security vulnerabilities, all of which were assigned a high CVSS score of 9.8. 

The first issue discovered was a privilege escalation flaw CVE-2021-34621. “During user registration, users could supply arbitrary user metadata that would get updated during the registration process. This included the wp_capabilities user meta that controls a user’s capabilities and role. This made it possible for a user to supply wp_capabilities as an array parameter while registering, which would grant them the supplied capabilities, allowing them to set their role to any role they wanted, including the administrator,” researchers explained.

In addition, there was no check to validate that user registration was enabled on the site, meaning users could register as an administrator even on sites where user registration was disabled. This meant that attackers could completely take charge of a susceptible WordPress site. 

The second flaw, CVE-2021-34622, in the user profile update functionality, relies on the same technique as above but requires the attacker to have an account on the vulnerable site for the exploit to work. 

“However, since the registration function did not validate if user registration was enabled, a user could easily sign up and exploit this vulnerability, if they were not able to exploit the privilege escalation vulnerability during registration,” according to Wordfence researchers. 

Arbitrary file upload is the third flaw present in the image uploader component (CVE-2021-34623). The image uploader in ProfilePress was insecurely implemented using the exif_imagetype function to determine whether a file was safe or not. An attacker could disguise a malicious file by uploading a spoofed file which would bypass the exif_imagetype check.

The fourth and last flaw, CVE-2021-34624, in the plugin’s ‘custom fields’ functionality, which performs a similar check for malicious files, could likewise be exploited to achieve RCE.

ProfilePress, formerly known as WP User Avatar, facilitates the uploading of WordPress user profile images and is installed on over 400,000 sites. Its only functionality was to upload photos; however, a recent change saw the plugin augmented with new features including user login and registration. Unfortunately, the new features introduced several security flaws. 

Chloe Chamberland, threat analyst at Wordfence, discovered the bugs by using a tool called WPDirectory to search the WordPress plugin repository for specific lines of code. “I did a routine search for wp_ajax hooks and found that this plugin had introduced some new AJAX actions that I hadn’t previously noticed before, which led to me further investigating them,” the researcher said.