Vulnerabilities Archives – Gridinsoft Blog
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe.
Thu, 11 Jul 2024 10:37:00 +0000

Microsoft Fixes 3 Critical Vulnerabilities in July Patch Tuesday, One Exploited
https://gridinsoft.com/blogs/microsoft-fixes-3-critical-vulnerabilities-patch-tuesday/
Thu, 11 Jul 2024 10:37:00 +0000

Microsoft has released its monthly security update, addressing 142 vulnerabilities across its product suite and software. One of these vulnerabilities is already being exploited in the wild. The vulnerabilities were fixed as part of Microsoft’s monthly bug fix release, widely known as “Patch Tuesday”.

Microsoft Fixed 3 Critical Flaws in Patch Tuesday

In the most recent Patch Tuesday, on July 10, 2024, Microsoft released fixes for 142 security issues in its product suite and software. Among them are six flaws of different severity: CVE-2024-38023, CVE-2024-38060, CVE-2024-38080, and the RCE bugs CVE-2024-38074, CVE-2024-38076, and CVE-2024-38077. The latter three have a CVSS score of 9.8 and allow an attacker to send specially crafted network packets that trigger remote code execution in the Windows Remote Desktop Licensing service. Moreover, the last of them does not require authentication, which makes it particularly dangerous.

[Screenshot: Windows Updates menu]

Notably, this is the largest list of fixes in recent months, nearly matching the April release, in which Microsoft fixed 150 vulnerabilities. The patches address vulnerabilities across multiple segments of Microsoft's product line, including Windows, Office, Azure, .NET, Visual Studio, SQL Server, and Windows Hyper-V. One of the vulnerabilities is already being actively exploited in real-world attacks.

CVE-2024-38074, 38076, and 38077 Details

Although all of the RCE flaws are rated at CVSS 9.8, some of them require authenticated access or specific privileges to exploit. For instance, the vulnerability in Microsoft SharePoint Server requires site owner rights to execute arbitrary code. One of the most significant vulnerabilities is an issue in Windows Hyper-V that allows attackers to gain system privileges. To understand the severity of these vulnerabilities, let's look at the details.

The CVE-2024-38023 vulnerability allows attackers with site owner rights in Microsoft SharePoint Server to execute arbitrary code on the server. An attacker with the necessary privileges can use specially crafted commands to execute code in the context of SharePoint Server. This vulnerability is particularly dangerous because it can lead to complete control over the server and leakage of confidential information.

Another remote code execution vulnerability, CVE-2024-38060, stems from a flaw in the Microsoft Windows codec library. It allows an attacker to upload a specially crafted TIFF file which, when processed by the system, triggers arbitrary code execution. However, to exploit this vulnerability the attacker must already have access to the system, which makes it less dangerous than remote attacks, though it still poses a significant risk.

The third vulnerability, CVE-2024-38080, is already being actively exploited in real-world attacks. Attackers can use it to escalate privileges in Windows Hyper-V, gaining system-level privileges. This can lead to complete control over virtualized environments, posing a serious threat to the security and integrity of those systems.

How to Stay Safe?

Vulnerabilities are an inherent part of software, past, present, and future. The only effective method to mitigate their risks is timely patching. To minimize these risks, Microsoft strongly recommends promptly installing the latest updates that address these vulnerabilities. And, well, even though Redmond tries its best to fix all the known flaws in time, there may be slip-throughs, even ones that exist for over a year.

Another layer of protection against exploitation is a zero-trust anti-malware solution. Not many are available for home users, but vulnerability exploitation typically targets systems in corporate networks to begin with. A sturdy solution that thoroughly checks every action of any software, which is the essence of a zero-trust policy, is the most effective defense against such attacks.

GitHub Enterprise Server Auth Bypass Flaw Discovered
https://gridinsoft.com/blogs/github-enterprise-server-auth-bypass-vulnerability/
Wed, 22 May 2024 09:27:32 +0000

On May 21, 2024, GitHub disclosed a new authentication bypass flaw in its Enterprise Server. Tracked as CVE-2024-4985, it is so easy to exploit that it received the maximum CVSS rating of 10 right away. The developer has already released patches and potential mitigations for the flaw.

GitHub Discloses Enterprise Server Authentication Bypass Vulnerability

Later on May 21, GitHub developers released a note regarding the newly discovered vulnerability in Enterprise Server (GHES). GHES is a self-hosted development and code management platform that replicates the functionality of the cloud service. This in fact makes the vulnerability much more dangerous, but more on that later. A search on the ZoomEye search engine reports over 70 thousand Enterprise Server instances around the world, most of them vulnerable.

[Screenshot: ZoomEye scan for GitHub Enterprise Server instances]

The new CVE-2024-4985 flaw stems from a weakness in the SAML authentication mechanism, specifically in its optional encrypted assertions feature. It was discovered under GitHub's Bug Bounty program. By crafting a SAML response message, it is possible to make the system believe that authentication completed successfully, so it lets the adversary in.

The potential outcomes of a successful attack are rather severe, which certainly accounts for the CVSS score of 10/10. Considering that Enterprise Server is a self-hosted instance of a GitHub code repository, getting access to it also means getting access to some of the internal network infrastructure. Repository access itself is a perfect ground for a supply chain attack, and by accessing the servers, hackers can deal damage to the company itself.

GitHub Releases Fixes For CVE-2024-4985

One more unfortunate detail about this flaw is that it impacts quite a few versions of GitHub Enterprise Server. The newest 3.13 version of GHES is safe, but all versions prior to it are vulnerable. The developer released fixes for a selection of versions.

GHES version         Fixed in
3.12.3 and earlier   3.12.4
3.11.9 and earlier   3.11.10
3.10.11 and earlier  3.10.12
3.9.14 and earlier   3.9.15
3.8 and earlier      No fix available

There is also a mitigation option confirmed by GitHub: disabling the encrypted assertions feature. The flawed component is not enabled by default, so the issue does not exist for those who never enabled it. This mitigation will also help users of versions prior to 3.8, which will not receive any updates.

Zabbix SQLi Vulnerability Leads to RCE, Latest Versions Affected
https://gridinsoft.com/blogs/zabbix-sqli-vulnerability/
Tue, 21 May 2024 08:34:22 +0000

Zabbix, a network monitoring tool widely used in corporate IT infrastructure around the world, appears to be susceptible to SQL injection attacks. The flaw, tracked as CVE-2024-22120, affects all versions from 6.0 on and can potentially lead to remote code execution. The researcher who found the flaw has already published a proof-of-concept exploit, meaning that exploitation may begin sooner rather than later.

Zabbix SQLi Vulnerability Uncovered

On May 17, 2024, a severe vulnerability in the Zabbix utility was discovered. Back in late February of the same year, threat researcher Maxim Tyukov had published a detailed description of the flaw in a support thread on the developers' site. Zabbix itself assigned a CVSS rating of 9.1, while the official rating from NIST's NVD is still to come. The report concludes with the potential damage from successful exploitation of the vulnerability.

"Allows dumping any values from the database. As an example, the exploit above allows privilege escalation from user to admin. In some cases the SQL injection leads to RCE."
mf0cuz, the threat researcher

As the report shows, the flaw is really easy to exploit. All the adversaries need at the start is a low-privileged account and access to a single host, just to be able to run an exploit script on it. Then, after some tinkering with the values related to that account's login session, the attacker can execute the exploit. It takes some time to start working, as it pauses briefly between actions to avoid triggering alarms. But after around 10 minutes, the attacker will have access to the entire database.

[Screenshot: Zabbix SQLi output after a successful SQL injection]

Due to the nature of the Zabbix software kit, the kind of data an SQLi may leak in the process is not of tremendous value in itself. However, information about the number of servers, their hardware load and status is a perfect starting point for reconnaissance. With this data, the attacker can plot a path towards specific servers or even machines. Also, as the researcher noted, successful exploitation can eventually lead to remote code execution. It may require some additional steps, but still, RCEs are considered the most dangerous vulnerabilities for a good reason.

Affected Versions

The original research names a whole array of Zabbix versions as susceptible to exploitation. CVE-2024-22120 affects versions since 6.0.0, and even some beta versions of the newest 7.0. See the table below:

Vulnerable versions         Fixed in
6.0.0 - 6.0.27              6.0.28rc1
6.4.0 - 6.4.12              6.4.13rc1
7.0.0alpha1 - 7.0.0beta1    7.0.0beta2

Development of all these fixes is most likely the reason why the information about the flaw took three months to publish. Zabbix devs released not just the information but also patches for all the flawed versions. The obvious step for the software's client base, which is fairly big, is to install those updates. The publication of the PoC exploit along with the report should be just another stimulus to do so.
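Both the GitHub Enterprise Server table in the previous post and the Zabbix table above are the kind of data a defender needs to turn into an inventory check, and the Zabbix rows show why a naive string comparison is not enough: the fixed releases carry pre-release tags (6.0.28rc1, 7.0.0beta2). The following is an added example, not code from Gridinsoft, GitHub or Zabbix. It encodes the two vendor tables exactly as quoted on this page; the version parser, the ordering alpha < beta < rc < final, and the "3.8 and earlier" range modelled as everything below 3.9.0 are assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Pre-release tags sort before the final release: 7.0.0alpha1 < 7.0.0beta2 < 7.0.0rc1 < 7.0.0
PRE_RANK = {"alpha": 0, "beta": 1, "rc": 2}
FINAL_RANK = 3
VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:[-.]?(alpha|beta|rc)(\d*))?$")


def parse_version(text: str) -> Tuple[Tuple[int, ...], int, int]:
    """Turn '6.0.28rc1' into a tuple that compares correctly: ((6, 0, 28), 2, 1)."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    nums = nums + (0,) * (3 - len(nums))  # "3.8" -> (3, 8, 0)
    if m.group(2):
        return nums, PRE_RANK[m.group(2)], int(m.group(3) or 0)
    return nums, FINAL_RANK, 0


@dataclass(frozen=True)
class VulnRange:
    low: str              # first vulnerable version (inclusive)
    upper: str            # first non-vulnerable version (exclusive)
    fixed: Optional[str]  # release to upgrade to, None when no fix exists


# GitHub Enterprise Server, CVE-2024-4985, from the vendor table quoted above.
# "3.8 and earlier: no fix available" is modelled (assumption) as everything below 3.9.0.
GHES_CVE_2024_4985 = [
    VulnRange("0.0.0", "3.9.0", None),
    VulnRange("3.9.0", "3.9.15", "3.9.15"),
    VulnRange("3.10.0", "3.10.12", "3.10.12"),
    VulnRange("3.11.0", "3.11.10", "3.11.10"),
    VulnRange("3.12.0", "3.12.4", "3.12.4"),
]

# Zabbix, CVE-2024-22120, from the table above; the fix itself is the first safe version.
ZABBIX_CVE_2024_22120 = [
    VulnRange("6.0.0", "6.0.28rc1", "6.0.28rc1"),
    VulnRange("6.4.0", "6.4.13rc1", "6.4.13rc1"),
    VulnRange("7.0.0alpha1", "7.0.0beta2", "7.0.0beta2"),
]


def assess(version: str, ranges) -> str:
    """Classify one installed version against a list of vulnerable ranges."""
    v = parse_version(version)
    for r in ranges:
        if parse_version(r.low) <= v < parse_version(r.upper):
            if r.fixed is None:
                return "vulnerable, no fix available"
            return f"vulnerable, upgrade to {r.fixed}"
    if v < min(parse_version(r.low) for r in ranges):
        return "not affected (predates the vulnerable versions)"
    # Newer than every listed range, or on a release line the advisory does not
    # mention: say so honestly rather than claiming it is patched.
    return "not listed as vulnerable"


def assess_inventory(inventory, ranges):
    """Map {host: version} to {host: verdict} so the result can be sorted or alerted on."""
    return {host: assess(version, ranges) for host, version in inventory.items()}


if __name__ == "__main__":
    # Constructed inventory, not real hosts.
    ghes_hosts = {"ghes-prod": "3.12.3", "ghes-legacy": "3.8.17", "ghes-new": "3.13.0"}
    zbx_hosts = {"zbx-lts": "6.0.27", "zbx-patched": "6.0.28rc1", "zbx-beta": "7.0.0beta1"}
    for host, verdict in assess_inventory(ghes_hosts, GHES_CVE_2024_4985).items():
        print(f"{host}: {verdict}")
    for host, verdict in assess_inventory(zbx_hosts, ZABBIX_CVE_2024_22120).items():
        print(f"{host}: {verdict}")
```

The "vulnerable, no fix available" verdict is the one that matters for the GHES 3.8-and-earlier hosts: those need the mitigation described in the GitHub post (disabling the encrypted assertions feature) rather than an update.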

OpenMetadata Vulnerabilities Exploited to Abuse Kubernetes
https://gridinsoft.com/blogs/openmetadata-vulnerabilities-exploited-kubernetes/
Mon, 22 Apr 2024 23:07:21 +0000

The Microsoft security blog reports that the OpenMetadata platform has critical vulnerabilities that allow attackers to exploit Kubernetes workloads for crypto mining. Five vulnerabilities allow attackers to bypass authentication and achieve remote code execution. Microsoft recommends updating OpenMetadata and employing robust authentication measures.

OpenMetadata Vulnerabilities Threaten Kubernetes Workloads, Actively Exploited

According to the recent Microsoft security blog, cyber attackers leverage critical vulnerabilities in the OpenMetadata platform to infiltrate Kubernetes workloads. These vulnerabilities (CVE-2024-28255, CVE-2024-28847, CVE-2024-28253, CVE-2024-28848, and CVE-2024-28254) impact versions preceding 1.3.1. They have different CVSS scores, the highest being 9.8 and 9.4 (more on those below). Successful exploitation allows attackers to bypass authentication and achieve remote code execution (RCE).

[Screenshot: additional cryptomining-related malware on the attacker's server]

OpenMetadata is a discovery, observability, and governance platform with a central metadata repository, in-depth lineage, and team collaboration. It has metadata schemas, a metadata store, APIs, and an ingestion framework, with data discovery among its key features. Once compromised, however, these workloads become conduits for illicit crypto-mining activities.

Identifying Critical Vulnerabilities

CVE-2024-28255 is a critical vulnerability (CVSS: 9.8) in the OpenMetadata platform, affecting its API authentication mechanism. In brief, the `JwtFilter` handles API authentication by verifying JWT tokens. However, attackers can bypass the authentication mechanism by requesting excluded endpoints using path parameters. Developers fixed the issue in version 1.2.4.

CVE-2024-28255 is a second vulnerability, with a CVSS of 9.4, that stems from JWT token validation deficiencies in JwtFilter. An authorization check called `authorizer.authorize()` is invoked only after `prepareInternal()`, which gets executed first and evaluates the SpEL expression. To exploit this vulnerability, an attacker can send a PUT request to `/api/v1/policies`. The issue can lead to remote code execution and is fixed in version 1.3.1.

How Does The Attack Work?

The following describes the attack sequence observed in instances where internet-accessible Kubernetes workloads of OpenMetadata have been compromised. Attackers identify vulnerable versions and exploit the vulnerabilities to gain code execution within the container hosting the compromised OpenMetadata image, thereby obtaining initial access.

Post-infiltration, attackers validate their intrusion and gauge control using a publicly accessible service. They send ping requests to domains ending with oast[.]me and oast[.]pro, associated with Interactsh, to confirm successful exploitation and validate connectivity before establishing a command-and-control channel and deploying malicious payloads.

Following successful access confirmation, attackers download crypto-mining malware from a remote server for XMR mining, executed with elevated permissions. It is noteworthy that Microsoft identified the attacker’s server location as China. Additionally, other malware targeting both Linux and Windows operating systems was uncovered on the attacker’s server.

Prevention and Mitigation Measures

To reduce the risk of potential vulnerabilities, we highly recommend updating the image version of clusters hosting OpenMetadata workloads to the latest version, specifically 1.3.1 or newer. Additionally, if you are making OpenMetadata accessible via the Internet, it is crucial to employ strong authentication mechanisms and avoid using default credentials.

Critical PAN-OS Command Injection Flaw Exploited
https://gridinsoft.com/blogs/critical-pan-os-command-injection-flaw-exploited/
Sat, 13 Apr 2024 21:54:52 +0000

Palo Alto Networks warns its customers about a vulnerability in its PAN-OS that leads to command injection. Residing in the GlobalProtect feature and requiring some specific configurations, this flaw still manages to hit the maximum CVSS score of 10/10. Fixes for the issue are already in development, the company says.

PAN-OS Command Injection Vulnerability Exploited in the Wild

On April 12, 2024, Palo Alto Networks released a report regarding CVE-2024-3400, a critical vulnerability in its PAN-OS. This operating system is the basis for the company's firewall solutions, which in turn are a rather popular option for network protection among companies around the world. By exploiting the flaw, adversaries gain the ability to execute arbitrary code with maximum (root) privileges. This explains the extremely high CVSS score, as well as the stir it caused in the cybersecurity community.

The worst part about this flaw is that it is already being exploited in real-world attacks. Palo Alto Networks does not mention any specific attack cases, but the vendor's own confirmation leaves little room for doubt. The company also specifies that for successful exploitation, the affected PAN-OS instance must have two things configured: the device telemetry feature and a GlobalProtect gateway.

Arbitrary code execution vulnerabilities may be used both for gaining initial access and for performing lateral movement. When such a flaw resides in firewall software, the result may be misconfiguration of the network protection or its complete disabling. The former is more probable though, as it allows for creating stealthy communication channels with the infected environment.

Affected Versions and Patches

Palo Alto Networks confirms the vulnerability is present in a grand total of 3 PAN-OS versions: 10.2, 11.0 and 11.1. Earlier versions, as well as some of the auxiliary software used together with the firewall, are not affected. The problem is that there are no patches available for the flawed versions at the moment.

[Image: list of vulnerable and safe PAN-OS versions shared by Palo Alto Networks]

The company promises to release corresponding fixes for all the vulnerable versions on April 14, 2024. It also offers a possible mitigation of the issue: disabling the device telemetry feature. This will diminish the potential impact of a successful exploitation. For subscribers of its Threat Prevention service, the company provides the ability to block potential exploitation attempts.

Protecting Against Vulnerability Exploitation

Any software may contain vulnerabilities, and even top-notch solutions from world-renowned vendors are no exception. There are no soothsayers among us, so predicting which program will have a vulnerability is rather difficult. For that reason, reactive measures are the best possible way to avoid attacks that use vulnerability exploitation.

Stay in touch with the latest security news. Whenever a flaw in widely used software becomes public, it hits the headlines of all cybersecurity newsletters. The thing is, the vast majority of vulnerability exploitation happens after the information about it becomes public. Rapid reaction to a new discovery and patching the flaw as the instructions say will most definitely secure your environment.

Progress Flowmon Command Injection Flaw Discovered
https://gridinsoft.com/blogs/progress-flowmon-command-injection-flaw/
Thu, 04 Apr 2024 15:05:50 +0000

Progress Flowmon, a popular network monitoring solution, appears to be vulnerable to arbitrary command injection. Successful exploitation of the flaw can grant adversaries full access to the network infrastructure, leading to catastrophic consequences. The developer has already released a fix and insists on its urgent installation.

Flowmon Command Injection Flaw Threatens Network Security

A recent report from Progress reveals a severe flaw in Flowmon, its network monitoring utility widely used in corporations. It interconnects all the network-facing assets, allowing for simultaneous monitoring and control over the environment. And, as it turns out, it is possible to bypass the authentication of this solution's API and execute arbitrary commands on the affected instance.

The critical vulnerability, tracked as CVE-2024-2389, received the highest possible CVSS score of 10. The broad capabilities it grants attackers correspond to this, as hackers can disrupt the network, change its configuration or obtain sensitive information. Additionally, due to the high trustworthiness of Flowmon and the use of embedded commands, an intrusion is particularly hard to detect.

The issue itself stems from a flaw in the API command authentication mechanism. A specially crafted command sent to the network-facing API will be executed regardless of the privileges of whoever issues it, if any at all. Deeper analysis shows that the flaw falls under the CWE-78 designation.

Overall, hacking into network infrastructure remains a key attack vector for a lot of cyberattacks. More sophisticated ones try to inject malicious code through a supply chain attack; you may have heard about the recent scandal around the backdoor in XZ Utils. At the same time, the sheer volume of vulnerabilities in circulation makes it entirely possible to succeed even without that much effort.

Affected Versions and Mitigations

Progress, the developer of the solution, says that Flowmon versions before 11.1.14 and 12.3.5 are vulnerable. Those two versions are the newest updates and contain the fix for this flaw. Earlier versions, 10.x and before, are not susceptible to exploitation either.

The obvious fix here is to update the program to the latest, non-vulnerable version. The devs do not mention any mitigation, and I cannot suggest one here, except for closing the solution's API to external access. This, however, may be problematic and will likely disrupt certain functionality.

The good news is that the vulnerability is not exploited in the wild. Progress is in no hurry to publish detailed information about how and why this all works, and no PoC exploits exist so far. Network reconnaissance tools like Shodan report only 53 vulnerable instances around the world. Though this is barely an accurate measurement, since such network monitoring tools are rarely exposed to the Web.

[Screenshot: vulnerable Flowmon instances around the world, according to data from Shodan]

Nonetheless, ignoring the flaw because of this is not a good idea. The majority of vulnerability exploitation happens after the public disclosure of the flaw. Sooner or later, attackers will find a way to put it to use, and be sure, you will not like the consequences. The less time you give them to attack, the less likely the attack is to happen.

New FritzFrog Botnet Sample Exploits Log4Shell and PwnKit
https://gridinsoft.com/blogs/fritzfrog-botnet-exploits-log4shell-pwnkit/
Fri, 02 Feb 2024 15:33:00 +0000

Researchers have detected a new sample of FritzFrog malware, which is known for creating significant botnets. The new sample includes functionality to exploit flaws in network assets, including the infamous Log4Shell vulnerability. As it turns out, even two years after its discovery and feverish updating, there are quite a few instances vulnerable to such attacks.

FritzFrog Botnet is Back, Spreads with Exploitation of Web Vulnerabilities

Research from Akamai Labs uncovers a version of FritzFrog malware armed with a set of exploitation capabilities. In the report they pay a lot of attention to its Log4Shell exploitation, which is performed in a rather unusual manner. Upon the discovery of this flaw, all corporations concentrated on patching the main elements of their network infrastructure. At the same time, internal network components based on Apache's Log4j were mostly ignored, as they are less likely to be attacked. Well, until now.

By abusing the lack of input sanitization during logging, FritzFrog is able to make the target execute arbitrary code. Before that, the malware scans for vulnerable network assets by probing ports 9000, 8090 and 8888. To make the vulnerable app instance execute the malicious code, the malware spams it with HTTP requests with the said code injected into the request headers. This way, the threat ensures that at least one command will make its way into the logs and be executed.

[Image: example of an HTTP header sent by a malicious LDAP server; every part of the header contains the malicious request]

Aside from the Log4Shell flaw, the malware also gained the ability to exploit PwnKit, a flaw in polkit, the privilege control utility present in the majority of Linux distributions. Abusing this flaw, FritzFrog makes itself run with the highest privileges possible, should it detect that it was launched with less than the maximum privilege level.

What is FritzFrog?

FritzFrog is a rather old malware sample, which has been tracked since March 2020. Being a peer-to-peer botnet tool, it quickly racked up a significant number of attacks. This rapid success, however, was followed by a halt in activity in September 2020. In December of the same year it resurfaced with even more violent activity, and appears to have been active ever since.

[Image: FritzFrog statistics, 2020]

Since its first days, it has used SSH brute forcing for self-propagation. It is actually surprising how many hosts open to Internet connections have weak login credentials even today. After a successful compromise, FritzFrog starts scanning thousands of other IP addresses, seeking other weakly protected servers. Aside from self-propagation, the malware is capable of delivering other malware, providing remote access to the infected environment, and performing DDoS attacks.

Protection Against SSH-Targeting Malware

Besides having a rather unique spreading approach, FritzFrog's infection vectors are nothing new. Attacking weakly protected servers through brute forcing is a decades-old tactic, and both of the vulnerabilities are from 2021. Patches for both flawed software packages are available: update them, and FritzFrog, along with other malware, will have far fewer chances to get in.

Methods to counteract SSH brute force are well known and easy to implement, too. Either set the instances to accept only trusted connections, or make them listen on a different port. Strong passwords add to overall security, but will not solve the server overload caused by the enormous number of login requests during a brute force attack. All security measures should work together; this makes them much more effective.
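The brute-force propagation described in the two passages above leaves a very recognisable trace in sshd's log, and spotting it early is what lets a blocking rule or an alert cut off the flood of login requests the post mentions. The following is an added example, not code from Akamai or from the Gridinsoft post: it parses a constructed syslog-format excerpt and applies a per-source sliding window, and it also shows the failure mode of that approach (a "low and slow" source that never crosses the threshold inside a short window). The log lines, host name, addresses, the assumed year 2024 and the thresholds are all assumptions of this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd log excerpt in syslog format (not real data), in chronological order.
# 203.0.113.5 hammers the host within seconds; 203.0.113.9 retries once every half
# hour ("low and slow"); 198.51.100.20 is a legitimate user who mistyped a password
# once and then logged in with a key.
SAMPLE_AUTH_LOG = """\
Feb 02 12:00:01 bastion sshd[2210]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Feb 02 12:00:03 bastion sshd[2211]: Failed password for invalid user test from 203.0.113.5 port 51240 ssh2
Feb 02 12:00:04 bastion sshd[2212]: Failed password for root from 203.0.113.5 port 51244 ssh2
Feb 02 12:00:06 bastion sshd[2213]: Failed password for root from 203.0.113.5 port 51250 ssh2
Feb 02 12:00:07 bastion sshd[2214]: Failed password for invalid user oracle from 203.0.113.5 port 51255 ssh2
Feb 02 12:00:09 bastion sshd[2215]: Failed password for invalid user ubuntu from 203.0.113.5 port 51260 ssh2
Feb 02 12:05:00 bastion sshd[2301]: Failed password for alice from 198.51.100.20 port 40010 ssh2
Feb 02 12:05:30 bastion sshd[2302]: Accepted publickey for alice from 198.51.100.20 port 40012 ssh2: ED25519 SHA256:CONSTRUCTEDFINGERPRINT
Feb 02 13:00:00 bastion sshd[2400]: Failed password for root from 203.0.113.9 port 60000 ssh2
Feb 02 13:30:00 bastion sshd[2401]: Failed password for root from 203.0.113.9 port 60001 ssh2
Feb 02 14:00:00 bastion sshd[2402]: Failed password for root from 203.0.113.9 port 60002 ssh2
Feb 02 14:30:00 bastion sshd[2403]: Failed password for root from 203.0.113.9 port 60003 ssh2
Feb 02 15:00:00 bastion sshd[2404]: Failed password for root from 203.0.113.9 port 60004 ssh2
Feb 02 15:30:00 bastion sshd[2405]: Failed password for root from 203.0.113.9 port 60005 ssh2
"""

LOG_YEAR = 2024  # syslog timestamps carry no year; assumed for the constructed sample

LINE_RE = re.compile(r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: (?P<msg>.*)$")
FAIL_RE = re.compile(r"^Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")


def failed_logins(text):
    """Yield (timestamp, user, source_ip) for every failed password attempt, in log order."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        f = FAIL_RE.match(m.group("msg"))
        if not f:  # successful logins and other sshd messages are not failures
            continue
        ts = datetime.strptime(f"{LOG_YEAR} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        yield ts, f.group("user"), f.group("ip")


def failures_per_ip(text):
    """Plain totals per source, useful for the slow attackers a short window misses."""
    totals = defaultdict(int)
    for _, _, ip in failed_logins(text):
        totals[ip] += 1
    return dict(totals)


def detect_brute_force(text, threshold=5, window_minutes=10):
    """Return {ip: time of first alert} for sources with >= threshold failures inside the window.

    A sliding window per source keeps memory bounded and reports the moment the
    threshold was crossed, which is what a blocking rule or an alert needs.
    """
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)
    alerts = {}
    for ts, _, ip in failed_logins(text):
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop attempts older than the window
            q.popleft()
        if len(q) >= threshold and ip not in alerts:
            alerts[ip] = ts
    return alerts


if __name__ == "__main__":
    print("totals:", failures_per_ip(SAMPLE_AUTH_LOG))
    print("burst attackers (10 min window):", detect_brute_force(SAMPLE_AUTH_LOG))
    print("with a 3-hour window:", detect_brute_force(SAMPLE_AUTH_LOG, window_minutes=180))
```

With the default 10-minute window only 203.0.113.5 is reported; widening the window to three hours also catches 203.0.113.9, at the cost of a larger per-source state. The legitimate user with a single typo never reaches the threshold, which is the point of using a count rather than alerting on every failure. The addresses the function returns are what you would feed to a firewall or allow-list, alongside the sshd-side measures the post lists (restricting sources, moving the port) and, where possible, `PasswordAuthentication no` in sshd_config so brute forcing has nothing to guess against.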

2 Citrix RCE Under Active Exploitation, CISA Notifies
https://gridinsoft.com/blogs/2-citrix-rce-exploited-cisa-updates/
Fri, 19 Jan 2024 11:37:19 +0000

CISA has given a timeframe of one to three weeks to fix three vulnerabilities related to Citrix NetScaler and Google Chrome. These zero-day vulnerabilities were actively used in cyber attacks.

2 Citrix RCEs Exploited In The Wild, CISA Urges to Update

On Wednesday, January 17, the Cybersecurity and Infrastructure Security Agency (CISA) issued an alert regarding three actively exploited vulnerabilities. The two that concern Citrix are CVE-2023-6548 and CVE-2023-6549. The agency immediately added these vulnerabilities to its Known Exploited Vulnerabilities Catalog and demanded that U.S. federal agencies patch them ASAP.

The first has a CVSS score of 5.5 and affects the NetScaler ADC and Gateway management interfaces; the deadline to fix it is January 24. As for the other two vulnerabilities, one of them can cause a denial-of-service condition under specific configurations. It concerns vulnerable Gateway appliances configured as VPN, ICA Proxy, CVPN or RDP Proxy services, or as AAA virtual servers. This vulnerability has a CVSS score of 8.2, higher than the previous one. Nonetheless, CISA has given three weeks to fix these two vulnerabilities.

So, why would you prioritize fixing a vulnerability with a lower CVSS score? When it is easy to exploit, that decision becomes obvious. While exploiting some maximum-CVSS vulnerabilities requires conditions close to laboratory ones, other issues take far less effort. It is no wonder CISA so strongly recommends that this vulnerability be fixed first and foremost.

Citrix RCE Vulnerability Details

CVE-2023-6548 is a medium-severity (CVSS score of 5.5) Remote Code Execution (RCE) vulnerability that affects Citrix NetScaler ADC and Gateway appliances. It allows an authenticated attacker with low-level privileges to execute code on the management interface of the affected devices via NSIP, SNIP, or CLIP.

Next, CVE-2023-6549 is a Denial of Service (DoS) vulnerability. It was also found in Citrix NetScaler ADC and has a CVSS score of 8.2. Threat actors can exploit it under specific configurations of vulnerable appliances. As mentioned, VPN, ICA Proxy, CVPN, RDP Proxy services, or an AAA virtual server are at risk. The vulnerability can disrupt services by overwhelming the system, leading to a denial-of-service condition.

Citrix Responds to New Vulnerabilities

Citrix promptly published an advisory and recommended that customers immediately apply updates for the affected versions. Customers using Citrix-managed cloud services or Adaptive Authentication are not required to take action. In addition, the company strongly recommends that network traffic to the appliance’s management interface be separated, either physically or logically, from regular network traffic, and that the management interface not be exposed to the internet, as outlined in its secure deployment guide.

9 PixieFail Vulnerabilities Discovered in TianoCore’s EDK II
https://gridinsoft.com/blogs/pixiefail-vulnerabilities-discovered/
Wed, 17 Jan 2024 18:06:42 +0000

A chain of 9 vulnerabilities in UEFI’s Preboot Execution Environment (PXE), dubbed PixieFail, was uncovered in recent research. As the network boot process is a rather novel attack vector, only a few of the vulnerabilities received high severity status. Nonetheless, their sheer number, along with their location in rather sensitive places, can create a mess if someone manages to exploit them in a chain.

Analysts Discover Numerous Vulnerabilities in TianoCore EDK II

The extensive research from Quarkslab uncovers a grand total of nine vulnerabilities in a widely used UEFI implementation from TianoCore, called EDK II. This open-source implementation of UEFI is used extensively by various corporations, both in their own machines and in the products they ship. Among other functions, it contains a network boot option and a whole set of related functionality, which is where all the vulnerabilities are concentrated.

Network boot itself relies on the Preboot Execution Environment (PXE), often shortened to Pixie boot. This component is, ultimately, the host of all nine security flaws. Not all vulnerabilities in the PixieFail collection are of the utmost severity, but for 3 of them NIST assigned a CVSS score of 8.3/10.

List of PixieFail Vulnerabilities

Vulnerability | Severity score | Description
CVE-2023-45229 | 6.5 | Out-of-bounds data read with a crafted DHCPv6 Advertise message
CVE-2023-45230 | 8.3 | Buffer overflow possibility using a crafted Server ID option
CVE-2023-45231 | 6.5 | Out-of-bounds data read with a specifically crafted ND Redirect message
CVE-2023-45232 | 7.5 | Possibility of throwing the machine into an infinite boot loop with a wrong Destination option header
CVE-2023-45233 | 7.5 | Possibility of throwing the machine into an infinite boot loop with a wrong PadN option
CVE-2023-45234 | 8.3 | Buffer overflow possibility using a crafted DNS Servers option
CVE-2023-45235 | 8.3 | Buffer overflow possibility using a crafted Server ID option from a DHCPv6 Advertise message
CVE-2023-45236 | 5.8 | Predictability of TCP Initial Sequence Number
CVE-2023-45237 | 5.3 | Weakness of the Pseudo Random Number Generator

As you can see, the list is rather long, with the buffer overflow vulnerabilities rated as the most severe. This is because such flaws can lead to arbitrary code execution, which is useful for both initial access and lateral movement within the environment. And since all of this happens almost on bare metal, the outcomes may be rather bad.
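Three of the table entries hinge on a Server ID or DNS Servers option in a DHCPv6 Advertise message whose declared length is larger than what the receiver actually holds. The Python below is an added illustration of the check that prevents this class of bug; it is not EDK II code and makes no claim about how the EDK II parser is written. It encodes a benign Advertise and two constructed malformed ones, then shows a parser that validates every option’s declared length against the bytes actually present, and afterwards against the size the option’s semantics permit, before using the data. The option codes, message type and DUID limit are the real RFC 8415 / RFC 3646 values; the sample messages are constructed.

```python
import ipaddress
import struct

# Protocol constants from RFC 8415 (DHCPv6) and RFC 3646 (DNS options): real values.
DHCP6_ADVERTISE = 2
OPTION_SERVERID = 2
OPTION_DNS_SERVERS = 23
MAX_DUID_LEN = 130  # 2-byte DUID type code + at most 128 octets of identifier (RFC 8415)


def build_option(code, data):
    """Encode one DHCPv6 option as code(2) | length(2) | data."""
    return struct.pack("!HH", code, len(data)) + data


def build_advertise(options, xid=b"\x12\x34\x56"):
    """Encode a minimal Advertise: msg-type(1) | transaction-id(3) | options."""
    return bytes([DHCP6_ADVERTISE]) + xid + options


def parse_dhcp6_options(payload):
    """Walk the TLV option list, refusing any option whose declared length overruns the message.

    The declared length is attacker-controlled; it must never be trusted to size a copy.
    """
    options = []
    off = 0
    while off < len(payload):
        if len(payload) - off < 4:
            raise ValueError(f"truncated option header at offset {off}")
        code, length = struct.unpack_from("!HH", payload, off)
        off += 4
        remaining = len(payload) - off
        if length > remaining:
            raise ValueError(f"option {code} declares {length} bytes but only {remaining} remain")
        options.append((code, payload[off:off + length]))
        off += length
    return options


def parse_advertise(msg):
    """Validate an Advertise and return its Server ID and DNS server list.

    Beyond the bounds check, each option is checked against the size its semantics allow:
    a DUID has a hard maximum, and the DNS Servers option must be whole IPv6 addresses.
    """
    if len(msg) < 4 or msg[0] != DHCP6_ADVERTISE:
        raise ValueError("not a DHCPv6 Advertise")
    result = {"server_id": None, "dns_servers": []}
    for code, data in parse_dhcp6_options(msg[4:]):
        if code == OPTION_SERVERID:
            if not 2 <= len(data) <= MAX_DUID_LEN:
                raise ValueError(f"Server ID option has invalid length {len(data)}")
            result["server_id"] = data
        elif code == OPTION_DNS_SERVERS:
            if len(data) == 0 or len(data) % 16 != 0:
                raise ValueError(f"DNS Servers option length {len(data)} is not a multiple of 16")
            result["dns_servers"] = [
                ipaddress.IPv6Address(data[i:i + 16]) for i in range(0, len(data), 16)
            ]
        # other options are skipped here; a real client validates each one the same way
    return result


def is_rejected(msg):
    """True when the parser refuses the message; handy for tests and quick checks."""
    try:
        parse_advertise(msg)
        return False
    except ValueError:
        return True


# Constructed sample messages (assumption: not captured traffic).
GOOD_DUID = b"\x00\x03\x00\x01\x00\x11\x22\x33\x44\x55"   # DUID-LL over Ethernet, 10 bytes
BENIGN_ADVERTISE = build_advertise(
    build_option(OPTION_SERVERID, GOOD_DUID)
    + build_option(OPTION_DNS_SERVERS, ipaddress.IPv6Address("2001:db8::53").packed)
)
# Server ID option whose header promises 65535 bytes that are not actually present.
OVERRUNNING_SERVERID = build_advertise(struct.pack("!HH", OPTION_SERVERID, 0xFFFF) + b"\x00\x01AAAA")
# DNS Servers option that is in bounds but not a whole number of 16-byte addresses.
RAGGED_DNS_SERVERS = build_advertise(build_option(OPTION_DNS_SERVERS, b"\x20\x01\x0d\xb8" * 5))

if __name__ == "__main__":
    print(parse_advertise(BENIGN_ADVERTISE))
    print("overrunning Server ID rejected:", is_rejected(OVERRUNNING_SERVERID))
    print("ragged DNS Servers rejected:", is_rejected(RAGGED_DNS_SERVERS))
```

The two checks are deliberately separate: the bounds check in `parse_dhcp6_options` is what stops a crafted length from driving a copy past the end of the buffer, while the per-option limits in `parse_advertise` stop an in-bounds but oversized option from overflowing a fixed-size field such as a DUID store, which is the second way a “crafted Server ID option” can go wrong.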

Vendors Offer Patches for PixieFail Vulnerabilities

Upon discovering the vulnerabilities back in early August 2023, Quarkslab contacted a selection of software vendors who use EDK II in their products, among them such known names as Arm, Insyde Software, Microsoft, American Megatrends and Phoenix Technologies. Over the following half a year, vendors, authorities and researchers worked on a fix without leaking any information before the fixes were implemented.

As a result, by January 16, 2024, when the detailed analysis from Quarkslab was published, all the notified vendors had fixed the issue. So, check for updates to your firmware; they may contain the patch that fixes PixieFail all at once.

Sierra AirLink Vulnerabilities Expose Critical Infrastructure
https://gridinsoft.com/blogs/sierra-airlink-21-vulnerabilities/
Wed, 06 Dec 2023 16:00:03 +0000

A grand total of 21 security flaws was discovered in the firmware of Sierra Wireless AirLink routers. The vulnerabilities allow remote code injection, unauthenticated access, DoS attacks, and more. As such network devices are commonly used in industrial manufacturing and similar applications, the impact of such attacks may be rather serious.

Sierra AirLink Routers Have 21 Vulnerabilities

As Forescout Vedere researchers describe in their research, the AirLink lineup of devices contains 21 software vulnerabilities. Among them, only one issue got a CVSS score over 9, which is considered critical. RCE vulnerabilities and a couple that may allow unauthorized access are rated 8.1 to 8.8. Several other noteworthy issues, particularly ones that cause denial of service, are rated at CVSS 7.5.

Vulnerability | Description | CVSS Score
CVE-2023-41101 | RCE vulnerability in OpenNDS | 9.6 (Critical)
CVE-2023-38316 | RCE vulnerability in OpenNDS | 8.8
CVE-2023-40461 | XSS vulnerability in ACEmanager | 8.1
CVE-2023-40464 | Unauthorized Access in ALEOS firmware | 8.1
CVE-2023-40463 | Unauthorized Access in ALEOS firmware | 8.1

The researchers gave a detailed description of the potential exploitation cases for two of the most critical vulnerabilities. For CVE-2023-41101, an attacker can take over the router by overflowing a buffer in the OpenNDS captive portal. Because of the lack of a length limit on GET requests, it is possible to make the router execute arbitrary code. By controlling the router, adversaries can disrupt the operations related to that interface.

CVE-2023-41101 exploitation

#2 in the list, CVE-2023-40463, requires an attacker to possess a router similar to the one they want to attack. By digging through the device’s software and applying some hash cracking magic, it is possible to obtain the diagnostic shell password. Then, with a bit of social engineering, adversaries may connect to the actual router and enter its diagnostic interface using the password obtained earlier. With such access, it is possible to inject malware into the router, force it to malfunction, or execute commands on it remotely.

Available Mitigations

Despite such a worrying number of exploitable flaws, all of them reportedly receive a fix in the latest version of the firmware for AirLink devices. ALEOS 4.17.0 should address all the flaws, and if incompatibilities get in the way, customers may stick to version 4.9.9. The latter is not affected by the named vulnerabilities, except for the ones that concern the OpenNDS captive portal.

The researchers who found the issues also offer their own mitigations, which allow the patch installation to be delayed. Though, as usually happens with stopgap solutions, they are not ideal and do not guarantee the effect.

  1. Disable unused captive portals and related services, or put them under restricted access. This reduces the attack surface for the vulnerabilities that target OpenNDS.
  2. Use a web application firewall to filter requests and block packets from suspicious sources. This mitigation works against the XSS and DoS vulnerabilities.
  3. Change the default SSL certificates. Forescout recommends doing this for all routers, not only Sierra Wireless ones.
  4. Implement an intrusion detection system that also monitors IoT/OT devices. This allows control of both connections from outside the network and those within it.

What are Sierra AirLink Routers?

Have you ever wondered how the Wi-Fi in public transport works? Or how all the machinery in a huge workshop is connected and centrally managed even though it is not static? Well, Sierra’s devices are the answer. Their routers are industrial-grade wireless connectivity devices used in dozens of industries, from public transportation all the way up to aerospace & defense.

Sierra Airlink stats by countries

What is particularly concerning in this story is the extensive use of AirLink routers in critical infrastructure. Factories and transportation are important, though not as continuously demanded as water treatment, emergency services and energy management. And since IoT more and more often attracts hackers’ attention, action should be taken immediately. Considering the extensive use of vulnerable AirLink devices in the US, they may be the perfect Achilles’ heel for cyberattacks that target critical infrastructure and even government.
