Sep 14 2024

How to make Infrastructure as Code secure by default

The article explains how to enhance the security of Infrastructure as Code (IaC) by default. It emphasizes integrating security policies into CI/CD pipelines, automating IaC scanning, and using the application as the source of truth for infrastructure needs. It highlights the risks of manual code handling, such as human error and outdated templates, and discusses the challenges of automated remediation. The solution lies in abstracting IaC using tools that generate infrastructure based on application needs, ensuring secure, compliant infrastructure.

Read more here.

Making Infrastructure as Code (IaC) secure is crucial for maintaining the security of cloud environments and preventing vulnerabilities from being introduced during deployment. Here are some best practices to ensure the security of IaC:

1. Use Secure IaC Tools

  • Trusted Providers: Use reputable IaC tools like Terraform, AWS CloudFormation, or Ansible that have strong security features.
  • Keep Tools Updated: Ensure that your IaC tools and associated libraries are always updated to the latest version to avoid known vulnerabilities.

2. Secure Code Repositories

  • Access Control: Limit access to IaC repositories to authorized personnel only, using principles of least privilege.
  • Use Git Best Practices: Use branch protection rules, mandatory code reviews, and signed commits to ensure that changes to IaC are audited and authorized.
  • Secrets Management: Never hardcode sensitive information (like API keys or passwords) in your IaC files. Use secret management solutions like AWS Secrets Manager, HashiCorp Vault, or environment variables.

3. Enforce Security in Code

  • Static Code Analysis (SAST): Use tools like Checkov, TFLint, or Terraform Sentinel to analyze your IaC for misconfigurations, like open security groups or publicly accessible S3 buckets.
  • Linting and Formatting: Enforce code quality using linters (e.g., tflint for Terraform) that check for potential security misconfigurations early in the development process.

4. Follow Least Privilege for Cloud Resources

  • Role-based Access Control (RBAC): Configure your cloud resources with the minimum permissions needed. Avoid overly permissive IAM roles or policies, such as using wildcard * permissions.
  • Security Groups: Ensure that security groups and firewall rules are configured to limit network access to only what is required.

5. Monitor and Audit IaC Changes

  • Version Control: Use version control systems like Git to track changes to your IaC. This helps maintain audit trails and facilitates rollbacks if needed.
  • Automated Testing: Implement continuous integration (CI) pipelines to automatically test and validate IaC changes before deployment. Include security tests in your pipeline.

6. Secure IaC Execution Environment

  • Control Deployment Access: Limit access to the environment where the IaC code will be executed (e.g., Jenkins, CI/CD pipelines) to authorized personnel.
  • Use Signed IaC Templates: Ensure that your IaC templates or modules are signed to verify their integrity.

7. Encrypt Data

  • Data at Rest and In Transit: Ensure that all sensitive data, such as configuration files, is encrypted using cloud-native encryption solutions (e.g., AWS KMS, Azure Key Vault).
  • Use SSL/TLS: Use SSL/TLS certificates to secure communication between services and prevent man-in-the-middle (MITM) attacks.

8. Regularly Scan for Vulnerabilities

  • Security Scanning: Regularly scan your IaC code for known vulnerabilities and misconfigurations using security scanning tools like Trivy or Snyk IaC.
  • Penetration Testing: Conduct regular penetration testing to identify weaknesses in your IaC configuration that might be exploited by attackers.

9. Leverage Policy as Code

  • Automate Compliance: Use policy-as-code frameworks like Open Policy Agent (OPA) to define and enforce security policies across your IaC deployments automatically.

10. Train and Educate Teams

  • Security Awareness: Ensure that your teams are trained in secure coding practices and are aware of cloud security principles.
  • IaC-Specific Training: Provide training specific to the security risks of IaC, including common misconfigurations and how to avoid them.

By integrating security into your IaC practices from the beginning, you can prevent security vulnerabilities from being introduced during the deployment process and ensure that your cloud infrastructure remains secure.

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot

Tags: Secure By Design, Secure Code, Secure Infrastructure


Aug 19 2024

Azure Kubernetes Services Vulnerability Let Attackers Escalate Privileges

Category: Least Privilege,Security vulnerabilitiesdisc7 @ 9:34 pm

The configuration contained transport layer security (TLS) bootstrap tokens that the attacker could extract and use to perform a TLS bootstrap attack. This would grant the attacker the ability to read all secrets within the cluster.

Notably, the attack did not require the compromised Pod to be running with hostNetwork enabled or as the root user. This significantly expanded the attack surface.

The attack involved accessing the undocumented Azure WireServer component at http://168.63.129.16/machine/?comp=goalstate and the HostGAPlugin endpoint at http://168.63.129.16:32526/vmSettings.

The attacker could retrieve a key from the WireServer to decrypt protected settings values. They could then request the JSON document from HostGAPlugin, parse it, and Base64 decode it to obtain the encrypted provisioning script (protected_settings.bin).

Using the WireServer key, the attacker could decrypt protected_settings.bin to access the cluster’s provisioning script (cse_cmd.sh). This script contained several secrets as environment variables, including:

  • KUBELET_CLIENT_CONTENT – Generic Node TLS Key
  • KUBELET_CLIENT_CERT_CONTENT – Generic Node TLS Certificate
  • KUBELET_CA_CRT – Kubernetes CA Certificate
  • TLS_BOOTSTRAP_TOKEN – TLS Bootstrap Authentication Token

Exploiting the Vulnerability

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot

Tags: Azure Kubernetes


Jul 10 2024

Attackers Already Exploiting Flaws in Microsoft’s July Security Update

Category: Cyber Attack,Security vulnerabilitiesdisc7 @ 10:12 am

Microsoft has given administrators plenty of work to do with July’s security update that contains patches for a brutal 139 unique CVEs, including two that attackers are actively exploiting and one that’s publicly known but remains unexploited for the moment.

The July update contains fixes for more vulnerabilities than the previous two monthly releases combined and addresses issues that left unmitigated could enable remote code execution, privilege escalation, data theft, security feature bypass, and other malicious activities. The update included patches for four non-Microsoft CVEs, one of which is a publicly known Intel microprocessor vulnerability.

Lack of Details Heighten Urgency to Fix Zero-Days

One of the zero-day vulnerabilities (CVE-2024-38080) affects Microsoft’s Windows Hyper-V virtualization technology and allows an authenticated attacker to execute code with system-level privileges on affected systems. Though Microsoft has assessed the vulnerability as being easy to exploit and requiring no special privileges or user interaction to exploit, the company has given it only a moderate — or important — severity rating of 6.8 on the 10-point CVSS scale.

As is typical, Microsoft provided scant information on the flaw in its release notes. But the fact that attackers are already actively exploiting the flaw is reason enough to patch now, said Kev Breen, senior director threat research at Immersive Labs, in an emailed comment. “Threat hunters would benefit from additional details, so that they can determine if they have already been compromised by this vulnerability,” he said.

The other zero-day bug, tracked as CVE-2024-38112, affects the Windows MSHTML Platform (aka Trident browser engine) and has a similarly moderate CVSS severity rating of 7.0. Microsoft described the bug as a spoofing vulnerability that an attacker could exploit only by convincing a user to click on a malicious link.

That description left some wondering about the actual nature of the threat it represented. “This bug is listed as ‘spoofing’ for the impact, but it’s not clear exactly what is being spoofed,” Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative (ZDI), wrote in a blog post. “Microsoft has used this wording in the past for NTLM relay attacks, but that seems unlikely here.”

Rob Reeves, principal cybersecurity engineer at Immersive Labs, viewed the vulnerability as likely enabling remote code execution but potentially complex to exploit, based on Microsoft’s sparse description. “Exploitation also likely requires the use of an ‘attack chain’ of exploits or programmatic changes on the target host,” he said in prepared comments. “But without further information from Microsoft or the original reporter … it is difficult to give specific guidance.”

Other High-Priority Bugs

The two bugs that were publicly known prior to Microsoft’s July update — and hence are also technically zero-day flaws — are CVE-2024-35264, a remote code execution vulnerability in .Net and Visual Studio, and CVE-2024-37985, which actually is a third-party (Intel) CVE that Microsoft has integrated into its release.

In all, Microsoft rated just four of the flaws in its enormous update as being of critical severity. Three are of them, each with a near maximum severity rating of 9.8 on 10, affect the Windows Remote Desktop Licensing Service component that manages client access licenses (CALs) for remote desktop services. The vulnerabilities, identified as CVE-2024-38076CVE-2024-38077, and CVE-2024-38089, all enable remote code execution and should be on the top of the list of bugs to prioritize this month. “Exploitation of this should be straightforward, as any unauthenticated user could execute their code simply by sending a malicious message to an affected server,” Child said in his post.

Microsoft wants organizations to disable the Remote Desktop Licensing Service if they are not using it. The company also recommends organizations immediately install the patches for the three vulnerabilities even if they plan to disable the service.

One eyebrow-raising aspect in this month’s Microsoft security update is the number of unique CVEs that affect Microsoft SQL Server — some 39, or more than a quarter of the 139 disclosed vulnerabilities. “Thankfully, none of them are critical based on their CVSS scores and they’re all listed as ‘Exploitation Less Likely,'” saysTyler Reguly, associate director of security R&D at Fortra. “Even with those saving graces, there are still a lot of CVSS 8.8 vulnerabilities that SQL Server customers will be looking to patch,” he noted.

As has been the trend in recent months, there were 20 elevation of privilege (EoP) bugs in this month’s update, slightly outnumbering remote code execution vulnerabilities (18). Though Microsoft and other software vendors often tend to rate EoP bugs overall as being less severe than remote code execution vulnerabilities, security researchers have advocated that security teams pay equal attention to both. That’s because privilege escalation bugs often allow attackers to take complete admin control of affected systems and wreak the same kind of havoc as they would by running arbitrary code on it remotely.

https://www.darkreading.com/application-security/attackers-already-exploiting-flaws-in-microsofts-july-security-update

SOURCE: ANUCHA CHEECHANG VIA SHUTTERSTOCK

Zero Day: Novice No More: Expose Software Vulnerabilities And Eliminate Bugs

This Is How They Tell Me the World Ends: The Cyberweapons Arms Race

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot

Tags: Microsoft's Security Update


Jun 28 2024

Your Phone’s 5G Connection Is Vulnerable to Bypass, DoS Attacks

Category: DDoS,Security vulnerabilities,Smart Phonedisc7 @ 9:33 am

https://www.darkreading.com/mobile-security/your-phone-s-5g-connection-is-exposed-to-bypass-dos-attacks

SOURCE: PETER GALLEGHAN VIA ALAMY STOCK PHOTO

Mobile devices are at risk of wanton data theft and denial of service, thanks to vulnerabilities in 5G technologies.

At the upcoming Black Hat 2024 in Las Vegas, a team of seven Penn State University researchers will describe how hackers can go beyond sniffing your Internet traffic by literally providing your Internet connection to you. From there, spying, phishing, and plenty more are all on the table.

It’s a remarkably accessible form of attack, they say, involving commonly overlooked vulnerabilities and equipment you can buy online for a couple of hundred dollars.

Step 1: Set Up a Fake Base Station

When a device first attempts to connect with a mobile network base station, the two undergo an authentication and key agreement (AKA). The device sends a registration request, and the station replies with requests for authentication and security checks.

Though the station vets the phone, the phone does not initially vet the station. Its legitimacy is essentially accepted as a given.

“Base stations advertise their presence in a particular area by broadcasting ‘sib1’ messages every 20 milliseconds, or 40 milliseconds, and none of those broadcast messages have authentication, or any kind of security mechanisms,” explains Penn State assistant professor Syed Rafiul Hussain. “They’re just plaintext messages. So there’s no way that a phone or a device can check whether it’s coming from a fake tower.”

Setting up a fake tower isn’t as tall a task as it might seem. You just need to mimic a real one using a software-defined radio (SDR). As Kai Tu, another Penn State research assistant points out, “People can purchase them online — they’re easy to get. Then you can get some open source software (OSS) to run on it, and this kind of setup can be used as a fake base station.” Expensive SDRs might cost tens of thousands of dollars, but cheap ones that get the job done are available for only a few hundred.

It might seem counterintuitive that a small contraption could seduce your phone away from an established commercial tower. But a targeted attack with a nearby SDR could provide even greater 5G signal strength than a tower servicing thousands of other people at the same time. “By their nature, devices try to connect to the best possible cell towers — that is, the ones providing the highest signal strength,” Hussain says.

Step 2: Exploit a Vulnerability

Like any security process, AKA can be exploited. In the 5G modem integrated in one popular brand of mobile processor, for example, the researchers found a mishandled security header that an attacker could use to bypass the AKA process entirely.

This processor in question is used in the majority of devices manufactured by two of the world’s biggest smartphone companies. Dark Reading has agreed to keep its name confidential.

After having attracted a targeted device, an attacker could use this AKA bypass to return a maliciously crafted “registration accept” message and initiate a connection. At this point the attacker becomes the victim’s Internet service provider, capable of seeing everything they do on the Web in unencrypted form. They can also engage the victim by, for example, sending a spear phishing SMS message, or redirecting them to malicious sites.

Though AKA bypass was the most severe, the researchers discovered other vulnerabilities that would allow them to determine a device’s location, and perform denial of service (DoS).

How to Secure 5G

The Penn State researchers have reported all the vulnerabilities they discovered to their respective mobile vendors, which have all since deployed patches.

A more permanent solution, however, would have to begin with securing 5G authentication. As Hussain says, “If you want to ensure the authenticity of these broadcast messages, you need to use public key infrastructure (PKI). And deploying PKI is expensive — you need to update all of the cell towers. And there are some non-technical challenges. For example, who will be the root certificate authority of the public keys?”

It’s unlikely that such an overhaul will happen any time soon, as 5G systems were knowingly built to transmit messages in plaintext for specific reasons.

“It’s a matter of incentives. Messages are sent in milliseconds, so if you incorporate some kind of cryptographic mechanism, it will increase the computational overhead for the cell tower and for the user device. Computational overhead is also associated with time, so performance-wise it will be a bit slower,” Hussain explains.

Perhaps the performance incentives outweigh security ones. But whether it be via a fake cell tower, Stingray device, or any other means, “They all exploit this feature — the lack of authentication of the initial broadcast messages from the cell towers.”

“This is the root of all evil,” Hussain adds.

Mastering 5G Network Design, Implementation, and Operations: A comprehensive guide to understanding, designing, deploying, and managing 5G networks

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot

Tags: 5G Connection


Apr 29 2024

PoC Exploit Released For Windows Kernel EoP Vulnerability

Category: Security vulnerabilities,Windows Securitydisc7 @ 7:22 am

Microsoft released multiple product security patches on their April 2024 Patch Tuesday updates.

One of the vulnerabilities addressed was CVE-2024-26218, associated with the Windows Kernel Privilege Escalation vulnerability, which had a severity of 7.8 (High). 

This vulnerability relates to a TOCTOU (Time-of-Check Time-of-Use)Race Condition that could be exploited.

Successful exploitation of this vulnerability could allow a threat actor to gain SYSTEM privileges.

This vulnerability existed in multiple versions of Windows 10, Windows 11, and Windows Server (2019, 2022). 

However, Microsoft has patched this vulnerability, and users are advised to update their Operating Systems accordingly.

Technical Analysis

proof of concept for this vulnerability has been published in GitHub which consists of a DEF file, a EXP file, a LIB file and an SLN file.

Additionally, another folder was found on the repository, which had a C file, a VCXPROJ file, and a VCXPROJ filters file.

On investigating further, an explanation of this vulnerability was provided by the researcher who discovered this proof of concept.

The explanation suggests that this vulnerability exists due to a double fetch performed by the PspBuildCreateProcessContext function in Windows.

When creating a process, multiple attributes are created and provided to NtCreateUserProcess syscall via PS_ATTRIBUTE_LIST, an array of PS_ATTRIBUTE structures.

This list of attributes will reside in the user mode memory which are then processed by the PspBuildCreateProcessContext function.

As a matter of fact, this function contains a large number of scenarios for handling every attribute type it processes.

On looking deep into it, it was discovered that this PspBuildCreateProcessContext function performs a double-fetch of the Size field when handling the PsAttributeMitigationOptions and PsAttributeMitigationAuditOptions attribute types.

This is where the race condition exists in which the value of the Size field can be changed between the fetches that could potentially result in a stack buffer overflow.

Though this vulnerability has a proof of concept code in GitHub, there is no explanation of exploitation provided.

Windows 23H2 edition code (Source: Exploit for Sale)
Windows 24H2 Edition code (Source: Exploit for Sale)

Affected Products And Fixed In Versions

ProductFixed in Build Number
Windows 10 Version 22H2 for 32-bit Systems10.0.19045.4291
Windows 10 Version 22H2 for ARM64-based Systems10.0.19045.4291
Windows 10 Version 22H2 for x64-based Systems10.0.19045.4291
Windows Server 2022, 23H2 Edition (Server Core installation)10.0.25398.830
Windows 11 Version 23H2 for x64-based Systems10.0.22631.3447
Windows 11 Version 23H2 for ARM64-based Systems10.0.22631.3447
Windows 11 Version 22H2 for x64-based Systems10.0.22621.3447
Windows 11 Version 22H2 for ARM64-based Systems10.0.22621.3447
Windows 10 Version 21H2 for x64-based Systems10.0.19044.4291
Windows 10 Version 21H2 for ARM64-based Systems10.0.19044.4291
Windows 10 Version 21H2 for 32-bit Systems10.0.19044.4291
Windows 11 version 21H2 for ARM64-based Systems10.0.22000.2899
Windows 11 version 21H2 for x64-based Systems10.0.22000.2899
Windows Server 2022 (Server Core installation)10.0.20348.2402
Windows Server 202210.0.20348.2402
Windows Server 2019 (Server Core installation)10.0.17763.5696
Windows Server 201910.0.17763.5696
Windows 10 Version 1809 for ARM64-based Systems10.0.17763.5696
Windows 10 Version 1809 for x64-based Systems10.0.17763.5696
Windows 10 Version 1809 for 32-bit Systems10.0.17763.5696

It is recommended that users of these vulnerable versions upgrade to the latest versions to prevent threat actors from exploiting this vulnerability.

PoC or GTFO

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot

Tags: PoC Exploit


Apr 24 2024

PoC for critical Progress Flowmon vulnerability released (CVE-2024-2389)

Category: Security vulnerabilitiesdisc7 @ 9:57 am

More details of and a proof-of-concept exploit for an unauthenticated OS command injection vulnerability (CVE-2024-2389) in Flowmon, Progress Software’s network monitoring/analysis and security solution, have been published.

The critical vulnerability has been disclosed and patched by Progress earlier this month. “Currently, we have not received any reports that this vulnerability has been exploited, and we are not aware of any direct impacts on customers,” the company says in an advisory that was last updated on Friday.

According to Progress Software, more than 1,500 organizations from all over the world use Flowmon for network monitoring and anomaly detection. Sega, TDK, and Kia are on the list.

About CVE-2024-2389

CVE-2024-2389 is command injection vulnerability affecting Flowmon versions 11.x and 12.x, but not versions 10.x and lower.

“Unauthenticated, remote attackers can gain access to the web interface of Flowmon to issue a carefully crafted API command that will allow arbitrary system commands to be executed without authentication,” the company explained.

The vulnerability was discovered and reported to Progress by David Yesland, a penetration tester at Rhino Security Labs, who detailed the discovery in a blog post published on Tuesday.

He noted that once the vulnerability is exploited and command execution is achieved, “the application runs as the ‘flowmon’ user so command will be executed as this user. The flowmon user can run several commands with sudo and several of the commands can be abused to obtain a root shell.”

Rhino Security Labs published a PoC exploit and has created a module that will soon be merged into Metasploit.

Firemon customers are advised to upgrade to one of the patched versions – v12.3.5 or 11.1.14 – as soon as possible, and to then upgrade all Flowmon modules.

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot

Tags: CVE-2024-2389, PoC


Mar 19 2024

PoC exploit for critical Fortra FileCatalyst MFT vulnerability released (CVE-2024-25153)

Category: Security vulnerabilitiesdisc7 @ 6:21 pm

Proof-of-concept (PoC) exploit code for a critical RCE vulnerability (CVE-2024-25153) in Fortra FileCatalyst MFT solution has been published.

About CVE-2024-25153

Fortra FileCatalyst is an enterprise managed file transfer (MFT) software solution that includes several components: FileCatalyst Direct, Workflow, and Central.

CVE-2024-25153 is a directory traversal vulnerability in FileCatalyst Workflow’s web portal that could allow a remote authenticated threat actor to execute arbitrary code on vulnerable servers.

“A directory traversal within the ‘ftpservlet’ of the FileCatalyst Workflow Web Portal allows files to be uploaded outside of the intended ‘uploadtemp’ directory with a specially crafted POST request. In situations where a file is successfully uploaded to web portal’s DocumentRoot, specially crafted JSP files could be used to execute code, including web shells,” the company noted in the advisory.

The vulnerability was first discovered in August 2023 and patched a few days later in the FileCatalyst version 5.1.6 Build 114, but had no CVE identifier at the time.

The identifier was assigned after Fortra became a CVE Numbering Authority (CNA) in December 2023.

The company and Tom Wedgbury, the security researcher that discovered and reported the flaw, planned its coordinated disclosure in March 2024.

CVE-2024-25153 PoC exploit released

Fortra’s security advisory and Wedgbury’s blog post with technical details and the PoC have been published on Wednesday.

There are currently no indications of the vulnerability being exploited in the wild, but organizations are nevertheless advised to apply the available patch (if they haven’t already).

When a PoC for a critical authentication bypass vulnerability (CVE-2024-0204) in Fortra’s GoAnywhere MFT solution was recently made public, exploit attempts began soon after.

In late January 2023, the Cl0p ransomware group leveraged a zero-day vulnerability (CVE-2023-0669) in the same solution, and stole data of over 130 victim organizations.

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: PoC exploit code


Feb 03 2024

HACKING DEBIAN, UBUNTU, REDHAT& FEDORA SERVERS USING A SINGLE VULNERABILITY IN 2024

Category: Hacking,Linux Security,Security vulnerabilitiesdisc7 @ 11:47 am

The recent discovery of a significant flaw in the GNU C Library (glibc), a fundamental component of major Linux distributions, has raised serious security concerns. This flaw grants attackers root access, posing a critical threat to the security of Linux systems.

  • Vulnerability in GNU C Library (glibc): The GNU C Library, commonly known as glibc, is an essential part of Linux distributions. It provides the core libraries for the system, including those used for file handling, mathematical computations, and system calls.
  • Root Access Granted: The flaw discovered in glibc allows attackers to gain full root access to Linux machines. Root access means having complete control over the system, enabling an attacker to perform any action, including installing software, accessing all files, and modifying system configurations.

CVE ID: CVE-2023-6246

  • Description: This vulnerability is related to a dynamic memory buffer overflow and is classified as a Local Privilege Escalation (LPE) issue. It was found in glibc’s __vsyslog_internal() function, which is called by the widely-used syslog and vsyslog functions.
  • Impact: The flaw allows unprivileged attackers to gain root access on various major Linux distributions in their default configurations. This level of access can enable attackers to take complete control over the affected system.
  • Severity: Given its potential for granting root access, this vulnerability is considered highly severe.

HOW THE FLAW WORKS

  • Local Privilege Escalation: The vulnerability is a local privilege escalation (LPE) issue. This means that an attacker who already has access to the system (even with limited privileges) can exploit this flaw to gain root-level access.
  • Exploitation Requirements: To exploit this flaw, attackers need a Set-User-ID (SUID) binary. SUID is a special type of file permission that allows users to execute a program with the permissions of the file owner, which in many cases is the root user.

IMPACT AND SEVERITY

  • Widespread Impact: Given the ubiquitous use of glibc in Linux distributions, the impact of this vulnerability is widespread, affecting a vast number of systems and applications.
  • High Severity: The flaw is considered high severity due to its potential to grant attackers complete control over the affected systems.

MITIGATION AND RESPONSE

  • Disabling SUID Binaries: One suggested mitigation is to disable SUID binaries using “no new privileges” mode, which can be implemented with tools like systemd or bwrap.
  • Patch and Update: Users and administrators are urged to apply patches and updates provided by their Linux distribution as soon as they become available. Staying updated is crucial in preventing the exploitation of this vulnerability.

The discovery of the glibc flaw that grants root access to major Linux distributions is a stark reminder of the importance of system security and the need for constant vigilance. Users and administrators must take immediate action to mitigate the risk by applying patches and employing security best practices. As Linux continues to be a backbone for many systems and networks, ensuring its security is paramount for the integrity of countless applications and services.

Linux Basics for Hackers: Getting Started with Networking, Scripting, and Security in Kali

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: HACKING DEBIAN, REDHAT& FEDORA, UBUNTU


Dec 19 2023

SSH vulnerability exploitable in Terrapin attacks (CVE-2023-48795)

Category: Security vulnerabilitiesdisc7 @ 8:32 am

Security researchers have discovered a vulnerability (CVE-2023-48795) in the SSH cryptographic network protocol that could allow an attacker to downgrade the connection’s security by truncating the extension negotiation message.

The Terrapin attack

Terrapin is a prefix truncation attack targeting the SSH protocol.

“By carefully adjusting the sequence numbers during the handshake, an attacker can remove an arbitrary amount of messages sent by the client or server at the beginning of the secure channel without the client or server noticing it,” researchers Fabian Bäumer, Marcus Brinkmann and Jörg Schwenk of Ruhr-Universität Bochum have found.

Aside from downgrading the SSH connection’s security by forcing it to use less secure client authentication algorithms, the attack can also be used to exploit vulnerabilites in SSH implementations.

“For example, we found several weaknesses [CVE-2023-46445, CVE-2023-46446] in the AsyncSSH servers’ state machine, allowing an attacker to sign a victim’s client into another account without the victim noticing. Hence, it will enable strong phishing attacks and may grant the attacker Man-in-the-Middle (MitM) capabilities within the encrypted session.”

To pull of a Terrapin attack, though, the attacker must already be able to intercept and modify the data sent from the client or server to the remote peer, they pointed out, making it more feasible to be performed on the local network.

“Besides that, we also require the use of a vulnerable encryption mode. Encrypt-then-MAC and ChaCha20-Poly1305 have been introduced by OpenSSH over 10 years ago. Both have become the default for many years and as such spread across the SSH ecosystem. Our scan indicated that at least 77% of SSH servers on the internet supported at least one mode that can be exploited in practice.”

More details about their findings can be found in their paper and on a dedicated website.

Patches released or incoming

The researchers have contacted nearly 30 providers of various SSH implementations and shared their research so they may provide fixes before publication.

“Many vendors have updated their SSH implementation to support an optional strict key exchange. Strict key exchange is a backwards-incompatible change to the SSH handshake which introduces sequence number resets and takes away an attacker’s capability to inject packets during the initial, unencrypted handshake,” they shared.

But it will take a while for all clients and servers out there to be updated – and both “parties” must be for the connection to be secure against the Terrapin attack.

Vendors/maintainers of affected implementations, applications and Linux distros have been pushing out fixes: AsyncSSHLibSSHOpenSSHPuTTYTransmitSUSE, and others.

Administrators can also use the Terrapin Vulnerability Scanner to determine whether an SSH client or server is vulnerable.

“The scanner connects to your SSH server (or listens for an incoming client connection) to detect whether vulnerable encryption modes are offered and if the strict key exchange countermeasure is supported. It does not perform a fully-fledged handshake, nor does it actually perform the attack,” they explained.

Mastering Linux Security and Hardening: Protect your Linux systems from intruders, malware attacks, and other cyber threats

SSH Mastery: OpenSSH, PuTTY, Tunnels and Keys 

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: Terrapin attacks


Dec 08 2023

TA422 Hackers Attack Organizations Using Outlook & WinRAR Vulnerabilities

Category: Hacking,Security vulnerabilitiesdisc7 @ 11:18 am

Hackers exploit Outlook and WinRAR vulnerabilities because these widely used software programs are lucrative targets. 

Outlook vulnerabilities offer:-

  • Access to sensitive emails 
  • Access to sensitive information

WinRAR vulnerabilities provide an entry point to manipulate compressed files, potentially executing malicious code on a victim’s system.

Cybersecurity researchers at Proofpoint recently discovered that the TA422 APT Group is actively exploiting the Outlook and WinRAR vulnerabilities to attack organizations.

Exploiting Of Patched Vulnerabilities

Since March 2023, Proofpoint found Russian APT TA422 using patched vulnerabilities to target Europe and North America. The TA422 APT group is linked to the following groups and tied to the Russian GRU by the US Intelligence Community:-

While engaging in typical targeted actions, TA422 showed an unexpected surge in emails exploiting CVE-2023-23397, a Microsoft Outlook vulnerability, sending over 10,000 emails to diverse sectors. 

Besides this, the operators of the TA422 APT group also exploited a WinRAR vulnerability, CVE-2023-38831, in their campaigns.

TA422 launched massive campaigns in March 2023, exploiting CVE-2023-23397 against targets in:-

  • Europe
  • North America

Earlier, they targeted Ukrainian entities in April 2022 using the same exploit. Proofpoint noticed a significant surge in activity, with over 10,000 attempts to exploit a Microsoft Outlook vulnerability during late summer 2023. 

It’s unclear if this was a mistake or a deliberate effort to gather target credentials. TA422 re-targeted higher education and manufacturing users, suggesting these entities are priority targets. 

In the late summer campaign, TA422 used an appointment attachment with a fake file extension, leading to an SMB listener on a compromised Ubiquiti router. 

This router acted as an NTLM listener, recording inbound credential hashes without extensive network engagement when Outlook processed the attachment.

Late summer 2023 sample of TA422 phishing email. (Source – Proofpoint)

Proofpoint’s tracking of Portugalmail addresses revealed more TA422 activity. In September 2023, TA422 exploited WinRAR vulnerability CVE-2023-32231 in two campaigns, using different Portugalmail addresses and spoofing geopolitical entities. 

Emails with BRICS Summit and European Parliament meeting subjects contained RAR attachments dropping a .cmd file. 

The file modified proxy settings downloaded a lure document, and connected to an IP-literal Responder server. The server, likely a compromised Fortigate FortiOS Firewall, initiated the NTLM credential exchange.

Lure document from the September 1, 2023 campaign. (Source – Proofpoint)

Between September and November 2023, Proofpoint tracked TA422 campaigns using Portugalmail and Mockbin for redirection.

Mockbin campaign lure documents. (Source – Proofpoint)

Targeting government and defense sectors, TA422 employed Mockbin to lead victims to InfinityFree domains. After browser fingerprinting, victims were directed to InfinityFree, initiating a chain of activity.

Despite the exploitation of disclosed vulnerabilities like CVE-2023-23397 and CVE-2023-38831, TA422 persists, likely relying on unpatched systems for continued success.

IOCs

IOCs (Source – Proofpoint)

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: Outlook Vulnerabilities, WinRAR Vulnerabilities


Nov 02 2023

CVSS 4.0 EXPLAINED: FROM COMPLEXITY TO CLARITY IN VULNERABILITY ASSESSMENT

Category: Security vulnerabilitiesdisc7 @ 4:07 pm

The Common Vulnerability Scoring System (CVSS) has been updated to version 4.0, which has been formally announced by the Forum of Incident Response and Security Teams (FIRST). This update comes eight years after the debut of CVSS v3.0, the previous version of the system. At its 35th annual conference, which took place in June in Montreal, Canada, FIRST presented CVSS 4.0 to the attendees. The Common Vulnerability Scoring System, also known as CVSS, is a standardised framework for evaluating the severity of software vulnerabilities. It does this by assigning numerical scores or qualitative labels (such as low, medium, high, and critical) based on factors such as exploitability, impact on confidentiality, integrity, availability, and required privileges, with higher scores indicating more severe vulnerabilities.

The Common Vulnerability Scoring System, more often referred to as CVSS, is a methodology that provides a framework for evaluating and conveying the severity of software vulnerabilities. It offers a standardised way that organisations and security experts may use to analyse vulnerabilities based on the characteristics of the vulnerabilities, and then prioritise those vulnerabilities. The CVSS ratings provide assistance in making educated judgements on which vulnerabilities should be addressed first and how resources should be distributed for vulnerability management.

There have been several versions of CVSS, and each version has included enhancements and modifications that make it possible to more accurately evaluate the severity of vulnerabilities. The previous version, CVSS 3.1, has been upgraded to the current version, CVSS 4.0, which includes a number of significant updates and enhancements, including the following:

CVSS 4.0 has been designed with the goal of simplifying the scoring system and making it more accessible to users. It makes the scoring process more straightforward, which makes it simpler for security experts to grasp and put into practise.

Accurate Scoring: CVSS 4.0 includes enhancements in scoring to enable more accurate evaluations of vulnerabilities. These improvements were made possible by the introduction of new scoring methods. It improves the base, temporal, and environmental parameters such that a more accurate representation of the real effect of a vulnerability may be achieved.

Enhanced Metrics: It provides new metrics, such as Scope and Attack Vector, to offer more insights about the nature of the vulnerability and its effect on the system. Enhanced Metrics.

Formula: CVSS 4.0 comes with a revised formula that may be used to determine the total score on the CVSS scale. When paired with additional indicators, this formula provides a more accurate representation of the severity of vulnerabilities.

Contextual Information: When it comes to rating vulnerabilities, CVSS 4.0 strongly recommends making advantage of any available contextual information. This contributes to the provision of a vulnerability assessment that is more precise and relevant depending on certain deployment circumstances.

Increased Scoring Flexibility: The updated version offers an increased degree of scoring flexibility for vulnerabilities. Users are given the option to choose several temporal and environmental criteria, so that the data may more accurately represent their unique situations.

The Common Vulnerability Scoring System (CVSS) version 4.0 marks an advancement in vulnerability scoring and solves some of the restrictions that were present in prior versions. It seeks to offer a system for analysing and prioritising vulnerabilities that is both more accurate and easier to use, with the ultimate goal of assisting organisations in improving their security posture by concentrating on the most pressing problems. In order to improve their vulnerability management procedures, security professionals and organisations should get aware with CVSS 4.0 and consider implementing it.

Lets take  an example of how you would use CVSS 4.0 to determine the degree of severity of a software vulnerability. For the sake of this example, we will employ a made-up vulnerability:

Vulnerability Description: An application contains a buffer overflow vulnerability, which an attacker can exploit to execute arbitrary code on the affected system.

Here’s how you would use CVSS 4.0 to assess the severity of this vulnerability:

Base Metrics:

  • Attack Vector (AV): The vulnerability can be exploited via network (AV:N). The attacker does not need local access to the system.
  • Attack Complexity (AC): The attack requires no special conditions (AC:LOW). It’s relatively easy to exploit.
  • Privileges Required (PR): The attacker needs to gain elevated privileges (PR:HIGH). This makes it more challenging to exploit.
  • User Interaction (UI): No user interaction is required (UI:NONE).
  • Scope (S): The scope of the vulnerability is unchanged, and it doesn’t impact other components (S:UNCHANGED).

Temporal Metrics:

  • Exploit Code Maturity (E): There is proof of concept code available, but no known exploits in the wild (E:POC).
  • Remediation Level (RL): There is an official fix available (RL:OFFICIAL-FIX).
  • Report Confidence (RC): The vulnerability has been confirmed by multiple sources (RC:HIGH).

Environmental Metrics (Specific to the organization’s setup):

  • Modified Attack Vector (MAV): The organization’s security controls have made it harder for attackers to exploit this vulnerability (MAV:NETWORK).
  • Modified Attack Complexity (MAC): The organization’s security measures have increased the difficulty of exploitation (MAC:HIGH).
  • Modified Privileges Required (MPR): The organization’s security settings require lower privileges for successful exploitation (MPR:LOW).

Now, you can calculate the CVSS 4.0 score based on these metrics:

  1. Calculate the Base Score: In this case, it might be, for example, 7.8.
  2. Calculate the Temporal Score by considering the temporal metrics: Let’s say it’s 6.2.
  3. Calculate the Environmental Score, taking into account the environmental metrics and organization-specific factors: The final score might be 4.3.

The overall CVSS 4.0 score for this vulnerability would be the Environmental Score, which is 4.3 in this example. This score helps organizations understand the severity of the vulnerability in their specific context, considering the mitigations and configurations in place.

The higher the CVSS score, the more severe the vulnerability. Organizations can then prioritize addressing vulnerabilities with higher scores to improve their security posture. CVSS 4.0 offers more flexibility and a better representation of the vulnerability’s impact, taking into account various contextual factors.

Cybersecurity Critical Vulnerability CVSS Score Vector: Grid Ruled Notebook, Funny Gift, 120 Pages, 7×8, for Writing Down Security Engineering or Design Ideas

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: CVSS 4.0


Oct 13 2023

HOW GOOGLE CHROME VULNERABILITY CAN PUT MILLIONS OF USERS IN DANGER – SAFEGUARD YOUR DATA NOW!

IN-DEPTH ANALYSIS: NAVIGATING THE PERILS OF CVE-2023-5218 IN GOOGLE CHROME

The digital realm, while offering boundless possibilities, is also a fertile ground for myriad cybersecurity threats. One such peril that has recently come to light is the User-After-Free vulnerability in Google Chrome, specifically identified as CVE-2023-5218. This vulnerability not only poses a significant threat to user data and system integrity but also opens a Pandora’s box of potential cyber-attacks and exploitations.

UNRAVELING THE USER-AFTER-FREE VULNERABILITY

The User-After-Free vulnerability is a type of cybersecurity flaw that surfaces when a program continues to utilize memory space after it has been freed or deleted. This flaw allows attackers to execute arbitrary code or potentially gain unauthorized access to a system. CVE-2023-5218, identified within Google Chrome, was noted to be potentially exploitable to perform such malicious actions, thereby putting users’ data and privacy at substantial risk.

TIMELINE AND DISCOVERY

CVE-2023-5218 was unveiled to the public through various cybersecurity platforms and researchers who detected unusual activities and potential exploitation trails leading back to this particular flaw. This vulnerability was identified to be present in a specific Chrome component, prompting Google to release a flurry of updates and patches to mitigate the associated risks.

THE EXPLOIT MECHANICS

Exploiting CVE-2023-5218 allows attackers to manipulate the aforementioned ‘freed’ memory space, enabling them to execute arbitrary code within the context of the affected application. In the context of Chrome, this could potentially allow attackers unauthorized access to sensitive user data, such as saved passwords or personal information, or even navigate the browser to malware-laden websites without user consent.

THE POTENTIAL IMPACT

The exploitation of CVE-2023-5218 could have a multifold impact:

  • Data Theft: Sensitive user data, including login credentials, personal information, and financial details, could be compromised.
  • System Control: Attackers could gain control over the affected system, using it to launch further attacks or for other malicious purposes.
  • Malware Spread: By redirecting browsers to malicious websites, malware could be injected into users’ systems, further expanding the impact of the attack.

TECHNICAL INSIGHTS INTO CVE-2023-5218

  • Vulnerability Class: Use After Free
  • Impact: Confidentiality, Integrity, and Availability
  • Disclosure Date: 10/11/2023
  • AdvisoryChrome Releases Blog
TECHNICAL SYNOPSIS

The vulnerability is rooted in the improper handling of memory in the Site Isolation component of Google Chrome. The flaw arises from referencing memory after it has been freed, which can lead to program crashes, unexpected value utilization, or arbitrary code execution. The vulnerability is classified under CWE-416 and CWE-119, indicating its potential to improperly restrict operations within the bounds of a memory buffer and its susceptibility to use after free exploits.

MITIGATION AND COUNTERMEASURES

The primary mitigation strategy recommended is upgrading to Google Chrome version 118.0.5993.70, which eliminates this vulnerability. However, considering the potential risks associated with such vulnerabilities, organizations and individual users are advised to:

  • Regularly update and patch software to safeguard against known vulnerabilities.
  • Employ robust cybersecurity practices, including using security software and adhering to safe browsing practices.
  • Educate users on recognizing and avoiding potential phishing attempts or malicious sites that might exploit such vulnerabilities.

CONCLUSION

The identification and subsequent mitigation of CVE-2023-5218 underscore the perpetual battle between cybersecurity professionals and cyber adversaries. While this vulnerability has been addressed in the latest Chrome update, it serves as a potent reminder of the criticality of maintaining up-to-date systems and employing prudent cybersecurity practices. As we navigate through the digital era, the complexity and sophistication of cyber threats continue to evolve, making vigilance and preparedness crucial in ensuring secure digital interactions.

The Google Workspace Bible: [14 in 1] The Ultimate All-in-One Guide from Beginner to Advanced | Including Gmail, Drive, Docs, Sheets, and Every Other App from the Suite

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: Google Chrome


Oct 12 2023

Adobe, Cisco IOS, Skype, WordPad, and HTTP/2 Rapid Reset Flaws Actively Exploited: CISA Warns

Category: Security vulnerabilitiesdisc7 @ 9:25 am

The US cybersecurity organization CISA has updated its Known Exploited Vulnerabilities catalog to include five new security flaws that are currently being actively exploited.

This means that attackers are using these vulnerabilities to gain unauthorized access to computer systems, steal sensitive data, or cause damage to critical infrastructure.

It is crucial for organizations to be aware of these vulnerabilities and take immediate steps to mitigate the risk of exploitation.

Earlier this year, several vulnerabilities were reported in popular software applications such as Acrobat, Cisco IOS, WordPad, Skype, and HTTP/2 Rapid Reset.

As a precautionary measure, businesses are advised by CISA to be wary of these vulnerabilities and take necessary steps to secure their systems against potential cyber-attacks.

Malicious cyber actors often exploit these vulnerabilities as they are commonly found in the federal enterprise, posing significant threats to their security.

Five Actively Exploited Flaws

  • CVE-2023-21608 Adobe Acrobat and Reader Use-After-Free Vulnerability

A Use After Free vulnerability in Adobe Acrobat Reader versions 22.003.20282 (and earlier), 22.003.20281 (and earlier), and 20.005.30418 (and earlier) might lead to arbitrary code execution in the context of the current user.

This vulnerability can only be exploited if the victim opens a malicious file that involves user involvement. Adobe patched the vulnerability in January 2023, and the PoC exploit code for this issue is available.

An authenticated, remote attacker with administrative access to a group member or a key server could exploit a vulnerability in the Cisco Group Encrypted Transport VPN (GET VPN) feature of Cisco IOS Software and Cisco IOS XE Software.

A successful exploit might give the attacker complete control of the targeted system and the ability to run arbitrary code, or it could force the target system to reload, resulting in a DoS attack. Cisco fixed the flaw at the end of September.

  • CVE-2023-41763 Microsoft Skype for Business Privilege Escalation Vulnerability

An elevation of privilege vulnerability in Skype for Business is identified as CVE-2023-41763.

“An attacker could make a specially crafted network call to the target Skype for Business server, which could cause the parsing of an HTTP request made to an arbitrary address. This could disclose IP addresses or port numbers or both to the attacker”, Microsoft warns.

The attacker may obtain certain private, sensitive data, and in some situations, the information that was revealed could provide the attacker access to internal networks. Microsoft patched the flaw in its October Patch Tuesday release.

  • CVE-2023-36563 Microsoft WordPad Information Disclosure Vulnerability

This is an information disclosure vulnerability in Microsoft WordPad. Because of the flaw, NTLM hashes can be revealed under certain circumstances. 

To exploit the issue, an attacker would need to be able to get into the system, but if a footing is gained, the adversary could then launch a specially crafted application and seize control of an affected machine.

“The attacker would have to convince the user to click a link, typically by way of an enticement in an email or instant message, and then convince them to open the specially crafted file,” Microsoft said.

Microsoft patched the flaw in its October Patch Tuesday release.

The HTTP/2 protocol flaw CVE-2023-44487 has recently been utilized to execute massive DDoS attacks against several targets. The HTTP/2 protocol’s handling of request cancellations or resets is the source of the issue.

When a client makes a reset for an HTTP/2 request, it consumes server resources by canceling the relevant stream. 

However, the client can start a new stream right away after initiating a reset. The quick opening and closing of HTTP/2 streams brings on the denial of service.

This vulnerability may affect many web platforms because HTTP/2 has been implemented into so many of them.

CISA urges all organizations to prioritize promptly repairing Catalogue vulnerabilities as part of their vulnerability management procedures to reduce their exposure to attacks.

Cybersecurity and Infrastructure Security Agency (CISA) TIPS

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: Cybersecurity and Infrastructure Security Agency


Oct 04 2023

ZERO DAY VULNERABILITIES IN QUALCOMM CHIPS ALLOW HACKING INTO BILLION MOBILE PHONES IN WORLD

Category: Security vulnerabilities,Zero daydisc7 @ 10:25 am

Qualcomm recently issued warnings about three zero-day vulnerabilities within its GPU and Compute DSP drivers that are currently being exploited by hackers. These warnings were initiated based on information received from Google’s Threat Analysis Group (TAG) and Project Zero teams. According to their reports, there is limited but targeted exploitation of vulnerabilities identified as CVE-2023-33106, CVE-2023-33107, CVE-2022-22071, and CVE-2023-33063.

In response to these imminent threats, Qualcomm has rolled out security updates designed to rectify the issues present within its Adreno GPU and Compute DSP drivers. The company has promptly communicated this information to the affected Original Equipment Manufacturers (OEMs), urging them to implement these security updates without delay.

One of the significant flaws, CVE-2022-22071, which was initially disclosed in May 2022, is categorized as a high-severity issue, with a CVSS v3.1 score of 8.4. This vulnerability is a use-after-free bug that can be exploited locally and affects widely-used chips, including the SD855, SD865 5G, and SD888 5G.

However, Qualcomm has opted to remain tight-lipped regarding the details of the other actively exploited vulnerabilities, namely CVE-2023-33106, CVE-2022-22071, and CVE-2023-33063. Further information on these vulnerabilities is expected to be disclosed in the company’s security bulletin scheduled for December 2023.

In addition to these, Qualcomm’s recent security bulletin also shed light on three other critical vulnerabilities, each with severe implications:

  • CVE-2023-24855 involves memory corruption within Qualcomm’s Modem component. This occurs when processing security-related configurations prior to the AS Security Exchange and has a CVSS v3.1 score of 9.8.
  • CVE-2023-28540 relates to a cryptographic issue within the Data Modem component, resulting from insufficient authentication processes during TLS handshakes, with a CVSS v3.1 score of 9.1.
  • CVE-2023-33028 involves memory corruption in the WLAN firmware which occurs during the copying of pmk cache memory without conducting necessary size checks, and it holds a CVSS v3.1 score of 9.8.

In light of these findings, Qualcomm disclosed an additional 13 high-severity flaws along with three more vulnerabilities classified as critical, all of which were identified by the company’s engineers. In total, Qualcomm has released updates to address 17 vulnerabilities across various components while highlighting that three zero-day vulnerabilities are currently being actively exploited.

Of these identified vulnerabilities, three have been classified as critical, 13 are high-severity, and one is medium-severity. Qualcomm’s advisory noted: “There are indications from Google Threat Analysis Group and Google Project Zero that CVE-2023-33106, CVE-2023-33107, CVE-2022-22071, and CVE-2023-33063 may be under limited, targeted exploitation.”

To safeguard against these vulnerabilities, patches for issues in the Adreno GPU and Compute DSP drivers have been issued and are readily available. OEMs have been duly notified and strongly urged to deploy these security patches at the earliest convenience to prevent potential exploitation.

Users of Qualcomm products are advised to stay vigilant and apply updates provided by OEMs as soon as they are released to ensure their devices are protected from these vulnerabilities. This proactive approach to device security is crucial in mitigating the risk of exploitation and maintaining the integrity and functionality of devices that play a pivotal role in various technological applications.

Hacking for Beginners: A Step by Step Guide to Learn How to Hack Websites, Smartphones, Wireless Networks, Work with Social Engineering, Complete a Penetration Test, and Keep Your Computer Safe

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: Hacking Mobile Phone


Oct 03 2023

Zip Slip Vulnerability Let Attacker Import Malicious Code and Execute Arbitrary Code

Category: Cyber Attack,Security vulnerabilitiesdisc7 @ 9:02 am

A critical Zip Slip vulnerability was discovered in the open-source data cleaning and transformation tool ‘OpenRefine’, which allowed attackers to import malicious code and execute arbitrary code.

OpenRefine is a strong Java-based, free, open-source tool for handling messy data. This includes cleaning it, converting it into a different format, and expanding it with web services and external data.

According to SonarCloud, the Zip Slip vulnerability in OpenRefine allows attackers to overwrite existing files or the extraction of contents to unexpected locations. This vulnerability is caused by insufficient path validation while extracting archives.

Details of the OpenRefine Zip Slip Vulnerability

The project import feature of OpenRefine versions 3.7.3 and earlier is vulnerable to a Zip Slip vulnerability (CVE-2023-37476) with a CVSS score of 7.8. 

Although OpenRefine is only intended to execute locally on a user’s computer, a user can be tricked into importing a malicious project file. Once this file is imported, the attacker will be able to run arbitrary code on the victim’s computer.

Web Interface of OpenRefine Tool

“The vulnerability gives attackers a strong primitive: writing files with arbitrary content to an arbitrary location on the filesystem. For applications running with root privileges, there are dozens of possibilities to turn this into arbitrary code execution on the operating system: adding a new user to the passwd file, adding an SSH key, creating a cron job, and more”, researchers said.

Fix Available

OpenRefine Version 3.7.4, published on July 17, 2023, has a fix for the issue.

In light of this, Users are recommended to update to OpenRefine 3.7.4 as soon as feasible.

The Hacker and the State: Cyber Attacks and the New Normal of Geopolitics

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: Execute Arbitrary Code


Sep 29 2023

THIS ZERO DAY VULNERABILITY COULD YOU USED TO HACK INTO IPHONE, ANDROID, CHROME AND MANY OTHER SOFTWARE

Category: Security vulnerabilities,Smart Phone,Zero daydisc7 @ 9:22 am

Google has designated a brand new CVE number for a major security vulnerability that has been discovered in the libwebp image library, which is used for displaying pictures in the WebP format. This flaw has been found to be exploited in the wild by malicious users. A major vulnerability that existed in Google Chrome for Windows, macOS, and Linux was addressed by a security update that was provided by Google. A CVE ID of CVE-2023-4863 has been assigned to the security flaw, and the vulnerability has been rated as having a severity of 8.8 (High).

As a result of the analysis of the vulnerability, it was found that the libwebp library included a heap buffer overflow vulnerability. This vulnerability allows a threat actor to conduct an out-of-bounds memory write by using a crafted HTML page to trigger the issue.

However, Google has once again reported this vulnerability, which is now known as CVE-2023-5129 and is being monitored. After further investigation, it was discovered that the vulnerability known as CVE-2023-41064 and this one also impacted the same libwebp library. The development comes after Apple, Google, and Mozilla provided remedies to address a flaw that may enable arbitrary code execution when processing a carefully designed picture. The bug is tracked separately as CVE-2023-41064 and CVE-2023-4863. The execution of arbitrary code might lead to a security breach. It is likely that both problems are solutions to the same fundamental issue that exists in the library. CVE-2023-41064 is claimed to have been linked with CVE-2023-41061 as part of a zero-click iMessage attack chain termed BLASTPASS to deliver a mercenary malware known as Pegasus, as stated by the Citizen Lab. At this time, we do not have access to any other technical specifics.

But the choice to “wrongly scope” CVE-2023-4863 as a vulnerability in Google Chrome belied the reality that it also affects practically every other program that depends on the libwebp library to handle WebP pictures, showing that it had a wider effect than was originally supposed. CVE-2023-4863 was discovered by Google security researchers and is tracked by the CVE identifier.

An investigation carried out by Rezillion over the last week has uncovered a comprehensive list of frequently used software programs, code libraries, frameworks, and operating systems that are susceptible to the CVE-2023-4863 vulnerability.

Additionally, the security researcher who found the vulnerabilities CVE-2023-41064 and CVE-2023-4863 reported both of them. This indicates that the researcher brought this issue to the attention of both firms, which led to the creation of two distinct CVEs in the past.

ZIYUETEK USB Data Blocker, Charge-Only Adapter USB Blocker(2PCS), Provide Safe and high-Speed Charging, Protect Against Juice Jacking, Hacking

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: HACK INTO IPHONE


Sep 28 2023

5 free vulnerability scanners you should check out

Category: Security vulnerabilitiesdisc7 @ 9:39 am

Vulnerability scanners delve into systems to uncover security gaps. The primary mission? To fortify organizations against breaches and shield sensitive data from exposure.

Beyond merely pinpointing weaknesses, vulnerability scanning is a proactive measure to anticipate potential attacker entry points. The essence of this process lies not just in detection but in remediation and refining strategies, ensuring that vulnerabilities are prioritized.

Here’s a list of 5 free, open-source vulnerability scanners you can try today.

Nuclei

Nuclei is a scanner designed to probe modern applications, infrastructure, cloud settings, and networks, assisting in identifying and correcting vulnerabilities. Internally, Nuclei relies on the principle of templates. These YAML files detail how to identify, rank, and fix specific security threats. A global community of security professionals and researchers actively contributes to the template library. This ecosystem, continuously updated within the Nuclei tool, has received over 5000 templates.

Nikto

Nikto is a web server scanning tool that conducts in-depth tests on web servers. It checks for over 6700 potentially dangerous files/programs, including certain files or programs, inspects for outdated versions of more than 1250 servers, and looks for particular issues in over 270 server versions. Nikto isn’t crafted for discreet operations. It aims to assess a web server as swiftly as possible, leaving evident traces in log files or being detectable by IPS/IDS systems. Nevertheless, it supports LibWhisker’s methods to counteract IDS, whether to experiment with or evaluate an IDS setup.

free vulnerability scanners

Cariddi

Cariddi enables you to take a list of domains, crawl URLs, and scan for endpoints, secrets, API keys, file extensions, tokens, and more.

OpenVAS

OpenVAS is a comprehensive vulnerability scanning tool. It offers both unauthenticated and authenticated testing, supports a range of high-level and low-level internet and industrial protocols, provides performance optimization for large-scale scans, and features a robust internal scripting language to design any vulnerability test.

free vulnerability scanners

Wapiti

Wapiti is a tool designed to assess the security of your websites or web applications. It conducts “black-box” scans, meaning it doesn’t analyze the source code. Instead, it navigates through the webpages of the live web application, searching for scripts and forms to input data. After identifying the list of URLs, forms, and their respective inputs, Wapiti functions like a fuzzer, introducing payloads to determine if a script is susceptible to vulnerabilities.

More resources:

Practical Vulnerability Management: A Strategic Approach to Managing Cyber Risk

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: free vulnerability scanners


Sep 20 2023

Nagios Monitoring Tool Vulnerabilities Let Attackers Perform SQL Injection

Category: Security Tools,Security vulnerabilitiesdisc7 @ 9:47 am

Nagios XI is a prominent and frequently used commercial monitoring system for IT infrastructure and network monitoring. 

Vulnerability Research Engineer Astrid Tedenbrant found four distinct vulnerabilities in Nagios XI (version 5.11.1 and below) while conducting routine research.

By making use of three of these flaws classified as (CVE-2023-40931CVE-2023-40933, and CVE-2023-40934), users with various levels of access rights can get access to the database field via SQL injection.

Additionally, the vulnerability (CVE-2023-40932) permits Cross-Site Scripting through the Custom Logo component, rendering on all pages, including the login page.

Details of the Vulnerabilities

SQL Injection in Banner acknowledging endpoint (CVE-2023-40931)

“Announcement Banners” are a feature of Nagios XI that users may choose to recognize. This feature’s endpoint is susceptible to a SQL Injection attack.

When a user acknowledges a banner, a POST request is made to ‘/nagiosxi/admin/banner_message-ajaxhelper.php’ with the POST data ‘action=acknowledge banner message&id=3’.

“The ID parameter is assumed to be trusted but comes directly from the client without sanitization”, the researcher explains.

“This leads to a SQL Injection where an authenticated user with low or no privileges can retrieve sensitive data, such as from the `xi_session` and `xi_users` table containing data such as emails, usernames, hashed passwords, API tokens, and backend tickets”.

SQL Injection in Host/Service Escalation in CCM (CVE-2023-40934)

An authorized user with access to control host escalations can run any database query using Nagios XI’s Core Configuration Manager.

The same database access is possible through this vulnerability as through previous SQL Injection vulnerabilities, although it necessitates more privileges than CVE-2023-40931.

SQL Injection in Announcement Banner Settings (CVE-2023-40933)

In this case, while performing the `update_banner_message_settings` action on the affected endpoint, the `id` parameter is assumed to be trusted and is concatenated into a database query with no sanitization. This allows an attacker to modify the query, the researcher said.

Compared to CVE-2023-40931, successful exploitation of this vulnerability needs more privileges but provides the same database access as the other two SQL Injection Vulnerabilities.

Cross-Site Scripting in Custom Logo Component (CVE-2023-40932)

Reports say Nagios XI may be modified to include a unique corporate logo, which will be visible across the entire product. Included in this are the login page, various administration pages, and the landing page.

A cross-site scripting flaw in this functionality allows an attacker to inject arbitrary JavaScript, which any user’s browser will be able to execute.

“This can be used to read and modify page data, as well as perform actions on behalf of the affected user. Plain-text credentials can be stolen from users’ browsers as they enter them.,” reports said.

Fix Available

All of these vulnerabilities have been fixed, and users are encouraged to update to 5.11.2 or later.

The commercial version of the open-source Nagios Core monitoring platform, Nagios XI, offers more functionality that makes managing complicated IT settings easier.

Because of the access that Nagios XI requires, it is frequently used in highly privileged instances, making it an attractive target for attackers.

SQL Injection Strategies: Practical techniques to secure old vulnerabilities against modern attacks


InfoSec tools
 | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: SQL injection


Sep 13 2023

Windows Arbitrary File Deletion Vulnerability Leads to Full System Compromise

Category: Security vulnerabilities,Windows Securitydisc7 @ 8:02 am

Threat actors were using Windows Arbitrary File Deletion to perform Denial-of-service attacks on systems affected by this vulnerability. However, recent reports indicate that this Windows Arbitrary file deletion can be used for a full compromise.

The possibility of this attack depends on the CVE-2023-27470 arbitrary file deletion vulnerability combining it with a Time-of-Check to Time-of-Use (TOCTOU) race condition, which enables the deletion of files on a Windows system and subsequently creates an elevated Command Prompt.

CVE-2023-27470 & TOCTOU – Technical Analysis

CVE-2023-27470 affects N-Able’s Take Control Agent, which can lead to an arbitrary file deletion vulnerability. This vulnerability analysis was done using Microsoft’s Process Monitor, often called ProcMon. 

This vulnerability exists due to insecure file operations conducted by NT AUTHORITY\SYSTEM processes that were detected with the help of ProcMon filters.

The process that was analyzed during this vulnerability was BASupSrvcUpdater.exe, belonging to Take Control Agent 7.0.41.1141.

Race Condition

BASupSrvcUpdater.exe attempts every 30 seconds to a non-existent folder under the C:\ProgramData\GetSupportService_N-Central\PushUpdates as an NT AUTHORITY\SYSTEM process. For further research, this PushUpdates folder and a dummy file aaa.txt were created.

BASupSrvcUpdater.exe made an attempt to read the contents of the folder and performed a deletion, which was logged in the C:\ProgramData\GetSupportService_N-Central\Logs\BASupSrvcUpdater_[DATE].log log file. 

This particular action gives rise to a race condition, as a threat actor can exploit this condition by utilizing the timeframe between the deletion and logging.

To exploit this condition and perform a full system compromise, an attacker must replace a file in the PushUpdates folder with a pseudo-symlink.

complete report about this attack has been published, which provides detailed information about the exploitation, techniques, process, and method of complete system compromise.

To prevent this attack, it is recommended for organizations using N-able to upgrade to version 7.0.43 to fix this vulnerability.

Mastering Windows Security and Hardening: Secure and protect your Windows environment from cyber threats using zero-trust security principles

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: Full System Compromise, Mastering Windows Security and Hardening


Sep 11 2023

Notepad++ v8.5.7 Released: Fix for 4 Security Vulnerabilities

Category: Security vulnerabilitiesdisc7 @ 8:19 am

Notepad++ v8.5.7 has been released, which has several bug fixes and new features. There has also been Integrity and authenticity validation, added Security enhancement and fixed a memory leak while reading Utf8-16 files.

Multiple vulnerabilities in Notepad++ relating to Heap buffer read overflow, Heap buffer write overflow & Global buffer read overflow were previously reported. However, the new version of Notepad++ claims to have patched these vulnerabilities.

Gitlab security researcher Jaroslav Lobačevski (@JarLob) discovered these vulnerabilities during the end of August 2023. However, as part of the GitLab coordinated disclosure policy, these vulnerabilities were publicly disclosed before Notepad++ patched them.

Notepad++ v8.5.7

This current new version of Notepad++ implemented the integrity and authenticity validation by introducing the GPG Notepad++ Public key which can be used for the verification of GPG Signature. In addition to that, SHA-256 digests of binary packages have also been added which can be used for checking the integrity of your Notepad++ download.

As part of Bug fixes and new features, Notepad++ has fixed the vulnerabilities reported previously which had the CVE IDs CVE-2023-40031CVE-2023-40036CVE-2023-40164 & CVE-2023-40166

Other fixes include Document disassociated issue, Dragging tab performance issue, Session file saving problem, product version value displayed in file’s properties and activating wrong file(s) were also rectified as part of this new release.

Furthermore, Notepad++ has added an option to suppress file with more than 2GB. This option enables Notepad++ to wait for user confirmation before opening a large file.

“Notepad++ will completely hang and await user confirmation when trying to open a file bigger than 2GB.” reads the issue on GitHub. Notepad++ has also released their current version of source code which can be found in this link

It is recommended for users of Notepad++ to upgrade to version 8.5.7 in order to fix the vulnerabilities and improve the application’s performance.

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: Notepad++


Next Page »