Apr 05 2022

CISA adds Spring4Shell flaw to its Known Exploited Vulnerabilities Catalog

Category: Security vulnerabilitiesDISC @ 8:41 am
CISA adds Spring4Shell flaw to its Known Exploited Vulnerabilities Catalog

The U.S. CISA added the recently disclosed remote code execution (RCE) vulnerability Spring4Shell to its Known Exploited Vulnerabilities Catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the recently disclosed 

CVE-2022-22965
 (aka Spring4Shell, CVSS score: 9.8) flaw in the Spring Framework, along with three other issues, to its Known Exploited Vulnerabilities Catalog.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts recommend also private organizations review the Catalog and address the vulnerabilities in their infrastructure.

The Spring4Shell issue was disclosed last week, it resides in the Spring Core Java framework. An unauthenticated, remote attacker could trigger the vulnerability to execute arbitrary code on the target system. The framework is currently maintained by Spring.io which is a subsidiary of VMware.

The Spring Framework is an application framework and inversion of control container for the Java platform. The framework’s core features can be used by any Java application, but there are extensions for building web applications on top of the Java EE (Enterprise Edition) platform.

The vulnerability was disclosed after a Chinese security researcher published a proof-of-concept (PoC) exploit before deleting its account (helloexp).

This week VMware has published security updates to address the Spring4Shell flaw, according to the virtualization giant, the flaw impacts many of its cloud computing and virtualization products.

The flaw impacts Spring model–view–controller (MVC) and Spring WebFlux applications running on Java Development Kit 9 and later.

Spring4Shell impacts VMware Tanzu Application Service for VMs, VMware Tanzu Operations Manager, and VMware Tanzu Kubernetes Grid Integrated Edition (TKGI).

The exploitation of this flaw could allow a remote attacker to execute arbitrary code on vulnerable systems. Researchers from Palo Alto Networks’ Unit42 and Akamai have observed the issue being exploited in the wild to deploy malicious code.

CISA also added CVE-2022-22675CVE-2022-22674CVE-2021-45382 flaws to its catalog. The four vulnerabilities added to the catalog have to be addressed by federal agencies by April 25, 2022.

Tags: Spring4Shell

Apr 04 2022

Brokenwire attack, how hackers can disrupt charging for electric vehicles

Category: Cyber Attack,Security vulnerabilitiesDISC @ 8:00 am
Brokenwire attack, how hackers can disrupt charging for electric vehicles

Boffins devised a new attack technique, dubbed Brokenwire, against the Combined Charging System (CCS) that could potentially disrupt charging for electric vehicles.

A group of researchers from the University of Oxford and Armasuisse S+T has devised a new attack technique, dubbed Brokenwire, against the popular Combined Charging System (CCS) that could be exploited by remote attackers to disrupt charging for electric vehicles.

The Combined Charging System (CCS) is one of the most widely used DC rapid charging technologies for electric vehicles (EVs). 

The attack aims at interrupting the control communication between the vehicle and charger, causing the disruption of charging sessions.

“The attack can be conducted wirelessly from a distance using electromagnetic interference, allowing individual vehicles or entire fleets to be disrupted simultaneously.” reads the post published by the academics. “In addition, the attack can be mounted with off-the-shelf radio hardware and minimal technical knowledge. With a power budget of 1 W, the attack is successful from around 47 m distance. The exploited behavior is a required part of the HomePlug Green PHY, DIN 70121 & ISO 15118 standards and all known implementations exhibit it.”

Brokenwire attack

The researchers demonstrated that the Brokenwire attack can be conducted from a distance of as far as 47m (151ft). Experts pointed out that the interruption of the charging process of critical vehicles, such as electric ambulances, can have life-threatening consequences.

The experts did not disclose details about the attack technique to prevent attacks in the wild.

The researchers published a video PoC of the attack showing their technique in action.

Let me close with a couple of Questions from FAQ published by the researchers:

I have a charger at home, can someone stop my car from charging?

Probably not. Most likely your home charger uses AC charging and a different communication standard (IEC 61851), so won’t be affected. This might change in the future though, with home chargers getting ISO 15118 support.

Can Brokenwire also break my car?

We’ve never seen any evidence of long-term damage caused by the Brokenwire attack. Based on our development work, we also have good reason to expect there isn’t any.

Tags: Brokenwire attack

Mar 16 2022

CISA adds 15 new flaws to the Known Exploited Vulnerabilities Catalog

Category: Security vulnerabilitiesDISC @ 9:52 pm
CISA adds 15 new flaws to the Known Exploited Vulnerabilities Catalog

The US Cybersecurity and Infrastructure Security Agency (CISA) added 15 new flaws to its Known Exploited Vulnerabilities Catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added 15 vulnerabilities to its Known Exploited Vulnerabilities Catalog.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts recommend also private organizations review the Catalog and address the vulnerabilities in their infrastructure.

The new vulnerabilities added to the catalog include one SonicWall SonicOS issue, tracked as CVE-2020-5135, and 14 Microsoft Windows flaws addressed between 2016 and 2019.

The CVE-2020-5135 is a stack-based buffer overflow that affects the SonicWall Network Security Appliance (NSA). The vulnerability can be exploited by an unauthenticated HTTP request involving a custom protocol handler.

The flaw resides in the HTTP/HTTPS service used for product management as well as SSL VPN remote access.

All the flaws added in this round have to be addressed by federal agencies by April 5.

The CISA Catalog has reached a total of 504 entries with the latest added issues.

Cisa Known Exploited Vulnerabilities Catalog

Hackable

Tags: CISA, Exploited Vulnerabilities Catalog, Hackable

Mar 10 2022

TLStorm flaws allow to remotely manipulate the power of millions of enterprise UPS devices

Category: Remote code,Security vulnerabilitiesDISC @ 10:33 am
TLStorm flaws allow to remotely manipulate the power of millions of enterprise UPS devices

Three flaws in APC Smart-UPS devices, tracked as TLStorm, could be exploited by remote attackers to hack and destroy them.

Researchers from IoT security company Armis have discovered three high-impact security flaws, collectively tracked as TLStorm, affecting APC Sm

art-UPS devices.

The flaws can allow remote attackers to manipulate the power of millions of enterprise devices carrying out extreme cyber-physical attacks.

Uninterruptible power supply (UPS) devices provide emergency backup power for mission-critical systems.

“If exploited, these vulnerabilities, dubbed TLStorm, allow for complete remote take-over of Smart-UPS devices and the ability to carry out extreme cyber-physical attacks. According to Armis data, almost 8 out of 10 companies are exposed to TLStorm vulnerabilities.” reads the analysis published by Armis.

APC has over 20 million devices worldwide, according to the researchers, almost 8 out of 10 companies are exposed to TLStorm vulnerabilities. 

Two of the TLStorm vulnerabilities reside in the TLS implementation used by Cloud-connected Smart-UPS devices, while the third one is a design flaw in the firmware upgrade process of Smart-UPS devices.

The researchers discovered that the firmware upgrades are not properly signed and validated.

This third flaw could be exploited by an attacker to achieve persistence by planting a malicious update on vulnerable UPS devices.

Below is the list of the flaws discovered by the experts:

  • CVE-2022-22806 – TLS authentication bypass: A state confusion in the TLS handshake leads to authentication bypass, leading to remote code execution (RCE) using a network firmware upgrade.
  • CVE-2022-22805 – TLS buffer overflow: A memory corruption bug in packet reassembly (RCE).
  • CVE-2022-0715 – Unsigned firmware upgrade that can be updated over the network (RCE).

An attacker can trigger one of the above issues to gain remote code execution on vulnerable devices and interfere with the operation of the UPS to cause physical damage.

“The fact that UPS devices regulate high voltage power, combined with their Internet connectivity—makes them a high-value cyber-physical target. In the television series Mr. Robot, bad actors cause an explosion using an APC UPS device.” continues Armis. “However, this is no longer a fictional attack. By exploiting these vulnerabilities in the lab, Armis researchers were able to remotely ignite a Smart-UPS device and make it literally go up in smoke.”

TLStorm

Experts pointed out that vulnerabilities in the firmware upgrade process are often abused by sophisticated APT groups.

Armis reported the flaws to Schneider Electric’s APC on October 31, 2021, the vendor addressed them with the release of Patch Tuesday security updates on March 8, 2022.

“UPS devices, like many other digital infrastructure appliances, are often installed and forgotten. Since these devices are connected to the same internal networks as the core business systems, exploitation attempts can have severe implications.” concludes the report. It’s important for security professionals to have complete visibility of all assets, along with the ability to monitor their behavior, in order to identify anomalies and/or exploit attempts. However traditional security solutions do not cover these assets. As a result, they remain “unseen” and therefore expose the organization to significant risk.”

Reliability/Availability of Electrical & Mechanical Systems for Command, Control, Communications, Computer, Intelligence, Surveillance and Reconnaissance (C4ISR) Facilities

Tags: TLStorm flaws, UPS devices

Mar 08 2022

CISA urges to fix actively exploited Firefox zero-days by March 21

Category: Security vulnerabilities,Zero dayDISC @ 10:34 am
CISA urges to fix actively exploited Firefox zero-days by March 21

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added recently disclosed Firefox zero-days to its Known Exploited Vulnerabilities Catalog.

The Cybersecurity and Infrastructure Security Agency (CISA) added two critical security vulnerabilities in Mozilla firefox, tracked as 

CVE-2022-26485
 and 
CVE-2022-26486
, to its Known Exploited Vulnerabilities Catalog. The US agency has ordered federal civilian agencies to address both issues by March 21, 2022.

Yesterday Mozilla has released Firefox 97.0.2, Firefox ESR 91.6.1, Firefox for Android 97.3.0, and Focus 97.3.0 to address the two zero-day vulnerabilities that are actively exploited in attacks.

The two vulnerabilities are “Use-after-free” issues in XSLT parameter processing and in the WebGPU IPC Framework respectively.

Successful exploitation of the flaws can cause a program crash or execute arbitrary commands on the machine.

Below is the description of both flaws included in the advisory published by Mozilla:

  • CVE-2022-26485: Removing an XSLT parameter during processing could have lead to an exploitable use-after-free. We have had reports of attacks in the wild abusing this flaw.
  • CVE-2022-26486: An unexpected message in the WebGPU IPC framework could lead to a use-after-free and exploitable sandbox escape. 

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts recommend also private organizations review the Known Exploited Vulnerabilities Catalog and address the vulnerabilities in their infrastructure.

CISA added nine other vulnerabilities to its Known Exploited Vulnerabilities Catalog that are reported in the following table along with the associated due date.

CVE ID Vulnerability Name Due Date 
CVE-2022-26486Mozilla Firefox Use-After-Free Vulnerability03/21/22
CVE-2022-26485Mozilla Firefox Use-After-Free Vulnerability03/21/22
CVE-2021-21973VMware vCenter Server, Cloud Foundation Server Side Request Forgery (SSRF)03/21/22
CVE-2020-8218Pulse Connect Secure Code Injection Vulnerability09/07/22
CVE-2019-11581Atlassian Jira Server and Data Center Server-Side Template Injection Vulnerability09/07/22
CVE-2017-6077NETGEAR DGN2200 Remote Code Execution Vulnerability09/07/22
CVE-2016-6277NETGEAR Multiple Routers Remote Code Execution Vulnerability09/07/22
CVE-2013-0631Adobe ColdFusion Information Disclosure Vulnerability09/07/22
CVE-2013-0629Adobe ColdFusion Directory Traversal Vulnerability09/07/22
CVE-2013-0625Adobe ColdFusion Authentication Bypass Vulnerability09/07/22
CVE-2009-3960Adobe BlazeDS Information Disclosure Vulnerability09/07/22

Zero Days

Tags: CISA, zero-days

Mar 04 2022

75% of medical infusion pumps affected by known vulnerabilities

Category: hipaa,Security vulnerabilitiesDISC @ 9:52 am
75% of medical infusion pumps affected by known vulnerabilities

Researchers analyzed more than 200,000 network-connected medical infusion pumps and discovered that over 100,000 of them are vulnerable.

Researchers from Palo Alto Networks have analyzed more than 200,000 medical infusion pumps on the networks of hospitals and other healthcare organizations and discovered that 75% are affected by known vulnerabilities that could be exploited by attackers.

“We reviewed crowdsourced data from scans of more than 200,000 infusion pumps on the networks of hospitals and other healthcare organizations using IoT Security for Healthcare from Palo Alto Networks.” reads the report published by Palo Alto Networks. “An alarming 75 percent of infusion pumps scanned had known security gaps that put them at heightened risk of being compromised by attackers. These shortcomings included exposure to one or more of some 40 known cybersecurity vulnerabilities and/or alerts that they had one or more of some 70 other types of known security shortcomings for IoT devices.”

Image source: Ateq USA website

One of the most interesting findings that emerged from the report is that 52% of all infusion pumps analyzed by the experts were susceptible to two vulnerabilities publicly disclosed in 2019. These data are disconcerting considering that the average infusion pump has a life of eight to 10 years.

The following table reports the 10 most prevalent issues that emerged from the scan of network-connected medical devices. 


CVE		Severity
(Score)		% of analyzed pumps with CVEs
1CVE-2019-122559.8 (Critical)52.11%
2CVE-2019-122647.1 (High)52.11%
3CVE-2016-93555.3 (Medium) 50.39%
4CVE-2016-83754.9 (Medium)50.39%
5CVE-2020-251657.5 (High)39.54%
6CVE-2020-120409.8 (Critical)17.83%
7CVE-2020-120479.8 (Critical)15.23%
8CVE-2020-120459.8 (Critical)15.23%
9CVE-2020-120439.8 (Critical)15.23%
10CVE-2020-120419.8 (Critical)15.23%

Table 1. The top 10 most prevalent vulnerabilities found in the more than 200,000 inf

Experts grouped the issues is several categories, including leakage of sensitive information, unauthorized access and buffer overflow. Palo Alto Networks reported that some issues are related to third-party cross-platform libraries used by the devices, such as network stacks. 

CVE-2019-12255
 and CVE 2019-12264 vulnerabilities in the TCP/IP stack IPNet.

Both flaws affect 52% of the analyzed infusion pumps, approximately more than 104,000 devices.

Palo Alto Networks recommends healthcare providers adopt a proactive security strategy to prevent attacks, below are some key capabilities to consider when evaluating IoMT security strategies and technologies for healthcare:

  • Accurate discovery and inventory
  • Holistic risk assessment
  • Apply risk reduction policies
  • Prevent Threats

“Among the 200,000 infusion pumps we studied, 75% were vulnerable to at least one vulnerability or threw up at least one security alert. While some of these vulnerabilities and alerts may be impractical for attackers to take advantage of unless physically present in an organization, all represent a potential risk to the general security of healthcare organizations and the safety of patients – particularly in situations in which threat actors may be motivated to put extra resources into attacking a target.” concludes the report.

Do No Harm: Protecting Connected Medical Devices, Healthcare, and Data from Hackers and Adversarial Nation States –  cybersecurity expert Matthew Webster delivers an insightful synthesis of the health benefits of the Internet of Medical Things (IoMT), the evolution of security risks that have accompanied the growth of those devices, and practical steps we can take to protect ourselves,  our data, and our hospitals from harm. 

Tags: medical infusion pumps

Mar 03 2022

Popular open-source PJSIP library is affected by critical flaws

Category: Security vulnerabilitiesDISC @ 10:46 am
Popular open-source PJSIP library is affected by critical flaws

Researchers from JFrog’s Security Research team discovered five vulnerabilities in the popular PJSIP open-source multimedia communication library.

PJSIP is a communication library written in C language implementing standard-based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. It combines signaling protocol (SIP) with rich multimedia framework and NAT traversal functionality into high level API that is portable and suitable for almost any type of systems ranging from desktops, embedded systems, to mobile handsets.

PJSIP supports audio, video, presence, and instant messaging, the APT supplied by the library can be used by IP telephony applications, including VoIP devices.

Many popular communication applications use the library, including WhatsApp, BlueJeans and Asterisk.

An attacker can exploit the flaws to gain arbitrary code execution on devices running applications using the vulnerable library or to trigger a denial-of-service (DoS) condition.

The list of the flaws discovered in the PJSIP library:

Open Source Security: Your Network More Secure With Open Source Tools 

Tags: critical flaws, open-source PJSIP

Feb 22 2022

Microsoft Safety Scanner

Category: Malware,Security vulnerabilitiesDISC @ 10:10 am
How to Use Microsoft Safety Scanner for Windows

Microsoft Safety Scanner is a scan tool designed to find and remove malware from Windows computers. Simply download it and run a scan to find malware and try to reverse changes made by identified threats.

 Note

Starting November 2019, Safety Scanner will be SHA-2 signed exclusively. Your devices must be updated to support SHA-2 in order to run Safety Scanner. To learn more, see 2019 SHA-2 Code Signing Support requirement for Windows and WSUS.

Important information

  • The security intelligence update version of the Microsoft Safety Scanner matches the version described in this web page.
  • Safety Scanner only scans when manually triggered and is available for use 10 days after being downloaded. We recommend that you always download the latest version of this tool before each scan.
  • Safety scanner is a portable executable and does not appear in the Windows Start menu or as an icon on the desktop. Note where you saved this download.
  • This tool does not replace your antimalware product. For real-time protection with automatic updates, use Microsoft Defender Antivirus on Windows 11, Windows 10, and Windows 8 or Microsoft Security Essentials on Windows 7. These antimalware products also provide powerful malware removal capabilities. If you are having difficulties removing malware with these products, you can refer to our help on removing difficult threats.

System requirements

Safety Scanner helps remove malicious software from computers running Windows 11, Windows 10, Windows 10 Tech Preview, Windows 8.1, Windows 8, Windows 7, Windows Server 2019, Windows Server 2016, Windows Server Tech Preview, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, or Windows Server 2008. For details, refer to the Microsoft Lifecycle Policy.

How to run a scan

  1. Download this tool and open it.
  2. Select the type of scan that you want to run and start the scan.
  3. Review the scan results displayed on screen. For detailed detection results, view the log at %SYSTEMROOT%\debug\msert.log.

To remove this tool, delete the executable file (msert.exe by default).

For more information about the Safety Scanner, see the support article on how to troubleshoot problems using Safety Scanner.

Recommended content

Feb 01 2022

CISA adds 8 new vulnerabilities to its Known Exploited Vulnerabilities Catalog

Category: Security vulnerabilitiesDISC @ 9:57 am
CISA adds 8 new vulnerabilities to its Known Exploited Vulnerabilities Catalog

The US Cybersecurity & Infrastructure Security Agency (CISA) has added eight more flaws to the Known Exploited Vulnerabilities Catalog.

The ‘Known Exploited Vulnerabilities Catalog‘ is a list of known vulnerabilities that threat actors have abused in attacks and that are required to be addressed by Federal Civilian Executive Branch (FCEB) agencies.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts recommend also private organizations review the Known Exploited Vulnerabilities Catalog and address the vulnerabilities in their infrastructure.

Below is the list of the new entries in the catalog:

CVE IDDescriptionPatch Deadline
CVE-2022-22587Apple IOMobileFrameBuffer Memory Corruption Vulnerability2/11/2022
CVE-2021-20038SonicWall SMA 100 Appliances Stack-Based Buffer Overflow Vulnerability2/11/2022
CVE-2014-7169GNU Bourne-Again Shell (Bash) Arbitrary Code Execution Vulnerability7/28/2022
CVE-2014-6271GNU Bourne-Again Shell (Bash) Arbitrary Code Execution Vulnerability7/28/2022
CVE-2020-0787Microsoft Windows Background Intelligent Transfer Service (BITS) Improper Privilege Management Vulnerability7/28/2022
CVE-2014-1776Microsoft Internet Explorer Use-After-Free Vulnerability7/28/2022
CVE-2020-5722Grandstream Networks UCM6200 Series SQL Injection Vulnerability7/28/2022
CVE-2017-5689Intel Active Management Technology (AMT), Small Business Technology (SBT), and Standard Manageability Privilege Escalation Vulnerability7/28/2022

“CISA has added eight new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence that threat actors are actively exploiting the vulnerabilities listed in the table below.” reads the announcement published by CISA. “These types of vulnerabilities are a frequent attack vector for malicious cyber actors of all types and pose significant risk to the federal enterprise.”

With the addition of these eight vulnerabilities, the number of flaws in the CISA’s Known Exploited Vulnerabilities Catalog reached 351.

Among the recent entries, there is the CVE-2022-22587 memory corruption issue that resides in the IOMobileFrameBuffer and affects iOS, iPadOS, and macOS Monterey. The exploitation of this flaw leads to arbitrary code execution with kernel privileges on compromised devices.

A few days ago, Apple has released security updates to address a couple of zero-day vulnerabilities, one of them being actively exploited in the wild by threat actors to compromise iPhone and Mac devices.

CISA is ordering federal agencies to address the CVE-2022-22587 flaw by February 11, 2022, along with the CVE-2021-20038vulnerability in SonicWall SMA 100 Appliances.

The vulnerability is an unauthenticated stack-based buffer overflow that was reported by Jacob Baines, lead security researcher at Rapid7. The 

CVE-2021-20038
 vulnerability impacts SMA 100 series appliances (including SMA 200, 210, 400, 410, and 500v) even when the web application firewall (WAF) is enabled.

A remote attacker can exploit the vulnerability to execute arbitrary code as the ‘nobody’ user in compromised SonicWall appliances.

CYBERSECURITY AND INFRASTRUCTURE SECURITY AGENCY: Actions Needed to Ensure Organizational Changes Result in More Effective Cybersecurity for Our Nation.

CYBERSECURITY AND INFRASTRUCTURE SECURITY AGENCY: Actions Needed to Ensure Organizational Changes Result in More Effective Cybersecurity for Our Nation by [United States Government Accountability Office]

Tags: CISA, Exploited Vulnerabilities

Jan 24 2022

US CISA added 17 flaws to its Known Exploited Vulnerabilities Catalog

Category: Security vulnerabilitiesDISC @ 9:59 am
US CISA added 17 flaws to its Known Exploited Vulnerabilities Catalog

The ‘Known Exploited Vulnerabilities Catalog‘ is a list of known vulnerabilities that threat actors have abused in attacks and that are required to be addressed by Federal Civilian Executive Branch (FCEB) agencies.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts recommend also private organizations review the Known Exploited Vulnerabilities Catalog and address the vulnerabilities in their infrastructure.

The Cybersecurity and Infrastructure Security Agency (CISA) this week added seventeen actively exploited vulnerabilities to the Catalog.

The total number of vulnerabilities included in the catalog reached this week 341 vulnerabilities.

CISA is requiring 10 of 17 vulnerabilities added this week to be addressed within February 1st, 2022.

CVE NumberCVE TitleRequired Action Due Date
CVE-2021-32648October CMS Improper Authentication2/1/2022
CVE-2021-21315System Information Library for node.js Command Injection Vulnerability2/1/2022
CVE-2021-21975Server Side Request Forgery in vRealize Operations Manager API Vulnerability2/1/2022
CVE-2021-22991BIG-IP Traffic Microkernel Buffer Overflow Vulnerability2/1/2022
CVE-2021-25296Nagios XI OS Command Injection Vulnerability2/1/2022
CVE-2021-25297Nagios XI OS Command Injection Vulnerability2/1/2022
CVE-2021-25298Nagios XI OS Command Injection Vulnerability2/1/2022
CVE-2021-33766Microsoft Exchange Server Information Disclosure Vulnerability2/1/2022
CVE-2021-40870Aviatrix Controller Unrestricted Upload of File Vulnerability2/1/2022
CVE-2021-35247SolarWinds Serv-U Improper Input Validation Vulnerability02/04/2022
CVE-2020-11978Apache Airflow Command Injection Vulnerability7/18/2022
CVE-2020-13671Drupal Core Unrestricted Upload of File Vulnerability7/18/2022
CVE-2020-13927Apache Airflow Experimental API Authentication Bypass Vulnerability7/18/2022
CVE-2020-14864Oracle Corporate Business Intelligence Enterprise Edition Path Traversal Vulnerability7/18/2022
CVE-2006-1547Apache Struts 1 ActionForm Denial of Service Vulnerability07/21/2022
CVE-2012-0391Apache Struts 2 Improper Input Validation Vulnerability07/21/2022
CVE-2018-8453Microsoft Windows Win32k Privilege Escalation Vulnerability07/21/2022

One of the issues added this week is a vulnerability in the October CMS, tracked as 

CVE-2021-32648
, which was recently exploited in attacks against websites of the Ukrainian government.

CISA also added a vulnerability, tracked as 

CVE-2021-35247
, recently addressed by SolarWinds in Serv-U products that threat actors are actively exploited in the wild. The company pointed out that all the attack attempts failed.

CYBERSECURITY AND INFRASTRUCTURE SECURITY AGENCY: Actions Needed to Ensure Organizational Changes Result in More Effective Cybersecurity for Our Nation

CYBERSECURITY AND INFRASTRUCTURE SECURITY AGENCY: Actions Needed to Ensure Organizational Changes Result in More Effective Cybersecurity for Our Nation by [United States Government Accountability Office]

Tags: US CISA

Jan 17 2022

High-Severity flaw in 3 WordPress plugins impacts 84,000 websites

Category: Security vulnerabilities,Web SecurityDISC @ 11:54 am
High-Severity flaw in 3 WordPress plugins impacts 84,000 websites

Researchers from WordPress security company Wordfence discovered a high-severity vulnerability that affects three different WordPress plugins that impact over 84,000 websites. The vulnerability tracked as CVE-2022-0215 is a cross-site request forgery (CSRF) issue that received a CVSS score of 8.8.

A threat actor could exploit the vulnerability to take over vulnerable websites.

The flaw impacts three plugins maintained by Xootix:

“On November 5, 2021 the Wordfence Threat Intelligence team initiated the responsible disclosure process for a vulnerability we discovered in “Login/Signup Popup”, a WordPress plugin that is installed on over 20,000 sites. A few days later we discovered the same vulnerability present in two additional plugins developed by the same author: “Side Cart Woocommerce (Ajax)”, installed on over 60,000 sites, and “Waitlist Woocommerce ( Back in stock notifier )”, installed on over 4,000 sites.” reads the advisory published by Wordfence. “This flaw made it possible for an attacker to update arbitrary site options on a vulnerable site, provided they could trick a site’s administrator into performing an action, such as clicking on a link.”

WordPress – Security Tips 

Tags: WordPress plugins

Jan 14 2022

Threat actors can bypass malware detection due to Microsoft Defender weakness

Category: Malware,Security vulnerabilitiesDISC @ 9:15 am
Threat actors can bypass malware detection due to Microsoft Defender weakness

A weakness in the Microsoft Defender antivirus can allow attackers to retrieve information to use to avoid detection.

Threat actors can leverage a weakness in Microsoft Defender antivirus to determine in which folders plant malware to avoid the AV scanning.

Microsoft Defender allows users to exclude locations on their machines that should be excluded from scanning by the security solution.

The knowledge of the list of scanning exceptions allows attackers to know where to store their malicious code to avoid detection. This means that once inside a compromised network, threat actors can decide were store their malicious tools and malware without being detected.

The issue seems to affect Windows 10 21H1 and Windows 10 21H2 since at least eight years, but it does not affect Windows 11.

SentinelOne threat researcher Antonio Cocomazzi pointed out that the list of scanning exceptions can be accessed by any local user, regardless of its permissions.

Running the “reg query” command it is possible to access the list.

https://twitter.com/splinter_code/status/1481073265380581381?ref_src=twsrc%5Etfw%7Ctwcamp%5Etweetembed%7Ctwterm%5E1481073265380581381%7Ctwgr%5E%7Ctwcon%5Es1_c10&ref_url=https%3A%2F%2Fsecurityaffairs.co%2Fwordpress%2F126689%2Fhacking%2Fmicrosoft-defender-weakness.html
Microsoft Defender exclusion list

Tags: Microsoft Defender weakness

Dec 21 2021

More than 35,000 Java packages impacted by Log4j flaw, Google warns

Category: Log4j,Security logs,Security vulnerabilitiesDISC @ 11:12 am
More than 35,000 Java packages impacted by Log4j flaw, Google warns

The Google Open Source Team scanned the Maven Central Java package repository and found that 35,863 packages (8% of the total) were using versions of the Apache Log4j library vulnerable to Log4Shell exploit and to the CVE-2021-45046 RCE.

“More than 35,000 Java packages, amounting to over 8% of the Maven Central repository (the most significant Java package repository), have been impacted by the recently disclosed log4j vulnerabilities (12), with widespread fallout across the software industry.” reads the report published by Google. “As far as ecosystem impact goes, 8% is enormous.”

The Google experts used the Open Source Insights, a project used to determine open source dependencies, to assess all versions of all artifacts in the Maven Central Repository.

The experts pointed out that the direct dependencies account for around 7,000 of the affected packages. Most of the affected artifacts are related to indirect dependencies.

log4j

“The deeper the vulnerability is in a dependency chain, the more steps are required for it to be fixed. The following diagram shows a histogram of how deeply an affected log4j package (core or api) first appears in consumers dependency graphs.” reads the post published by the researchers. “For greater than 80% of the packages, the vulnerability is more than one level deep, with a majority affected five levels down (and some as many as nine levels down). These packages will require fixes throughout all parts of the tree, starting from the deepest dependencies first.”

But since the vulnerability was disclosed, 13% of all vulnerable packages have been fixed (4,620).

How long will it take for this vulnerability to be fixed across the entire ecosystem?

Log4j Java Programmer Programming Coding Funny Tote Bag

Tags: Java packages, Log4j, Log4shell

Dec 20 2021

Log4Shell: The Movie… a short, safe visual tour for work and home

Category: Log Management,Log4j,Security vulnerabilitiesDISC @ 11:52 am
Log4Shell: The Movie… a short, safe visual tour for work and home

As Christmas 2021 approaches, spare a thought for your sysamins, for your IT team, and for your cybersecurity staff.

There may be plenty of mice stirring all through the IT house right up to Christmas Eve…

…because that’s the deadline set by the US Cybersecurity and Infrastructure Security Agency (CISA) for patching the infamous Log4Shell vulnerability, a dangerously exploitable flaw in Apache’s widely used Log4j (Logging for Java) programming toolkit.

Since news first broke of the problem on 09 December 2021, Apache has a-patched the code not once but three times, variously fixing CVE-2021-44228 with version 2.15.0, quickly followed by 2.16.0 to fix a related bug dubbed CVE-2021-45046, foillowed quickly yet again by 2.17.0 to deal with CVE-2021-45105.

Why the pressure from CISA? Why the rush when we’re supposed to enjoying a global holiday season? Why not wait until New Year and deal with things then?

Here’s why your sysadmins are taking one (three, actually) for the team…

Log4Shell Response and Mitigation Recommendations

Advisory: 2021-007: Log4j vulnerability – advice and mitigations

Apache Log4j 2 v. 2.17.0 User’s Guide

Tags: Log4j, Log4shell

Dec 17 2021

Serious Security: OpenSSL fixes “error conflation” bugs – how mixing up mistakes can lead to trouble

Category: App Security,Security vulnerabilitiesDISC @ 12:32 pm
Serious Security: OpenSSL fixes “error conflation” bugs – how mixing up mistakes can lead to trouble

OpenSSL publishes updates

Well, in case you missed it, the renowned OpenSSL cryptographic toolkit – a free and open source software product that we’re guessing is installed somewhere between one and three orders of magnitude more widely than Log4J – also published updates this week.

OpenSSL 1.1.1m replaces 1.1.1l (those last characters are M-for-Mike and L-for-Lima), and OpenSSL 3.0.1 replaces 3.0.0.

In case you were wondering, the popular X.Y.Z versioning scheme used by OpenSSL 3 was introduced at least in part to avoid the confusion caused by the trailing letter in the earlier version “numbering” system. As for OpenSSL 2, there wasn’t one. Only the 1.1.1 and the 3.0 series are currently supported, so updating versions such as OpenSSL 1.0.x means jumping to 1.1.1m, or directly to the OpenSSL 3 series.

“Applications may not behave correctly”

The good news is that the OpenSSL 1.1.1m release notes don’t list any CVE-numbered bugs, suggesting that although this update is both desirable and important (OpenSSL releases are infrequent enough that you can assume they arrive with purpose), you probably don’t need to consider it critical just yet.

But those of you who have already moved forwards to OpenSSL 3 – and, like your tax return, it’s ultimately inevitable, and somehow a lot easier if you start sooner – should note that OpenSSL 3.0.1 patches a security risk dubbed CVE-2021-4044.

As far as we’re aware, there are no viable known exploits for this bug, but as the OpenSSL release notes point out:

[The error code that may be returned due to the bug] will be totally unexpected and applications may not behave correctly as a result. The exact behaviour will depend on the application but it could result in crashes, infinite loops or other similar incorrect responses.

In theory, a precisely written application ought not to be dangerously vulnerable to this bug, which is caused by what we referred to in the headline as error conflation, which is really just a fancy way of saying, “We gave you the wrong result.”

Simply put, some internal errors in OpenSSL – a genuine but unlikely error, for example, such as running out of memory, or a flaw elsewhere in OpenSSL that provokes an error where there wasn’t one – don’t get reported correctly.

Instead of percolating back to your application precisely, these errors get “remapped” as they are passed back up the call chain in OpenSSL, where they ultimately show up as a completely different sort of error.

You can see a contrived but explanatory example of bugs of this sort in this code:

Bulletproof SSL and TLS: Understanding and Deploying SSL/TLS and PKI to Secure Servers and Web Applications

Tags: Bulletproof SSL and TLS:, OpenSSL

Dec 16 2021

Active scanning for Apache Log4j 2

Category: Log Management,Log4j,Security vulnerabilitiesDISC @ 3:56 pm

Active-scanning-for-Apache-Log4j-2-1Download

Tags: Apache Log4j 2

Dec 16 2021

Apple security updates are out – and not a Log4Shell mention in sight

Category: Log4j,Security patching,Security vulnerabilitiesDISC @ 10:26 am
Apple security updates are out – and not a Log4Shell mention in sight

Amongst all the brouhaha about Log4Shell, it’s easy to forget all the other updates that surround us.

Not only is it Patch Tuesday (keep your eye on our sister site news.sophos.com for the latest on that score later in the day)…

…but it’s also time to check your Apple devices, because Apple just pushed out a slew of its they-arrive-when-they’re-ready-and-don’t-expect-any-warning security patches.

The updated versions you’re looking for are:

As for iOS 14 and iOS 12, which are the official previous and pre-previous iPhone operating systems (in the same way that Big Sur and Catalina are the previous incarnations of macOS), there’s no sign of any updates for them.

Observant readers will notice that the URLs in the list above form an unbroken numeric sequence except for a gap at HT212977, so whether that’s a space left open for a delayed update for iOS 14 or not we can’t tell you…

…but we did notice that Apple’s main security noticeboard page, HT201222, still [2021-12-14T12:00Z] doesn’t mention the updates listed above.

In the past, we’ve noticed an apparent correlation between delayed updates for individual platforms and delayed listings on HT201222, but we have no idea whether that is coincidence rather that true correlation, or a desire on Apple’s part to hold off updating the central listing until all the new versions can be displayed in one go.

(Apple, as you know, has an official policy of saying as little as possible about updates and update cycles, so we shall have to wait and see.)

What about Log4Shell?

Apple Device Management

MacOS and iOS Internals

Tags: Apple Device Management, Apple security updates

Dec 16 2021

While attackers begin exploiting a second Log4j flaw, a third one emerges

Category: App Security,Log4j,Security vulnerabilitiesDISC @ 9:54 am
While attackers begin exploiting a second Log4j flaw, a third one emerges

Experts warn that threat actors are actively attempting to exploit a second bug disclosed in the popular Log4j logging library.

American web infrastructure and website security company Cloudflare warns that threat actors are actively attempting to exploit a second vulnerability, tracked as CVE-2021-45046, disclosed in the Log4j library.

The CVE-2021-45046 received a CVSS score of 3.7 and affects Log4j versions from 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0 (which was released to fix CVE-2021-44228).

The Apache Software Foundation (ASF) has already released a patch for the Log4Shell vulnerability (CVE-2021-44228), but this fix partially address the flaw in certain non-default configurations. An attacker with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) can craft malicious input data using a JNDI Lookup pattern triggering a denial of service (DOS) condition.

Both issues were assessed with the release of Log4j 2.16.0 version that addresses the CVE-2021-45046 by removing support for message lookup patterns and disabling JNDI functionality by default.

“Hot on the heels of CVE-2021-44228 a second Log4J CVE has been filed CVE-2021-45046. The rules that we previously released for CVE-2021-44228 give the same level of protection for this new CVE.” states CloudFlare.”This vulnerability is actively being exploited and anyone using Log4J should update to version 2.16.0 as soon as possible, even if you have previously updated to 2.15.0. The latest version can be found on the Log4J download page.”

The bad news are not ended, because researchers at security firm Praetorian warned of a third security vulnerability the Log4j version 2.15.0 that was released to fix the initial Log4Shell.

This third vulnerability can be exploited by attackers to exfiltrate sensitive data in certain circumstances.

“However, in our research we have demonstrated that 2.15.0 can still allow for exfiltration of sensitive data in certain circumstances. We have passed technical details of the issue to the Apache Foundation, but in the interim, we strongly recommend that customers upgrade to 2.16.0 as quickly as possible.” states the post published by Praetorian.

This image has an empty alt attribute; its file name is image-13.png

Secure By Design

Secure Software Development Fundamentals Professional Certificate

Tags: Log4j, Log4shell, Secure By Design

Dec 15 2021

Log4Shell: A new fix, details of active attacks, and risk mitigation recommendations

Category: Log4j,Security vulnerabilitiesDISC @ 1:22 pm
Log4Shell: A new fix, details of active attacks, and risk mitigation recommendations

New versions of Log4j

The recent discovery of a second Log4j vulnerability (CVE-2021-45046) has shown that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations.

This vulnerability could allow attackers to craft malicious input data using a JNDI Lookup pattern, resulting in a denial of service (DoS) attack.

“Note that previous mitigations involving configuration such as to set the system property ‘log4j2.noFormatMsgLookup’ to ‘true’ do NOT mitigate this specific vulnerability,” the Apache Log4j security team noted.

“Log4j 2.16.0 fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default. This issue can be mitigated in prior releases (<2.16.0) by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class).” The team advises users either to upgrade to version 2.12.2 (for Java 7) or 2.16.0 (for Java 8 or later), in which the Message Lookups feature has been removed and access to JNDI has been disabled by default, and explained why some of the mitigation measures shared a few days ago are incomplete.

Active exploitation

PoCs are constantly popping up on GitHub and getting forked. GitHub is steadily working on removing them, but the proverbial cat is now out of the bag, and there is no going back.

Exploitation attempts detected so far in the wild can be tied to ransomware groups and access brokers, botnet herders (delivering coin miners), and nation-backed APTs.

“The way modern products are built is using a big hierarchy of dependencies, where developers use libraries written by third-party companies and engineers to speed up the software release process. Log4J is an extremely basic library that allows log writing in Java applications. The way CVE-2021-44228 affects comes in 3 layers – cloud products that directly use the Log4J, web applications that use libraries that use Log4J, and off-the-shelf software which is internally deployed on customer servers and endpoints,” says Michael Assraf, CEO at Vicarius.

“As fixing and deploying cloud applications can be fast, updating libraries that use Log4J can break functionality unless done with caution. The most problematic fixes are internally deployed software, which will have to wait for a vendor update or a security patch, in that scenario customers are advised to wait on further vendor guidance and as of right now are helpless in reacting. Examples include: Elasticsearch, Intellij IDE, Jira Confluence, Apache Tomcat, Minecraft, Apache Hadoop, Eclipse IDE, and many more.”

Gallagher says that the most immediate priority for defenders is to reduce exposure by patching and mitigating all corners of their infrastructure and investigate exposed and potentially compromised systems.

“Where systems have been identified as vulnerable, defenders should run an incident response process and monitor for signs of remote access trojans such as C2 call-backs. Secrets stored on exposed systems should also be rotated, particularly if they are exposed in environment variables. Lastly, consider critical third party vendors who may also be at risk,” he advised.

Mathew Eble, VP of Services at Praetorian, also warned the issue will be prone to false negatives.

“Externally there is no way to cover all the possible paths that exploitation can take. Even when external scanning tools get more sophisticated in how they identify the issue, we strongly advocate not relying on scan results as strong indicator of your risk,” he noted.

This recommendation is based on four issues the company has confirmed when working with customers. Based on this, they have expanded their initial recommendations for defenders.

Log4Shell mitigation

Secure By Design

Secure Software Development Fundamentals Professional Certificate

Tags: Log4j, Log4shell, Secure By Design

Dec 13 2021

Microsoft vulnerabilities have grave implications for organizations of all sizes

Category: Security vulnerabilitiesDISC @ 10:02 am
Microsoft vulnerabilities have grave implications for organizations of all sizes

Over 1 million companies worldwide and over 731,000 companies in the U.S. use Office 365, and though Microsoft offers no hard stats, some sources suggest there are over 90,000 Microsoft partners facilitating services and products for clients. It’s no wonder, then, that vulnerabilities in Microsoft solutions are an attractive attack vector.

So far in 2021, the 12 most notable critical Microsoft vulnerabilities fall within five major threat categories:

Tags: Microsoft vulnerabilities

« Previous PageNext Page »