Microsoft Edge Bug Could Have Allowed Attackers to Silently Install Malicious Extensions
Wed, 27 Mar 2024 13:08:10 +0000
http://www.indiavpn.org/2024/03/27/microsoft-edge-bug-could-have-allowed-attackers-to-silently-install-malicious-extensions/

Mar 27, 2024 | Newsroom | Vulnerability / API Security


A now-patched security flaw in the Microsoft Edge web browser could have been abused to install arbitrary extensions on users’ systems and carry out malicious actions.

“This flaw could have allowed an attacker to exploit a private API, initially intended for marketing purposes, to covertly install additional browser extensions with broad permissions without the user’s knowledge,” Guardio Labs security researcher Oleg Zaytsev said in a new report shared with The Hacker News.

Tracked as CVE-2024-21388 (CVSS score: 6.5), it was addressed by Microsoft in Edge stable version 121.0.2277.83 released on January 25, 2024, following responsible disclosure in November 2023. The Windows maker credited both Zaytsev and Jun Kokatsu for reporting the issue.

“An attacker who successfully exploited this vulnerability could gain the privileges needed to install an extension,” Microsoft said in an advisory for the flaw, adding it “could lead to a browser sandbox escape.”


Describing it as a privilege escalation flaw, the tech giant also emphasized that a successful exploitation of the bug requires an attacker to “take additional actions prior to exploitation to prepare the target environment.”

According to Guardio’s findings, CVE-2024-21388 allowed an attacker able to run JavaScript on bing[.]com or microsoft[.]com pages to install any extension from the Edge Add-ons store without the user’s consent or interaction.

This is possible because Edge exposes certain private APIs to its own first-party web pages, and those APIs can install an add-on without a prompt as long as it comes from the vendor’s own extension marketplace.

One such API in the Chromium-based Edge browser is edgeMarketingPagePrivate, which is accessible from a set of allowlisted websites that belong to Microsoft, including bing[.]com, microsoft[.]com, microsoftedgewelcome.microsoft[.]com, and microsoftedgetips.microsoft[.]com, among others.

The API includes a method called installTheme() that, as the name implies, installs a theme from the Edge Add-ons store when given a theme identifier (“themeId”) and its manifest file as input.


The bug Guardio identified is essentially a case of insufficient input validation: installTheme() did not verify that the supplied identifier actually referred to a theme, so an attacker could pass the identifier of any extension in the storefront (rather than a themeId) and have it installed silently.

“As an added bonus, as this extension installation is not done quite in the manner it was originally designed for, there will be no need for any interaction or consent from the user,” Zaytsev explained.
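The validation gap described above, as an added illustration rather than Edge’s own source (which the article does not reproduce): a simplified model of an install-by-store-id handler, with the unchecked behaviour next to a version that refuses anything that is not a theme. The store ids, names and manifests are constructed, and the model resolves a manifest from a catalogue rather than taking one as an argument the way installTheme() does. The check relies on the fact that a Chromium theme manifest consists of a top-level “theme” object and cannot legitimately carry permissions, background scripts or content scripts.

```javascript
// Added example, not Microsoft's or Guardio's code. A simplified model of an
// "install a theme by store id" handler: the unchecked version accepts any
// store id, as the article describes, while the checked version verifies that
// the store item really is a theme. Store ids, names and manifests below are
// constructed for illustration.

const STORE = {
  // A genuine theme: the manifest's only payload is the "theme" block.
  "theme0000000000000000000000000001": {
    name: "Midnight",
    manifest_version: 3,
    theme: { colors: { frame: [20, 20, 40], toolbar: [40, 40, 70] } },
  },
  // A full extension that asks for broad permissions and runs code.
  "extn00000000000000000000000000002": {
    name: "Shopping Helper",
    manifest_version: 3,
    permissions: ["tabs", "webRequest", "storage"],
    host_permissions: ["<all_urls>"],
    background: { service_worker: "bg.js" },
  },
};

// Manifest keys that grant code execution or API access. A Chromium theme is
// a manifest with a top-level "theme" object and none of these.
const CODE_BEARING_KEYS = [
  "permissions", "host_permissions", "optional_permissions",
  "background", "content_scripts", "action", "web_accessible_resources",
];

function isThemeManifest(manifest) {
  if (!manifest || typeof manifest.theme !== "object" || manifest.theme === null) {
    return false;
  }
  return !CODE_BEARING_KEYS.some((key) => key in manifest);
}

function grantedPermissions(manifest) {
  return [...(manifest.permissions ?? []), ...(manifest.host_permissions ?? [])];
}

// Flawed model: the id is trusted to name a theme, so whatever the store
// returns for it is installed, permissions and all, with no prompt.
function installThemeUnchecked(themeId, installed = []) {
  const manifest = STORE[themeId];
  if (!manifest) throw new Error(`unknown store id ${themeId}`);
  installed.push({ id: themeId, name: manifest.name, permissions: grantedPermissions(manifest) });
  return installed;
}

// Checked model: refuse anything whose manifest is not a theme, so the
// prompt-free install path cannot be used to pull in a code-bearing extension.
function installThemeChecked(themeId, installed = []) {
  const manifest = STORE[themeId];
  if (!manifest) throw new Error(`unknown store id ${themeId}`);
  if (!isThemeManifest(manifest)) {
    throw new Error(`refusing ${themeId}: store item "${manifest.name}" is not a theme`);
  }
  installed.push({ id: themeId, name: manifest.name, permissions: [] });
  return installed;
}

// Demonstration: the unchecked path silently installs the extension,
// the checked path rejects it and still installs the real theme.
console.log(installThemeUnchecked("extn00000000000000000000000000002"));
try {
  installThemeChecked("extn00000000000000000000000000002");
} catch (err) {
  console.log(err.message);
}
console.log(installThemeChecked("theme0000000000000000000000000001"));
```

The point of the checked version is that the type of the store item is established from its manifest, not from the name of the API that was called or the parameter name the caller used.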


In a hypothetical attack scenario leveraging CVE-2024-21388, a threat actor could publish a seemingly harmless extension to the Add-ons store, use it to inject malicious JavaScript into bing[.]com (or any other site allowed to call the API), and from there invoke the API with the identifier of an arbitrary extension to have it installed.

Put differently, once the victim has installed the crafted extension, simply visiting bing[.]com in Edge would cause the targeted extension to be installed without their permission.

Guardio told The Hacker News that while there is no evidence of this bug being exploited in the wild, it highlights the need to balance user convenience against security, and how browser customizations can inadvertently defeat security mechanisms and introduce new attack vectors.

“It’s relatively easy for attackers to trick users into installing an extension that appears harmless, not realizing it serves as the initial step in a more complex attack,” Zaytsev said. “This vulnerability could be exploited to facilitate the installation of additional extensions, potentially for monetary gain.”

Ivanti Vulnerability Exploited to Install ‘DSLog’ Backdoor on 670+ IT Infrastructures
Tue, 13 Feb 2024 08:05:03 +0000
http://www.indiavpn.org/2024/02/13/ivanti-vulnerability-exploited-to-install-dslog-backdoor-on-670-it-infrastructures/

Feb 13, 2024 | Newsroom | Vulnerability / Cyber Threat


Threat actors are leveraging a recently disclosed security flaw impacting Ivanti Connect Secure, Policy Secure, and ZTA gateways to deploy a backdoor codenamed DSLog on susceptible devices.

That’s according to findings from Orange Cyberdefense, which said it observed exploitation of CVE-2024-21893 within hours of the public release of proof-of-concept (PoC) code.

CVE-2024-21893, which Ivanti disclosed late last month alongside CVE-2024-21888, is a server-side request forgery (SSRF) vulnerability in the SAML module that, if successfully exploited, could permit access to otherwise restricted resources without any authentication.

The Utah-based company has since acknowledged that the flaw has been used in limited targeted attacks, although the exact scale of the compromises is unclear.


Then, last week, the Shadowserver Foundation revealed a surge in exploitation attempts targeting the vulnerability originating from over 170 unique IP addresses, shortly after both Rapid7 and AssetNote shared additional technical specifics.

Orange Cyberdefense’s latest analysis shows that compromises have been detected as early as February 3, with the attack targeting an unnamed customer to inject a backdoor that grants persistent remote access.

“The backdoor is inserted into an existing Perl file called ‘DSLog.pm,'” the company said, highlighting an ongoing pattern in which existing legitimate components – in this case, a logging module – are modified to add the malicious code.


The DSLog implant also includes measures to hamper analysis and detection, among them a unique hash embedded per appliance, so that a hash recovered from one device cannot be used to contact the backdoor on another.

To issue commands, the attackers send an HTTP request to the appliance with that same hash in the User-Agent header; when it matches, the backdoor extracts the command to execute from a query parameter called “cdi”, decodes it, and runs it as the root user.

“The web shell does not return status/code when trying to contact it,” Orange Cyberdefense said. “There is no known way to detect it directly.”
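The command channel described above, as an added detection heuristic that is not Orange Cyberdefense’s or Ivanti’s code: it scans access log lines for requests carrying a “cdi” query parameter and flags those whose User-Agent looks like a bare hash. It only helps where request logs survive or have been forwarded to a remote collector, since, as noted below, the attackers were seen erasing “.access” logs. The log format, the hash length (32 to 64 hex characters) and the use of base64 for the command are assumptions; the sample lines, addresses, request path, hash and commands are constructed.

```javascript
// Added example, not Orange Cyberdefense's or Ivanti's code. Scans web access
// log lines for requests that carry a "cdi" query parameter and flags those
// whose User-Agent looks like a bare hash. Assumptions: a combined-log-format
// line whose last quoted field is the User-Agent, a 32-to-64-hex-character
// per-appliance hash as the User-Agent, and base64 encoding of the command
// (the article says the instruction is decoded; the encoding is assumed).

// Constructed sample log lines: addresses, path, hash and commands are invented.
const SAMPLE_LOG = [
  '203.0.113.7 - - [03/Feb/2024:11:42:01 +0000] "GET /app/example.cgi HTTP/1.1" 200 4321 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
  '198.51.100.23 - - [03/Feb/2024:11:42:09 +0000] "GET /app/example.cgi?cdi=aWQ7dW5hbWUgLWE= HTTP/1.1" 200 0 "-" "3f2a9c1e8b7d4f6a5c0e1b2d3a4f5e6c"',
  '198.51.100.23 - - [03/Feb/2024:11:43:15 +0000] "GET /app/example.cgi?cdi=Y2F0IC9ldGMvcGFzc3dk HTTP/1.1" 200 0 "-" "3f2a9c1e8b7d4f6a5c0e1b2d3a4f5e6c"',
  '192.0.2.55 - - [03/Feb/2024:11:44:00 +0000] "GET /app/example.cgi?cdi=notbase64!! HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
];

// src, method, path, status, user-agent (last quoted field).
const LINE_RE = /^(\S+) \S+ \S+ \[[^\]]+\] "(\w+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"$/;
const HASH_UA_RE = /^[0-9a-f]{32,64}$/i;   // assumed shape of the per-appliance hash
const BASE64_RE = /^[A-Za-z0-9+/]+={0,2}$/;

// Pull one query parameter out of a request path without URLSearchParams,
// which would turn a "+" inside base64 into a space.
function queryParam(path, name) {
  const q = path.indexOf("?");
  if (q < 0) return null;
  for (const pair of path.slice(q + 1).split("&")) {
    const eq = pair.indexOf("=");
    const key = eq < 0 ? pair : pair.slice(0, eq);
    if (key === name) return eq < 0 ? "" : decodeURIComponent(pair.slice(eq + 1));
  }
  return null;
}

// Decode the assumed base64 command; return null if it is not valid base64
// or does not decode to printable ASCII, so binary noise is not reported as a command.
function decodeCommand(raw) {
  if (!BASE64_RE.test(raw) || raw.length % 4 !== 0) return null;
  const text = Buffer.from(raw, "base64").toString("utf8");
  return /^[\x20-\x7e]+$/.test(text) ? text : null;
}

// Returns one finding per line that carries a "cdi" parameter; a finding is
// marked likelyDslog only when the parameter decodes to a command AND the
// User-Agent is a bare hash, which is the pairing the article describes.
function scanAccessLog(lines) {
  const findings = [];
  lines.forEach((line, index) => {
    const m = LINE_RE.exec(line);
    if (!m) return;
    const [, src, , path, , userAgent] = m;
    const cdi = queryParam(path, "cdi");
    if (cdi === null) return;
    const command = decodeCommand(cdi);
    const uaLooksLikeHash = HASH_UA_RE.test(userAgent);
    findings.push({
      line: index + 1,
      src,
      userAgent,
      uaLooksLikeHash,
      cdi,
      command,
      likelyDslog: command !== null && uaLooksLikeHash,
    });
  });
  return findings;
}

console.log(JSON.stringify(scanAccessLog(SAMPLE_LOG), null, 2));
```

A “cdi” parameter on its own is only a weak signal (the last sample line shows a request that carries one but decodes to nothing), so the heuristic keys on the combination with a hash-shaped User-Agent; in a real deployment the regexes would be tuned to the appliance’s actual log format and the hash format observed in the incident.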


It further observed evidence of threat actors erasing “.access” logs on “multiple” appliances in a bid to cover up the forensic trail and fly under the radar.

But by checking the artifacts that were created when triggering the SSRF vulnerability, the company said it was able to detect 670 compromised assets during an initial scan on February 3, a number that has dropped to 524 as of February 7.

In light of the continued exploitation of Ivanti devices, it’s highly recommended that “all customers factory reset their appliance before applying the patch to prevent the threat actor from gaining upgrade persistence in your environment.”
