Critical Cisco Flaw Lets Hackers Remotely Take Over Unified Comms Systems
http://www.indiavpn.org/2024/01/26/critical-cisco-flaw-lets-hackers-remotely-take-over-unified-comms-systems/

Jan 26, 2024 | Newsroom | Network Security / Vulnerability


Cisco has released patches to address a critical security flaw impacting Unified Communications and Contact Center Solutions products that could permit an unauthenticated, remote attacker to execute arbitrary code on an affected device.

Tracked as CVE-2024-20253 (CVSS score: 9.9), the issue stems from improper processing of user-provided data; an attacker could exploit it by sending a specially crafted message to a listening port on a susceptible appliance.

“A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system with the privileges of the web services user,” Cisco said in an advisory. “With access to the underlying operating system, the attacker could also establish root access on the affected device.”


Synacktiv security researcher Julien Egloff has been credited with discovering and reporting CVE-2024-20253. The following products are impacted by the flaw:

  • Unified Communications Manager (versions 11.5, 12.5(1), and 14)
  • Unified Communications Manager IM & Presence Service (versions 11.5(1), 12.5(1), and 14)
  • Unified Communications Manager Session Management Edition (versions 11.5, 12.5(1), and 14)
  • Unified Contact Center Express (versions 12.0 and earlier and 12.5(1))
  • Unity Connection (versions 11.5(1), 12.5(1), and 14), and
  • Virtualized Voice Browser (versions 12.0 and earlier, 12.5(1), and 12.5(2))

There are no workarounds that address the shortcoming. Where the updates cannot be applied immediately, the networking equipment maker urges users to set up access control lists so that only the ports of deployed services are reachable.


“Establish access control lists (ACLs) on intermediary devices that separate the Cisco Unified Communications or Cisco Contact Center Solutions cluster from users and the rest of the network to allow access only to the ports of deployed services,” the company said.

The disclosure arrives weeks after Cisco shipped fixes for a security flaw in Unity Connection that the company rates critical (CVE-2024-20272, CVSS score: 7.3), which could permit an unauthenticated, remote adversary to upload arbitrary files to an affected system and execute commands on the underlying operating system.

Google Kubernetes Misconfig Lets Any Gmail Account Control Your Clusters
http://www.indiavpn.org/2024/01/24/google-kubernetes-misconfig-lets-any-gmail-account-control-your-clusters/

Jan 24, 2024 | Newsroom | Cloud Security / Kubernetes


Cybersecurity researchers have discovered a loophole impacting Google Kubernetes Engine (GKE) that could be potentially exploited by threat actors with a Google account to take control of a Kubernetes cluster.

The critical shortcoming has been codenamed Sys:All by cloud security firm Orca. As many as 250,000 active GKE clusters in the wild are estimated to be susceptible to the attack vector.

In a report shared with The Hacker News, security researcher Ofir Yakobi said it “stems from a likely widespread misconception that the system:authenticated group in Google Kubernetes Engine includes only verified and deterministic identities, whereas in fact, it includes any Google authenticated account (even outside the organization).”


The system:authenticated group is a built-in Kubernetes group that contains every authenticated entity, human users and service accounts alike. In GKE it is far broader than many administrators assume, because any Google account authenticates successfully, so granting the group an overly permissive role has serious consequences.

Specifically, an external threat actor in possession of a Google account could misuse this misconfiguration by using their own Google OAuth 2.0 bearer token to seize control of the cluster for follow-on exploitation such as lateral movement, cryptomining, denial-of-service, and sensitive data theft.

To make matters worse, this approach does not leave a trail in a manner that can be linked back to the actual Gmail or Google Workspace account that obtained the OAuth bearer token.

Sys:All has been found to impact numerous organizations, leading to the exposure of various sensitive data, such as JWT tokens, GCP API keys, AWS keys, Google OAuth credentials, private keys, and credentials to container registries, the last of which could then be used to trojanize container images.

Following responsible disclosure to Google, the company has taken steps to block the binding of the system:authenticated group to the cluster-admin role in GKE versions 1.28 and later.

“To help secure your clusters against mass malware attacks that exploit cluster-admin access misconfigurations, GKE clusters running version 1.28 and later won’t allow you to bind the cluster-admin ClusterRole to the system:anonymous user or to the system:unauthenticated or system:authenticated groups,” Google now notes in its documentation.


Google also recommends that users not bind the system:authenticated group to any RBAC role, and that they check whether their clusters contain bindings to the group, both ClusterRoleBindings and RoleBindings, and remove any that are unsafe.

Orca has also warned that while there is no public record of a large-scale attack utilizing this method, it could be only a matter of time, necessitating that users take appropriate steps to secure their cluster access controls.

“Even though this is an improvement, it is important to note that this still leaves many other roles and permissions that can be assigned to the group,” the company said.
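The audit Google recommends, as an added example that is not Orca's or Google's code: the script below walks RBAC bindings in the JSON shape that kubectl get clusterrolebindings,rolebindings -A -o json produces, reports every binding (not only cluster-admin) that names system:authenticated, system:unauthenticated or system:anonymous, and emits the kubectl commands that remove the grant. The three ClusterRoleBindings that Kubernetes itself creates for system:authenticated are allowlisted; the sample cluster data is constructed so the script runs offline.

```python
"""Audit Kubernetes RBAC for grants to the catch-all principals.

Added example (not Orca's or Google's tooling). Input is the JSON shape of
`kubectl get clusterrolebindings,rolebindings -A -o json`; the sample below
is constructed to mimic that output so the script runs offline.
"""
import json

# Every caller with a valid credential is in system:authenticated; in GKE that
# is any Google account. The other two principals are broader still.
RISKY_SUBJECTS = {
    ("Group", "system:authenticated"),
    ("Group", "system:unauthenticated"),
    ("User", "system:anonymous"),
}

# Kubernetes binds these ClusterRoles to system:authenticated by default so
# clients can discover the API; they expose no workload data, so they are
# allowlisted. Everything else bound to a risky subject is reported.
KUBERNETES_DEFAULT_BINDINGS = {
    "system:basic-user",
    "system:discovery",
    "system:public-info-viewer",
}

# Constructed sample: one default binding, one cluster-wide cluster-admin grant
# to every Google account, one namespaced read grant, one legitimate admin group.
SAMPLE_BINDINGS_JSON = """
{
  "kind": "List",
  "items": [
    {"kind": "ClusterRoleBinding",
     "metadata": {"name": "system:basic-user"},
     "roleRef": {"kind": "ClusterRole", "name": "system:basic-user"},
     "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
    {"kind": "ClusterRoleBinding",
     "metadata": {"name": "debug-everyone"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
    {"kind": "RoleBinding",
     "metadata": {"name": "log-readers", "namespace": "prod"},
     "roleRef": {"kind": "ClusterRole", "name": "view"},
     "subjects": [{"kind": "User", "name": "alice@example.com"},
                  {"kind": "Group", "name": "system:authenticated"}]},
    {"kind": "ClusterRoleBinding",
     "metadata": {"name": "platform-admins"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "platform-admins@example.com"}]}
  ]
}
"""


def load_sample():
    return json.loads(SAMPLE_BINDINGS_JSON)["items"]


def find_risky_bindings(items):
    """One finding per (binding, risky subject) pair, default bindings excluded."""
    findings = []
    for item in items:
        kind = item["kind"]
        name = item["metadata"]["name"]
        namespace = item["metadata"].get("namespace")
        if kind == "ClusterRoleBinding" and name in KUBERNETES_DEFAULT_BINDINGS:
            continue
        subjects = item.get("subjects") or []
        for index, subject in enumerate(subjects):
            if (subject.get("kind"), subject.get("name")) in RISKY_SUBJECTS:
                findings.append({
                    "kind": kind, "namespace": namespace, "name": name,
                    "role": item["roleRef"]["name"], "subject": subject["name"],
                    "subject_index": index, "subject_count": len(subjects),
                })
    return findings


def remediation_commands(findings):
    """kubectl commands that drop the risky subject, deleting the binding if it
    was the only subject. Patches for one binding are ordered highest index
    first so an earlier removal does not shift a later index."""
    ordered = sorted(findings, key=lambda f: (f["kind"], f["namespace"] or "",
                                              f["name"], -f["subject_index"]))
    commands = []
    for f in ordered:
        resource = "clusterrolebinding" if f["kind"] == "ClusterRoleBinding" else "rolebinding"
        ns = f"-n {f['namespace']} " if f["namespace"] else ""
        if f["subject_count"] == 1:
            commands.append(f"kubectl delete {resource} {ns}{f['name']}")
        else:
            patch = json.dumps([{"op": "remove", "path": f"/subjects/{f['subject_index']}"}])
            commands.append(f"kubectl patch {resource} {ns}{f['name']} --type=json -p '{patch}'")
    return commands


if __name__ == "__main__":
    found = find_risky_bindings(load_sample())
    for f in found:
        where = f"{f['namespace']}/" if f["namespace"] else ""
        print(f"{f['kind']} {where}{f['name']}: {f['subject']} -> {f['role']}")
    for cmd in remediation_commands(found):
        print(cmd)
```

On the sample the script flags the cluster-wide cluster-admin grant and the namespaced view grant and leaves the default system:basic-user binding and the named admin group alone. Against a live cluster, replace load_sample() with json.loads of the kubectl output; review each emitted command before running it, since a binding that mixes legitimate subjects with the catch-all group is patched rather than deleted.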

New Flaw Lets Attackers Bypass Security and Spoof Emails
http://www.indiavpn.org/2024/01/03/new-flaw-lets-attackers-bypass-security-and-spoof-emails/

Jan 03, 2024 | Newsroom | Cyber Threat / Email Security


A new exploitation technique called Simple Mail Transfer Protocol (SMTP) smuggling can be weaponized by threat actors to send spoofed emails with fake sender addresses while bypassing security measures.

“Threat actors could abuse vulnerable SMTP servers worldwide to send malicious emails from arbitrary email addresses, allowing targeted phishing attacks,” Timo Longin, a senior security consultant at SEC Consult, said in an analysis published last month.

SMTP is a TCP/IP protocol used to send email over a network. To hand a message to its outbound server, an email client (the mail user agent) opens an SMTP connection, states the envelope sender and recipients, and then transmits the message content after the DATA command, ending it with the end-of-data sequence: a line containing only a dot, i.e. <CRLF>.<CRLF>.


The receiving server, acting as a mail transfer agent (MTA), then checks the recipient's domain; if it is not one the server handles itself, it queries the domain name system (DNS) for the domain's MX (mail exchanger) record and relays the message to that server over a further SMTP connection.

The crux of SMTP smuggling is rooted in the inconsistencies that arise when outbound and inbound SMTP servers handle end-of-data sequences differently, potentially enabling threat actors to break out of the message data, “smuggle” arbitrary SMTP commands, and even send separate emails.


It borrows the concept from a known attack method known as HTTP request smuggling, which takes advantage of discrepancies in the interpretation and processing of the “Content-Length” and “Transfer-Encoding” HTTP headers to prepend an ambiguous request to the inbound request chain.
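The discrepancy described above, as an added example that is not SEC Consult's tooling: the model below has an outbound relay that recognises only <CRLF>.<CRLF> as end-of-data and an inbound server that additionally accepts <LF>.<LF> and <CR>.<CR>. A message body carrying a bare-LF terminator followed by a second envelope passes the relay intact, and the inbound side splits it into two messages, the second with a sender the attacker chose. The two hardening switches show the fix on either side: the relay canonicalising line breaks and dot-stuffing before forwarding, or the receiver honouring only the standard terminator. The terminator sets, the envelope and the message bytes are constructed for the demonstration; the lenient set stands for any tolerant receiver, not a specific product.

```python
"""Model of SMTP smuggling (added example, not SEC Consult's code).

Outbound relay honours only <CRLF>.<CRLF>; a lenient inbound server also
accepts <LF>.<LF> and <CR>.<CR>. Terminator sets, envelope and message bytes
are constructed for the demonstration.
"""
import re

STRICT_EOD = [b"\r\n.\r\n"]                       # RFC 5321 end-of-data only
LENIENT_EOD = [b"\r\n.\r\n", b"\n.\n", b"\r.\r"]  # assumed tolerant receiver

CLIENT_ENVELOPE = {"mail_from": b"<newsletter@trusted.example>",
                   "rcpt_to": [b"<victim@target.example>"]}

# Constructed DATA content: a harmless message whose body carries a bare-LF
# terminator followed by a complete second envelope and message.
SMUGGLED_BODY = (
    b"From: newsletter@trusted.example\r\n"
    b"Subject: weekly update\r\n"
    b"\r\n"
    b"Nothing to see here.\n"
    b".\n"
    b"MAIL FROM:<ceo@trusted.example>\r\n"
    b"RCPT TO:<cfo@target.example>\r\n"
    b"DATA\r\n"
    b"From: ceo@trusted.example\r\n"
    b"Subject: urgent wire transfer\r\n"
    b"\r\n"
    b"Please pay the attached invoice today."
)

_LINE_BREAK = re.compile(rb"\r?\n")


def split_data_section(stream, terminators):
    """Cut at the earliest accepted terminator -> (content, bytes after it);
    (None, stream) if no terminator has arrived yet."""
    earliest = None
    for term in terminators:
        pos = stream.find(term)
        if pos != -1 and (earliest is None or pos < earliest[0]):
            earliest = (pos, term)
    if earliest is None:
        return None, stream
    pos, term = earliest
    return stream[:pos], stream[pos + len(term):]


def parse_envelope_commands(stream):
    """Consume MAIL FROM / RCPT TO lines up to DATA -> (envelope, bytes after DATA)."""
    env = {"mail_from": None, "rcpt_to": []}
    pos = 0
    while pos < len(stream):
        m = _LINE_BREAK.search(stream, pos)
        line = stream[pos:m.start()] if m else stream[pos:]
        pos = m.end() if m else len(stream)
        upper = line.strip().upper()
        if upper.startswith(b"MAIL FROM:"):
            env["mail_from"] = line.split(b":", 1)[1].strip()
        elif upper.startswith(b"RCPT TO:"):
            env["rcpt_to"].append(line.split(b":", 1)[1].strip())
        elif upper == b"DATA":
            return env, stream[pos:]
    return None, b""


def parse_inbound(envelope, stream, terminators):
    """Messages an inbound MTA would accept from one DATA stream."""
    messages, env = [], envelope
    while True:
        content, rest = split_data_section(stream, terminators)
        if content is None:          # unterminated: a real server keeps waiting
            break
        messages.append({"mail_from": env["mail_from"],
                         "rcpt_to": list(env["rcpt_to"]), "content": content})
        if not rest:
            break
        env, stream = parse_envelope_commands(rest)  # leftover bytes become commands
        if env is None:
            break
    return messages


def sanitize_outbound(content):
    """Relay-side hardening: canonicalise bare CR/LF to CRLF, then dot-stuff,
    so no terminator-like sequence survives inside the content."""
    canonical = re.sub(rb"\r\n|\r|\n", b"\r\n", content)
    return b"\r\n".join(b"." + l if l.startswith(b".") else l
                        for l in canonical.split(b"\r\n"))


def deliver_via_relay(body, outbound_sanitize=False, inbound_strict=False):
    """Client -> outbound relay (strict) -> inbound MTA; returns delivered messages."""
    content, leftover = split_data_section(body + b"\r\n.\r\n", STRICT_EOD)
    if leftover:
        raise ValueError("client stream contained a real end-of-data inside the body")
    if outbound_sanitize:
        content = sanitize_outbound(content)
    terms = STRICT_EOD if inbound_strict else LENIENT_EOD
    return parse_inbound(CLIENT_ENVELOPE, content + b"\r\n.\r\n", terms)


if __name__ == "__main__":
    for msg in deliver_via_relay(SMUGGLED_BODY):
        print(msg["mail_from"], msg["rcpt_to"], msg["content"][:40])
```

With both switches off the inbound side delivers two messages, the second from <ceo@trusted.example> to <cfo@target.example>, even though the relay only ever accepted one; because the bytes arrive over the relay's own connection, the receiver's SPF check on the envelope sender sees the legitimate server. Either switch reduces the result to a single message. The model skips dot-unstuffing on the inbound side, which a real MTA performs after the split and which does not change the outcome here.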

Specifically, the research showed that such discrepancies in messaging servers from Microsoft, GMX, and Cisco could be abused to send emails spoofing millions of domains. SMTP implementations from Postfix and Sendmail are also impacted on the receiving side.


This allows forged emails that appear to originate from legitimate senders and that defeat the checks erected to authenticate incoming messages: because the smuggled message leaves the spoofed domain's own outbound server, it passes Sender Policy Framework (SPF) and, through SPF alignment, Domain-based Message Authentication, Reporting and Conformance (DMARC), even though it carries no valid DomainKeys Identified Mail (DKIM) signature.

While Microsoft and GMX have rectified the issues, Cisco said the findings do not constitute a “vulnerability, but a feature and that they will not change the default configuration.” As a result, inbound SMTP smuggling to Cisco Secure Email instances is still possible with default configurations.

As a fix for the inbound side, SEC Consult recommends that Cisco Secure Email users change the CR/LF handling setting from "Clean" (the default, which rewrites bare line breaks into CRLF and so turns a smuggled <LF>.<LF> into a genuine end-of-data sequence) to "Allow", so that such sequences stay part of the message content and spoofed emails no longer arrive with valid DMARC checks.
