Apr 11, 2024NewsroomVulnerability / Threat Mitigation

Fortinet has released patches to address a critical security flaw impacting FortiClientLinux that could be exploited to achieve arbitrary code execution.

Tracked as CVE-2023-45590, the vulnerability carries a CVSS score of 9.4 out of a maximum of 10.

“An Improper Control of Generation of Code (‘Code Injection’) vulnerability [CWE-94] in FortiClientLinux may allow an unauthenticated attacker to execute arbitrary code via tricking a FortiClientLinux user into visiting a malicious website,” Fortinet said in an advisory.

The shortcoming, which has been described as a case of remote code execution due to a “dangerous nodejs configuration,” impacts the following versions –

• FortiClientLinux versions 7.0.3 through 7.0.4 and 7.0.6 through 7.0.10 (Upgrade to 7.0.11 or above)
• FortiClientLinux version 7.2.0 (Upgrade to 7.2.1 or above)

Security researcher CataLpa from Dbappsecurity has been credited with discovering and reporting the vulnerability.

Fortinet’s security patches for April 2024 also address an issue with FortiClientMac installer that could also lead to code execution (CVE-2023-45588 and CVE-2024-31492, CVSS scores: 7.8).

Also resolved is a FortiOS and FortiProxy bug that could leak administrator cookies in certain scenarios (CVE-2023-41677, CVSS score: 7.5).

While there is no evidence of any of the flaws being exploited in the wild, it’s recommended that users keep their systems up-to-date to mitigate potential threats.

Mar 01, 2024NewsroomDevSecOps / Cybersecurity

GitHub on Thursday announced that it’s enabling secret scanning push protection by default for all pushes to public repositories.

“This means that when a supported secret is detected in any push to a public repository, you will have the option to remove the secret from your commits or, if you deem the secret safe, bypass the block,” Eric Tooley and Courtney Claessens said.

Push protection was first piloted as an opt-in feature in August 2023, although it has been under testing since April 2022. It became generally available in May 2023.

The secret scanning feature is designed to identify over 200 token types and patterns from more than 180 service providers in order to prevent their fraudulent use by malicious actors.

The development comes nearly five months after the Microsoft subsidiary expanded secret scanning to include validity checks for popular services such as Amazon Web Services (AWS), Microsoft, Google, and Slack.

It also follows the discovery of an ongoing “repo confusion” attack targeting GitHub that’s inundating the source code hosting platform with thousands of repositories containing obfuscated malware capable of stealing passwords and cryptocurrency from developer devices.

The attacks represent another wave of the same malware distribution campaign that was disclosed by Phylum and Trend Micro last year, leveraging bogus Python packages hosted on the cloned, trojanized repositories to deliver a stealer malware called BlackCap Grabber.

“Repo confusion attacks simply rely on humans to mistakenly pick the malicious version over the real one, sometimes employing social engineering techniques as well,” Apiiro said in a report this week.

Feb 14, 2024NewsroomPatch Tuesday / Vulnerability

Microsoft has released patches to address 73 security flaws spanning its software lineup as part of its Patch Tuesday updates for February 2024, including two zero-days that have come under active exploitation.

Of the 73 vulnerabilities, 5 are rated Critical, 65 are rated Important, and three and rated Moderate in severity. This is in addition to 24 flaws that have been fixed in the Chromium-based Edge browser since the release of the January 24 Patch Tuesday updates.

The two flaws that are listed as under active attack at the time of release are below –

• CVE-2024-21351 (CVSS score: 7.6) – Windows SmartScreen Security Feature Bypass Vulnerability
• CVE-2024-21412 (CVSS score: 8.1) – Internet Shortcut Files Security Feature Bypass Vulnerability

“The vulnerability allows a malicious actor to inject code into SmartScreen and potentially gain code execution, which could potentially lead to some data exposure, lack of system availability, or both,” Microsoft said about CVE-2024-21351.

Successful exploitation of the flaw could allow an attacker to circumvent SmartScreen protections and run arbitrary code. However, for the attack to work, the threat actor must send the user a malicious file and convince the user to open it.

CVE-2024-21412, in a similar manner, permits an unauthenticated attacker to bypass displayed security checks by sending a specially crafted file to a targeted user.

“However, the attacker would have no way to force a user to view the attacker-controlled content.” Redmond noted. “Instead, the attacker would have to convince them to take action by clicking on the file link.”

CVE-2024-21351 is the second bypass bug to be discovered in SmartScreen after CVE-2023-36025 (CVSS score: 8.8), which was plugged by the tech giant in November 2023. The flaw has since been exploited by multiple hacking groups to proliferate DarkGate, Phemedrone Stealer, and Mispadu.

Trend Micro, which detailed an attack campaign undertaken by Water Hydra (aka DarkCasino) targeting financial market traders by means of a sophisticated zero-day attack chain leveraging CVE-2024-21412, described CVE-2024-21412 as a bypass for CVE-2023-36025, thereby enabling threat actors to evade SmartScreen checks.

Water Hydra, first detected in 2021, has a track record of launching attacks against banks, cryptocurrency platforms, trading services, gambling sites, and casinos to deliver a trojan called DarkMe using zero-day exploits, including the WinRAR flaw that came to light in August 2023 (CVE-2023-38831, CVSS score: 7.8).

Late last year, Chinese cybersecurity company NSFOCUS graduated the “economically motivated” hacking group to an entirely new advanced persistent threat (APT).

“In January 2024, Water Hydra updated its infection chain exploiting CVE-2024-21412 to execute a malicious Microsoft Installer File (.MSI), streamlining the DarkMe infection process,” Trend Micro said.

Both vulnerabilities have since been added to the Known Exploited Vulnerabilities (KEV) catalog by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), urging federal agencies to apply the latest updates by March 5, 2024.

Also patched by Microsoft are five critical flaws –

• CVE-2024-20684 (CVSS score: 6.5) – Windows Hyper-V Denial of Service Vulnerability
• CVE-2024-21357 (CVSS score: 7.5) – Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability
• CVE-2024-21380 (CVSS score: 8.0) – Microsoft Dynamics Business Central/NAV Information Disclosure Vulnerability
• CVE-2024-21410 (CVSS score: 9.8) – Microsoft Exchange Server Elevation of Privilege Vulnerability
• CVE-2024-21413 (CVSS score: 9.8) – Microsoft Outlook Remote Code Execution Vulnerability

“CVE-2024-21410 is an elevation of privilege vulnerability in Microsoft Exchange Server,” Satnam Narang, senior staff research engineer at Tenable, said in a statement. “This flaw is more likely to be exploited by attackers according to Microsoft.”

“Exploiting this vulnerability could result in the disclosure of a targeted user’s Net-New Technology LAN Manager (NTLM) version 2 hash, which could be relayed back to a vulnerable Exchange Server in an NTLM relay or pass-the-hash attack, which would allow the attacker to authenticate as the targeted user.”

The security update further resolves 15 remote code execution flaws in Microsoft WDAC OLE DB provider for SQL Server that an attacker could exploit by tricking an authenticated user into attempting to connect to a malicious SQL server via OLEDB.

Rounding off the patch is a fix for CVE-2023-50387 (CVSS score: 7.5), a 24-year-old design flaw in the DNSSEC specification that can be abused to exhaust CPU resources and stall DNS resolvers, resulting in a denial-of-service (DoS).

The vulnerability has been codenamed KeyTrap by the National Research Center for Applied Cybersecurity (ATHENE) in Darmstadt.

“They demonstrated that just with a single DNS packet the attack can exhaust the CPU and stall all widely used DNS implementations and public DNS providers, such as Google Public DNS and Cloudflare,” the researchers said. “In fact, the popular BIND 9 DNS implementation can be stalled for as long as 16 hours.”

Software Patches from Other Vendors

In addition to Microsoft, security updates have also been released by other vendors since the start of the month to rectify several vulnerabilities, including —