Apr 12, 2024NewsroomNetwork Security / Zero-Day

Palo Alto Networks is warning that a critical flaw impacting its PAN-OS software used in its GlobalProtect gateways is being exploited in the wild.

Tracked as CVE-2024-3400, the issue has a CVSS score of 10.0, indicating maximum severity.

“A command injection vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software for specific PAN-OS versions and distinct feature configurations may enable an unauthenticated attacker to execute arbitrary code with root privileges on the firewall,” the company said in an advisory published today.

The flaw impacts the following versions of PAN-OS, with fixes expected to be released on April 14, 2024 –

• PAN-OS < 11.1.2-h3
• PAN-OS < 11.0.4-h1
• PAN-OS < 10.2.9-h1

The company also said that the issue is applicable only to firewalls that have the configurations for both GlobalProtect gateway (Network > GlobalProtect > Gateways) and device telemetry (Device > Setup > Telemetry) enabled.

Cybersecurity firm Volexity has been credited with discovering and reporting the bug.

While there are no other technical details about the nature of the attacks, Palo Alto Networks acknowledged that it’s “aware of a limited number of attacks that leverage the exploitation of this vulnerability.”

In the interim, it’s recommending customers with a Threat Prevention subscription to enable Threat ID 95187 to secure against the threat.

The development comes as Chinese threat actors have increasingly relied on zero-day flaws impacting Barracuda Networks, Fortinet, Ivanti, and VMware to breach targets of interest and deploy covert backdoors for persistent access.

Apr 11, 2024NewsroomVulnerability / Threat Mitigation

Fortinet has released patches to address a critical security flaw impacting FortiClientLinux that could be exploited to achieve arbitrary code execution.

Tracked as CVE-2023-45590, the vulnerability carries a CVSS score of 9.4 out of a maximum of 10.

“An Improper Control of Generation of Code (‘Code Injection’) vulnerability [CWE-94] in FortiClientLinux may allow an unauthenticated attacker to execute arbitrary code via tricking a FortiClientLinux user into visiting a malicious website,” Fortinet said in an advisory.

The shortcoming, which has been described as a case of remote code execution due to a “dangerous nodejs configuration,” impacts the following versions –

• FortiClientLinux versions 7.0.3 through 7.0.4 and 7.0.6 through 7.0.10 (Upgrade to 7.0.11 or above)
• FortiClientLinux version 7.2.0 (Upgrade to 7.2.1 or above)

Security researcher CataLpa from Dbappsecurity has been credited with discovering and reporting the vulnerability.

Fortinet’s security patches for April 2024 also address an issue with FortiClientMac installer that could also lead to code execution (CVE-2023-45588 and CVE-2024-31492, CVSS scores: 7.8).

Also resolved is a FortiOS and FortiProxy bug that could leak administrator cookies in certain scenarios (CVE-2023-41677, CVSS score: 7.5).

While there is no evidence of any of the flaws being exploited in the wild, it’s recommended that users keep their systems up-to-date to mitigate potential threats.

Apr 10, 2024NewsroomSoftware Security / Vulnerability

A critical security flaw in the Rust standard library could be exploited to target Windows users and stage command injection attacks.

The vulnerability, tracked as CVE-2024-24576, has a CVSS score of 10.0, indicating maximum severity. That said, it only impacts scenarios where batch files are invoked on Windows with untrusted arguments.

“The Rust standard library did not properly escape arguments when invoking batch files (with the bat and cmd extensions) on Windows using the Command API,” the Rust Security Response working group said in an advisory released on April 9, 2024.

“An attacker able to control the arguments passed to the spawned process could execute arbitrary shell commands by bypassing the escaping.”

The flaw impacts all versions of Rust before 1.77.2. Security researcher RyotaK has been credited with discovering and reporting the bug to the CERT Coordination Center (CERT/CC).

RyotaK said the vulnerability – codenamed BatBadBut – impacts several programming languages and that it arises when the “programming language wraps the CreateProcess function [in Windows] and adds the escaping mechanism for the command arguments.”

But in light of the fact that not every programming language has addressed the problem, developers are being recommended to exercise caution when executing commands on Windows.

“To prevent the unexpected execution of batch files, you should consider moving the batch files to a directory that is not included in the PATH environment variable,” RyotaK said in a word of advice to users.

“In this case, the batch files won’t be executed unless the full path is specified, so the unexpected execution of batch files can be prevented.”

Apr 09, 2024NewsroomBotnet / Vulnerability

Threat actors are actively scanning and exploiting a pair of security flaws that are said to affect as many as 92,000 internet-exposed D-Link network-attached storage (NAS) devices.

Tracked as CVE-2024-3272 (CVSS score: 9.8) and CVE-2024-3273 (CVSS score: 7.3), the vulnerabilities impact legacy D-Link products that have reached end-of-life (EoL) status. D-Link, in an advisory, said it does not plan to ship a patch and instead urges customers to replace them.

“The vulnerability lies within the nas_sharing.cgi uri, which is vulnerable due to two main issues: a backdoor facilitated by hard-coded credentials, and a command injection vulnerability via the system parameter,” security researcher who goes by the name netsecfish said in late March 2024.

Successful exploitation of the flaws could lead to arbitrary command execution on the affected D-Link NAS devices, granting threat actors the ability to access sensitive information, alter system configurations, or even trigger a denial-of-service (DoS) condition.

The issues affect the following models –

• DNS-320L
• DNS-325
• DNS-327L, and
• DNS-340L

Threat intelligence firm GreyNoise said it observed attackers attempting to weaponize the flaws to deliver the Mirai botnet malware, thus making it possible to remotely commandeer the D-Link devices.

In the absence of a fix, the Shadowserver Foundation is recommending that users either take these devices offline or have remote access to the appliance firewalled to mitigate potential threats.

The findings once again illustrate that Mirai botnets are continuously adapting and incorporating new vulnerabilities into their repertoire, with threat actors swiftly developing new variants that are designed to abuse these issues to breach as many devices as possible.

With network devices becoming common targets for financially motivated and nation-state-linked attackers, the development comes as Palo Alto Networks Unit 42 revealed that threat actors are increasingly switching to malware-initiated scanning attacks to flag vulnerabilities in target networks.

“Some scanning attacks originate from benign networks likely driven by malware on infected machines,” the company said.

“By launching scanning attacks from compromised hosts, attackers can accomplish the following: Covering their traces, bypassing geofencing, expanding botnets, [and] leveraging the resources of these compromised devices to generate a higher volume of scanning requests compared to what they could achieve using only their own devices.”

Apr 03, 2024NewsroomWeb Security / Vulnerability

A critical security flaw impacting the LayerSlider plugin for WordPress could be abused to extract sensitive information from databases, such as password hashes.

The flaw, designated as CVE-2024-2879, carries a CVSS score of 9.8 out of a maximum of 10.0. It has been described as a case of SQL injection impacting versions from 7.9.11 through 7.10.0.

The issue has been addressed in version 7.10.1 released on March 27, 2024, following responsible disclosure on March 25. “This update includes important security fixes,” the maintainers of LayerSlider said in their release notes.

LayerSlider is a visual web content editor, a graphic design software, and a digital visual effects that allows users to create animations and rich content for their websites. According to its own site, the plugin is used by “millions of users worldwide.”

The flaw discovered in the tool stems from a case of insufficient escaping of user supplied parameters and the absence of wpdb::prepare(), enabling unauthenticated attackers to append additional SQL queries and glean sensitive information, Wordfence said.

The development follows the discovery of an unauthenticated stored cross-site scripting (XSS) flaw in the WP-Members Membership Plugin (CVE-2024-1852, CVSS score: 7.2) that could facilitate the execution of arbitrary JavaScript code. It has been resolved in version 3.4.9.3.

The vulnerability, due to insufficient input sanitization and output escaping, “makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page which is the edit users page,” the WordPress security company said.

Should the code be executed in the context of an administrator’s browser session, it can be used to create rogue user accounts, redirect site visitors to other malicious sites, and carry out other attacks, it added.

Over the past few weeks, security vulnerabilities have also been disclosed in other WordPress plugins such as Tutor LMS (CVE-2024-1751, CVSS score: 8.8) and Contact Form Entries (CVE-2024-2030, CVSS score: 6.4) that could be exploited for information disclosure and inject arbitrary web scripts, respectively.

Mar 27, 2024NewsroomVulnerability / Data Security

Cybersecurity researchers are warning that threat actors are actively exploiting a “disputed” and unpatched vulnerability in an open-source artificial intelligence (AI) platform called Anyscale Ray to hijack computing power for illicit cryptocurrency mining.

“This vulnerability allows attackers to take over the companies’ computing power and leak sensitive data,” Oligo Security researchers Avi Lumelsky, Guy Kaplan, and Gal Elbaz said in a Tuesday disclosure.

“This flaw has been under active exploitation for the last seven months, affecting sectors like education, cryptocurrency, biopharma, and more.”

The campaign, ongoing since September 2023, has been codenamed ShadowRay by the Israeli application security firm. It also marks the first time AI workloads have been targeted in the wild through shortcomings underpinning the AI infrastructure.

Ray is an open-source, fully-managed compute framework that allows organizations to build, train, and scale AI and Python workloads. It consists of a core distributed runtime and a set of AI libraries for simplifying the ML platform.

It’s used by some of the biggest companies, including OpenAI, Uber, Spotify, Netflix, LinkedIn, Niantic, and Pinterest, among others.

The security vulnerability in question is CVE-2023-48022 (CVSS score: 9.8), a critical missing authentication bug that allows remote attackers to execute arbitrary code via the job submission API. It was reported by Bishop Fox alongside two other flaws in August 2023.

The cybersecurity company said the lack of authentication controls in two Ray components, Dashboard, and Client, could be exploited by “unauthorized actors to freely submit jobs, delete existing jobs, retrieve sensitive information, and achieve remote command execution.”

This makes it possible to obtain operating system access to all nodes in the Ray cluster or attempt to retrieve Ray EC2 instance credentials. Anyscale, in an advisory published in November 2023, said it does not plan to fix the issue at this point in time.

“That Ray does not have authentication built in – is a long-standing design decision based on how Ray’s security boundaries are drawn and consistent with Ray deployment best practices, though we intend to offer authentication in a future version as part of a defense-in-depth strategy,” the company noted.

It also cautions in its documentation that it’s the platform provider’s responsibility to ensure that Ray runs in “sufficiently controlled network environments” and that developers can access Ray Dashboard in a secure fashion.

Oligo said it observed the shadow vulnerability being exploited to breach hundreds of Ray GPU clusters, potentially enabling the threat actors to get hold of a trove of sensitive credentials and other information from compromised servers.

This includes production database passwords, private SSH keys, access tokens related to OpenAI, HuggingFace, Slack, and Stripe, the ability to poison models, and elevated access to cloud environments from Amazon Web Services, Google Cloud, and Microsoft Azure.

In many of the instances, the infected instances have been found to be hacked with cryptocurrency miners (e.g., XMRig, NBMiner, and Zephyr) and reverse shells for persistent remote access.

The unknown attackers behind ShadowRay have also utilized an open-source tool named Interactsh to fly under the radar.

“When attackers get their hands on a Ray production cluster, it is a jackpot,” the researchers said. “Valuable company data plus remote code execution makes it easy to monetize attacks — all while remaining in the shadows, totally undetected (and, with static security tools, undetectable).”

Mar 22, 2024NewsroomAmazon Web Services / Vulnerability

Cybersecurity researchers have shared details of a now-patched security vulnerability in Amazon Web Services (AWS) Managed Workflows for Apache Airflow (MWAA) that could be potentially exploited by a malicious actor to hijack victims’ sessions and achieve remote code execution on underlying instances.

The vulnerability, now addressed by AWS, has been codenamed FlowFixation by Tenable.

“Upon taking over the victim’s account, the attacker could have performed tasks such as reading connection strings, adding configurations and triggering directed acyclic graphs (DAGS),” senior security researcher Liv Matan said in a technical analysis.

“Under certain circumstances such actions can result in RCE on the instance that underlies the MWAA, and in lateral movement to other services.”

The root cause of the vulnerability, per the cybersecurity firm, is a combination of session fixation on the web management panel of AWS MWAA and an AWS domain misconfiguration that results in a cross-site scripting (XSS) attack.

Session fixation is a web attack technique that occurs when a user is authenticated to a service without invalidating any existing session identifiers. This permits the adversary to force (aka fixate) a known session identifier on a user so that, once the user authenticates, the attacker has access to the authenticated session.

By abusing the shortcoming, a threat actor could have forced victims to use and authenticate the attacker’s known session and ultimately take over the victim’s web management panel.

“FlowFixation highlights a broader issue with the current state of cloud providers’ domain architecture and management as it relates to the Public Suffix List (PSL) and shared-parent domains: same-site attacks,” Matan said, adding the misconfiguration also impacts Microsoft Azure and Google Cloud.

Tenable also pointed out that the shared architecture – where several customers have the same parent domain – could be a goldmine for attackers looking to exploit vulnerabilities like same-site attacks, cross-origin issues, and cookie tossing, effectively leading to unauthorized access, data leaks, and code execution.

The shortcoming has been addressed by both AWS and Azure adding the misconfigured domains to PSL, thus causing web browsers to recognize the added domains as a public suffix. Google Cloud, on the other hand, has described the issue as not “severe enough” to merit a fix.

“In the case of same-site attacks, the security impact of the mentioned domain architecture is significant, with heightened risk of such attacks in cloud environments,” Matan explained.

“Among these, cookie-tossing attacks and same-site attribute cookie protection bypass are particularly concerning as both can circumvent CSRF protection. Cookie-tossing attacks can also abuse session-fixation issues.”

Mar 21, 2024NewsroomDatabase / Vulnerability

Atlassian has released patches for more than two dozen security flaws, including a critical bug impacting Bamboo Data Center and Server that could be exploited without requiring user interaction.

Tracked as CVE-2024-1597, the vulnerability carries a CVSS score of 10.0, indicating maximum severity.

Described as an SQL injection flaw, it’s rooted in a dependency called org.postgresql:postgresql, as a result of which the company said it “presents a lower assessed risk” despite the criticality.

“This org.postgresql:postgresql dependency vulnerability […] could allow an unauthenticated attacker to expose assets in your environment susceptible to exploitation which has high impact to confidentiality, high impact to integrity, high impact to availability, and requires no user interaction,” Atlassian said.

According to a description of the flaw in the NIST’s National Vulnerability Database (NVD), “pgjdbc, the PostgreSQL JDBC Driver, allows attacker to inject SQL if using PreferQueryMode=SIMPLE.” The driver versions prior to the ones listed below are impacted –

• 42.7.2
• 42.6.1
• 42.5.5
• 42.4.4
• 42.3.9, and
• 42.2.28 (also fixed in 42.2.28.jre7)

“SQL injection is possible when using the non-default connection property preferQueryMode=simple in combination with application code that has a vulnerable SQL that negates a parameter value,” the maintainters said in an advisory last month.

“There is no vulnerability in the driver when using the default query mode. Users that do not override the query mode are not impacted.”

The Atlassian vulnerability is said to have been introduced in the following versions of Bamboo Data Center and Server –

• 8.2.1
• 9.0.0
• 9.1.0
• 9.2.1
• 9.3.0
• 9.4.0, and
• 9.5.0

The company also emphasized that Bamboo and other Atlassian Data Center products are unaffected by CVE-2024-1597 as they do not use the PreferQueryMode=SIMPLE in their SQL database connection settings.

SonarSource security researcher Paul Gerste has been credited with discovering and reporting the flaw. Users are advised to update their instances to the latest version to protect against any potential threats.

Mar 21, 2024NewsroomVulnerability / Web Security

Ivanti has disclosed details of a critical remote code execution flaw impacting Standalone Sentry, urging customers to apply the fixes immediately to stay protected against potential cyber threats.

Tracked as CVE-2023-41724, the vulnerability carries a CVSS score of 9.6.

“An unauthenticated threat actor can execute arbitrary commands on the underlying operating system of the appliance within the same physical or logical network,” the company said.

The flaw impacts all supported versions 9.17.0, 9.18.0, and 9.19.0, as well as older versions. The company said it has made available a patch (versions 9.17.1, 9.18.1, and 9.19.1) that can be downloaded via the standard download portal.

It credited Vincent Hutsebaut, Pierre Vivegnis, Jerome Nokin, Roberto Suggi Liverani and Antonin B. of NATO Cyber Security Centre for “their collaboration on this issue.”

Ivanti emphasized that it’s not aware of any customers affected by CVE-2023-41724, and added that “threat actors without a valid TLS client certificate enrolled through EPMM cannot directly exploit this issue on the internet.”

Recently disclosed security flaws in Ivanti software have been subject to exploitation by at least three different suspected China-linked cyber espionage clusters tracked as UNC5221, UNC5325, and UNC3886, according to Mandiant.

The development comes as SonarSource revealed a mutation cross-site scripting (mXSS) flaw impacting an open-source email client called Mailspring aka Nylas Mail (CVE-2023-47479) that could be exploited to bypass sandbox and Content Security Policy (CSP) protections and achieve code execution when a user replies to or forwards a malicious email.

“mXSS takes advantage of that by providing a payload that seems innocent initially when parsing (during the sanitization process) but mutates it to a malicious one when re-parsing it (in the final stage of displaying the content),” security researcher Yaniv Nizry said.

Mar 18, 2024NewsroomVulnerability / Threat Mitigation

Fortra has released details of a now-patched critical security flaw impacting its FileCatalyst file transfer solution that could allow unauthenticated attackers to gain remote code execution on susceptible servers.

Tracked as CVE-2024-25153, the shortcoming carries a CVSS score of 9.8 out of a maximum of 10.

“A directory traversal within the ‘ftpservlet’ of the FileCatalyst Workflow Web Portal allows files to be uploaded outside of the intended ‘uploadtemp’ directory with a specially crafted POST request,” the company said in an advisory last week.

“In situations where a file is successfully uploaded to web portal’s DocumentRoot, specially crafted JSP files could be used to execute code, including web shells.”

The vulnerability, the company said, was first reported on August 9, 2023, and addressed two days later in FileCatalyst Workflow version 5.1.6 Build 114 without a CVE identifier. Fortra was authorized as a CVE Numbering Authority (CNA) in early December 2023.

Security researcher Tom Wedgbury of LRQA Nettitude has been credited with discovering and reporting the flaw. The company has since released a full proof-of-concept (PoC) exploit, describing how the flaw could be weaponized to upload a web shell and execute arbitrary system commands.

Also resolved by Fortra in January 2024 are two other security vulnerabilities in FileCatalyst Direct (CVE-2024-25154 and CVE-2024-25155) that could lead to information leakage and code execution.

With previously disclosed flaws in Fortra GoAnywhere managed file transfer (MFT) coming under heavy exploitation last year by threat actors like Cl0p, it’s recommended that users have applied the necessary updates to mitigate potential threats.