Impacts – INDIA NEWS (https://www.indiavpn.org)

Secret Backdoor Found in XZ Utils Library, Impacts Major Linux Distros
https://www.indiavpn.org/2024/03/30/secret-backdoor-found-in-xz-utils-library-impacts-major-linux-distros/ (Sat, 30 Mar 2024 06:47:08 +0000)

Mar 30, 2024 | Newsroom | Linux / Supply Chain Attack


Red Hat on Friday released an “urgent security alert” warning that two versions of a popular data compression library called XZ Utils (previously LZMA Utils) have been backdoored with malicious code designed to allow unauthorized remote access.

The software supply chain compromise, tracked as CVE-2024-3094, has a CVSS score of 10.0, indicating maximum severity. It impacts XZ Utils versions 5.6.0 (released February 24) and 5.6.1 (released March 9).

“Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code,” the IBM subsidiary said in an advisory.


“This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library.”

Specifically, the nefarious code baked into the library is designed to interfere with the sshd daemon process for SSH (Secure Shell) via the systemd software suite, and potentially enable a threat actor to break sshd authentication and gain unauthorized access to the system remotely “under the right circumstances.”

Microsoft security researcher Andres Freund has been credited with discovering and reporting the issue on Friday. The heavily obfuscated malicious code is said to have been introduced over a series of four commits to the Tukaani Project on GitHub by a user named JiaT75.


“Given the activity over several weeks, the committer is either directly involved or there was some quite severe compromise of their system,” Freund said. “Unfortunately the latter looks like the less likely explanation, given they communicated on various lists about the ‘fixes.’”

Microsoft-owned GitHub has since disabled the XZ Utils repository maintained by the Tukaani Project “due to a violation of GitHub’s terms of service.” There are currently no reports of active exploitation in the wild.

Evidence shows that the packages are only present in Fedora 41 and Fedora Rawhide, and do not impact Red Hat Enterprise Linux (RHEL), Debian Stable, Amazon Linux, and SUSE Linux Enterprise and Leap.


Out of an abundance of caution, Fedora Linux 40 users have been recommended to downgrade to a 5.4 build. Some of the other Linux distributions impacted by the supply chain attack are below –

The development has prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to issue an alert of its own, urging users to downgrade XZ Utils to an uncompromised version (e.g., XZ Utils 5.4.6 Stable).

New ‘Loop DoS’ Attack Impacts Hundreds of Thousands of Systems
https://www.indiavpn.org/2024/03/20/new-loop-dos-attack-impacts-hundreds-of-thousands-of-systems/ (Wed, 20 Mar 2024 16:19:52 +0000)

Mar 20, 2024 | Newsroom | DoS Attack / Network Security


A novel denial-of-service (DoS) attack vector has been found to target application-layer protocols based on the User Datagram Protocol (UDP), likely putting hundreds of thousands of hosts at risk.

Called Loop DoS attacks, the approach pairs “servers of these protocols in such a way that they communicate with each other indefinitely,” researchers from the CISPA Helmholtz-Center for Information Security said.

UDP, by design, is a connectionless protocol that does not validate source IP addresses, making it susceptible to IP spoofing.

Thus, when attackers forge several UDP packets to include a victim IP address, the destination server responds to the victim (as opposed to the threat actor), creating a reflected denial-of-service (DoS) attack.


The latest study found that certain UDP-based application protocols, such as DNS, NTP, TFTP, Active Users, Daytime, Echo, Chargen, QOTD, and Time, can be weaponized to create a self-perpetuating attack loop.

“It pairs two network services in such a way that they keep responding to one another’s messages indefinitely,” the researchers said. “In doing so, they create large volumes of traffic that result in a denial-of-service for involved systems or networks. Once a trigger is injected and the loop set in motion, even the attackers are unable to stop the attack.”

Put simply, given two application servers running a vulnerable version of the protocol, a threat actor can initiate communication with the first server by spoofing the address of the second server, causing the first server to respond to the victim (i.e., the second server) with an error message.

The victim, in turn, exhibits the same behavior, sending another error message back to the first server; the two servers then exhaust each other’s resources, leaving either service unresponsive.

“If an error as input creates an error as output, and a second system behaves the same, these two systems will keep sending error messages back and forth indefinitely,” Yepeng Pan and Christian Rossow explained.
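The error-answers-error loop described above, as an added simulation that is not from the CISPA research or this article: two constructed in-memory services with string addresses stand in for UDP hosts, a single spoofed datagram is injected, and the `ignore_errors` flag models the mitigation of never answering an inbound error message with another error. All names, addresses and payloads are constructed.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

ERROR_PREFIX = b"ERR"


@dataclass
class Service:
    """Toy UDP-style service: any datagram it cannot parse is answered with an error."""
    addr: str
    ignore_errors: bool = False  # mitigation: an inbound error never earns a reply
    received: int = 0

    def handle(self, src: str, payload: bytes) -> Optional[Tuple[str, bytes]]:
        """Return (destination, reply) to emit, or None to stay silent."""
        self.received += 1
        if payload.startswith(ERROR_PREFIX) and self.ignore_errors:
            return None  # hardened: drop errors instead of echoing them
        # Vulnerable behaviour: "an error as input creates an error as output".
        return src, ERROR_PREFIX + b" unknown request: " + payload[:16]


def run_loop(a: Service, b: Service, max_steps: int = 1000) -> int:
    """Inject one trigger into `a` with the source forged as `b`; count datagrams."""
    services = {a.addr: a, b.addr: b}
    src, dst, payload = b.addr, a.addr, b"trigger"  # spoofed: the attacker is gone now
    steps = 0
    while steps < max_steps:
        reply = services[dst].handle(src, payload)
        steps += 1
        if reply is None:
            break  # one side stayed silent, so the loop dies
        src, dst, payload = dst, reply[0], reply[1]
    return steps


def loops_forever(a: Service, b: Service, max_steps: int = 1000) -> bool:
    """True when the pair is still exchanging errors at the step cap."""
    return run_loop(a, b, max_steps) >= max_steps


if __name__ == "__main__":
    print(run_loop(Service("10.0.0.1"), Service("10.0.0.2")))  # hits the cap: 1000
    print(run_loop(Service("10.0.0.1"), Service("10.0.0.2", ignore_errors=True)))  # 2
```

Fixing either side alone is enough to break the loop, which is why a single patched peer stops the exchange after the first error reply.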


CISPA said an estimated 300,000 hosts and their networks can be abused to carry out Loop DoS attacks.

While there is currently no evidence that the attack has been weaponized in the wild, the researchers warned that exploitation is trivial and that multiple products from Broadcom, Cisco, Honeywell, Microsoft, MikroTik, and Zyxel are affected.

“Attackers need a single spoofing-capable host to trigger loops,” the researchers noted. “As such, it is important to keep up initiatives to filter spoofed traffic, such as BCP38.”

Critical Flaw Impacts 25,000+ Sites
https://www.indiavpn.org/2024/02/20/critical-flaw-impacts-25000-sites/ (Tue, 20 Feb 2024 11:02:06 +0000)

Feb 20, 2024 | Newsroom | Website Security / PHP Code


A critical security flaw in the Bricks theme for WordPress is being actively exploited by threat actors to run arbitrary PHP code on susceptible installations.

The flaw, tracked as CVE-2024-25600 (CVSS score: 9.8), enables unauthenticated attackers to achieve remote code execution. It impacts all versions of the Bricks theme up to and including 1.9.6.

It has been addressed by the theme developers in version 1.9.6.1 released on February 13, 2024, merely days after WordPress security provider Snicco reported the flaw on February 10.

While a proof-of-concept (PoC) exploit has not been released, technical details have been released by both Snicco and Patchstack, noting that the underlying vulnerable code exists in the prepare_query_vars_from_settings() function.

Specifically, it concerns the use of security tokens called “nonces” as the only permission check: once that check is passed, arbitrary commands can be submitted for execution, effectively allowing a threat actor to seize control of a targeted site.

The nonce value is publicly available on the frontend of a WordPress site, Patchstack said, adding there are no adequate role checks applied.


“Nonces should never be relied on for authentication, authorization, or access control,” WordPress cautions in its documentation. “Protect your functions using current_user_can(), and always assume nonces can be compromised.”

WordPress security company Wordfence said it detected over three dozen attack attempts exploiting the flaw as of February 19, 2024. Exploitation attempts are said to have commenced on February 14, a day after public disclosure.

A majority of the attacks are from the following IP addresses –


Bricks is estimated to have around 25,000 currently active installations. Users of the theme are recommended to apply the latest patches to mitigate potential threats.

Critical Bootloader Vulnerability in Shim Impacts Nearly All Linux Distros
https://www.indiavpn.org/2024/02/07/critical-bootloader-vulnerability-in-shim-impacts-nearly-all-linux-distros/ (Wed, 07 Feb 2024 14:52:17 +0000)

Feb 07, 2024 | Newsroom | Device Security / Vulnerability


The maintainers of shim have released version 15.8 to address six security flaws, including a critical bug that could pave the way for remote code execution under specific circumstances.

Tracked as CVE-2023-40547 (CVSS score: 9.8), the vulnerability could be exploited to achieve a Secure Boot bypass. Bill Demirkapi of the Microsoft Security Response Center (MSRC) has been credited with discovering and reporting the bug.

“The shim’s http boot support (httpboot.c) trusts attacker-controlled values when parsing an HTTP response, leading to a completely controlled out-of-bounds write primitive,” Oracle’s Alan Coopersmith noted in a message shared on the Open Source Security mailing list oss-security.


Demirkapi, in a post shared on X (formerly Twitter) late last month, said the vulnerability “exists in every Linux boot loader signed in the past decade.”

shim refers to a “trivial” software package that’s designed to work as a first-stage boot loader on Unified Extensible Firmware Interface (UEFI) systems.

Firmware security firm Eclypsium said CVE-2023-40547 “stems from HTTP protocol handling, leading to an out-of-bounds write that can lead to complete system compromise.”

In a hypothetical attack scenario, a threat actor on the same network could leverage the flaw to load a vulnerable shim boot loader, or a local adversary with adequate privileges could manipulate data on the EFI partition to the same end.

“An attacker could perform a MiTM (Man-in-the-Middle) attack and intercept HTTP traffic between the victim and the HTTP server used to serve files to support HTTP boot,” the company added. “The attacker could be located on any network segment between the victim and the legitimate server.”

Either way, obtaining the ability to execute code during the boot process – which occurs before the main operating system starts – grants the attacker carte blanche to deploy stealthy bootkits that can give near-total control over the compromised host.


The five other vulnerabilities fixed in shim version 15.8 are below –

  • CVE-2023-40546 (CVSS score: 5.3) – Out-of-bounds read when printing error messages, resulting in a denial-of-service (DoS) condition
  • CVE-2023-40548 (CVSS score: 7.4) – Buffer overflow in shim when compiled for 32-bit processors that can lead to a crash or data integrity issues during the boot phase
  • CVE-2023-40549 (CVSS score: 5.5) – Out-of-bounds read in the authenticode function that could permit an attacker to trigger a DoS by providing a malformed binary
  • CVE-2023-40550 (CVSS score: 5.5) – Out-of-bounds read when validating Secure Boot Advanced Targeting (SBAT) information that could result in information disclosure
  • CVE-2023-40551 (CVSS score: 7.1) – Out-of-bounds read when parsing MZ binaries, leading to a crash or possible exposure of sensitive data

“An attacker exploiting this vulnerability gains control of the system before the kernel is loaded, which means they have privileged access and the ability to circumvent any controls implemented by the kernel and operating system,” Eclypsium noted.
