Apr 16, 2024NewsroomSupply Chain / Software Security

Security researchers have uncovered a “credible” takeover attempt targeting the OpenJS Foundation in a manner that evokes similarities to the recently uncovered incident aimed at the open-source XZ Utils project.

“The OpenJS Foundation Cross Project Council received a suspicious series of emails with similar messages, bearing different names and overlapping GitHub-associated emails,” OpenJS Foundation and Open Source Security Foundation (OpenSSF) said in a joint alert.

According to Robin Bender Ginn, executive director of OpenJS Foundation, and Omkhar Arasaratnam, general manager at OpenSSF, the email messages urged OpenJS to take action to update one of its popular JavaScript projects to remediate critical vulnerabilities without providing any specifics.

The email author(s) also called on OpenJS to designate them as a new maintainer of the project despite having little prior involvement. Two other popular JavaScript projects not hosted by OpenJS are also said to have been at the receiving end of similar activity.

That said, none of the people who contacted OpenJS were granted privileged access to the OpenJS-hosted project.

The incident brings into sharp focus the method by which the lone maintainer of XZ Utils was targeted by fictitious personas that were expressly created for what’s believed to be a social engineering-cum-pressure campaign designed to make Jia Tan (aka JiaT75) a co-maintainer of the project.

This has raised the possibility that the attempt to sabotage XZ Utils may not be an isolated incident and that it’s part of a broader campaign to undermine the security of various projects, the two open source groups said. The names of the JavaScript projects were not disclosed.

Jia Tan, as it stands, has no other digital footprints outside of their contributions, indicating that the account was invented for the sole purpose of gaining the credibility of the open-source development community over years and ultimately push a stealthy backdoor into XZ Utils.

It also serves to pinpoint the sophistication and patience that has gone behind planning and executing the campaign by targeting an open-source, volunteer-run project that’s used in many Linux distributions, putting organizations and users at risk of supply chain attacks.

The XZ Utils backdoor incident also highlights the “fragility” of the open-source ecosystem and the risks created by maintainer burnout, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) said last week.

“The burden of security shouldn’t fall on an individual open-source maintainer — as it did in this case to near-disastrous effect,” CISA officials Jack Cable and Aeva Black said.

“Every technology manufacturer that profits from open source software must do their part by being responsible consumers of and sustainable contributors to the open source packages they depend on.”

The agency is recommending that technology manufacturers and system operators that incorporate open-source components should either directly or support the maintainers in periodically auditing the source code, eliminating entire classes of vulnerabilities, and implementing other secure by design principles.

“These social engineering attacks are exploiting the sense of duty that maintainers have with their project and community in order to manipulate them,” Bender Ginn and Arasaratnam said.

“Pay attention to how interactions make you feel. Interactions that create self-doubt, feelings of inadequacy, of not doing enough for the project, etc. might be part of a social engineering attack.”

Mar 14, 2024NewsroomContainer Security / Vulnerability

Details have been made public about a now-patched high-severity flaw in Kubernetes that could allow a malicious attacker to achieve remote code execution with elevated privileges under specific circumstances.

“The vulnerability allows remote code execution with SYSTEM privileges on all Windows endpoints within a Kubernetes cluster,” Akamai security researcher Tomer Peled said. “To exploit this vulnerability, the attacker needs to apply malicious YAML files on the cluster.”

Tracked as CVE-2023-5528 (CVSS score: 7.2), the shortcoming impacts all versions of kubelet, including and after version 1.8.0. It was addressed as part of updates released on November 14, 2023, in the following versions –

• kubelet v1.28.4
• kubelet v1.27.8
• kubelet v1.26.11, and
• kubelet v1.25.16

“A security issue was discovered in Kubernetes where a user that can create pods and persistent volumes on Windows nodes may be able to escalate to admin privileges on those nodes,” Kubernetes maintainers said in an advisory released at the time. “Kubernetes clusters are only affected if they are using an in-tree storage plugin for Windows nodes.”

Successful exploitation of the flaw could result in a complete takeover of all Windows nodes in a cluster. It’s worth noting that another set of similar flaws was previously disclosed by the web infrastructure company in September 2023.

The issue stems from the use of “insecure function call and lack of user input sanitization,” and relates to feature called Kubernetes volumes, specially leveraging a volume type known as local volumes that allow users to mount disk partition in a pod by specifying or creating a PersistentVolume.

“While creating a pod that includes a local volume, the kubelet service will (eventually) reach the function ‘MountSensitive(),'” Peled explained. “Inside it, there’s a cmd line call to ‘exec.command,’ which makes a symlink between the location of the volume on the node and the location inside the pod.”

This provides a loophole that an attacker can exploit by creating a PersistentVolume with a specially crafted path parameter in the YAML file, which triggers command injection and execution by using the “&&” command separator.

“In an effort to remove the opportunity for injection, the Kubernetes team chose to delete the cmd call, and replace it with a native GO function that will perform the same operation ‘os.Symlink(),” Peled said of the patch put in place.

The disclosure comes as a critical security flaw discovered in the end-of-life (EoL) Zhejiang Uniview ISC camera model 2500-S (CVE-2024-0778, CVSS score: 9.8) is being exploited by threat actors to drop a Mirai botnet variant called NetKiller that shares infrastructure overlaps with a different botnet named Condi.

“The Condi botnet source code was released publicly on Github between August 17 and October 12, 2023,” Akamai said. “Considering the Condi source code has been available for months now, it is likely that other threat actors […] are using it.”

Feb 07, 2024NewsroomCybersecurity / Software Security

JetBrains is alerting customers of a critical security flaw in its TeamCity On-Premises continuous integration and continuous deployment (CI/CD) software that could be exploited by threat actors to take over susceptible instances.

The vulnerability, tracked as CVE-2024-23917, carries a CVSS rating of 9.8 out of 10, indicative of its severity.

“The vulnerability may enable an unauthenticated attacker with HTTP(S) access to a TeamCity server to bypass authentication checks and gain administrative control of that TeamCity server,” the company said.

The issue impacts all TeamCity On-Premises versions from 2017.1 through 2023.11.2. It has been addressed in version 2023.11.3. An unnamed external security researcher has been credited with discovering and reporting the flaw on January 19, 2024.

Users who are unable to update their servers to version 2023.11.3 can alternately download a security patch plugin to apply fixes for the flaw.

“If your server is publicly accessible over the internet and you are unable to take one of the above mitigation steps immediately, we recommend temporarily making it inaccessible until mitigation actions have been completed,” JetBrains advised.

While there is no evidence that the shortcoming has been abused in the wild, a similar flaw in the same product (CVE-2023-42793, CVSS score: 9.8) came under active exploitation last year within days of public disclosure by multiple threat actors, including ransomware gangs and state-sponsored groups affiliated with North Korea and Russia.