VMware – INDIA NEWS (https://www.indiavpn.org)

VMware Issues Security Patches for ESXi, Workstation, and Fusion Flaws
Wed, 06 Mar 2024 15:07:35 +0000
https://www.indiavpn.org/2024/03/06/vmware-issues-security-patches-for-esxi-workstation-and-fusion-flaws/

Mar 06, 2024 | Newsroom | Software Security / Vulnerability

VMware has released patches to address four security flaws impacting ESXi, Workstation, and Fusion, including two critical flaws that could lead to code execution.

Tracked as CVE-2024-22252 and CVE-2024-22253, the vulnerabilities have been described as use-after-free bugs in the XHCI USB controller. They carry a CVSS score of 9.3 for Workstation and Fusion, and 8.4 for ESXi systems.

“A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine’s VMX process running on the host,” the company said in a new advisory.

“On ESXi, the exploitation is contained within the VMX sandbox whereas, on Workstation and Fusion, this may lead to code execution on the machine where Workstation or Fusion is installed.”

Multiple security researchers associated with the Ant Group Light-Year Security Lab and QiAnXin have been credited with independently discovering and reporting CVE-2024-22252. Security researchers VictorV and Wei have been acknowledged for reporting CVE-2024-22253.


Also patched by the Broadcom-owned virtualization services provider are two other shortcomings –

  • CVE-2024-22254 (CVSS score: 7.9) – An out-of-bounds write vulnerability in ESXi that a malicious actor with privileges within the VMX process could exploit to trigger a sandbox escape.
  • CVE-2024-22255 (CVSS score: 7.9) – An information disclosure vulnerability in the UHCI USB controller that an attacker with administrative access to a virtual machine may exploit to leak memory from the vmx process.

The issues have been addressed in the following versions, including those that have reached end-of-life (EoL) due to the severity of these issues –


As a temporary workaround until a patch can be deployed, customers have been asked to remove all USB controllers from the virtual machine.

“In addition, virtual/emulated USB devices, such as VMware virtual USB stick or dongle, will not be available for use by the virtual machine,” the company said. “In contrast, the default keyboard/mouse as input devices are not affected as they are, by default, not connected through USB protocol but have a driver that does software device emulation in the guest OS.”

New BIFROSE Linux Malware Variant Using Deceptive VMware Domain for Evasion
Fri, 01 Mar 2024 14:52:30 +0000
https://www.indiavpn.org/2024/03/01/new-bifrose-linux-malware-variant-using-deceptive-vmware-domain-for-evasion/

Mar 01, 2024 | Newsroom | Linux / Cyber Threat


Cybersecurity researchers have discovered a new Linux variant of a remote access trojan (RAT) called BIFROSE (aka Bifrost) that uses a deceptive domain mimicking VMware.

“This latest version of Bifrost aims to bypass security measures and compromise targeted systems,” Palo Alto Networks Unit 42 researchers Anmol Maurya and Siddharth Sharma said.

BIFROSE is one of the long-standing threats that has been active since 2004. It has been offered for sale in underground forums for up to $10,000 in the past, according to a report from Trend Micro in December 2015.

The malware has been put to use by a state-backed hacking group from China tracked as BlackTech (aka Circuit Panda, HUAPI, Manga Taurus, Palmerworm, PLEAD, Red Djinn, and Temp.Overboard), which has a history of striking organizations in Japan, Taiwan, and the U.S.


It’s suspected that the threat actor purchased the source code or gained access to it around 2010, and repurposed the malware for use in its own campaigns via custom backdoors like KIVARS and XBOW.

Linux variants of BIFROSE (aka ELF_BIFROSE) have been observed since at least 2020 with capabilities to launch remote shells, download/upload files, and perform file operations.

“Attackers typically distribute Bifrost through email attachments or malicious websites,” the researchers said. “Once installed on a victim’s computer, Bifrost allows the attacker to gather sensitive information, like the victim’s hostname and IP address.”

What makes the latest variant noteworthy is that it reaches out to a command-and-control (C2) server with the name “download.vmfare[.]com” in an attempt to masquerade as VMware. The deceptive domain is resolved by contacting a Taiwan-based public DNS resolver with the IP address 168.95.1[.]1.

Unit 42 said it has detected a spike in Bifrost activity since October 2023, identifying no fewer than 104 artifacts in its telemetry. It further discovered an Arm version of the malware, suggesting the threat actors are likely looking to expand their attack surface.


“With new variants that employ deceptive domain strategies like typosquatting, a recent spike in Bifrost activity highlights the dangerous nature of this malware,” the researchers said.

The development comes as McAfee Labs detailed a new GuLoader campaign that propagates the malware through malicious SVG file attachments in email messages. The malware has also been observed being distributed via VBS scripts as part of a multi-stage payload delivery.


“This recent surge highlights its evolving tactics for broader reach and evasion,” Trustwave SpiderLabs said in a post on X earlier this week.


The Bifrost and GuLoader attacks coincide with the release of a new version of the Warzone RAT, which recently had two of its operators arrested and its infrastructure dismantled by the U.S. government.

VMware Alert: Uninstall EAP Now
Wed, 21 Feb 2024 16:10:08 +0000
https://www.indiavpn.org/2024/02/21/vmware-alert-uninstall-eap-now/

Feb 21, 2024 | Newsroom | Active Directory / Vulnerability


VMware is urging users to uninstall the deprecated Enhanced Authentication Plugin (EAP) following the discovery of a critical security flaw.

Tracked as CVE-2024-22245 (CVSS score: 9.6), the vulnerability has been described as an arbitrary authentication relay bug.

“A malicious actor could trick a target domain user with EAP installed in their web browser into requesting and relaying service tickets for arbitrary Active Directory Service Principal Names (SPNs),” the company said in an advisory.

EAP, deprecated as of March 2021, is a software package that’s designed to allow direct login to vSphere’s management interfaces and tools through a web browser. It’s not included by default and is not part of vCenter Server, ESXi, or Cloud Foundation.

Also discovered in the same tool is a session hijack flaw (CVE-2024-22250, CVSS score: 7.8) that could permit a malicious actor with unprivileged local access to a Windows operating system to seize a privileged EAP session.


Ceri Coburn from Pen Test Partners has been credited with discovering and reporting the twin vulnerabilities.

It’s worth pointing out that the shortcomings only impact users who have added EAP to Microsoft Windows systems to connect to VMware vSphere via the vSphere Client.

The Broadcom-owned company said the vulnerabilities will not be addressed, and instead recommended that users remove the plugin altogether to mitigate potential threats.

“The Enhanced Authentication Plugin can be removed from client systems using the client operating system’s method of uninstalling software,” it added.

The disclosure comes as SonarSource disclosed multiple cross-site scripting (XSS) flaws (CVE-2024-21726) impacting the Joomla! content management system. They have been addressed in versions 5.0.3 and 4.4.3.

“Inadequate content filtering leads to XSS vulnerabilities in various components,” Joomla! said in its own advisory, assessing the bug as moderate in severity.

“Attackers can leverage the issue to gain remote code execution by tricking an administrator into clicking on a malicious link,” security researcher Stefan Schiller said. Additional technical specifics about the flaw are currently being withheld.


In a related development, several high- and critical-severity vulnerabilities and misconfigurations have been identified in the Apex programming language developed by Salesforce to build business applications.

At the heart of the problem is the ability to run Apex code in “without sharing” mode, which ignores a user’s permissions, thereby allowing malicious actors to read or exfiltrate data, and even provide specially crafted input to alter execution flow.

“If exploited, the vulnerabilities can lead to data leakage, data corruption, and damage to business functions in Salesforce,” Varonis security researcher Nitay Bachrach said.

Critical Patches Released for New Flaws in Cisco, Fortinet, VMware Products
Thu, 08 Feb 2024 06:13:24 +0000
https://www.indiavpn.org/2024/02/08/critical-patches-released-for-new-flaws-in-cisco-fortinet-vmware-products/

Feb 08, 2024 | Newsroom | Cyber Threat / Network Security


Cisco, Fortinet, and VMware have released security fixes for multiple security vulnerabilities, including critical weaknesses that could be exploited to perform arbitrary actions on affected devices.

The first set from Cisco consists of three flaws – CVE-2024-20252 and CVE-2024-20254 (CVSS score: 9.6) and CVE-2024-20255 (CVSS score: 8.2) – impacting Cisco Expressway Series that could allow an unauthenticated, remote attacker to conduct cross-site request forgery (CSRF) attacks.

All the issues, which were found during internal security testing, stem from insufficient CSRF protections for the web-based management interface that could permit an attacker to perform arbitrary actions with the privilege level of the affected user.

“If the affected user has administrative privileges, these actions could include modifying the system configuration and creating new privileged accounts,” Cisco said about CVE-2024-20252 and CVE-2024-20254.

On the other hand, successful exploitation of CVE-2024-20255 targeting a user with administrative privileges could enable the threat actor to overwrite system configuration settings, resulting in a denial-of-service (DoS) condition.


Another crucial difference between the two sets of flaws is that while the former two affect Cisco Expressway Series devices in the default configuration, CVE-2024-20252 only impacts them if the cluster database (CDB) API feature has been enabled. It’s disabled by default.

Patches for the vulnerabilities are available in Cisco Expressway Series Release versions 14.3.4 and 15.0.0.

Fortinet, for its part, has released a second round of updates to address what are bypasses for a previously disclosed critical flaw (CVE-2023-34992, CVSS score: 9.7) in FortiSIEM supervisor that could result in the execution of arbitrary code, according to Horizon3.ai researcher Zach Hanley.

Tracked as CVE-2024-23108 and CVE-2024-23109 (CVSS scores: 9.8), the flaws “may allow a remote unauthenticated attacker to execute unauthorized commands via crafted API requests.”

It’s worth noting that Fortinet resolved another variant of CVE-2023-34992 by closing out CVE-2023-36553 (CVSS score: 9.3) in November 2023. The two new vulnerabilities are, or will be, plugged in the following versions –

  • FortiSIEM version 7.1.2 or above
  • FortiSIEM version 7.2.0 or above (upcoming)
  • FortiSIEM version 7.0.3 or above (upcoming)
  • FortiSIEM version 6.7.9 or above (upcoming)
  • FortiSIEM version 6.6.5 or above (upcoming)
  • FortiSIEM version 6.5.3 or above (upcoming), and
  • FortiSIEM version 6.4.4 or above (upcoming)

Completing the trifecta is VMware, which has warned of five moderate-to-important severity flaws in Aria Operations for Networks (formerly vRealize Network Insight) –

  • CVE-2024-22237 (CVSS score: 7.8) – Local privilege escalation vulnerability that allows a console user to gain regular root access
  • CVE-2024-22238 (CVSS score: 6.4) – Cross-site scripting (XSS) vulnerability that allows a malicious actor with admin privileges to inject malicious code into user profile configurations
  • CVE-2024-22239 (CVSS score: 5.3) – Local privilege escalation vulnerability that allows a console user to gain regular shell access
  • CVE-2024-22240 (CVSS score: 4.9) – Local file read vulnerability that allows a malicious actor with admin privileges to access sensitive information
  • CVE-2024-22241 (CVSS score: 4.3) – Cross-site scripting (XSS) vulnerability that allows a malicious actor with admin privileges to inject malicious code and take over the user account

To mitigate the risks, all users of VMware Aria Operations for Networks version 6.x are recommended to upgrade to version 6.12.0.

Considering the history of exploitation when it comes to Cisco, Fortinet, and VMware flaws, patching is a necessary and crucial first step that organizations need to take to handle the shortcomings.

Chinese Hackers Silently Weaponized VMware Zero-Day Flaw for 2 Years
Sat, 20 Jan 2024 12:34:00 +0000
https://www.indiavpn.org/2024/01/20/chinese-hackers-silently-weaponized-vmware-zero-day-flaw-for-2-years/

Jan 20, 2024 | Newsroom | Zero Day / Cyber Espionage


An advanced China-nexus cyber espionage group previously linked to the exploitation of security flaws in VMware and Fortinet appliances has been linked to the abuse of a critical vulnerability in VMware vCenter Server as a zero-day since late 2021.

“UNC3886 has a track record of utilizing zero-day vulnerabilities to complete their mission without being detected, and this latest example further demonstrates their capabilities,” Google-owned Mandiant said in a Friday report.

The vulnerability in question is CVE-2023-34048 (CVSS score: 9.8), an out-of-bounds write that could be put to use by a malicious actor with network access to vCenter Server. It was fixed by the Broadcom-owned company on October 24, 2023.


The virtualization services provider, earlier this week, updated its advisory to acknowledge that “exploitation of CVE-2023-34048 has occurred in the wild.”

UNC3886 first came to light in September 2022 when it was found to leverage previously unknown security flaws in VMware to backdoor Windows and Linux systems, deploying malware families like VIRTUALPITA and VIRTUALPIE.

The latest findings from Mandiant show that the zero-day weaponized by the nation-state actor targeting VMware was none other than CVE-2023-34048, allowing it to gain privileged access to the vCenter system, and enumerate all ESXi hosts and their respective guest virtual machines attached to the system.

The next phase of the attack involves retrieving cleartext “vpxuser” credentials for the hosts and connecting to them in order to install the VIRTUALPITA and VIRTUALPIE malware, thereby enabling the adversary to directly connect to the hosts.


This ultimately paves the way for the exploitation of another VMware flaw (CVE-2023-20867, CVSS score: 3.9) to execute arbitrary commands and transfer files to and from guest VMs from a compromised ESXi host, as revealed by Mandiant in June 2023.

VMware vCenter Server users are recommended to update to the latest version to mitigate any potential threats.

In recent years, UNC3886 has also taken advantage of CVE-2022-41328 (CVSS score: 6.5), a path traversal flaw in Fortinet FortiOS software, to deploy THINCRUST and CASTLETAP implants for executing arbitrary commands received from a remote server and exfiltrating sensitive data.

These attacks specifically single out firewall and virtualization technologies because such appliances lack support for endpoint detection and response (EDR) solutions, which lets the actor persist within target environments for extended periods of time.

Citrix, VMware, and Atlassian Hit with Critical Flaws — Patch ASAP!
Wed, 17 Jan 2024 05:30:56 +0000
https://www.indiavpn.org/2024/01/17/citrix-vmware-and-atlassian-hit-with-critical-flaws-patch-asap/

Jan 17, 2024 | Newsroom | Vulnerability / Cyber Threat


Citrix is warning of two zero-day security vulnerabilities in NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway) that are being actively exploited in the wild.

The flaws are listed below –

  • CVE-2023-6548 (CVSS score: 5.5) – Authenticated (low privileged) remote code execution on Management Interface (requires access to NSIP, CLIP, or SNIP with management interface access)
  • CVE-2023-6549 (CVSS score: 8.2) – Denial-of-service (requires that the appliance be configured as a Gateway or authorization and accounting, or AAA, virtual server)

The following customer-managed versions of NetScaler ADC and NetScaler Gateway are impacted by the shortcomings –

  • NetScaler ADC and NetScaler Gateway 14.1 before 14.1-12.35
  • NetScaler ADC and NetScaler Gateway 13.1 before 13.1-51.15
  • NetScaler ADC and NetScaler Gateway 13.0 before 13.0-92.21
  • NetScaler ADC and NetScaler Gateway version 12.1 (currently end-of-life)
  • NetScaler ADC 13.1-FIPS before 13.1-37.176
  • NetScaler ADC 12.1-FIPS before 12.1-55.302, and
  • NetScaler ADC 12.1-NDcPP before 12.1-55.302

“Exploits of these CVEs on unmitigated appliances have been observed,” Citrix said, without sharing any additional specifics. Users of NetScaler ADC and NetScaler Gateway version 12.1 are recommended to upgrade their appliances to a supported version that patches the flaws.


It’s also advised to not expose the management interface to the internet to reduce the risk of exploitation.

In recent months, multiple security vulnerabilities in Citrix appliances (CVE-2023-3519 and CVE-2023-4966) have been weaponized by threat actors to drop web shells and hijack existing authenticated sessions.

VMware Fixes Critical Aria Automation Flaw

The disclosure comes as VMware alerted customers of a critical security vulnerability in Aria Automation (previously vRealize Automation) that could allow an authenticated attacker to gain unauthorized access to remote organizations and workflows.

The issue has been assigned the CVE identifier CVE-2023-34063 (CVSS score: 9.9), with the Broadcom-owned virtualization services provider describing it as a “missing access control” flaw.

Commonwealth Scientific and Industrial Research Organization’s (CSIRO) Scientific Computing Platforms team has been credited with discovering and reporting the security vulnerability.

The versions impacted by the vulnerability are provided below –

“The only supported upgrade path after applying the patch is to version 8.16,” VMware said. “If you upgrade to an intermediate version, the vulnerability will be reintroduced, requiring an additional round of patching.”

Atlassian Discloses Critical Code Execution Bug

The development also follows Atlassian’s release of patches for over two dozen vulnerabilities, including a critical remote code execution (RCE) flaw impacting Confluence Data Center and Confluence Server.


The vulnerability, CVE-2023-22527, has been assigned a CVSS score of 10.0, indicating maximum severity. It affects versions 8.0.x, 8.1.x, 8.2.x, 8.3.x, 8.4.x, and 8.5.0-8.5.3. It’s worth noting that 7.19.x LTS versions are not affected by the vulnerability.

“A template injection vulnerability on out-of-date versions of Confluence Data Center and Server allows an unauthenticated attacker to achieve RCE on an affected version,” the Australian company said.

The issue has been addressed in versions 8.5.4, 8.5.5 (Confluence Data Center and Server), 8.6.0, 8.7.1, and 8.7.2 (Data Center only). Users who are on out-of-date instances are recommended to update their installations to the latest version available.
