Overview of the Vulnerability

Tinyproxy, a minimalist, open-source HTTP proxy, is designed for simplicity and efficiency, making it popular in environments where lightweight proxies are required. The vulnerability in question arises in the parsing of HTTP Connection headers—a fundamental component meant to specify which headers are persistent during an HTTP session.

According to the Cisco Talos vulnerability report (TALOS-2023-1889), specific versions of Tinyproxy, namely 1.11.1 and 1.10.0, are affected. The flaw exists in the remove_connection_headers function of Tinyproxy, where a use-after-free error can occur. This kind of software bug is particularly dangerous as it can lead to memory corruption, providing an attacker with a pathway for executing arbitrary code on the host machine.

Technical Breakdown

The issue arises when Tinyproxy handles HTTP headers that are supposed to be removed according to the Connection header’s directives. If the Connection or Proxy-Connection headers are manipulated by an attacker, it can lead to the reuse of previously freed memory. This use-after-free scenario is triggered as follows:

• Tinyproxy iterates over the headers specified in the Connection or Proxy-Connection header.
• Each specified header is removed from a key-value store (hashofheaders), and its memory is subsequently freed.
• However, due to an error in the management of these headers, the freed memory can be reused before the function completes, leading to memory corruption.

This vulnerability is particularly concerning because it can be exploited with a simple malformed HTTP request, making it easy for an attacker to leverage and potentially take over the system running Tinyproxy.

Exploitability and Impact

The CVSSv3 score for this vulnerability is 9.8 (Critical), which underscores its severity. An attacker does not need authenticated access to the target system, making it accessible to any malicious entity that can send HTTP requests to the affected proxy. The potential impacts include unauthorized access, data breaches, service disruption, and in severe cases, complete system compromise.

A use-after-free issue occurs when an application continues to use a memory reference (pointer) after it has freed the memory to which the pointer refers. This can lead to unpredictable behavior, including application crashes, data corruption, and the execution of arbitrary code.

Exploitation Example for CVE-2023-49606

Scenario Setup: Imagine a scenario where a server is running Tinyproxy version 1.11.1. This version is known to have a use-after-free vulnerability in the way it processes HTTP Connection headers.

Step-by-Step Exploitation:

1. Initial HTTP Request by Attacker:
   • The attacker crafts an HTTP request that includes specially designed Connection headers. The goal is to manipulate these headers to trigger the use-after-free condition.
   • Example HTTP request:
     • GET / HTTP/1.1
     • Host: vulnerable-proxy.com
     • Connection: keep-alive, maliciousHeader
     • maliciousHeader: freeThis
2. Processing the Request:
   • Tinyproxy receives the request and parses the headers. According to the specifications, it must remove headers listed in the Connection header after processing the request.
   • The remove_connection_headers function is called to handle this task.
3. Triggering the Use-After-Free:
   • During the processing, Tinyproxy removes maliciousHeader and frees the memory associated with it. However, due to a flaw in the proxy’s memory management, this freed memory could be reallocated for new data while still being referenced by the ongoing process.
   • Suppose the freed memory is quickly reallocated and filled with attacker-controlled data through another part of the application (or another request processed concurrently).
4. Exploiting the Freed Memory:
   • The attacker anticipates that Tinyproxy will access this freed (and now reallocated) memory again before the function completes. If this memory now contains executable code or data crafted by the attacker, it might be executed or wrongly used by the application.
   • For instance, if the memory location is used to store a function pointer, the attacker could overwrite this pointer with the address of their malicious code.
5. Executing Arbitrary Code:
   • When Tinyproxy tries to access the “freed” memory as part of its usual operations (e.g., to log details or continue processing headers), it inadvertently executes the code pointed to by the overwritten pointer.
   • This could allow the attacker to execute arbitrary code on the server running Tinyproxy, potentially giving them full control over the server.

Example of Malicious Impact:

• The attacker could install backdoors, exfiltrate confidential data, launch further attacks from the compromised server, or disrupt the server’s operations.

Mitigation and Response

As of the last update from Cisco Talos, there has been no official patch or maintenance release from the maintainers of Tinyproxy to correct this vulnerability. Organizations using Tinyproxy are advised to monitor their systems closely for unusual activity and implement additional safeguards until a patch is available. This may include:

• Deploying web application firewalls (WAFs) to filter out malicious HTTP headers.
• Isolating the proxy server from critical internal networks.
• Regularly updating all software to the latest versions where possible.

For users and administrators of Tinyproxy, understanding the technical mechanics of this vulnerability and staying vigilant about monitoring their network traffic is crucial. Immediate action is recommended to mitigate the risks associated with this critical vulnerability until a permanent fix is issued.

The post How Safe is Your TinyProxy? Step-by-Step Guide to Exploiting Tinyproxy’s Zero Day Vulnerability appeared first on Information Security Newspaper | Hacking News.

Overview of CVE-2024-3400

CVE-2024-3400 is categorized as an unauthenticated remote code execution vulnerability that could allow attackers to execute arbitrary code on the affected device without needing prior authentication. The flaw is particularly concerning because it can be exploited remotely, potentially giving attackers deep access to network defenses.

The CVE-2024-3400 vulnerability in Palo Alto Networks’ PAN-OS, targeted by Operation MidnightEclipse, has recently been leveraged for more sophisticated exploits, including the deployment of the UPSTYLE backdoor and the creation of malicious cronjobs. This detailed examination highlights the current scope of the attack, with insights derived from ongoing cybersecurity investigations.

Current Scope of the Attack

The exploitation of CVE-2024-3400 has evolved into a multi-faceted attack vector, primarily utilized by sophisticated threat actors. These actors employ a combination of direct command execution and advanced persistence mechanisms to maintain access and control over compromised systems. The UPSTYLE backdoor and associated cronjob activities represent two of the most critical components of this attack:

1. UPSTYLE Backdoor Deployment: In observed attacks, malicious actors have used crafted HTTP requests to exploit the vulnerability, subsequently running shell commands to download and execute the UPSTYLE backdoor script from remote servers. This script is often hosted on compromised web servers, with addresses like 144.172.79[.]92/update.py being involved in the distribution.
2. Cronjob Creation for Persistent Access: Furthering their control, attackers have also been observed creating cronjobs on compromised systems. These cronjobs are designed to automatically execute commands at regular intervals, fetching instructions from URLs like hxxp://172.233.228[.]93/policy | bash. This method ensures that even if the initial backdoor is detected and removed, the attackers retain a method of re-entry.

Technical Insights into UPSTYLE and Cronjob Activities

The technical execution of these components involves several sophisticated techniques:

• Command Execution: The initial exploit allows attackers to execute arbitrary shell commands remotely. This capability is used to install the UPSTYLE backdoor, modify system configurations, and set up new network routes to exfiltrate data securely.
• File Manipulation: Post-exploitation activities include modifying system files to hide the presence of malicious software. This often involves altering logs and other digital footprints that could be used to detect the intrusion.
• Automated Persistence: The cronjobs are set to run every minute, a tactic that provides the attackers with near-constant system access and the ability to push updates or new commands to the compromised system swiftly.

Active Exploitation and PoC Release

Reports from various cybersecurity firms, including Kroll and Zscaler, have highlighted active and opportunistic exploitation of this vulnerability by numerous threat actors. The ease of the exploit, compounded by the release of a PoC, has made CVE-2024-3400 a preferred target for malicious activities aimed at infiltrating and compromising enterprise networks.

Exploit details shared on platforms like GitHub reveal how attackers can utilize path traversal techniques combined with crafted HTTP requests to manipulate the firewall’s operating system, leading to unauthorized remote code execution. The ability of these attacks to bypass traditional security layers underscores the severity of the vulnerability.

Exploitation Mechanism: The exploitation of CVE-2024-3400 involves a series of sophisticated steps that allow attackers to bypass authentication and execute arbitrary code. Here are the key technical elements involved:

• Path Traversal: The initial vector for the attack utilizes a path traversal flaw in the web management interface. Attackers craft malicious HTTP requests that manipulate the file system to access areas that are normally restricted. This is typically achieved through inputs that include “../” sequences or similar methods to navigate the file system.
• Command Injection: After gaining access to restricted areas, attackers exploit command injection vulnerabilities. By inserting malicious commands into scripts or command lines that the system erroneously executes, attackers can initiate unauthorized actions on the device.
• Remote Code Execution (RCE): The culmination of the exploit allows attackers to run arbitrary code with the same privileges as the operating system of the firewall. This can lead to full system control, data manipulation, and initiation of further attacks from the compromised device.

Proof-of-Concept (PoC) Exploitation

The proof-of-concept that circulated in cybersecurity circles demonstrated a practical application of the aforementioned exploit techniques. The PoC is typically a script or set of instructions that exploit the vulnerability to prove its existence and potential for damage. In the case of CVE-2024-3400, the PoC details are as follows:

• Exploit Script: Publicly available scripts show how attackers can automatically perform the exploit using simple HTTP requests. These scripts are often shared on coding platforms like GitHub or cybersecurity forums.
• HTTP Request Manipulation: The PoC often includes examples of HTTP requests that induce the vulnerability. For example, an HTTP request might include a path traversal combined with a command injection like:vbnetCopy codePOST /ssl-vpn/hipreport.esp HTTP/1.1 Host: vulnerable-host Cookie: SESSID=../../../../../../var/cmd; command-to-execute
• Malicious Payloads: These payloads are crafted to perform specific actions on the compromised device, such as opening a reverse shell, modifying firewall rules, or exfiltrating confidential data.

Response from Palo Alto Networks

In response to the escalating threat, Palo Alto Networks has issued several security updates and detailed guidance for mitigation. The company has acknowledged the PoC and its implications, urging all users of the affected PAN-OS versions to update their systems immediately to the latest firmware.

Persistent Threats Despite Remediation

1. Persistent Rootkits: The researcher indicates that they have developed a payload that can survive not only operational resets but also factory resets. This type of malware, often referred to as a rootkit, embeds itself deeply within the system such that standard cleanup processes do not erase it. Rootkits can intercept and alter standard operating system processes to hide their presence, making detection and removal particularly challenging.
2. Post-Exploitation Persistence: There is mention of post-exploit persistence techniques that remain effective even after the device has been reset or firmware upgrades have been applied. This means that merely resetting the device to factory settings or updating its firmware isn’t sufficient to ensure that it is free from compromise. The persistence techniques developed can withstand these typical remedial actions.
3. Low Barrier to Entry: The researcher points out that creating such a persistent rootkit does not require advanced skills, suggesting that even less sophisticated attackers could deploy similar threats. This lowers the barrier to entry for executing highly effective and persistent attacks on vulnerable systems.
4. Physical Hardware Replacement Needed: Due to the rootkit’s resilience and deep integration into the system, the researcher recommends a full physical swap of the affected hardware or a thorough offline inspection and validation of the firmware and BIOS by a specialist. This is suggested as the only sure way to remove such entrenched malware, highlighting the severity and depth of the potential security breach.

Updated PSIRT Guidance

• Persistence Acknowledgement: The Palo Alto Networks Product Security Incident Response Team (PSIRT) has updated their guidance to acknowledge that malware can persist through updates and factory resets. This is an important admission that helps users understand the potential for ongoing risks even after applying what are typically considered comprehensive mitigation steps.
• Safety After Patching: While early patching is critical, the updated guidance suggests that simply having patched early does not guarantee safety against sophisticated attackers who may have enabled persistence mechanisms. Users who patched their systems immediately after the vulnerability was disclosed may still need to consider additional measures to ensure their systems are secure.

Recommendations

Given the nature of this persistent threat, organizations and individuals using affected Palo Alto Networks products should consider the following actions:

1. Physical Replacement: Where feasible, replace potentially compromised hardware to eliminate any chance of lingering threats.
2. Specialist Review: Engage with cybersecurity specialists to conduct thorough offline checks of the firmware and BIOS to ensure no elements of the rootkit or other malware remain.
3. Enhanced Monitoring: Implement enhanced monitoring and logging to detect any signs of rootkit activity or other unusual behaviors that indicate a compromised system.
4. Comprehensive Security Practices: Continue applying security best practices, including regular updates, strict access controls, and frequent security audits to identify and mitigate threats.

The exploitation of CVE-2024-3400 has significant implications for network security, particularly for enterprises that rely on Palo Alto firewalls to protect their critical infrastructure. The vulnerability exposes these networks to potential espionage, data breaches, and other malicious activities if not addressed promptly.

Security experts recommend implementing a multi-layered defense strategy that includes regular updates, monitoring for unusual network activity, and employing advanced threat detection solutions. Additionally, companies are advised to review and strengthen their incident response plans to quickly react to any breaches that might occur.

The discovery and subsequent exploitation of CVE-2024-3400 highlight ongoing challenges in cybersecurity defense mechanisms, particularly in widely used infrastructure components like firewalls. It also stresses the importance of timely patches and the dangers posed by publicly available exploit codes. As the digital landscape evolves, so too does the necessity for robust, proactive security measures to safeguard critical data and systems from emerging cyber threats.

The post Eternal Malware: CVE-2024-3400 Rootkits Persist Through Palo Alto Firewalls Updates and Resets appeared first on Information Security Newspaper | Hacking News.

The Vulnerability Explained

The core of the issue lies in how ECDSA (Elliptic Curve Digital Signature Algorithm) nonces are generated within these versions of PuTTY. The nonces, which should be random to ensure the security of the cryptographic process, were found to be “heavily biased”. This bias in the nonce generation process means that it does not provide the cryptographic randomness required, thereby exposing the private keys to potential recovery by malicious entities.

The specific target of this vulnerability is the NIST P-521 elliptic curve, a standard that is commonly used for securing sensitive communications. The flaw was detailed in various security advisories and databases, which highlighted the risk of attackers being able to exploit this vulnerability to gain unauthorized access to encrypted communications.

Exploiting CVE-2024-31497: A Deep Dive into the PuTTY Vulnerability

CVE-2024-31497 has identified a critical security flaw within versions 0.68 through 0.80 of PuTTY, a popular SSH and Telnet client, specifically targeting its ECDSA nonce generation process. This vulnerability exposes the potential for attackers to recover the NIST P-521 secret keys, posing severe risks to encrypted communications.

The Mechanism of the Exploit

The vulnerability arises from the way PuTTY generates ECDSA nonces. In cryptographic protocols, nonces (numbers used once) are crucial for ensuring the security of the encryption process. Ideally, these should be unpredictable and randomly generated. However, in the affected versions of PuTTY, the ECDSA nonces were found to be “heavily biased”, meaning they do not offer the randomness necessary to securely encrypt data.

This bias in nonce generation makes it theoretically possible for an attacker with sufficient resources and access to encrypted communications to use statistical methods to infer the private key associated with a particular set of communications. Specifically, the bias could allow attackers to perform a side-channel attack where they could deduce the private keys after observing a large number of cryptographic operations.

To exploit this vulnerability, an attacker would need to intercept the cryptographic operations performed by a victim using the compromised versions of PuTTY. The attacker could then apply advanced cryptanalytic techniques to exploit the biased nonce values. This would involve complex mathematical calculations and possibly significant computational resources to effectively “guess” the private key through patterns observed in the biased nonces.

Example of Exploiting CVE-2024-31497: Simulated Attack Scenario

To illustrate how CVE-2024-31497 could be exploited, let’s consider a hypothetical attack scenario:

Scenario Background:

Alice is an administrator who uses PuTTY version 0.70 to manage remote servers for her organization. She connects to these servers using an SSH key pair, where the private key is secured on her local machine.

Step 1: Gathering Information

An attacker, Bob, learns that Alice’s organization still uses a vulnerable version of PuTTY. He decides to target her to gain unauthorized access to the secure servers. Bob begins by intercepting Alice’s SSH sessions to the server. This is typically done using a network sniffer on a compromised network or through a man-in-the-middle attack.

Step 2: Intercepting Cryptographic Operations

During each of Alice’s SSH sessions, Bob captures the encrypted data packets, focusing on extracting the ECDSA nonce values used in the cryptographic operations. Since these nonces are biased (due to the CVE-2024-31497 vulnerability), they do not vary as randomly as they should.

Step 3: Exploiting the Bias

Bob uses a custom-developed script to analyze the captured nonces. The script employs statistical algorithms to detect patterns and irregularities in the nonces that should be random. These patterns indicate the biased nature of the nonce generation in PuTTY, making the private key more predictable.

Step 4: Cracking the Private Key

Using the patterns observed, Bob applies a series of advanced mathematical calculations designed to reverse-engineer Alice’s private key. This type of cryptanalysis exploits the weaknesses inherent in the biased nonces, gradually narrowing down the possible values of the private key.

Step 5: Gaining Unauthorized Access

Once Bob successfully deduces Alice’s private key, he uses it to authenticate himself on the SSH server as if he were Alice. He can now execute commands, access confidential information, and potentially implant further malware to maintain access or affect other parts of the network.

Digital Signature Exploit Mechanism in SSH and Git

1. Digital Signature Creation and Verification:
   • Digital Signature Creation: A digital signature is created using a user’s private key. This process involves the private key signing data (in this case, a Git commit), which effectively “seals” the data with proof that it was signed by the holder of the private key.
   • Digital Signature Verification: The corresponding public key, which is known to others, can be used to verify that the signature was made by the matching private key without exposing the private key itself. This process confirms the identity of the user and ensures the integrity and authenticity of the signed data.

Exploitation Explained

2. Collecting Signatures for Exploitation:
   • Via SSH Server Logs: If an attacker controls or compromises an SSH server, they can collect the digital signatures generated during user logins. These signatures, when created using compromised or weak cryptographic methods, can be analyzed to reveal patterns or weaknesses.
   • Via Signed Git Commits: A more practical approach, as mentioned, involves collecting signatures from signed Git commits. If Git is configured to use SSH keys for signing commits and these commits are pushed to a public repository (like GitHub), the signatures are easily accessible to anyone.
3. Exploiting Vulnerabilities in Signature Generation:
   • In the context of PuTTY and Pageant, if there is a vulnerability in how these tools generate signatures (such as using biased nonces as in CVE-2024-31497), an attacker can potentially exploit this to deduce the private key used for signing.
   • Calculation of Private Key: According to the provided information, attackers might need around 58 signatures to calculate a target’s private key accurately. This calculation is likely based on the ability to exploit flaws in the nonce generation process during signature creation.

Specific Use Case: PuTTY and Pageant with Git

4. PuTTY and Pageant Setup for Git:
   • Configuration: Users might configure Git to use Pageant as an SSH agent, where Pageant manages their SSH keys. When making Git commits, these commits are signed using the SSH key provided by Pageant.
   • Vulnerability Risk: If Pageant is using a version of PuTTY affected by CVE-2024-31497, then the signatures it generates for Git commits might be vulnerable to being exploited, allowing attackers to eventually recover the private key.

Implications of the Exploit

The recovery of NIST P-521 secret keys via this exploit could allow unauthorized parties to decrypt sensitive information, impersonate legitimate users, or perform a range of other malicious activities. Given PuTTY’s extensive use in managing secure communications for critical infrastructure, this vulnerability could have widespread implications, potentially affecting a wide array of sectors including government, finance, and healthcare.

Security Responses and Fixes

CVE-2024-31497 specifically affects PuTTY software versions 0.68 through 0.80. The vulnerability is tied to the implementation of the ECDSA nonce generation within these specific versions of PuTTY. As such, other software products are not directly impacted by this CVE unless they somehow incorporate the same flawed code or similar nonce generation mechanisms that were used in PuTTY.

However, here’s a broader perspective on other software types that could potentially be impacted by similar vulnerabilities:

1. SSH Clients:
   • Other SSH clients might also suffer from similar vulnerabilities if they use flawed or biased ECDSA nonce generation methods. Users should ensure they use up-to-date versions and apply patches regularly.
2. Cryptographic Libraries:
   • Libraries that implement ECDSA and other cryptographic algorithms could be vulnerable if they have similar issues with nonce generation. Examples include OpenSSL, Libgcrypt, and others which have previously had vulnerabilities related to cryptographic nonce handling.
3. VPN Software:
   • VPNs that use custom or outdated cryptographic implementations may be vulnerable to similar issues if they do not use secure, random nonce generation methods in their cryptographic protocols.
4. Secure Communication Applications:
   • Applications that facilitate secure messaging and data transmission, relying on ECDSA for encryption, could potentially be exposed if their nonce generation is biased or predictable.
5. Financial Transaction Systems:
   • Systems that handle e-commerce and financial transactions using ECDSA for transaction signing could be at risk if they inherit or fail to properly implement secure nonce generation practices.

Best Practices for Prevention:

• Regular Updates and Patching: Regularly updating all software to the latest version is critical. This not only applies to PuTTY but to all software that involves cryptographic operations.
• Security Audits: Regularly conduct security audits of the cryptographic practices and implementations used within your organization’s software stack.
• Vulnerability Scanning: Use vulnerability scanners and penetration testing tools to identify and mitigate risks associated with cryptographic implementations.

By keeping an eye on updates related to cryptographic practices and implementing robust security measures, organizations can safeguard against vulnerabilities similar to CVE-2024-31497 and protect their data integrity and privacy.

The post Compromising Cryptographic Key Security Through PuTTY: A Deep Dive into CVE-2024-31497 appeared first on Information Security Newspaper | Hacking News.

Understanding CVE-2023-5528

Akamai’s security researcher, Tomer Peled, has uncovered a critical vulnerability in Kubernetes, designated as CVE-2023-5528, with a CVSS score of 7.2. This vulnerability is particularly alarming as it allows for remote code execution with SYSTEM privileges across all Windows endpoints within a Kubernetes cluster. The exploitation mechanism involves the application of malicious YAML files to the cluster, posing a severe security threat that could lead to a full takeover of all Windows nodes in the affected cluster.

CVE-2023-5528 can be exploited in default installations of Kubernetes versions earlier than 1.28.4. This vulnerability has been verified against both on-premises deployments and Azure Kubernetes Service (AKS). The blog post provides a proof-of-concept YAML file and an Open Policy Agent (OPA) rule to help block this vulnerability, emphasizing the critical nature of this security flaw.

Technical Details and Proof of Concept of CVE-2023-5528

The vulnerability CVE-2023-5528, discovered by Akamai security researcher Tomer Peled, is a high-severity flaw in Kubernetes with a CVSS score of 7.2. It allows for remote code execution with SYSTEM privileges on all Windows endpoints within a Kubernetes cluster. This section delves into the technical specifics and provides a proof of concept to understand the vulnerability’s exploitation mechanism.

Vulnerability Origin

The root cause of CVE-2023-5528 lies in the insecure handling of the subPath parameter in YAML files that create pods with volumes in Kubernetes. This lack of user input sanitization opens the door for command injection vulnerabilities. The specific focus for CVE-2023-5528 is on Kubernetes clusters running on Windows nodes, where the exploitation of this vulnerability can lead to full control over all Windows nodes in a cluster.

Kubernetes Volumes and PersistentVolumes

Kubernetes volumes support the sharing of data between pods or storing it persistently outside of a pod’s lifecycle. Local volumes and hostPath volumes are two types that are relevant to this vulnerability. Local volumes allow users to mount disk partitions inside a pod, while hostPath volumes enable the mounting of directories from the node into a pod.

The exploitation process involves creating a pod that includes a local volume. During this process, the kubelet service eventually calls the MountSensitive() function, which includes a command line call to exec.command. This call creates a symlink between the volume’s location on the node and inside the pod. By manipulating this process, an attacker can inject malicious commands.

Proof of Concept

The proof of concept involves manipulating the local.path parameter inside the persistentVolume YAML file to include a malicious command. This command is then executed during the volume mounting process. For demonstration purposes, a benign command like &calc.exe&& is used, which opens a calculator on the node. However, this method can be adapted to execute more malicious commands.

When this YAML file is applied to the cluster, the malicious command is executed, demonstrating the vulnerability’s potential for exploitation.

Mitigation and Patch Analysis

The Kubernetes team addressed this vulnerability by replacing the vulnerable command line call in the MountSensitive() function with a native Go function, os.Symlink(), which securely performs the symlink operation without the possibility of command injection.

To determine vulnerability, administrators can check their Kubernetes version and the presence of Windows nodes in their cluster. The vulnerability affects default installations of Kubernetes earlier than version 1.28.4.

CVE-2023-5528 highlights the critical importance of input sanitization in Kubernetes and the potential for severe security implications when vulnerabilities are exploited. By understanding the technical details and proof of concept, administrators and security professionals can better assess their systems’ vulnerability and apply necessary patches and mitigations to protect their Kubernetes clusters.

Broader Implications for Kubernetes Security

The discovery of CVE-2023-5528 highlights the ongoing security challenges facing Kubernetes environments. As organizations increasingly adopt containerization and Kubernetes for their operational needs, the security of these systems becomes paramount. This incident serves as a reminder of the importance of maintaining rigorous security practices, staying informed about emerging vulnerabilities, and promptly addressing identified threats.

The exploitation of the high-severity Kubernetes vulnerability CVE-2023-5528 poses a significant threat to organizations using Kubernetes on Windows platforms. The potential for arbitrary code execution with system privileges underscores the need for immediate and comprehensive security measures. By following the recommendations provided by cybersecurity experts and entities like Akamai, organizations can mitigate the risks associated with this vulnerability and safeguard their Kubernetes environments against potential threats. As the cybersecurity landscape continues to evolve, staying vigilant and proactive in addressing vulnerabilities will be key to maintaining the security and integrity of critical systems.

The post CVE-2023-5528: Kubernetes Flaw Jeopardizing Windows Node That Can’t Be Ignored appeared first on Information Security Newspaper | Hacking News.

Overview of the Vulnerability (CVE-2024-23897)

The critical vulnerability in Jenkins, CVE-2024-23897, allows unauthenticated attackers with ‘overall/read’ permission to read data from arbitrary files on the Jenkins controller file system. This flaw poses a severe risk as it enables attackers to gain access to sensitive information, potentially leading to further exploitation of the system.

The exploit for the Jenkins vulnerability, identified as CVE-2024-23897, is a critical security flaw that has significant implications. To understand this exploit, it’s important to break down its components and how it operates:

Nature of the Vulnerability

• Jenkins System: Jenkins is an open-source automation server widely used in continuous integration and continuous delivery (CI/CD) pipelines. It helps automate various aspects of software development, such as building, testing, and deploying applications.
• Vulnerability Type: CVE-2024-23897 is a Remote Code Execution (RCE) vulnerability. RCE vulnerabilities are particularly severe because they allow an attacker to execute arbitrary code on the victim’s system remotely.

How the Exploit Works

1. Exploitation of Permissions: The vulnerability allows unauthenticated attackers with ‘overall/read’ permissions to read data from arbitrary files on the Jenkins controller file system. This means that even without full administrative privileges, attackers can access sensitive information.
2. Reading Arbitrary Files: The exploit enables attackers to read the first few lines of arbitrary files on the Jenkins controller. This could include configuration files, source code, credentials, or any other sensitive data stored on the server.
3. Potential for Further Exploitation: While the primary capability is to read files, the exposure of sensitive data could lead to further exploitation. For instance, if credentials are obtained, attackers could escalate their access privileges.

The Criticality of the Exploit

• Unauthenticated Access: The fact that the exploit can be triggered by unauthenticated users makes it particularly dangerous. It lowers the barrier for attackers, as they do not need to compromise an account before exploiting this vulnerability.
• Ease of Execution: The release of a Proof of Concept (PoC) means that the exploit can be replicated easily by attackers who have access to this PoC. This increases the likelihood of widespread exploitation.

Mitigation and Response

• Patch Availability: Jenkins has released a patch to address this vulnerability. It is crucial for users and administrators of Jenkins to apply this patch immediately to mitigate the risk.
• Security Best Practices: Regularly updating software, monitoring systems for unusual activities, and following security best practices are essential steps in protecting against such exploits.

Security experts have developed curated Sigma rules to detect exploitation attempts of this vulnerability. These rules are crucial for organizations using Jenkins, as they provide a way to identify and respond to any malicious activities related to CVE-2024-23897.

The Severity of the Issue

Rated as critical, this vulnerability has garnered attention due to the ease with which it can be exploited and the potential damage it can cause. The publication of the PoC exploit has escalated the situation, as it provides attackers with a ready-made tool to exploit this vulnerability.

Response from the Jenkins Community

The Jenkins community has been quick to respond to this threat. A patch has been released to address the vulnerability, and users are strongly advised to update their Jenkins installations as soon as possible. The prompt release of the patch highlights the community’s commitment to security and its proactive approach to addressing such critical issues.

Real-World Implications

There have been reports of the PoC exploits for the Jenkins vulnerability being targeted in the wild. This real-world exploitation underscores the importance of immediate action by organizations using Jenkins. Delaying the application of the patch could leave systems vulnerable to attacks, which could lead to severe consequences.

The discovery and subsequent publication of the PoC exploit for the critical Jenkins vulnerability, CVE-2024-23897, serve as a stark reminder of the importance of cybersecurity vigilance. Organizations using Jenkins must prioritize the application of the latest patch to protect their systems from potential exploitation. The situation also highlights the need for continuous monitoring and rapid response mechanisms to address emerging cybersecurity threats.

The post Exploit code: How the New Jenkins Vulnerability Could Compromise Your Data appeared first on Information Security Newspaper | Hacking News.

Stepping into 2024, Open XDR innovator Stellar Cyber is reflecting on 2023.

Stellar Cyber’s CEO and Co-Founder, Changming Liu, writes:

“Going into 2023, we had four clear objectives: 

1. Deliver an exceptional customer experience from day one.
2. Strive for continuous product innovation. 
3. Expand our “routes-to-market” worldwide.
4. Champion the value and power of Open XDR.”

Let’s break down these four objectives with the company’s results in 2023. How did they do, and what are their plans for 2024?

#1 Exceptional Customer Service

Stellar Cyber licenses its platform to a large portfolio of Managed Security Service Providers. According to Changming Liu, “relentless pursuit of customer excellence directly led to doubling our top 250 MSSP customer base, now up to nearly 50.”

MSSPs have recognized their impact. In the 2023s survey, they rated Stellar Cyber as one of the top three Open XDR vendors.

Beyond licensing, Stellar Cyber provides necessary education and resources for vendors and users.

The company launched two new programs in 2023:

1. The interSTELLAR program for partners
2. The University program for universities, students, and underserved communities

The role of the InterSTELLAR program is to offer the partners sales support, materials, and access to experts.

The purpose of the University program is to train the cyber professionals of tomorrow. At the same time, this program helps communities that lack the resources to protect themselves against a growing number of cyber attacks.

Improved Experience for Users

The company introduced a new feature — Stellar Cyber Chat- to further facilitate the use of their intuitive platform.

This is the company’s first GenAI feature. It helps the users to get answers to their questions faster.

The company is just starting its development in this area and plans to dedicate more time to GenerativeAI in the future.

#2 Continuous Innovation

Stellar Cyber has been developing its Open XDR solution since 2015. Starting, their main goal was to provide security teams with a less complex way of analyzing the overwhelming volume of security data.

Today, their Open XDR platform achieves this. It relies on AI and machine learning to integrate, analyze, and correlate the insights from multiple security tools.

Every year, they improve their Open XDR solution to provide businesses of all sizes with more thoughtful and accurate findings.

The year 2023 was the year of innovation for Stellar Cyber.

For security teams that use the insights from the company’s extended detection and response platform, this means that they can rely on the product that is faster and better at responding to threats.

Role of Partnerships in Innovation

To truly evolve and innovate, they also recognized that they needed to partner up. In 2023, they announced multiple collaborations.

Some of the cybersecurity companies that teamed up with Stellar Cyber are Blackberry, SentileOne, Oracle, and Hitachi.

#3 Expanding Global RTM

One of the set objectives for the company was to widen its route to market all over the globe.

After one year, Stellar Cyber can say that it has important global clients. 

Some of them are from Thailand (Vintcom), Malaysia (PROVINTELL), and the Philippines (NEXTGEN Group, NTT Data Solutions).

#4 Spreading the Word

In 2023, Gartner listed Stellar Cyber as one of the top 10 vendors that offer Open XDR solutions in the cybersecurity market.

Gartner included it in their 2023 Market Guide for XDR, where their services are represented among some of the top cybersecurity vendors.

“Additionally, our company was recognized by Gartner in several other reports (Hype Cycle for XDR solutions for midsized companies, NDR Voice of Customer, SecOps Vendor Hype Cycle,” adds Changming Liu.

Another route the company took to show more people the value and capabilities of its cybersecurity solution is through education.

With recent programs, Stellar Cyber introduces its platform to future cybersecurity experts as well. For example, they launched a University Program that helps future security professionals and underserved universities.

Normally, they wouldn’t have the funds to give their students real-life experiences in cyber security. This program gives them access to Open XDR technology, and it connects them with cyber experts in the field.

As a result, even future security professionals can see the value of Stellar Cyber’s platform. 

The Role of Open XDR in the Future

Going into 2024, businesses are acutely aware of increasing hacking threats. Over the last couple of years, they kept reading about more and more data breaches, and ransomware cases. 

The record-breaking cost of data breaches and ransomware was recorded in 2023. This made it more clear that businesses needed solutions such as Open XDR. They help them detect critical threats within the unique content of their infrastructure.

As hackers change their tactics and target companies of all sizes, it’s important to have a security platform built to keep you one step ahead of ever-evolving cyber threats.

Organizations are aware that they need actionable and accurate insights to protect their architecture constantly.

Open XDR has a key role in this. It’s built to prevent overloading teams with alerts and offers insights that help them focus on critical threats instead.

Stellar Cyber’s Objectives for 2024

Stellar has a busy year ahead. The company plans to continue to look for new and innovative ways to deliver its Open XDR platform to MSSPs and enterprise clients. 

Then, they intend to further improve their security product and streamline how data sources are integrated.

In addition, they will improve AI and machine learning-powered correlation and detection of possible threats for even more accurate insights — to minimize false positives.

In 2024, this cybersecurity company will hone automation that continually responds to high-risk exploits.

Similar to 2023, their objectives are aligned to make a detection and response solution as accurate as possible.

The post Stellar Cyber: A Year in Review appeared first on Information Security Newspaper | Hacking News.

The nature of CVE-2023-35628 allows a remote, unauthenticated attacker to execute arbitrary code on the victim’s system. The exploit can be initiated by sending a specially crafted email, and it has been noted that ransomware gangs and other malicious entities are likely to find this vulnerability an attractive target. Although the exploit code maturity for CVE-2023-35628 is currently unproven, which means there might not yet be a reliable method for exploiting this vulnerability in the wild, the potential for remote code execution makes it a critical issue for all Windows users​​.

MSHTML platform

The vulnerability in the MSHTML platform, specifically CVE-2023-35628, can be attributed to several factors that are commonly found in software vulnerabilities:

1. Parsing and Rendering of HTML Content: MSHTML, being a component used for parsing and rendering HTML content in applications like Microsoft Outlook, processes a large amount of untrusted input. This input, which often includes complex HTML and scripting content, can contain flaws or unexpected sequences that are not properly handled by the software.
2. Memory Management Issues: Vulnerabilities often arise due to memory management issues such as buffer overflows, use-after-free errors, or other similar problems. These issues can occur when the software does not correctly allocate, manage, or free memory when processing HTML content. Attackers can exploit these weaknesses to execute arbitrary code.
3. Insufficient Input Validation: Software vulnerabilities can also stem from insufficient input validation. If MSHTML does not properly validate or sanitize the HTML content it processes, malicious input could be used to trigger an exploit. This could include specially crafted scripts or malformed HTML structures designed to take advantage of the parser’s weaknesses.
4. Complexity of Web Standards: The complexity of modern web standards can also contribute to vulnerabilities. As standards evolve and become more complex, it becomes increasingly challenging to ensure that every aspect of the parsing and rendering process is secure against all potential attack vectors.
5. Integration with Email Clients: The integration of MSHTML with email clients like Outlook adds another layer of complexity. Emails are a common vector for delivering malicious content, and the automatic processing of emails (including the rendering of HTML content) can make it easier for attackers to exploit vulnerabilities without direct interaction from the user.

The No-Click Exploit

An exploit for the CVE-2023-35628 vulnerability in the Windows MSHTML platform would typically involve a few key steps, tailored to leverage the specific nature of this flaw. Here’s a generalized overview of how such an exploit could work:

1. Crafting a Malicious Email: The attacker starts by creating a specially crafted email. This email would contain malicious code or a payload designed to exploit the vulnerability in the MSHTML platform. The precise nature of this code depends on the specifics of the vulnerability and would be tailored to trigger the flaw in MSHTML.
2. Email Delivery and Automatic Processing: The crafted email is then sent to the target. In the case of CVE-2023-35628, the critical aspect is that the vulnerability is triggered when Microsoft Outlook retrieves and processes the email. This processing happens automatically, often before the email is even displayed in the Outlook Preview Pane.
3. Remote Code Execution: Upon processing the malicious email, the exploit code is executed. This code execution occurs within the context of the MSHTML platform, which is a key component used by Outlook for rendering HTML content in emails.
4. Taking Control or Damaging the System: Once the code is executed, it can perform various malicious activities. This could range from taking control of the user’s system, stealing sensitive information, installing malware, or performing other harmful actions. The extent of the damage or control depends on the nature of the payload and the permissions available to the MSHTML process.

Memory shaping is an advanced exploitation technique often used in sophisticated cyber attacks, particularly those involving complex software systems and secure environments. It’s a method used by attackers to manipulate the layout or state of memory in a target application to facilitate the exploitation of vulnerabilities. Memory shaping can be a part of exploiting vulnerabilities like buffer overflows, use-after-free errors, or other memory corruption issues.

Here’s a simplified example to illustrate how memory shaping and its exploitation might work:

1. Identifying a Vulnerability: First, the attacker finds a vulnerability in the target application that can be exploited to corrupt memory. For instance, this could be a buffer overflow, where the application fails to check the length of input, allowing an attacker to write more data to a buffer than it can hold.
2. Analyzing Memory Layout: The attacker then studies the application’s memory layout to understand how data is stored and managed. This involves identifying where in memory different types of data are located and how they are accessed by the application.
3. Memory Shaping: Once the attacker has a good understanding of the memory layout, they begin the process of memory shaping. This involves crafting inputs or actions that modify the application’s memory in a controlled way. For example, they might allocate and free memory in a specific pattern to arrange chunks of memory in a desired layout.
4. Exploiting the Vulnerability: With the memory shaped to their advantage, the attacker then exploits the identified vulnerability. Using the buffer overflow example, they might overflow a buffer with data that includes malicious code (the payload) and carefully calculated addresses or commands that redirect the application’s execution flow to the payload.
5. Executing Arbitrary Code: If successful, the exploit allows the attacker’s code to be executed with the privileges of the target application. This could lead to various malicious outcomes, such as data theft, installation of malware, or gaining control over the system.

It’s important to note that memory shaping is a complex and technical process that requires in-depth knowledge of both the target application and general exploitation techniques. It’s typically used in scenarios where standard exploitation methods are not effective, often due to security measures like Address Space Layout Randomization (ASLR) or other protections.

Due to the complexity and potential for misuse, specific exploit code or detailed methodologies for memory shaping are not shared publicly. The goal of cybersecurity research in this area is to understand and mitigate such advanced threats, ensuring software and systems are secure against potential attacks.

It’s important to note that the complexity of the exploit for CVE-2023-35628 is considered high. It requires specific knowledge and techniques, particularly related to memory shaping, to successfully exploit the vulnerability. This complexity might limit the exploitation to more skilled attackers.

The attack complexity is considered high due to the reliance on complex memory-shaping techniques to successfully exploit the vulnerability. Despite this complexity, the high impact of the vulnerability necessitates prompt attention and action. Microsoft has addressed this flaw in their December 2023 Patch Tuesday updates, recommending users to update their systems as a preventative measure​​.

It’s important to note that CVE-2023-35628 is just one of several vulnerabilities addressed in the December 2023 Patch Tuesday updates. Other notable vulnerabilities include CVE-2023-35630 and CVE-2023-35641, which are remote code execution vulnerabilities affecting Microsoft Internet Connection Sharing (ICS) with a CVSS score of 8.8, and a critical spoofing vulnerability in Microsoft Power Platform Connector (CVE-2023-36019) with a CVSS score of 9.6​​.

Mitigation & Scope

The CVE-2023-35628 vulnerability, which is a critical remote code execution flaw in the Windows MSHTML platform, affects a range of Microsoft products, including Office 365 and on-premises versions. This vulnerability is significant due to its potential to allow exploitation as soon as Outlook retrieves and processes a specially crafted malicious email, even before the user interacts with the email. This means that exploitation could occur without any action from the user, not even requiring the Preview Pane in Outlook.

In terms of impact on Office 365 and on-premises environments, it’s important to note that the MSHTML proprietary browser engine, which is the component affected by this vulnerability, is used by Outlook among other applications to render HTML content. The fact that this engine remains installed within Windows, regardless of the status of Internet Explorer 11, means that systems where Internet Explorer 11 has been fully disabled are still vulnerable until patched.

For addressing this vulnerability, Microsoft released patches as part of their December 2023 Patch Tuesday. These patches are essential for mitigating the risk posed by this vulnerability and are available for various versions of Windows and related software components. Given the critical nature of this vulnerability and its potential impact on confidentiality, integrity, and availability, it’s strongly recommended for users and administrators of both Office 365 and on-premises environments to apply these updates promptly.

The December 2023 Patch Tuesday from Microsoft addressed a total of 34 vulnerabilities, including this critical RCE vulnerability in MSHTML. It’s noteworthy that there were no security patches for Exchange, SharePoint, Visual Studio/.NET, or SQL Server in this particular update cycle.

The details about the patches and the specific versions they apply to can be found in Microsoft’s security bulletins and support documentation. For users and administrators, it is crucial to review these resources and ensure that all applicable security updates are applied to protect against potential exploits of this vulnerability​

Given the severity and the ease with which this vulnerability can be exploited, it is crucial for Windows users, particularly those using Microsoft Outlook, to ensure their systems are updated with the latest security patches provided by Microsoft. Regular review of patching strategies and overall cybersecurity methods is advisable to maintain a robust security posture.

The post Silent Email Attack CVE-2023-35628 : How to Hack Without an Email Click in Outlook appeared first on Information Security Newspaper | Hacking News.

These vulnerabilities were discovered by the Binarly Research team and have far-reaching consequences:

1. Discovery and Impact: LogoFAIL vulnerabilities affect various vendors’ system firmware during the device boot process, not being specific to any silicon type. They impact the entire firmware ecosystem, including Independent BIOS vendors (IBVs) like AMI, Insyde, and Phoenix. This implies that a broad range of consumer and enterprise devices could be at risk​​. Imagine a scenario where a large electronics manufacturer uses firmware from an Independent BIOS Vendor (IBV) like AMI for its laptops. If this firmware contains the vulnerable image parsing libraries identified in LogoFAIL, then all these laptops, regardless of their specific models or configurations, could potentially be at risk. This would mean millions of devices across the globe could be vulnerable to these security flaws.
2. Operation of Vulnerabilities: These vulnerabilities enable attackers to store malicious logo images on the EFI System Partition (ESP) or in unsigned sections of a firmware update. During the boot process, when these images are parsed, the vulnerability can be triggered, allowing attackers to execute arbitrary payloads. This can lead to the bypassing of critical security features like Secure Boot and hardware-based Verified Boot mechanisms, including Intel Boot Guard, AMD Hardware-Validated Boot, or ARM TrustZone-based Secure Boot​​. For example, an attacker could craft a malicious logo image and insert it into the EFI System Partition on a victim’s laptop. When the laptop is booted, the firmware parses this image, unknowingly triggering the vulnerability. This could allow the attacker to bypass the laptop’s Secure Boot mechanism, effectively undermining one of the key security features that is supposed to ensure only trusted software is loaded during the boot process.
3. Implications: LogoFAIL vulnerabilities can completely compromise the system’s security, making “below-the-OS” security measures like Secure Boot ineffective. This level of compromise allows attackers to gain deep control over affected systems. The vulnerabilities offer a different attack surface on the ESP partition, allowing for data-only exploitation by modifying the logo image​​.Consider a highly secure workstation used in a government facility, which relies on Secure Boot for security. If this workstation is affected by LogoFAIL, an attacker could exploit these vulnerabilities to gain control over the system even before the operating system loads. This could potentially allow the attacker to manipulate or disable other security measures, essentially gaining unrestricted access to the system and the sensitive data it contains.

Exploitation

Threat actors can exploit the LogoFAIL vulnerabilities in the following ways:

1. Malicious Logo Images: Attackers can craft malicious logo images and place them on the EFI System Partition (ESP) or within unsigned sections of a firmware update. Since these images are parsed during the boot process, the malicious code within the images gets executed.
2. Bypassing Security Mechanisms: By exploiting these vulnerabilities, attackers can bypass critical security features like Secure Boot, Intel Boot Guard, and other hardware-validated boot mechanisms. This allows them to execute unauthorized code at a fundamental level of the device.
3. System Compromise: Once they bypass these security measures, attackers can potentially gain deep control over the system, undermining its security and potentially accessing sensitive information or installing further malware. This level of access can be particularly damaging as it occurs below the operating system level, making detection and remediation more challenging.

Mitigation

To mitigate the risks associated with the LogoFAIL vulnerabilities, several steps can be taken:

1. Firmware Updates: Regularly updating firmware is crucial. Manufacturers often release patches and updates to address known vulnerabilities. Keep all devices updated with the latest firmware versions provided by the manufacturer.
2. Vendor Communication: Stay informed about any security advisories or updates from device manufacturers. This can include checking for updates on their websites or subscribing to their security bulletins.
3. Security Solutions: Employ security solutions that monitor firmware integrity and detect anomalies at the firmware level.
4. Regular Audits: Conduct regular security audits of firmware to identify and mitigate potential vulnerabilities.
5. Best Practices: Follow cybersecurity best practices, including maintaining a secure and updated environment, and educating users about the importance of security in preventing malware infections.

These steps can significantly reduce the risk of exploitation of these vulnerabilities. This research underscores the seriousness of these vulnerabilities and their potential to affect a vast range of devices, highlighting the need for comprehensive security measures in firmware development and maintenance.

The post Inside LogoFAIL: The UEFI Firmware Flaw Compromising Millions of Devices appeared first on Information Security Newspaper | Hacking News.

Discovery of Advanced Attack Techniques

Bitdefender’s research team, working in conjunction with their in-house research institute Bitdefender Labs, has identified previously unknown methods that cybercriminals could use to escalate a breach from a single endpoint to a network-wide level. These techniques, if exploited, could lead to severe consequences such as ransomware attacks or massive data exfiltration.

The attack progression involves several key stages, starting from a single compromised machine. Once inside the system, attackers could potentially:

• Move across cloned machines within the network, especially if they are equipped with GCPW.
• Gain unauthorized access to the Google Cloud Platform through custom permissions.
• Decrypt locally stored passwords, extending their reach beyond the initially compromised machine.

These findings were responsibly disclosed to Google. However, Google has stated that these issues will not be addressed directly, as they fall outside their designated threat model. This decision reflects Google’s risk assessment and security priorities.

The Dual Role of Google Credential Provider for Windows (GCPW)

At the heart of these vulnerabilities is the Google Credential Provider for Windows (GCPW), a tool designed to streamline access and management within Google’s ecosystem. GCPW serves two primary functions:

1. Remote Device Management: Similar to Mobile Device Management (MDM) systems like Microsoft Intune, GCPW allows administrators to remotely manage and control Windows devices connected to Google Workspace. This includes enforcing security policies, deploying software updates, and managing device settings without needing a VPN connection or domain registration.
2. Single-Sign On (SSO) Authentication: GCPW facilitates SSO for Windows devices using Google Workspace credentials. This integration provides a seamless login experience, enabling users to access their devices with the same credentials used for Google services like Gmail, Google Drive, and Google Calendar.

The Operational Mechanism of GCPW

Understanding GCPW’s functioning is crucial in comprehending the vulnerabilities. Here’s a breakdown of its operational process:

• Local Service Account Creation: Upon installing GCPW, a new user account named ‘gaia’ is created. This account, not intended for regular user interactions, serves as a service account with elevated privileges.
• Credential Provider Integration: GCPW integrates a new Credential Provider into the Windows Local Security Authority Subsystem Service (lsass), a critical component responsible for handling security operations and user authentication in Windows.
• Local User Account Creation: GCPW facilitates the creation of new local user accounts linked to Google Workspace accounts whenever a new user authenticates with the system.
• Logon Procedure: These Google Workspace users are logged in using their newly created local profiles, where a refresh token is stored to ensure continuous access without repeated authentication prompts.

Uncovered Attack Methods

Bitdefender’s research sheds light on specific attack vectors that exploit the functionalities of GCPW:

Golden Image Lateral Movement:

• Virtualized Environment Challenge: In environments that use cloned virtual machines (VMs), such as Virtual Desktop Infrastructure (VDI) or Desktop as a Service (DaaS) solutions, the installation of GCPW on a base machine means that the ‘gaia’ account and its password are cloned across all VMs.
• Attack Implication: If an attacker discovers the password of one ‘gaia’ account, they can potentially access all machines that have been cloned from the same base image.
• Scenario: Imagine a company, “Acme Corp,” uses a Virtual Desktop Infrastructure (VDI) where multiple virtual machines (VMs) are cloned from a single ‘golden image’ for efficiency. This image has Google Credential Provider for Windows (GCPW) pre-installed for ease of access.
  • Attack Example:
• An attacker, Alice, manages to compromise one of Acme Corp’s VMs. During her exploration, she discovers that the VM has GCPW installed.
• She learns that the ‘gaia’ account password created during the GCPW setup is identical across all cloned VMs because they were derived from the same golden image.
• By extracting the ‘gaia’ account password from the compromised VM, Alice can now access all other VMs cloned from the same image. This allows her to move laterally across the network, potentially accessing sensitive information or deploying malware.

Unauthorized Access Token Request:

• Exploitation of OAuth Tokens: GCPW stores an OAuth 2.0 refresh token within the user’s session, maintaining access to the broader Google ecosystem. Attackers gaining access to this token can request new Access Tokens with varied permissions.
• Scope of Abuse: The permissions granted by these tokens can enable attackers to access or manipulate a wide range of user data and Google services, effectively bypassing multi-factor authentication (MFA) processes.
• Scenario: At a different company, “Beta Ltd.,” employees use their Google Workspace credentials to log into their Windows machines, facilitated by GCPW.

Attack Example:

• Bob, a cybercriminal, gains initial access to a Beta Ltd. employee’s computer through a phishing attack.
• Once inside the system, Bob finds the OAuth 2.0 refresh token stored by GCPW. This token is meant to maintain seamless access to Google services without repeated logins.
• With this token, Bob crafts a request to Google’s authentication servers pretending to be the legitimate user. He requests new Access Tokens with broad permissions, like access to emails or cloud storage.
• Using these tokens, Bob can now access sensitive data in the employee’s Google Workspace environment, like emails or documents, bypassing any multi-factor authentication set up by the company.

Password Recovery Threat:

• Plaintext Credential Risk: GCPW’s mechanism of saving user passwords as encrypted LSA secrets, intended for password resetting, presents a vulnerability. Skilled attackers could decrypt these credentials, allowing them to impersonate users and gain unrestricted account access.

Scenario: A small business, “Gamma Inc.,” uses GCPW for managing their Windows devices and Google Workspace accounts.

Attack Example:

• Carla, an experienced hacker, targets Gamma Inc. She successfully breaches one of the employee’s systems through a malware-laden email attachment.
• After gaining access, Carla locates the encrypted LSA secret stored by GCPW, which contains the user’s Google Workspace password.
• Using advanced decryption techniques, she decrypts this password. Now, Carla has the same access privileges as the employee, not just on the local machine but across all Google services where the employee’s account is used.
• This enables Carla to impersonate the employee, access company emails, manipulate documents, or even transfer funds if the employee has financial privileges.

Google’s Stance and Security Implications

Google’s decision not to address these findings, citing their exclusion from the company’s specific threat model, has stirred a debate in the cybersecurity community. While Google’s risk

The post Your Google Cloud Security Might Be at Risk. Hacking GCP via Google Workspace flaw appeared first on Information Security Newspaper | Hacking News.

The flaw is a buffer overflow that can be exploited by a local attacker using specially crafted GLIBC_TUNABLES environment variables when launching binaries with Set-UID (SUID) permissions, which could potentially allow the execution of code with elevated privileges. The Qualys Threat Research Unit has been credited with discovering this vulnerability.

This vulnerability has been given a severity score of 7.8, which classifies it as high severity. Exploitation of this flaw could enable an attacker to gain root permission on a Linux system that is running a vulnerable version of GLIBC, specifically version 2.34 or similar.

The issue has been noted to impact major Linux distributions, and organizations that use Linux systems, especially in cloud environments, are advised to patch this vulnerability promptly to mitigate the risks associated with it.

Exploit

To exploit CVE-2023-4911, threat actors would typically follow a sequence of steps that hinge on local access to a vulnerable system. The exploitation process can generally be broken down into the following stages:

1. Initial Access: First, the attacker needs local access to a system that runs a vulnerable version of the GNU C Library, specifically where ld.so is affected by the buffer overflow. This access could be obtained through various means, such as compromising a low-privileged user account.
2. Crafting Malicious Input: The attacker crafts a malicious GLIBC_TUNABLES environment variable. This variable is meant to be used for tuning performance and behavior aspects of the GNU C Library, but when crafted maliciously, it can trigger a buffer overflow.
3. Exploiting the Buffer Overflow: By triggering the buffer overflow, the attacker aims to overwrite certain areas of memory. This could be the stack, the heap, or other memory locations, depending on how the dynamic loader (ld.so) is handling the environment variable.
4. Injecting Code or Redirecting Execution: The overwritten memory could include the injection of malicious code, or it might alter the execution flow of the process to jump to code that the attacker controls. Typically, this would be shellcode—a small piece of code that launches a shell or another control mechanism.
5. Elevating Privileges: If the process being exploited has SUID permissions, it runs with the privileges of the owner of the file, often root. By exploiting such a process, the attacker can execute their code with elevated privileges, effectively gaining root access to the system.

Here’s a hypothetical example:

• Alice is a system administrator for a cloud service provider that uses Linux servers.
• Bob is a threat actor who has managed to gain access to a low-privileged account on one of the Linux servers due to a weak password.
• The server runs a version of GLIBC that is vulnerable to CVE-2023-4911.
• Bob writes a malicious GLIBC_TUNABLES variable and uses it in conjunction with a vulnerable application that has SUID set to run as root.
• When the application runs, the malicious variable causes a buffer overflow in ld.so, which Bob exploits to redirect the application’s execution flow to his shellcode.
• Bob’s shellcode is executed with root privileges, giving him full control over the server.
• Now with root access, Bob could install persistent backdoors, exfiltrate data, or use the compromised server for further attacks.

It’s important to note that exploitation of CVE-2023-4911, like many vulnerabilities, requires specific conditions to be met and often sophisticated knowledge of software internals, memory layout, and exploitation techniques. The exact details of the exploit can vary based on the system’s configuration, the attacker’s goals, and the environment variables involved.

The Aqua Nautilus team documented an attack by the Kinsing malware that exploited CVE-2023-4911 to elevate permissions on a compromised machine. Here’s how they described the exploitation process:

1. Initial Access: The attackers gained initial access by exploiting a PHPUnit vulnerability (CVE-2017-9841), allowing them to download and execute a Perl script to open a reverse shell on the compromised machin.
2. Manual Testing: The Kinsing attackers manually tested shell commands on the compromised systems. These commands included gathering system information, starting an interactive shell session, and creating a directory in /tmp.
3. Downloading Exploits: They downloaded a script named gnu-acme.py, which was an exploit for the Looney Tunables vulnerability (CVE-2023-4911), allowing for local privilege escalation by exploiting a buffer overflow in the handling of the GLIBC_TUNABLES environment variable by ld.so.
4. Executing Additional Exploits: After this, they fetched and executed an obfuscated PHP exploit, which, upon de-obfuscation, turned out to be a JavaScript designed for further exploitative activities. This resulted in a web shell backdoor that allowed them to maintain unauthorized access to the server.

This attack demonstrates the attackers’ sophisticated capabilities in chaining vulnerabilities to penetrate cloud environments, gain unauthorized access, and elevate privileges within the system.

Kinsing aims to gather CSP credentials, potentially exposing sensitive data, like AWS instance identity, which poses risks in cloud environments.

Here below, we have mentioned all the types of credentials and data that could be exposed:-

• Temporary Security Credentials
• IAM Role Credentials
• Instance Identity Tokens

Mitigation

To mitigate an attack exploiting CVE-2023-4911, you should take the following steps:

1. Patch the Vulnerability: Update the GNU C Library (glibc) to the latest version that includes a fix for CVE-2023-4911.
2. Limit Access: Restrict local access to essential personnel and services, minimizing the number of users who can potentially exploit the vulnerability.
3. Monitor for Suspicious Activity: Implement monitoring tools to detect unusual activity, such as unexpected changes to environment variables or unauthorized processes trying to gain elevated privileges.
4. Harden Your Environment: Follow best practices for system hardening, such as disabling unnecessary services, closing open ports, and using tools like SELinux or AppArmor for enhanced security.
5. Regular Security Audits: Conduct regular security audits to identify and remediate misconfigurations or unnecessary privileges that could be exploited.
6. Use Security Tools: Employ security solutions such as intrusion detection systems, firewalls, and anti-malware tools that can detect and prevent exploitation attempts.
7. Educate Staff: Train staff to recognize phishing attempts and other forms of social engineering that could lead to local access being compromised.
8. Incident Response Plan: Have an incident response plan in place that includes procedures for dealing with suspected breaches, including how to contain and eradicate threats.
9. Backup Regularly: Maintain regular backups of critical data to ensure that you can restore systems to a secure state if necessary.

By following these steps, you can significantly reduce the risk of exploitation and mitigate potential damage from attacks like those involving CVE-2023-4911.

The post Hackers’ new favorite: CVE-2023-4911 targeting Debian, Ubuntu and Fedrora servers in the Cloud appeared first on Information Security Newspaper | Hacking News.

1. Nature of the Breach

• Okta’s support system was compromised in a security breach. Hackers were able to break into its support case management system and steal sensitive data. This data could potentially be used to impersonate valid users.

2. Detection and Notification

• BeyondTrust, a cybersecurity firm, detected an identity-centric attack on an in-house Okta administrator account. They notified Okta of the breach on October 2, 2023.

3. Affected Parties

• BeyondTrust was identified as one of the customers affected by this breach. The breach had an internal impact on Okta, affecting its security leadership and other operational aspects.

4. Method of Attack

• The attackers breached Okta’s support system using stolen credentials. This allowed them unauthorized access to sensitive customer data and internal resources.

5. Market Impact

• Following the news of the cyber breach, Okta’s shares experienced a significant slump. This reflects the market’s reaction to the security incident and its potential implications .

6. Official Statements

• Okta’s security leadership has confirmed the breach, acknowledging the compromise of their internal systems and the impact on their customers.

The fallout from the breach saw a slump in Okta’s shares and an approximate 1% of Okta’s customers being affected, although Okta did not disclose the exact number of affected customers. This incident also casts a spotlight on Okta’s security measures, especially coming after a similar breach in 2022 where hackers managed to steal some of Okta’s source code and gained access to the company’s internal network.

Below is a summary of known breaches:

1. Lapsus$ Incident (January 2022): In January 2022, Okta suffered a breach when a hacking group known as Lapsus$ infiltrated its third-party support provider, Sitel. Okta faced criticism for not disclosing the breach promptly​.
2. Source Code Theft: In an undisclosed timeline, Okta confirmed a major security incident where a hacker accessed its source code following a breach of its GitHub repositories​​.
3. January 2022 Data Breach: A separate incident in late January 2022 was confirmed by Okta CEO Todd McKinnon, where some customer data might have been exposed. The exact details of this breach were not provided​.
4. October 20, 2023 Breach: Hackers gained unauthorized access to Okta’s support case management system and stole sensitive data that could be used to impersonate valid users on October 20, 2023​.
5. Lapsus$ Incident (Undisclosed Date): In a different encounter with Lapsus$, hundreds of Okta customers were possibly affected by a security breach, and Okta faced backlash for its slow response to the incident​.

These incidents reflect the challenges even established identity management providers face in ensuring the security and privacy of their systems and customer data.

The breach is a stark reminder of the sophisticated threats that modern enterprises face, and the critical importance of robust cybersecurity measures to safeguard sensitive data and systems from unauthorized access. The breach at Okta underscores the vulnerabilities that even identity services providers face in the realm of cybersecurity. The incident has led to the compromise of sensitive data, affecting both Okta and its customers, and has had noticeable market repercussions.

The post From Trusted to Busted: Okta Hacked again. Epic tale of security nightmares, 4 times in 2 years appeared first on Information Security Newspaper | Hacking News.

The security glitch, identified as CVE-2023-4966, predominantly pertains to sensitive information disclosure. The appliance must be configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server to be susceptible to this vulnerability. The core of the issue lies in the Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119), with a CVSS score of 9.4, highlighting its critical nature​.

Real-world Exploitation

Mandiant shed light on the active exploitation of this vulnerability since August, emphasizing the criticality of the situation. The exploitation entailed unauthenticated buffer-related vulnerabilities, underscoring the urgency of mitigation measures beyond mere patching​.

Countermeasures Undertaken:

In a bid to curb the exploitation, Citrix rolled out a patch on October 10, 2023. However, the patch proved to be a half measure, as organizations that had patched their systems continued to face hacks. This revelation underscored the necessity for additional actions alongside patching to thoroughly address the vulnerability​​. The Cybersecurity and Infrastructure Security Agency (CISA) further accentuated the need for users and administrators to review the Citrix security bulletins and apply the requisite updates to barricade against potential exploits​.

Citrix, on October 10, 2023, disseminated a security bulletin concerning the sensitive information disclosure vulnerability, urging users to take remedial actions. Mandiant identified zero-day exploitation of this vulnerability in the wild, which commenced in late August 2023. Successful exploitation could spell significant security implications, thereby necessitating prompt remedial actions​​.

The vulnerable devices affected by CVE-2023-4966 include:

1. NetScaler ADC and NetScaler Gateway versions 14.1-8.50 and later releases.
2. NetScaler ADC and NetScaler Gateway versions 13.1-49.15 and later releases of 13.1.
3. NetScaler ADC and NetScaler Gateway versions 13.0-92.19 and later releases of 13.0.
4. NetScaler ADC 13.1-FIPS versions 13.1-37.164 and later releases of 13.1-FIPS​​.

The emergence of CVE-2023-4966 unveils the incessant security challenges beleaguering the digital landscape. The vulnerability not only underscores the imperative for robust security frameworks but also for the proactive identification and remediation of security loopholes. As organizations grapple with this security menace, the collaborative efforts between vendors, cybersecurity agencies, and the user community will be pivotal in fostering a more secure digital ecosystem.

The post The Terrifying Reality of Citrix’s CVE-2023-4966 Vulnerability “Patching can’t help” appeared first on Information Security Newspaper | Hacking News.