Information Security Newspaper | Infosec Articles | Hacking News (https://www.securitynewspaper.com/), feed last updated Fri, 10 Jun 2022 21:08:38 +0000

Two critical command injection vulnerabilities in Fujitsu cloud storage system allow remote encryption or deletion of files
https://www.securitynewspaper.com/2022/06/10/two-critical-command-injection-vulnerabilities-in-fujitsu-cloud-storage-system-allow-remote-encryption-or-deletion-of-files/ (Fri, 10 Jun 2022 21:08:24 +0000)

Two bugs in the web interface of a Fujitsu cloud storage system would allow unauthenticated threat actors to read, write and even destroy backed-up files. According to the report, the flaws reside in the enterprise-grade Fujitsu Eternus CS800 V8.1 solution.

The problems were found by researchers at NCC Group, who attribute them to missing validation of user input in two PHP scripts: a command injection in grel.php and another in hw_view.php. Successful exploitation allows arbitrary commands to be executed remotely without authentication.

Because nothing restricts how these scripts are included, an attacker can request them directly, bypassing the authentication the surrounding application would normally require, and obtain the same control over the device as a user logged in through a secure shell.

Successful exploitation yields only the limited privileges of the web server account (www-data). However, the kernel on the system NCC Group examined was badly outdated, so an attacker could escalate from there to the administrative root user.
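The bug class behind both scripts is unvalidated input reaching a shell. The following example is added here to show the pattern and its fix; it is not code from the Fujitsu appliance or from NCC Group's advisory, and it models the PHP bug in Python. The parameter name `target`, the allowlist and the payload are assumptions made for the demonstration.

```python
"""Command injection: user input interpolated into a shell string, beside the
hardened form (allowlist validation + argv list, no shell).

Added example, not code from the Fujitsu appliance or NCC Group. The real
bugs live in PHP (grel.php, hw_view.php); this reproduces the bug class only.
"""
import re
import subprocess

# Constructed attacker input: a second, harmless command after a separator.
INJECTED = "x; echo INJECTED"

# Assumed allowlist: what a device status page might accept as a host/node name.
_SAFE_TARGET = re.compile(r"^[A-Za-z0-9._-]{1,253}$")


def run_unsafe(target: str) -> str:
    """Vulnerable pattern: the value is pasted into a command line and handed to
    /bin/sh, which interprets ';', '|', '`', '$(...)' and so on as syntax."""
    cmd = f"echo {target}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_hardened(target: str) -> str:
    """Fixed pattern: reject anything outside the allowlist, then pass the value
    as its own argv element so no shell ever parses it."""
    if not _SAFE_TARGET.match(target):
        raise ValueError(f"rejected target: {target!r}")
    return subprocess.run(["echo", target], capture_output=True, text=True).stdout


def injected(output: str) -> bool:
    """True if the marker appears on its own line, i.e. the second command ran."""
    return "INJECTED" in output.splitlines()


def hardened_rejects(target: str) -> bool:
    """True if the hardened path refuses the input before executing anything."""
    try:
        run_hardened(target)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("unsafe   :", repr(run_unsafe(INJECTED)))      # 'x\nINJECTED\n'
    print("hardened :", hardened_rejects(INJECTED))       # True: rejected
    print("hardened :", repr(run_hardened("cs800-node1")))  # 'cs800-node1\n'
```

The allowlist is the important half: `escapeshellarg` or an argv list alone stops the shell from parsing the value, but a validator also stops it from reaching other sinks (file paths, SQL, log injection) that a later script may pass it to.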

NCC Group found the issues during a penetration test of a customer's systems. The findings were reported to Fujitsu, which fixed the flaws shortly afterwards and told its users that no active exploitation had been detected; no public proof-of-concept (PoC) exploit is known either.

Even though no attacks have been observed so far, users are advised to upgrade to the latest version of the software to mitigate these flaws.

Feel free to access the International Institute of Cyber Security (IICS) websites to learn more about information security risks, malware variants, vulnerabilities, and information technologies.

Follina, Microsoft Office vulnerability, also affects Foxit PDF Reader; no patches available
https://www.securitynewspaper.com/2022/06/08/follina-microsoft-office-vulnerability-also-affects-foxit-pdf-reader-no-patches-available/ (Wed, 08 Jun 2022 16:27:48 +0000)

A few days ago, a security researcher reported a zero-day vulnerability in Microsoft Office that can be exploited with apparently harmless Word documents, which execute PowerShell commands through the Microsoft Support Diagnostic Tool (MSDT).

After the flaw, dubbed Follina, was publicly disclosed and several exploits were released, Microsoft acknowledged the bug, assigned it CVE-2022-30190 and described it as a remote code execution (RCE) vulnerability.

Security specialist Kevin Beaumont explained that the malicious documents use Word's remote template feature to retrieve an HTML file from a remote web server; that file in turn invokes the ms-msdt: URI scheme (an MSProtocol handler) to load code and run PowerShell. Beaumont also notes that Follina can be triggered through the ms-search MSProtocol handler as well.

Vulnerable PDF tools

Although this was already a considerable security risk, things did not stop there: it was recently confirmed that the vulnerability can also be triggered in Foxit PDF Reader. On Twitter, user @j00sean wrote: “While testing PDF readers, I found a way to trigger error CVE-2022-30190, also known as #Follina, in Foxit PDF Reader. This doesn’t work in Adobe because of sandbox protections.”

The user shared a video of the proof of concept (PoC), showing the tests on Foxit PDF Reader v11.2.2.53575, the latest version of the tool at the time. Foxit has not yet released a security update for the bug or issued an advisory about it.

The researcher also posted the payload that triggers the bug in Foxit, noting that successful exploitation requires the target user to allow the connection in a security-warning pop-up, so unlike the Word vector it is not entirely silent.

Known exploitation

Threat actors believed to be Chinese have been actively exploiting this vulnerability; reports specifically point to TA413, an advanced persistent threat (APT) group that runs ongoing campaigns against the Tibetan community.

Finally, a Proofpoint report details how various government officials in Europe and the United States have been targeted by this campaign, receiving malicious documents in phishing emails purporting to come from legitimate entities.

CVE-2022-26134: Zero-day remote code execution vulnerability affecting Confluence Server and Data Center
https://www.securitynewspaper.com/2022/06/03/cve-2022-26134-zero-day-remote-code-execution-vulnerability-affecting-confluence-server-and-data-center/ (Fri, 03 Jun 2022 17:09:01 +0000)

Information security specialists at Volexity have discovered a remote code execution (RCE) vulnerability in the latest, fully patched versions of Atlassian Confluence Server. Tracked as CVE-2022-26134, the flaw has been reported to the company.

The researchers describe it as a zero-day in Confluence Server and Data Center. Volexity does not plan to publish a proof of concept (PoC) while Atlassian has no official patch. The flaw came to light when Volexity identified suspicious activity on Confluence servers it was investigating and confirmed the bug by observing a threat actor launch an RCE exploit against that infrastructure.

Continuing its investigation, Volexity identified bash shells launched from Confluence’s web application processes: “We believe that the attacker launched a single exploit attempt on each of the Confluence server systems, which in turn loaded a malicious class file into memory. This allowed the threat actor to effectively have a webshell that they could interact with through subsequent requests.”

A successful attack therefore lets the actor run commands on the server through that in-memory class, with no backdoor written to the compromised system's disk and no need to re-launch the exploit each time access is wanted.

At the moment there is no complete list of affected Confluence Server versions, but the researchers state that the flaw is exploitable even on deployments with the latest patches installed. In short, every Confluence Server version in use should be assumed exploitable.

In the observed attacks, the exploit was used to load the BEHINDER implant into memory. BEHINDER provides memory-only webshells and built-in support for interacting with tools such as Meterpreter and Cobalt Strike. It is an effective technique: nothing is written to the target's disk, but the implant does not persist, so a restart removes it and the in-memory traces of the attack with it.

Once BEHINDER was running, the threat actors used the in-memory webshell to write two additional webshells to disk.

Active security risk

As mentioned above, Atlassian has not yet fixed the vulnerability, so administrators of affected deployments should consider alternative measures. Volexity’s recommendations include:

  • Restrict access to Confluence Server and Data Center instances from the Internet
  • Disable Confluence Server and Data Center instances

For those who cannot apply either recommendation, a Web Application Firewall (WAF) rule that blocks URLs containing the characters ${ should reduce the risk of attack. The rule must be applied to the URL-decoded request path and query string, since the same two characters can be percent-encoded (%24%7B) or double-encoded by an attacker.
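The following detection logic is added here to show what the ${ rule has to cover; it is not Volexity's or Atlassian's code. It URL-decodes each request path repeatedly before matching, and runs over a few access-log lines constructed for the example (the placeholder EXPR stands in for an injected expression; no real exploit expression is reproduced).

```python
"""Flag CVE-2022-26134-style requests: `${` in the request URL, including
percent-encoded and double-encoded forms. Added example; not code from the
article, Volexity or Atlassian. The access-log lines below are constructed.
"""
import re
from urllib.parse import unquote

# Combined/common log format: ip ident user [ts] "method url proto" status ...
ACCESS_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) (?P<proto>\S+)" (?P<status>\d{3})'
)


def contains_ognl_marker(url: str, max_rounds: int = 3) -> bool:
    """True if `${` appears in the URL after up to `max_rounds` of percent-
    decoding. A rule that matches only the literal characters misses
    %24%7B and %2524%257B, which Confluence decodes before evaluating."""
    current = url
    for _ in range(max_rounds + 1):
        if "${" in current:
            return True
        decoded = unquote(current)
        if decoded == current:      # nothing left to decode
            return False
        current = decoded
    return "${" in current


def flag_requests(log_text: str) -> list:
    """Parse access-log lines and return the fields a SIEM rule would want for
    each request whose URL carries the marker."""
    flagged = []
    for line in log_text.splitlines():
        m = ACCESS_LINE.match(line)
        if m and contains_ognl_marker(m["url"]):
            flagged.append({k: m[k] for k in ("ip", "ts", "method", "url", "status")})
    return flagged


# Constructed sample log: three encodings of the same probe, then benign traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [03/Jun/2022:10:01:12 +0000] "GET /${EXPR}/ HTTP/1.1" 302 0
203.0.113.5 - - [03/Jun/2022:10:01:13 +0000] "GET /%24%7BEXPR%7D/ HTTP/1.1" 302 0
203.0.113.5 - - [03/Jun/2022:10:01:14 +0000] "GET /%2524%257BEXPR%257D/ HTTP/1.1" 302 0
198.51.100.7 - - [03/Jun/2022:10:02:00 +0000] "GET /display/ENG/Home?price=$5 HTTP/1.1" 200 5120
198.51.100.7 - - [03/Jun/2022:10:02:01 +0000] "POST /rest/api/content HTTP/1.1" 200 311
"""

if __name__ == "__main__":
    for hit in flag_requests(SAMPLE_LOG):
        print(hit)
```

A 302 on a path that should not exist is itself a useful secondary signal here: the exploit was observed being sent as a request to a path made of the injected expression, not to a real Confluence page.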

In addition to these recommendations, Atlassian Confluence administrators can apply the following actions:

  • Block external access to Confluence Server and Data Center systems
  • Verify that Internet-facing web services have robust monitoring capabilities and log retention policies
  • Send relevant log files from Internet-connected web servers to a SIEM or syslog server

Millions of Android smartphones exposed to remote hacking due to vulnerability in UNISOC baseband chips
https://www.securitynewspaper.com/2022/06/02/millions-of-android-smartphones-exposed-to-remote-hacking-due-to-vulnerability-in-unisoc-baseband-chips/ (Thu, 02 Jun 2022 17:28:20 +0000)

It may not be a household name for the millions of people carrying its chips, but Chinese chipmaker UNISOC has been a major player in the industry for just over 20 years. Founded as Spreadtrum Communications in 2001, it grew quickly and was present in more than half of Chinese phones by 2011. Today the firm produces budget chipsets for Android devices supporting 2G, 3G, 4G and 5G, as well as for smart TVs and other products, with a predominant presence in Asia and parts of Africa, behind only giants such as Qualcomm and MediaTek.

Although UNISOC is a major chip producer, its technology has received little scrutiny from mobile security researchers, so the risks present in devices with these chips are hard to assess, and until now there were no public references to any vulnerability in its firmware.

Recent research by Check Point Research focuses on the modem of smartphones with UNISOC chips, an attractive target for attackers because it can be reached remotely with relative ease, and a successful attack can produce a denial of service (DoS) that cuts off the affected device's communications.

Basic attack concepts

The Long-Term Evolution (LTE) network is made up of a dozen protocols and components, and some understanding of it is needed to follow how the UNISOC modem works. 3GPP introduced the Evolved Packet System (EPS), the LTE architecture, which consists of three interconnected components:

  • User equipment (UE)
  • Evolved UMTS terrestrial radio access network (E-UTRAN)
  • Evolved Packet Core (EPC)

E-UTRAN consists of a single element, the eNodeB base station, which handles radio communication between the UE and the EPC. A UE is connected to one eNodeB at a time.

The EPC consists of four elements, one of which is the Mobility Management Entity (MME). The MME controls the high-level operation of mobile devices on the LTE network, sending the signaling messages related to security control, tracking-area management and mobility.

Check Point Research’s tests, performed on a smartphone with a UNISOC modem, focus on communication between the MME and the UE, which uses the EPS session management (ESM) and EPS mobility management (EMM) protocols. Check Point's screenshot of the modem's protocol stack (not reproduced here) shows that the non-access stratum (NAS) layer carries the ESM and EMM signaling messages.

The NAS protocol operates on high-level structures, so a threat actor can craft EMM packets and send them to a vulnerable device, whose modem parses them and builds internal objects from the received data.

A bug in that parsing code lets an attacker crash the modem and potentially achieve remote code execution (RCE).

Security flaws in NAS handlers

Most NAS message parsers take three arguments: an output buffer, which is an object of the appropriate message structure; the NAS message data blob to decode; and the current offset within that blob.

This uniform function signature makes it easy to write a harness for fuzzing the NAS parsing functions. Check Point used the classic combination of AFL and QEMU to fuzz the modem binary on a PC, patching the binary to redirect its malloc calls to the libc equivalent. The fuzzer mutated NAS message data and passed it as the input buffer to the parsing function.

One of the optional fields of ATTACH_ACCEPT is the mobile identity. The modem firmware implements an unpacking function similar to liblte_mme_unpack_mobile_id_ie in srsRAN to extract the mobile identity from the NAS message. The identity block begins with its length; if the device is identified by an International Mobile Subscriber Identity (IMSI), length minus 2 bytes of message data are copied into the output buffer as the IMSI digits.

There is no check that the supplied length is greater than one, so a length of zero or one makes the subtraction wrap in unsigned arithmetic (0 - 2 = 0xFFFFFFFE), and that many bytes of the NAS message are copied into heap memory, leading to a DoS condition.
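The following model is added here to make the underflow concrete; it is not UNISOC firmware or Check Point's code. It implements the arithmetic exactly as the article describes it (copy length = length field - 2, computed in unsigned 32 bits) against the bytes Check Point's screenshot shows (IEI 0x23, length 0x01, type 0x01 = IMSI), and places the hardened parser beside it. The field layout (length byte, then a byte whose low three bits give the identity type) follows the 3GPP mobile identity encoding; the filler bytes and the well-formed sample are constructed.

```python
"""Model of the ATTACH_ACCEPT mobile-identity length underflow (CVE-2022-20210).

Added example; not UNISOC firmware or Check Point code. It reproduces the
computation the article describes (length - 2 in uint32) and the fix.
"""

IEI_MOBILE_IDENTITY = 0x23   # IEI byte that introduces the mobile identity IE
TYPE_IMSI = 0x01             # low 3 bits of the byte after the length
U32 = 0xFFFFFFFF


def copy_length_unchecked(length_field: int) -> int:
    """The firmware's computation as described: (length - 2) in uint32.
    For length 0 or 1 this wraps to ~4 GiB, which is what overruns the heap."""
    return (length_field - 2) & U32


def unpack_mobile_id_vulnerable(blob: bytes, offset: int) -> dict:
    """Mirror of the unchecked parser: trusts the length byte. It does not copy
    anything; it reports the byte count the firmware would attempt to copy."""
    if blob[offset] != IEI_MOBILE_IDENTITY:
        raise ValueError("not a mobile identity IE")
    length = blob[offset + 1]
    id_type = blob[offset + 2] & 0x07
    n = copy_length_unchecked(length) if id_type == TYPE_IMSI else 0
    available = len(blob) - (offset + 3)          # bytes that actually follow
    return {"type": id_type, "copy_bytes": n, "overflow": n > available}


def unpack_mobile_id_fixed(blob: bytes, offset: int) -> dict:
    """Hardened parser: the length must cover the type byte plus at least one
    digit byte (so >= 2) and must fit inside the remaining message."""
    if blob[offset] != IEI_MOBILE_IDENTITY:
        raise ValueError("not a mobile identity IE")
    length = blob[offset + 1]
    remaining = len(blob) - (offset + 2)
    if length < 2 or length > remaining:
        raise ValueError(f"mobile identity length {length} invalid with {remaining} bytes remaining")
    id_type = blob[offset + 2] & 0x07
    digits = blob[offset + 3: offset + 2 + length] if id_type == TYPE_IMSI else b""
    return {"type": id_type, "copy_bytes": len(digits), "overflow": False}


def fixed_parser_rejects(blob: bytes, offset: int) -> bool:
    try:
        unpack_mobile_id_fixed(blob, offset)
    except ValueError:
        return True
    return False


# Constructed: the malformed IE from the screenshot (23 01 01) plus filler
# bytes standing in for the rest of the NAS message.
MALFORMED_IE = bytes([0x23, 0x01, 0x01]) + b"\x00" * 4
# Constructed: a well-formed IMSI IE, length 8 = type byte + 7 digit bytes.
WELL_FORMED_IE = bytes([0x23, 0x08, 0x01]) + bytes.fromhex("21436587092143")

if __name__ == "__main__":
    print(unpack_mobile_id_vulnerable(MALFORMED_IE, 0))   # copy_bytes 0xFFFFFFFF
    print(unpack_mobile_id_fixed(WELL_FORMED_IE, 0))      # copy_bytes 7
    print(fixed_parser_rejects(MALFORMED_IE, 0))          # True
```

The fix needs both halves of the check: a minimum length stops the wrap, and the comparison against the remaining message length stops a large but honest-looking length from reading past the packet.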

Check Point's screenshot of the ATTACH_ACCEPT message that causes the overflow (not reproduced here) highlights the 0x23 value, which indicates that the following data is the identity block of the message; the 0x01 after it is the length and the next 0x01 is the IMSI type.

Conclusions

UNISOC is aware of the issue, which has been assigned CVE-2022-20210. While the attacks Check Point describes are not easy to carry out and require considerable resources and planning, the possibility of exploitation is real and should not be dismissed.

The bugs will be addressed, protecting millions of users of these devices. Google is also aware of the report and will add further protections to Android.

Zero-day vulnerability in Microsoft Office Pro Plus, Office 2013, Office 2016, and Office 2021 allows remote network hacking with just a single click
https://www.securitynewspaper.com/2022/05/30/zero-day-vulnerability-in-microsoft-office-pro-plus-office-2013-office-2016-and-office-2021-allows-remote-network-hacking-with-just-a-single-click/ (Mon, 30 May 2022 16:32:49 +0000)

A few days ago, the security researcher known as “nao_sec” reported a specially crafted Word document that exploits a zero-day vulnerability in Microsoft Office, allowing arbitrary code to run simply by opening the malicious file.

The sample, uploaded to VirusTotal from Belarus, was analyzed by Kevin Beaumont, who reports that the document uses Word’s remote template feature to retrieve an HTML file from a remote web server; that file uses the ms-msdt MSProtocol handler to load code and execute PowerShell.

Beaumont notes that the code runs even when macros are disabled, and that Microsoft Defender does not appear to stop the attack: “Although Protected View is activated, if you change the document to RTF format the malicious code will run without even opening the document.”

The flaw was dubbed “Follina” because the malicious file references 0438, the area code of a small Italian town. The researcher and other members of the cybersecurity community confirmed that the known exploit achieves remote code execution on several versions of Windows and Office, including Office Pro Plus, Office 2013, Office 2016 and Office 2021.
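Both Follina articles on this page describe the same two-stage chain: an external relationship inside the .docx that fetches HTML, and HTML that invokes the ms-msdt protocol handler. The scanner below is added as an example of what to look for in a mail gateway or sandbox; it is not code from the original articles, from nao_sec or from Kevin Beaumont. The document it inspects is built in memory for the demonstration, the URL and file name in it are invented placeholders, and the HTML stand-in contains only the scheme name, not a payload. Note that the Windows handler Beaumont referred to as ms-search is registered as search-ms:, so both spellings are checked.

```python
"""Scan a .docx for external http(s) relationships (remote template / OLE
targets) and check fetched HTML for the ms-msdt: and search-ms: handlers.

Added example; not code from the article, nao_sec or Kevin Beaumont.
The sample document and HTML are constructed here.
"""
from __future__ import annotations
import io
import xml.etree.ElementTree as ET
import zipfile

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
# Relationship types that legitimately point at remote URLs; anything else
# that is External + http(s) (attachedTemplate, oleObject, ...) is suspicious.
BENIGN_EXTERNAL = {"hyperlink"}
# URI schemes abused by Follina-style documents (matched case-insensitively).
HANDLERS = ("ms-msdt:", "search-ms:", "ms-search:")


def external_http_relationships(docx_bytes: bytes) -> list[tuple[str, str, str]]:
    """Return (rels_part, relationship_type, target) for every relationship in
    any *.rels part whose TargetMode is External and whose target is an http(s)
    URL, skipping ordinary hyperlinks."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode", "Internal") != "External":
                    continue
                target = rel.get("Target", "")
                rtype = rel.get("Type", "").rsplit("/", 1)[-1]
                if target.lower().startswith(("http://", "https://")) and rtype not in BENIGN_EXTERNAL:
                    hits.append((name, rtype, target))
    return hits


def protocol_handlers_in(html: str) -> list[str]:
    """Return the abused URI schemes present in fetched HTML/script content."""
    lowered = html.lower()
    return [h for h in HANDLERS if h in lowered]


def make_docx(rels_xml: str) -> bytes:
    """Build a minimal .docx (a zip) whose word/_rels/settings.xml.rels is
    `rels_xml`. Constructed test input, not a real sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/_rels/settings.xml.rels", rels_xml)
    return buf.getvalue()


# Constructed: a remote template pointing at an attacker-controlled HTML file.
MALICIOUS_RELS = f"""<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="{REL_NS}">
  <Relationship Id="rId1"
    Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
    Target="http://template.example.invalid/stage2.html!" TargetMode="External"/>
</Relationships>"""

# Constructed: a normal document whose only external relationship is a hyperlink.
BENIGN_RELS = f"""<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="{REL_NS}">
  <Relationship Id="rId1"
    Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"
    Target="https://www.securitynewspaper.com/" TargetMode="External"/>
</Relationships>"""

# Constructed stand-in for the fetched HTML (the real payload is not reproduced).
FETCHED_HTML = '<html><script>window.location.href = "ms-msdt:(payload omitted)";</script></html>'

if __name__ == "__main__":
    print(external_http_relationships(make_docx(MALICIOUS_RELS)))
    print(external_http_relationships(make_docx(BENIGN_RELS)))
    print(protocol_handlers_in(FETCHED_HTML))
```

The first check is the one worth running on inbound mail, because it needs no network access: a document that carries an external template or OLE relationship to an http(s) host is unusual enough to quarantine before anything is fetched.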

The exploit does not appear to work on the most recent Office builds or on Windows Insider releases, which could mean Microsoft is already addressing the issue, although Beaumont believes the exploit could be adapted to work on those versions too.

One hacking group hosted a command-and-control (C&C) domain on Namecheap, which the registrar quickly took down. In the meantime the cybersecurity community has proposed mitigations intended to limit exploitation while no patch is available.

Critical vulnerability in Flux2, a Kubernetes continuous delivery tool, enables hacking between neighboring deployments
https://www.securitynewspaper.com/2022/05/19/critical-vulnerability-in-flux2-a-kubernetes-continuous-delivery-tool-enables-hacking-between-neighboring-deployments/ (Thu, 19 May 2022 16:40:53 +0000)

A recently disclosed vulnerability in Flux, a popular continuous delivery (CD) tool for Kubernetes, would allow tenants of a shared cluster to sabotage the workloads of “neighbors” running on the same infrastructure.

Flux is an open, extensible CD solution that keeps Kubernetes clusters in sync with configuration sources, and is used by firms across industries, including Maersk, SAP, Volvo and Grafana Labs. Its most recent major version (Flux2) introduced multi-tenant support, among other features.

The vulnerability is described as a remote code execution (RCE) flaw caused by improper validation of kubeconfig files, which can specify commands to be executed in order to generate authentication tokens on demand: “Flux2 can reconcile the state of a remote cluster when a kubeconfig file exists with the correct access rights,” says the advisory published on GitHub.

Paulo Gomes, a software engineer who contributes to the Cloud Native Computing Foundation (CNCF), which hosts Flux and Kubernetes, explains: “The tool can synchronize the declared state defined in a Git repository with the cluster in which it is installed, which is the most commonly used approach, or it can target a remote cluster.”

Gomes adds that the access required to target remote clusters depends largely on the intended scope; this is entirely flexible because Kubernetes RBAC is highly granular. The consequence is that a malicious user with write access to a Flux source, or with direct access to the target cluster, can craft a kubeconfig file that executes arbitrary code inside the controller’s container.
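The part of a kubeconfig that turns into code execution is the `users[].user.exec` block (and the older `auth-provider` plugins), which tell the client to run a program to obtain credentials. The check below is added here as an example of the validation a controller or an admission step can apply before trusting a tenant-supplied kubeconfig; it is not Flux's own code. Real kubeconfigs are YAML and would be loaded with `yaml.safe_load`; the two configs here are constructed directly as dictionaries, and the server address, token and command are invented.

```python
"""Find command-executing entries in a kubeconfig before a controller uses it.

Added example; not Flux code. A kubeconfig's users[].user.exec block names a
program the client runs to obtain a token, which is how a crafted kubeconfig
becomes code execution in whatever process loads it. Sample configs are
constructed; addresses, tokens and commands are invented.
"""
from __future__ import annotations
from typing import Any

# Credential mechanisms that run code: exec plugins and legacy auth providers.
EXECUTING_KEYS = ("exec", "auth-provider")


def find_exec_entries(kubeconfig: dict[str, Any]) -> list[dict[str, Any]]:
    """Return one record per user entry that would execute a command."""
    findings = []
    for entry in kubeconfig.get("users") or []:
        user = entry.get("user") or {}
        for key in EXECUTING_KEYS:
            if key in user:
                spec = user[key] or {}
                findings.append({
                    "user": entry.get("name"),
                    "mechanism": key,
                    "command": spec.get("command") or spec.get("name"),
                    "args": list(spec.get("args") or []),
                })
    return findings


def is_safe_for_controller(kubeconfig: dict[str, Any]) -> bool:
    """Policy a controller in a shared cluster should enforce: accept only
    token- or certificate-based user entries, never exec or auth-provider."""
    return not find_exec_entries(kubeconfig)


# Constructed: a legitimate kubeconfig using a bearer token.
SAFE_KUBECONFIG = {
    "apiVersion": "v1", "kind": "Config",
    "clusters": [{"name": "remote", "cluster": {
        "server": "https://10.0.0.1:6443", "certificate-authority-data": "..."}}],
    "users": [{"name": "flux", "user": {"token": "constructed-bearer-token"}}],
    "contexts": [{"name": "remote", "context": {"cluster": "remote", "user": "flux"}}],
    "current-context": "remote",
}

# Constructed: a tenant-supplied kubeconfig that smuggles in an exec plugin.
CRAFTED_KUBECONFIG = {
    "apiVersion": "v1", "kind": "Config",
    "clusters": SAFE_KUBECONFIG["clusters"],
    "users": [{"name": "flux", "user": {"exec": {
        "apiVersion": "client.authentication.k8s.io/v1beta1",
        "command": "/bin/sh",
        "args": ["-c", "echo attacker-controlled-command"],
    }}}],
    "contexts": SAFE_KUBECONFIG["contexts"],
    "current-context": "remote",
}

if __name__ == "__main__":
    print(find_exec_entries(CRAFTED_KUBECONFIG))
    print(is_safe_for_controller(SAFE_KUBECONFIG), is_safe_for_controller(CRAFTED_KUBECONFIG))
```

Because the command runs with the controller's identity, a single-tenant installation gains little from the bug (the person who can write the kubeconfig already holds that identity), while in a multi-tenant cluster it crosses from one tenant's namespace into the controller, which is the scope change behind the two very different CVSS scores.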

Scored under version 2 of the Common Vulnerability Scoring System (CVSS), the vulnerability is rated medium, 6.8/10, because in single-tenant deployments the attacker already holds roughly the privileges needed to exploit it, so the bug gains them little.

Under CVSS v3.1, however, the flaw scores 9.9/10, because that version includes a ‘scope’ metric: the flaw can affect resources beyond the security boundary of the vulnerable component, which is exactly the multi-tenant case.

The maintainers have already fixed the flaw, so users of affected deployments should upgrade as soon as possible.

Researchers find new way to hack any iPhone even when it’s turned off
https://www.securitynewspaper.com/2022/05/17/researchers-find-new-way-to-hack-any-iphone-even-when-its-turned-off/ (Tue, 17 May 2022 18:33:58 +0000)

Cybersecurity researchers have published a paper detailing how the Bluetooth, Near Field Communication (NFC) and Ultra-wideband (UWB) wireless features of iPhones enable certain attacks, because those chips remain active even when the device is turned off.

These features have access to the Secure Element, which stores sensitive data, and they stay powered on the latest iPhone models even with the phone switched off. According to the researchers at the Technical University of Darmstadt, Germany, this would allow malware to be loaded onto the Bluetooth chip of an otherwise inactive device.

Compromising these features would let threat actors reach protected information, including payment card details, banking information and other sensitive data. While the risk is considered real, the researchers acknowledge that exploiting it is complex: the attacker must first load the malware onto the target iPhone while it is turned on, which requires a remote code execution (RCE) capability.

According to the report, the issue stems from how Low Power Mode (LPM) is implemented on Apple’s wireless chips: “The LPM setting is triggered when the user turns off their phone or when the iOS system automatically shuts down due to lack of battery.”

The researchers believe that, beyond its obvious advantages, the current LPM implementation creates new attack vectors. Because LPM support is implemented in iPhone hardware, issues like this cannot be fixed with software updates.

One attack scenario the researchers tested describes how, on a device where the attacker has already obtained system-level access (for instance through a known Bluetooth vulnerability such as Braktooth), the Bluetooth firmware can be altered so that attacker code keeps running while the phone is off. The research was shared with Apple before publication. The company did not comment, but the researchers proposed that Apple add a hardware switch that disconnects the battery, so that the affected functions receive no power once the device is turned off.

Security researcher finds new way to exploit CVE-2022-22005, recently patched deserialization bug in Microsoft SharePoint
https://www.securitynewspaper.com/2022/05/16/security-researcher-finds-new-way-to-exploit-cve-2022-22005-recently-patched-deserialization-bug-in-microsoft-sharpoint/ (Mon, 16 May 2022 21:15:59 +0000)

In early 2022 Microsoft released a patch for CVE-2022-22005, a remote code execution (RCE) vulnerability in SharePoint’s site-creation features. Even though the flaw had been fixed, a security researcher found a new way to exploit the underlying deserialization bug by uploading malicious files to the server.

Many languages use serialization and deserialization to pass complex objects to servers and between processes. If deserialization is not done securely, attackers can send malicious objects that execute code on the server. Nguyễn Tiến Giang, a security researcher at StarLabs, found that servers configured in a certain way are prone to such deserialization attacks, which lead to code execution.

In his blog post, the researcher explains that an attacker can exploit the bug by creating a SharePoint List on the server and uploading a gadget chain carrying the deserialization payload as a PNG attachment. Requesting processing of the uploaded file then triggers the bug and executes the payload on the affected deployment.

The good news is that the flaw can only be exploited by authenticated users and requires a setting that is disabled by default. This variant, tracked as CVE-2022-29108, was addressed in Microsoft’s May patch release.

The researcher found the flaw while analyzing CVE-2022-22005 and realized there was another way to trigger it: “Actually, this error is very easy to detect. There was a publication about it in March; you just have to follow the instructions in that post and people can easily detect the new variant of CVE-2022-22005. It’s like drinking old wine from a new bottle,” he joked.

Finally, the researcher known as hir0ot, who published a detailed analysis of CVE-2022-22005, notes that there are two main ways to fix deserialization flaws: limit the endpoints that deserialize untrusted data, or use a type binder that only resolves types on an allowlist.
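The second fix, an allowlist binder, is the one that keeps working when a new path to the same deserializer is found, as happened here. The example below is added to show the mechanism; it is not SharePoint, StarLabs or hir0ot code, and it stands in for .NET's `SerializationBinder` with Python's `pickle`, whose reduce protocol likewise lets a payload name any callable to invoke. The gadget is constructed and resolves to a harmless built-in so the demonstration is safe to run.

```python
"""Allowlist-based deserialization: the Python analogue of a .NET
SerializationBinder that binds only known types.

Added example; not SharePoint, StarLabs or hir0ot code. .NET gadget chains
are modelled with pickle, whose __reduce__ protocol also lets serialized data
name an arbitrary callable. The gadget below calls a harmless built-in.
"""
import builtins
import io
import pickle


class Gadget:
    """Constructed 'gadget': its pickled form tells the unpickler which
    callable to run. A real chain would name something like os.system."""
    def __reduce__(self):
        return (builtins.len, ("payload-ran",))


def make_payload() -> bytes:
    return pickle.dumps(Gadget())


def make_benign() -> bytes:
    """Plain data a legitimate client would send."""
    return pickle.dumps({"k": [1, 2]})


def loads_vulnerable(data: bytes):
    """Unrestricted: any global the payload names is resolved and called."""
    return pickle.loads(data)


class AllowlistUnpickler(pickle.Unpickler):
    """Binder-style allowlist: only these (module, name) pairs may be resolved.
    Everything else, including builtins.len, is refused before it is called."""
    ALLOWED = {("builtins", "dict"), ("builtins", "list"), ("builtins", "str"),
               ("collections", "OrderedDict")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"blocked global {module}.{name}")


def loads_hardened(data: bytes):
    return AllowlistUnpickler(io.BytesIO(data)).load()


def hardened_blocks(data: bytes) -> bool:
    """True if the allowlist unpickler refuses the data."""
    try:
        loads_hardened(data)
    except pickle.UnpicklingError:
        return True
    return False


if __name__ == "__main__":
    payload = make_payload()
    print("vulnerable:", loads_vulnerable(payload))   # 11: len('payload-ran') ran
    print("hardened  :", loads_hardened(make_benign()))  # {'k': [1, 2]}
    print("hardened  :", hardened_blocks(payload))    # True: blocked
```

The allowlist is deliberately a set of exact (module, name) pairs rather than a module prefix: in .NET, as here, the dangerous gadgets mostly live in trusted framework namespaces, so allowing a whole namespace reopens the hole.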

Exploitation code for CVE-2022-1388 available: Critical remote code execution vulnerability in F5 Network management tools
https://www.securitynewspaper.com/2022/05/09/exploitation-code-for-cve-2022-1388-available-critical-remote-code-execution-vulnerability-in-f5-network-management-tools/ (Mon, 09 May 2022 17:45:35 +0000)

A few days ago, F5 Networks’ security teams announced fixes for more than 50 vulnerabilities across BIG-IP versions, among which CVE-2022-1388 stands out: a critical flaw that can be exploited for remote code execution (RCE). This morning the company updated its advisory, urging organizations that use its application delivery controllers to upgrade, as the flaw is being exploited in the wild.

According to the advisory, successful exploitation allows unauthenticated threat actors with network access to the BIG-IP system to execute arbitrary commands, making it a critical risk for any organization running these devices.

F5 released the corresponding patches on May 4; within days, two security firms had developed proof-of-concept (PoC) exploits. Although those companies did not publish their code, PoCs leaked over the weekend.

Although public exploits undoubtedly increase the risk, specialist Kevin Beaumont says he detected exploitation attempts even before the PoC leak: “If you configured your F5 deployment as a load balancer and a firewall through a self IP, you are also vulnerable to attack,” he said.

On Monday morning, researcher Germán Fernández reported a mass exploitation campaign in which attackers attempt to install a webshell that gives them access to the target system, much as a backdoor would.

The reported vulnerability affects all versions of F5 BIG-IP from v11 through v17. At the time of the report, the company confirmed that BIG-IP 11 and 12 would not receive updates, as they have reached end of life; versions 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2 and 17.0.0 did receive security patches.

Attempts to exploit vulnerabilities in BIG-IP within days of their fix are not unusual. Between 2020 and 2021, multiple cases were reported in which exploitation began just a couple of days after the affected products were patched, showing that these devices remain highly exposed to attack even after updates are available.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.

Thousands of airports, hospitals and hotels affected by critical vulnerabilities in Aruba and Avaya switches
https://www.securitynewspaper.com/2022/05/03/thousands-of-airports-hospitals-and-hotels-affected-by-critical-vulnerabilities-in-aruba-and-avaya-switches/
Tue, 03 May 2022 17:42:35 +0000

Five critical remote code execution (RCE) vulnerabilities have been confirmed in millions of Aruba and Avaya devices; their exploitation would allow threat actors to take control of the network switches used in all kinds of facilities, including hospitals, hotels and airports.

Researchers at security firm Armis dubbed this set of flaws TLStorm 2.0, noting that the bugs stem from security weaknesses in NanoSSL, a TLS library developed by Mocana and used in the vulnerable network equipment.

Barak Hadad, in charge of the research, mentions that the flaws affect about 10 million devices in HPE’s Aruba and Extreme Networks’ Avaya switch portfolio, and received scores between 9/10 and 9.8/10 according to the Common Vulnerability Scoring System (CVSS).

If exploited, the vulnerabilities would allow threat actors to alter the behavior of affected devices for lateral movement and theft of sensitive information. So far, no active exploitation attempts have been detected, which gave the vendors time to develop the updates properly.

Regarding the individual flaws, Aruba switches are affected by CVE-2022-23677, with a CVSS score of 9/10. This flaw exists due to a bug in NanoSSL that can be exploited through a captive portal. A second bug in Aruba switches (CVE-2022-23676) was described as a memory corruption in the RADIUS client and received a CVSS score of 9.1/10.

The list of affected Aruba switches includes:

  • Aruba 5400R Series
  • Aruba 3810 Series
  • Aruba 2920 Series
  • Aruba 2930F Series
  • Aruba 2930M Series
  • Aruba 2530 Series
  • Aruba 2540 Series

Moreover, Avaya products are affected by CVE-2022-29860, a heap overflow in TLS reassembly that received a CVSS score of 9.8/10. In addition, CVE-2022-29861 can cause a stack overflow during HTTP header parsing, which can be leveraged to execute arbitrary malicious code remotely on Avaya switches.

TLStorm 2.0 flaws exist in the following Avaya products:

  • ERS3500 Series
  • ERS3600 Series
  • ERS4900 Series
  • ERS5900 Series

Administrators of affected deployments are encouraged to address detected vulnerabilities promptly to mitigate exploit risk.


2 critical vulnerabilities exploitable remotely in trailer brake controllers can cause accidents on highways
https://www.securitynewspaper.com/2022/04/26/2-critical-vulnerabilities-exploitable-remotely-in-trailer-brake-controllers-can-cause-accidents-on-highways/
Tue, 26 Apr 2022 18:41:08 +0000

Cybersecurity specialists report the detection of two critical vulnerabilities in Power Line Communications (PLC) J2497, a two-way serial communications link used in trailers and other transport vehicles. According to the report, successful exploitation of the flaws would allow threat actors to carry out a range of attacks.

Below are brief descriptions of the reported flaws, together with their identifiers and scores according to the Common Vulnerability Scoring System (CVSS).

CVE-2022-25922: Missing authentication for a critical function would allow unintended diagnostic functions to be invoked when brake controllers receive J2497 messages.

This is a medium severity vulnerability and received a CVSS score of 6.1/10.

CVE-2022-2613: Inadequate protection against electromagnetic fault injection leaves the controllers vulnerable to attacks carried out by emitting radio-frequency signals.

This is a critical severity vulnerability and received a CVSS score of 9.3/10.

The report of these flaws is credited to Ben Gardiner, a researcher at the National Motor Freight Traffic Association (NMFTA), and to researchers Chris Poore, Dan Salloum and Eric Thayer of the security firm Assured Information Security. The report includes mitigation methods such as:

  • Install a LAMP ON firewall for each vulnerable deployment
  • Use LAMP detection circuits with each trailer
  • Dynamically change the address on each tractor in response to the detection of a transmitter at its current address

These flaws were publicly disclosed through the Cybersecurity and Infrastructure Security Agency (CISA), which recommends that users take a proactive stance to minimize the risk of exploitation. CISA reminds organizations to perform impact analysis and risk assessments on an ongoing basis in order to determine how best to mitigate exploitation risk.

The Agency also provides a guide to recommended security practices for control systems such as these. Users of these deployments are encouraged to review the guidelines and continually improve their security practices.


Pwn2Own Miami paid $400,000 USD for 26 zero-day exploits on ICS and SCADA products
https://www.securitynewspaper.com/2022/04/22/pwn2own-miami-paid-400000-usd-for-26-zero-day-exploits-on-ics-and-scada-products/
Fri, 22 Apr 2022 20:33:03 +0000

This week concluded the most recent edition of the ethical hacking event Pwn2Own Miami 2022, during which $400,000 USD in prizes was awarded for the report of 26 zero-day exploits against ICS and SCADA products. In this edition, the researchers focused on targets such as control servers, data gateways and human-machine interfaces (HMI).

The Zero Day Initiative (ZDI) posted a message thanking those involved in the event: “Thank you again to all competitors and participating suppliers for their cooperation and for fixing the errors revealed.” Affected product vendors have 120 days to release patches for the reported flaws in Pwn2Own.

The main winners of the Pwn2Own Miami 2022 event are Daan Keuper and Thijs Alkemade of Computest Sector 7. During the first day, the team earned $20,000 USD by demonstrating a code execution attack on the Inductive Automation Ignition SCADA solution, exploiting a missing authentication flaw. During this day Computest Sector 7 also demonstrated a remote code execution (RCE) attack on AVEVA Edge HMI/SCADA, receiving a reward of $20,000 USD.

On the second day, the researchers exploited an infinite loop bug to trigger a denial of service (DoS) condition against Unified Automation’s C++ demo server, earning $5,000 USD, and also demonstrated an authentication bypass attack on OPC Foundation OPC UA .NET Standard, earning a further $40,000 USD.

Computest Sector 7 won the Master of Pwn title after winning a total of $90,000 over the three days of the contest and taking first place on the leaderboard with a total of 90 points.

This year’s Pwn2Own Miami was held in person and also allowed the remote participation of some researchers. During the first edition of Pwn2Own Miami, with the theme of ICS, held in January 2020, ZDI awarded $280,000 for the reporting of 24 zero-day vulnerabilities in ICS and SCADA products.

