Tag Archive for: Vulnerability

RCE Vulnerability In UnRAR Library Affected Zimbra Platform


A severe remote code execution vulnerability affected the Zimbra email client. The bug existed in the UnRAR library that Zimbra uses and could trigger RCE on the Zimbra platform. Thankfully, the bug received a fix before malicious exploitation.

Zimbra UnRAR Library Vulnerability

Researchers from Sonar recently shared insights about a severe security flaw affecting the Zimbra email platform.

Specifically, the researchers found a zero-day vulnerability in a third-party UnRAR utility used in Zimbra that could trigger RCE. Exploiting the bug didn’t even require authentication. Describing the bug, CVE-2022-30333, a file write vulnerability in RarLab’s unrar binary, the researchers stated:

An attacker is able to create files outside of the target extraction directory when an application or victim user extracts an untrusted archive. If they can write to a known location, they are likely to be able to leverage it in a way leading to the execution of arbitrary commands on the system.

Although the bug didn’t directly affect Zimbra’s own code, exploiting it could let an attacker access the sent and received emails on the compromised email server. An adversary could also deploy backdoors on compromised servers, steal credentials and other data, and gain access to other unauthorized areas on the network. Such broad access was possible because of the unrestricted permissions Zimbra granted the UnRAR utility.
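As an added, defender-side illustration of the containment check the quoted description calls for (example code written here, not Sonar’s, RarLab’s or Zimbra’s, and it does no RAR parsing: the archive listing is a constructed Python list), this extraction routine refuses any entry whose resolved on-disk path, after following `..` components and symlinks already created, would land outside the destination directory:

```python
import os
import tempfile

# Constructed archive listing: (kind, name, payload). For a "file" entry the
# payload is its content; for a "symlink" entry it is the link target. This
# list stands in for what a real extractor would read from the archive.
SAMPLE_ENTRIES = [
    ("file", "docs/readme.txt", b"hello"),     # ordinary entry: written
    ("symlink", "inner", "docs"),              # relative link staying inside: kept
    ("file", "inner/note.txt", b"via link"),   # write through an inside link: written
    ("file", "../escape.txt", b"bad"),         # '..' traversal: rejected
    ("file", "/tmp/abs.txt", b"bad"),          # absolute entry name: rejected
    ("symlink", "out", "/"),                   # link pointing outside dest: rejected
]

def inside(base, path):
    """True if path, fully resolved, sits under the resolved base directory."""
    base = os.path.realpath(base)
    real = os.path.realpath(path)
    return real == base or real.startswith(base + os.sep)

def safe_extract(entries, dest):
    """Extract entries into dest, skipping any whose final on-disk location
    (after resolving '..' and symlinks already created) would leave dest."""
    written, rejected = [], []
    for kind, name, payload in entries:
        target = os.path.join(dest, name)   # an absolute name discards dest
        if not inside(dest, target):
            rejected.append(name)
            continue
        if kind == "symlink":
            # The link itself lands inside; its target must resolve inside too,
            # or later entries written through it would escape the directory.
            link_target = os.path.join(os.path.dirname(target), payload)
            if not inside(dest, link_target):
                rejected.append(name)
                continue
            os.symlink(payload, target)
        else:
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(payload)
        written.append(name)
    return written, rejected

def demo():
    # Run the constructed listing against a throwaway destination directory.
    with tempfile.TemporaryDirectory() as dest:
        return safe_extract(SAMPLE_ENTRIES, dest)
```

Calling `demo()` returns the written and rejected entry names; the three escaping entries are refused while the relative link and the write through it are kept.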

The researchers have shared the technical details of the vulnerability in their post.

Patch Deployed

Following this discovery, Sonar researchers reported the matter to RarLab, and “gave a heads-up” to Zimbra for an upcoming fix.

Eventually, RarLab patched the vulnerability in UnRAR version 6.12. Hence, all UnRAR users should upgrade to this patched version or later to receive the fix.

Zimbra also addressed the issue by configuring Amavis to use 7z instead of UnRAR as the default tool for extracting RAR archives.



Many businesses still exposed to hacking vulnerability discovered last year, cyber firm finds


A widespread cyber vulnerability overwhelming businesses and governments remains unresolved since its discovery last year.

Software security firm Rezilion said almost 60% of software packages affected by problems in the open-source logging platform Log4j were not patched four months after the flaw’s discovery, and the Biden administration is warning that hackers are continuing to exploit it.

Rezilion said active exploitation attempts against the software’s vulnerability, Log4Shell, are ongoing and pointed to advanced persistent threats (APTs) from China and Iran as among the cyberattackers who are using the flaw.

Yotam Perkal, Rezilion head of research, said his team is seeing a pattern of people not paying attention to the risks posed by the security flaw in the widely used computer code, despite warnings from the private and public sectors, including the Cybersecurity and Infrastructure Security Agency.


Hacker selling access to 50 vulnerable networks through Atlassian vulnerability


A hacker is selling access to 50 vulnerable networks on a cybercriminal forum after breaking into systems through the recently discovered Atlassian Confluence zero-day.

The Rapid7 Threat Intelligence team told The Record that it found an access broker on the Russian-language forum XSS selling root access to 50 vulnerable networks – all allegedly within the United States.

Erick Galinkin, principal AI researcher at Rapid7, said the access was gained through CVE-2022-26134, a widely discussed unauthenticated remote code execution vulnerability. A patch for the bug was released earlier this month after the zero-day was discovered in May.

Galinkin explained that Rapid7 has seen an uptick in patching but noted that the sale underscores the critical need to patch and protect internet-facing servers specifically.

He shared a screenshot of the XSS post but censored the companies that are listed.

A screenshot of the XSS post. (Erick Galinkin/Rapid7)

The broker selling access to the 50 networks also claims to have a list of 10,000 additional vulnerable but unexploited machines that they are also willing to sell.

“Our telemetry suggests that the 10,000 number is high, but the seller has a good reputation on the forum and so we are inclined to believe their claims,” Galinkin said. 

“Organizations should also analyze their environment to determine if there was an earlier compromise.” 

Galinkin and other analysts at Rapid7 are working to identify and notify the 50 companies directly. 

He recommended that companies put their Confluence servers behind a VPN to limit exposure and patch the Confluence bug as soon as possible. Organizations should also look for signs that a successful compromise has already occurred.

“The thing that has made this particularly attractive as a target is that the affected application is often internet-facing, since it is used by employees across a company, and sometimes needs to be accessible to contractors and external partners. Ideally, it should be protected at least behind a VPN,” Galinkin explained. 

“I definitely anticipate forum posts like this to be used by ransomware groups, and there is good reason to believe…


Does your organization need both vulnerability scanning and penetration testing?


By Katie Taisey
vCIO

The short answer is: Yes! We hear in the news almost daily about organizations that have fallen victim to ransomware attacks. During a ransomware attack, a hacker or hacking organization gains access to a computer network and encrypts data, making it unusable. The hackers then demand payment for the key that can be used to unlock the data. The consequences of a ransomware attack for businesses can be dire: it has been estimated that half of the small businesses that suffer a cyber-attack go out of business within six months as a result.

It is important, though, to understand that not every cybersecurity breach results in a catastrophic ransomware attack. Other attacks might involve infecting your computers with malware that turns the device into a bot (short for robot), which is then used as part of a botnet (a network of bots) to perform larger coordinated attacks. These coordinated attacks can be used to launch distributed denial of service (DDoS) attacks or even massive phishing campaigns targeted at much larger organizations. While a company might not be the direct target of these attacks, being a victim of the malware/bot infection can severely impact both computer and network performance.

So, how do hackers gain access or infect devices with malware? Hackers often use known vulnerabilities or flaws in systems to launch their attack.

SO, WHAT EXACTLY IS A VULNERABILITY AND WHY DOES IT MATTER?

Vulnerabilities are the gateway for hackers-in-the-wild to gain access to a system. To answer this question, we need to take a step back and understand what exactly a cybersecurity vulnerability is. According to the National Institute of Standards and Technology (NIST), a vulnerability is “a flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system’s security policy.” In 1999, the MITRE Corporation launched what is known as the Common Vulnerabilities and Exposures (CVE) List. The CVE List is a list of records – each containing an…
