Tag Archive for: Vulnerability

Recently Patched TeamCity Vulnerability Exploited to Hack Servers


In-the-wild exploitation of a critical vulnerability in JetBrains’ TeamCity continuous integration and continuous deployment (CI/CD) server started just days after the availability of a patch was announced.

The vulnerability, tracked as CVE-2023-42793, impacts the on-premises version of TeamCity and it allows an unauthenticated attacker with access to a targeted server to achieve remote code execution and gain administrative control of the system. 

JetBrains announced the release of TeamCity 2023.05.4, which patches the flaw, on September 21. 

Sonar, the code security firm whose researchers discovered the issue, released some limited information the same day, and published technical details roughly a week later after a proof-of-concept (PoC) exploit was made public.

Sonar warned in its initial blog post that in-the-wild exploitation would likely be observed soon due to how easily the flaw can be exploited.

Threat intelligence firm GreyNoise started seeing the first exploitation attempts on September 27, with a peak seen the following day. The company has seen attack attempts coming from 56 unique IP addresses as of October 1.

A different threat intelligence company, Prodaft, reported seeing “many popular ransomware groups” targeting CVE-2023-42793. 


The Shadowserver Foundation, a non-profit cybersecurity organization, has scanned the internet for vulnerable TeamCity servers and identified nearly 1,300 unique IPs, with the highest percentage located in the United States, followed by Germany, Russia and China. 

Organizations using TeamCity should update their installation as soon as possible. For customers who cannot immediately install the update, JetBrains has provided a security patch plugin that can be used to mitigate the issue on servers running TeamCity 8.0 and later. TeamCity Cloud customers do not need to take any action.

Related: CISA Warns of Old JBoss RichFaces Vulnerability Being Exploited in Attacks

Related: Hackers Set Sights on Apache NiFi Flaw That Exposes Many Organizations to Attacks

Related: Progress Software Patches Critical Pre-Auth Flaws in WS_FTP Server Product 

Source…

Zero-Day Security Vulnerability Found in Chrome, Firefox and Other Browsers


Updates are now available to patch a Chrome vulnerability that would allow attackers to run malicious code.


It’s time to update Google Chrome, Mozilla’s Firefox or Thunderbird, Microsoft Edge, the Brave browser or Tor Browser; web development news site StackDiary has reported a zero-day vulnerability in all six browsers that could allow threat actors to execute malicious code.


Vulnerability originates in WebP reader

Users of the affected browsers should update to the most up-to-date version in order to ensure the zero-day vulnerability is patched on their machines. The problem isn’t with the browsers — the vulnerability originates in the WebP Codec, StackDiary discovered.

Other affected applications include:

  • Affinity.
  • Gimp.
  • Inkscape.
  • LibreOffice.
  • Telegram.
  • Many Android applications.
  • Cross-platform apps built with Flutter.

Apps built on Electron may also be affected; Electron released a patch.

Many applications use the WebP codec and libwebp library to render WebP images, StackDiary noted.


In more detail, a heap buffer overflow in WebP allowed attackers to perform an out-of-bounds memory write, NIST said. A heap buffer overflow allows attackers to insert malicious code by “overflowing” the amount of data in a program, StackDiary explained. Since this particular heap buffer overflow targets the codec (essentially a translator that lets a computer render WebP images), the attacker could create an image in which malicious code is embedded. From there, they could steal data or infect the computer with malware.
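The paragraph above describes the general mechanism: a decoder trusts a length it read from the image and writes more into a fixed-size heap buffer than the buffer can hold. The following C block is an added illustration of that pattern and of the two checks a decoder must make; it is not libwebp code, the chunk layout (a 4-byte little-endian payload length followed by the payload) and the sample byte strings are constructed for this example, and `decode_naive`, `decode_checked`, `OUT_BUF_LEN` and the `SAMPLE_*` arrays are hypothetical names.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical chunk layout (constructed for this example, not the real
 * WebP bitstream): 4-byte little-endian payload length, then the payload. */
#define HEADER_LEN 4
#define OUT_BUF_LEN 16   /* the decoder's fixed-size output buffer */

static uint32_t read_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Vulnerable pattern: the length field from the input decides both how
 * much is read from the input and how much is written into `out`, so a
 * lying header causes an out-of-bounds read and/or an out-of-bounds write.
 * Returns the number of bytes copied, or -1 for a too-short input. */
int decode_naive(const uint8_t *in, size_t in_len, uint8_t *out) {
    if (in_len < HEADER_LEN) return -1;
    uint32_t declared = read_le32(in);
    memcpy(out, in + HEADER_LEN, declared);   /* unchecked: heap overflow if declared > OUT_BUF_LEN */
    return (int)declared;
}

/* Hardened pattern: validate the declared length against the bytes that
 * are actually present AND against the capacity of the output buffer
 * before touching memory. Returns bytes copied, or a negative error code. */
int decode_checked(const uint8_t *in, size_t in_len, uint8_t *out, size_t out_len) {
    if (in_len < HEADER_LEN) return -1;
    uint32_t declared = read_le32(in);
    if (declared > in_len - HEADER_LEN) return -2;   /* header claims more than was supplied */
    if (declared > out_len) return -3;               /* would overflow the output buffer */
    memcpy(out, in + HEADER_LEN, declared);
    return (int)declared;
}

/* Constructed samples (not real image data). */
static const uint8_t SAMPLE_OK[]    = {8, 0, 0, 0, 1, 2, 3, 4, 5, 6, 7, 8};
/* Claims 0x1000 (4096) bytes of payload but carries only 8. */
static const uint8_t SAMPLE_LYING[] = {0x00, 0x10, 0x00, 0x00, 1, 2, 3, 4, 5, 6, 7, 8};
/* Honest header, but 20 bytes of payload do not fit a 16-byte buffer. */
static const uint8_t SAMPLE_BIG[]   = {20, 0, 0, 0,
    1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20};

int main(void) {
    uint8_t out[OUT_BUF_LEN];
    printf("ok:    %d\n", decode_checked(SAMPLE_OK,    sizeof SAMPLE_OK,    out, sizeof out));
    printf("lying: %d\n", decode_checked(SAMPLE_LYING, sizeof SAMPLE_LYING, out, sizeof out));
    printf("big:   %d\n", decode_checked(SAMPLE_BIG,   sizeof SAMPLE_BIG,   out, sizeof out));
    /* decode_naive is deliberately only called on the benign sample here. */
    printf("naive: %d\n", decode_naive(SAMPLE_OK, sizeof SAMPLE_OK, out));
    return 0;
}
```

The two checks are independent: the first (`-2`) catches a header that lies about how much input follows it, the second (`-3`) catches an honest header whose payload is simply larger than the buffer the decoder prepared. A codec that performs only one of them is still exploitable through the other path, which is why reviewers look for both when auditing a parser.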

The vulnerability was first detected by the Apple Security Engineering and Architecture team and The Citizen Lab at The University of Toronto on September 6, StackDiary said.

What steps should users take?

Google, Mozilla, Brave, Microsoft and Tor have released security patches for this vulnerability. Individuals running those apps should update to the latest version. In the case of other applications, this is an ongoing…

Source…

This Week In Security: Not A Vulnerability, BGP Bug Propagation, And Press Enter To Hack


Curl was recently notified of a CVE, CVE-2020-19909, rated at a hair-raising 9.8 on the CVSS scale. And PostgreSQL has CVE-2020-21469, clocking in with a 7.5 severity. You may notice something odd about those two vulnerabilities, but I promise the 2020 date is only the tip of the iceberg here.

Let’s start with PostgreSQL. That vulnerability was only present in version 12.2, which was released in February of 2020, and was fixed with the 12.3 release in May of that same year. The problem is a stack buffer overflow, which doesn’t seem to enable code execution, but does cause a denial of service situation. To trigger the bug? Repeatedly send the PostgreSQL daemon the SIGHUP signal.

If you’re familiar with Linux signals, that might sound odd. See, the SIGHUP signal technically indicates the end of a user session, but most daemons use it to indicate a restart or reload request. And to send this signal, a user has to have elevated privileges — elevated enough to simply stop the daemon altogether. Put simply, it’s not a security vulnerability, just a minor bug.

And now on to curl — this one is just bizarre. The issue is an integer overflow in the --retry-delay argument, which specifies in seconds how often curl should retry a failing download. The value is multiplied by 1000 to convert to milliseconds, resulting in an overflow for very large values. The result of that overflow? A smaller value for the retry delay.

[Daniel Stenberg] makes the point that this tale is a wonderful demonstration of the brokenness of the CVE system and NVD’s handling of it. And in this case, it’s hard not to see this as negligence. We have to work really hard to construct a theoretical scenario where this bug could actually be exploited. The best I’ve been able to come up with is an online download tool, where the user can specify part of the target name and a timeout. If that tool had a check to ensure that the timeout was large enough to avoid excess traffic, this bug could bypass that check. Should we be assigning CVEs for that sort of convoluted, theoretical attack?
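To make the arithmetic concrete, here is an added C example (not curl's code) showing the seconds-to-milliseconds conversion wrapping in a 32-bit unsigned value, a checked conversion that rejects the input instead, and an argument parser that applies the check the way a hardened CLI would. The function names (`retry_delay_ms_naive`, `retry_delay_ms_checked`, `parse_retry_delay`) and the input values are constructed for this example; unsigned arithmetic is used so the wrap is well defined and reproducible.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define MS_PER_SEC 1000u

/* Naive conversion: multiply first, ask questions never. Unsigned 32-bit
 * arithmetic wraps modulo 2^32, so a very large delay silently becomes a
 * small one (hypothetical stand-in for the bug the article describes). */
uint32_t retry_delay_ms_naive(uint32_t seconds) {
    return seconds * MS_PER_SEC;
}

/* Checked conversion: refuse any value whose product would not fit,
 * rather than clamping or wrapping silently. */
bool retry_delay_ms_checked(uint32_t seconds, uint32_t *out_ms) {
    if (seconds > UINT32_MAX / MS_PER_SEC) {
        return false;               /* seconds * 1000 would exceed UINT32_MAX */
    }
    *out_ms = seconds * MS_PER_SEC;
    return true;
}

/* Parse the string a user would pass as "--retry-delay <seconds>":
 * reject non-numeric text, a sign, trailing garbage, and anything that
 * would overflow either the 32-bit type or the unit conversion. */
bool parse_retry_delay(const char *arg, uint32_t *out_ms) {
    char *end = NULL;
    errno = 0;
    unsigned long long v = strtoull(arg, &end, 10);   /* strtoull accepts '-' and negates, so check it explicitly */
    if (arg[0] == '\0' || arg[0] == '-' || *end != '\0' || errno == ERANGE) return false;
    if (v > UINT32_MAX) return false;
    return retry_delay_ms_checked((uint32_t)v, out_ms);
}

/* True when the naive conversion yields a delay shorter than requested,
 * i.e. the overflow is observable for this input. */
bool naive_delay_is_shortened(uint32_t seconds) {
    uint32_t ms = retry_delay_ms_naive(seconds);
    return ms / MS_PER_SEC < seconds;
}

int main(void) {
    /* Constructed input: 4294968 is the smallest second count whose
     * millisecond product (4294968000) exceeds 2^32 (4294967296). */
    uint32_t s = 4294968u, ms = 0;
    printf("naive:   %u s -> %u ms\n", s, retry_delay_ms_naive(s));
    printf("checked: %u s -> %s\n", s, retry_delay_ms_checked(s, &ms) ? "ok" : "rejected");
    return 0;
}
```

The design point is where the validation sits: a minimum-delay check applied to the seconds value before the multiplication is exactly the kind of check the overflow slips past, because the wrapped millisecond value is what the program actually sleeps on. Validating after the conversion, on the value that will be used, and treating overflow as an error closes that gap.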

But here’s the thing, that attack scenario should rate something like a CVSS of 4.8 at absolute worst. NVD assigned…

Source…

Suspected PRC Cyber Actors Continue to Globally Exploit Barracuda ESG Zero-Day Vulnerability


As part of the FBI investigation into the exploitation of CVE-2023-2868, a zero-day vulnerability in Barracuda Networks’ Email Security Gateway (ESG) appliances, the FBI has independently verified that all exploited ESG appliances, even those with patches pushed out by Barracuda, remain at risk of continued computer network compromise from suspected PRC cyber actors exploiting this vulnerability. For more details regarding malware found to date related to this exploit, and to learn more about Barracuda backdoors, please visit CISA Releases Malware Analysis Reports on Barracuda Backdoors. The cyber actors utilized this vulnerability to insert malicious payloads onto the ESG appliance with a variety of capabilities that enabled persistent access, email scanning, credential harvesting, and data exfiltration. The FBI strongly advises that all affected ESG appliances be isolated and replaced immediately, and that all networks be scanned immediately for connections to the provided list of indicators of compromise. https://go.fbinet.fbi/news/Pages/Bringing-Private-Sector-to-the-Fight-Against-CyberAdversaries.aspx

CVE-2023-2868 is a remote command injection vulnerability that allows for unauthorized execution of system commands with administrator privileges on the ESG product. This vulnerability is present in the Barracuda ESG (appliance form factor only) versions 5.1.3.001 through 9.2.0.006, and relates to a process that occurs when the appliance screens email attachments. The vulnerability allows cyber actors to format TAR file attachments in a particular manner and send them to an email address affiliated with a domain that has an ESG appliance connected to it. The malicious file’s formatting, when scanned, results in a command injection into the ESG that leads to system commands being executed with the privileges of the ESG. As the vulnerability exists in the scanning process, emails only need to be received by the ESG to trigger the vulnerability.

The earliest evidence of exploitation of Barracuda ESG appliances was observed in October 2022. Initially, suspected PRC cyber actors sent emails to victims containing TAR file attachments designed to exploit the vulnerability. In the earliest emails,…

Source…