Tag Archive for: it security

Elmar Geese

Supposedly pro-Russian hackers try to exploit Sharepoint vulnerability

Update from 2023-12-06:

Last week, we reported on pro-Russian hacktivists scanning for vulnerable SharePoint Servers to exploit a critical vulnerability (CVE-2023-29357).

New findings suggest that the group, calling themselves “Zarya”, is undertaking various exploit-attempts, including directory traversal and targeting specific vulnerabilities in systems such as OpenWRT-Routers. The IP address 212.113.106.100, associated with these activities, has been observed in several different exploit attempts. In addition to simple reconnaissance, specific attacks on configuration files and Admin-APIs have been detected. This case re-emphasizes the importance of securing systems against such threats and shows, how unprotected or poorly configured systems can become targets of such attacks.

A critical vulnerability for Sharepoint (CVE-2023-29357), is being targeted by presumably pro-Russian attackers who are trying to exploit this vulnerability.

The Internet Storm Center has discovered corresponding activity on its honeypots. The severity for this vulnerability is critical (a score of 9.8 out of 10), and the attack complexity is very low, making this vulnerability particularly dangerous. Greenbone customers can benefit from the automatic detection of this vulnerability in our Enterprise Feed. Microsoft offers a security update since June 12, 2023, Microsoft customers who missed the update should install it now.


Contact Free Trial Buy Here Back to Overview

/by
Greenbone AG

IT security update November 2023: Critical vulnerabilities and threats

In the November 2023 commVT Intelligence Update, several critical vulnerabilities and security threats have come to light. Cisco’s Internetworking Operating System (IOS) XE Software Web User Interface (UI) was found to be vulnerable to two actively exploited critical vulnerabilities, allowing attackers to execute arbitrary code remotely. The curl command-line tool, widely used across various platforms, faced a serious vulnerability that could result in arbitrary code execution during SOCKS5 proxy handshakes. VMware is urging immediate updates for its vCenter Server due to a critical vulnerability potentially leading to remote code execution. Multiple vulnerabilities were found in versions of PHP 8; one is a particularly critical deserialization vulnerability in the PHAR extraction process. Additionally, SolarWinds Access Rights Manager (ARM) was found susceptible to multiple critical vulnerabilities, emphasizing the urgency to update to version 2023.2.1. Lastly, two F5 BIG-IP vulnerabilities were discovered to be actively exploited, with mitigation options available and outlined below.

Cisco IOS XE: Multiple Critical Vulnerabilities

Two actively exploited critical CVSS 10 vulnerabilities were discovered in Cisco’s Internetworking Operating System (IOS) XE Software Web User Interface (UI); CVE-2023-20198 and CVE-2023-20273. Combined, they allow an attacker to remotely execute arbitrary code as the system user and are estimated to have been used to exploit tens of thousands of vulnerable devices within the past few weeks. Greenbone has added detection for both the vulnerable product by version [1], and another aimed at detecting the BadCandy implanted configuration file [2]. Both are VTs included in Greenbone’s Enterprise vulnerability feed.

Cisco IOS was created in the 1980s and used as the embedded OS in the networking technology giant’s routers. Fast forward to 2023, IOS XE is a leading enterprise networking full-stack software solution that powers Cisco platforms for access, distribution, core, wireless, and WAN. IOS XE is Linux-based, and specially optimized for networking and IT infrastructure, routing, switching, network security, and management. Cisco devices are pervasive in global IT infrastructure and used by organizations of all sizes, including large-scale enterprises, government agencies, critical infrastructure, and educational institutions.

Here’s how the two recently disclosed CVEs work:

CVE-2023-20198 (CVSS 10 Critical): Allows a remote, unauthenticated attacker to create an account [T1136] on an affected system with privilege level 15 (aka privileged EXEC level) access [CWE-269]. Privilege level 15 is the highest level of access to Cisco IOS. The attacker can then use that account to gain control of the affected system.
CVE-2023-20273 (CVSS 7.2 High): A regular user logged into the IOS XE web UI, can inject commands [CWE-77] that are subsequently executed on the underlying system with the system (root) privileges. This vulnerability is caused by insufficient input validation [CWE-20]. CVE is also associated with a Lua-based web-shell [T1505.003] implant dubbed “BadCandy”. BadCandy consists of an Nginx configuration file named `cisco_service.conf` that establishes a URI path to interact with the web-shell implant but requires the webserver to be restarted.

Cisco has released software updates for mitigating both CVEs in IOS XE software releases, including versions 17.9, 17.6, 17.3, and 16.12 as well as available Software Maintenance Upgrades (SMUs) and IT security teams are strongly advised to urgently install them. Cisco has also released associated indicators of compromise (IoC), Snort rules for detecting active attacks, and a TAC Technical FAQs page. Disabling the web UI prevents exploitation of these vulnerabilities and may be suitable mitigation until affected devices can be upgraded. Publicly released proof of concept (PoC) code [1][2] and a Metasploit module further increase the urgency to apply the available security updates.

Critical Vulnerability In The Curl Tool

A widespread vulnerability has been discovered in the popular curl command line tool, libcurl, and the many software applications that leverage them across a wide number of platforms. Tracked as CVE-2023-38545 (CVSS 9.8 Critical), the flaw makes curl overflow a heap-based buffer [CWE-122]] in the SOCKS5 proxy handshake that can result in arbitrary code execution [T1203]. Greenbone’s community feed includes several NVTs [1] to detect many of the affected software products and will add additional detections for CVE-2023-38545 as more vulnerable products are identified.

CVE-2023-38545 is a client-side vulnerability exploitable when passing a hostname to the SOCKS5 proxy that exceeds the maximum length of 255 bytes. If supplied with an excessively long hostname, curl is supposed to use local name resolution and pass it on to the resolved address only. However, due to the CVE-2023-38545 flaw, curl may actually copy the overly long hostname to the target buffer instead of copying just the resolved address there. The target buffer, being a heap-based buffer, and the hostname coming from the URL results in the heap-based overflow.

While the severity of the vulnerability is considered high because it can be exploited remotely and has a high impact to the confidentiality, integrity, and availability (CIA) of the underlying system, the SOCKS5 proxy method is not the default connection mode and must be declared explicitly. Additionally, for an overflow to happen an attacker also needs to cause a slow enough SOCKS5 handshake to trigger the bug. All versions of curl are affected between v7.69.0 (released March 4th, 2020) until v8.3.0. The vulnerable code was patched in v8.4.0 commit 4a4b63daaa.

VMware vCenter Server: Multiple Vulnerabilities

CVE-2023-34048 is a critical severity vulnerability that could allow a malicious actor with network access to vCenter Server to cause an out-of-bounds write [CWE-787] potentially leading to remote code execution (RCE). The affected software includes VMware vCenter Server versions 6.5, 6.7, 7.0, and 8.0. VMWare has issued a security advisory to address both vulnerabilities which states that there are no known mitigations other than installing the provided updates. Both vulnerabilities can be detected by Greenbone’s enterprise vulnerability feed [1]. The vCenter Server patch also fixes CVE-2023-34056, a medium-severity information disclosure resulting from improper authorization [CWE-285].

Although there are no reports that CVE-2023-34048 is being actively exploited in the wild attackers have proven adept at swiftly converting threat intelligence into exploit code. Research by Palo Alto Networks Unit 42 threat research group shows that on average an exploit is published 37 days after a security patch is released.

Here are some brief details on both CVEs:

CVE-2023-34048 (CVSS 9.8 Critical): vCenter Server contains an out-of-bounds write [CWE-787] vulnerability in the implementation of the DCERPC protocol. A malicious actor with network access to vCenter Server may trigger this vulnerability to achieve remote code execution (RCE). The Distributed Computing Environment Remote Procedure Call (DCERPC) protocol facilitates remote procedure calls (RPC) in distributed computing environments, allowing applications to communicate and invoke functions across networked systems.
CVE-2023-34056 (CVSS 4.3 Medium): vCenter Server contains a partial information disclosure vulnerability. A malicious actor with non-administrative privileges to vCenter Server may leverage this issue to access unauthorized data.

Multiple Vulnerabilities Discovered In PHP 8

Several vulnerabilities were identified in PHP 8.0.X before 8.0.28, 8.1.X before 8.1.16 and 8.2.X before 8.2.3. Although the group of vulnerabilities does include one critical and two high-severity vulnerabilities, these require particular contexts to be present for exploitation; either deserializing PHP applications using PHAR or else using PHP’s core path resolution functions on untrusted input. Greenbone’s enterprise VT feed includes multiple detection tests for these vulnerabilities across multiple platforms.

Here are brief descriptions of the most severe recent PHP 8 vulnerabilities:

CVE-2023-3824 (CVSS 9.8 Critical): A PHAR file (short for PHP Archive) is a compressed packaging format in PHP, which is used to distribute and deploy complete PHP applications in a single archive file. While reading directory entries during the PHAR archive loading process, insufficient length checking may lead to a stack buffer overflow [CWE-121], potentially leading to memory corruption or remote code execution (RCE).
CVE-2023-0568 (CVSS 8.1 High): PHP’s core path resolution function allocates a buffer one byte too small. When resolving paths with lengths close to the system `MAXPATHLEN` setting, this may lead to the byte after the allocated buffer being overwritten with NULL value, which might lead to unauthorized data access or modification. PHP’s core path resolution is used for the `realpath()` and `dirname()` functions, when including other files using the `include()`, `include_once()`, `require()`, and `require_once()`, and during the process of resolving PHP’s “magic” constants” such as `__FILE__` and `__DIR__`.
CVE-2023-0567 (CVSS 6.2 Medium): PHP’s `password_verify()` function may accept some invalid Blowfish hashes as valid. If such an invalid hash ever ends up in the password database, it may lead to an application allowing any password for this entry as valid [CWE-287]. Notably, this vulnerability has been assigned different CVSS scores by NIST (CVSS 6.2 Medium) and the PHP group CNA (CVSS 7.7 High), the difference being that the PHP Group CNA considers CVE-2023-0567 a high risk to confidentiality while NIST does not. CNAs are a group of independent vendors, researchers, open source software developers, CERT, hosted service, and bug bounty organizations authorized by the CVE Program to assign CVE IDs and publish CVE records within their own specific scopes of coverage.

SolarWinds Access Rights Manager (ARM): Multiple Critical Vulnerabilities

SolarWinds Access Rights Manager (ARM) prior to version 2023.2.1 is vulnerable to 8 different exploits; one critical and two additional high-severity vulnerabilities (CVE-2023-35182, CVE-2023-35185, and CVE-2023-35187). These include authenticated and unauthenticated privilege escalation [CWE-269], directory traversal [CWE-22], and remote code execution (RCE) at the most privileged “SYSTEM” level. Greebone’s Enterprise vulnerability feed includes both local security check (LSC) [1] and remote HTTP detection [2].

SolarWinds ARM is an enterprise access control software for Windows Active Directory (AD) networks and other resources such as Windows File Servers, Microsoft Exchange services, and Microsoft SharePoint as well as virtualization environments, cloud services, NAS devices, and more. The widespread use of ARM and other SolarWinds software products means that its vulnerabilities have a high potential to impact a wide range of large organizations including critical infrastructure.

These and more recent vulnerabilities are disclosed in SolarWinds’ security advisories. Although no reports of active exploitation have been released, mitigation is highly recommended and available by installing SolarWinds ARM version 2023.2.1.

F5 BIG-IP: Unauthenticated RCE And Authenticated SQL Injection Vulnerabilities

Two RCE vulnerabilities in F5 BIG-IP, CVE-2023-46747 (CVSS 9.8 Critical) and CVE-2023-46748 (CVSS 8.8 High), have been observed by CISA to be actively exploited in the wild soon after PoC code was released for CVE-2023-46747. A Metasploit exploit module has also since been published. F5 BIG-IP is a family of hardware and software IT security products for ensuring that applications are always secure and perform the way they should. The platform is produced by F5 Networks, and it focuses on application services ranging from access and delivery to security. Greenbone has added detection for both CVEs [1][2].

CVE-2023-46747 is a remote authentication bypass [CWE-288] vulnerability while CVE-2023-46748 is a remote SQL injection vulnerability [CWE-89] that can only be exploited by an authenticated user. The affected products include the second minor release (X.1) for major versions 14-17 of BIG-IP Advanced Firewall Manager (AFM) and F5 Networks BIG-IP Application Security Manager (ASM).

If you are running an affected version you can eliminate this vulnerability by installing the vendor-provided HOTFIX updates [1][2]. The term “hotfix” implies that the patch can be applied to a system while it is running and operational, without the need for a shutdown or reboot. If updating is not an option, CVE-2023-46747 can be mitigated by downloading and running a bash script that adds or updates the `requiredSecret` attribute in the Tomcat configuration, which is used for authentication between Apache and Tomcat, and CVE-2023-46748 can be mitigated by restricting access to the Configuration utility to allow only trusted networks or devices, and ensuring only trusted user accounts exist thereby limiting the attack surface.


Contact Free Trial Buy Here Back to Overview

/by
Markus Feilner

CVE News: Critical vulnerabilities Atlassian and F5 Big vulnerability tests released by Greenbone

Our developers have provided vulnerability tests for two critical vulnerabilities in widely used enterprise software. Within a very short time, tests for CVE 2023-22518 und CVE 2023-46747 were integrated, and customers of Greenbone’s Enterprise Feed were protected.

Knowledge management tools Confluence and Jira from Australian vendor Atlassian have been hit by a serious security vulnerability, rated 9.8 out of 10 on the CERT scale. Since November 8, CVE 2023-22518 has been actively exploited by attackers gaining unauthorized access to company data, according to media reports.

According to the company, the “authentication flaw” affects all versions of Confluence Data Center and Server, but not the cloud version at Atlassian itself. For anyone else, including users of Jira, but especially all publicly accessible Confluence servers, there is a “high risk and need to take immediate action”, writes Atlassian.

We reacted quickly and provided our customers with appropriate tests before ransomware attacks could be successful. Customers of the Greenbone Enterprise Feed were warned and reminded of the patch via update.

Remote code execution: F5 BIG-IP allows request smuggling

Also at the end of October, security researchers from Praetorian Labs discovered a serious vulnerability (CVE-2023-46747) in the products of application security expert F5. The American company’s solutions are designed to protect large networks and software environments; the software, which was launched in 1997 as a load balancer, is primarily used in large enterprises.

However, according to the experts, attackers can remotely execute code on the BIG-IP servers by adding arbitrary system commands to the administration tools via manipulated URLs. Details can be found at Praetorian; patches are available, and a long list of BIG-IP products of versions 13, 14, 15, 16, and 17 are affected, both in hardware and software.

We reacted quickly and integrated tests into its vulnerability scanners on the same day, which test the BIG-IP installations at Greenbone Enterprise for vulnerable versions and, if necessary, point to the patches listed at F5.

Our vulnerability management products, the Greenbone Enterprise Appliances, offer the best protection.

Professional vulnerability management is an indispensable part of IT security. It enables the early detection of risks and provides valuable instructions for their elimination.
The Greenbone Enterprise Feed is updated daily to detect new vulnerabilities. We therefore recommend that you regularly update and scan all your systems. Please also read this article on IT security and the timeline of common attack vectors.


Contact Free Trial Buy Here Back to Overview

/by
Elmar Geese

Current Report on the State of IT Security in Germany 2023

On November 2, Federal Minister of the Interior Nancy Faeser and Claudia Plattner, President of the Federal Office for Information Security (BSI), presented the latest report on the state of IT security in Germany. Attacks with ransomware represent the largest and most frequent risk, but by far not the only one. As long as these attacks cannot be completely prevented, systems must become more secure in order to prevent or at least reduce damage.

In Germany, there are a number of initiatives to improve vulnerability management. These include the National IT Security Act (IT-SiG) and the BSI’s IT-Grundschutz Compendium. The “nationwide situation picture” rightly called for by BSI President Claudia Plattner can thus map the threat situation to the situation of vulnerable systems, thereby helping to warn in advance and respond quickly and effectively in the specific event of an attack.

“Digitization makes many things in our everyday lives easier. At the same time, it creates new areas of attack,” says Federal Minister of the Interior Nancy Faeser. We need to counter the growing risks posed by progressive networking with automated tools and processes. By using them, companies and organizations can better protect their IT systems and reduce the probability of a successful cyber attack.

Insecure systems make it easier for attackers to cause damage. Improving vulnerability management is therefore an important step toward increasing IT security in Germany.Insecure systems make it easier for attackers to wreak havoc. Improving vulnerability management is therefore an important step towards increasing IT security in Germany.

Contact Free Trial Buy Here Back to Overview

/by
Greenbone AG

Critical vulnerability in Citrix Netscaler: Greenbone provides tests.

On October 10th, Citrix officially informed about the vulnerability in the Netscaler software, CVE-2023-4966, which is categorized as “critical” according to CVSS with a score of 9.4 and allows unauthorized access to corporate networks.

Greenbone has reacted to these vulnerabilities and implemented vulnerability tests at an early stage. Greenbone customers using the Citrix Netscaler Gateway, or ADC, are therefore on the safe side.

Nevertheless, the vulnerability is serious, which is why the BSI issues an urgent warning:

“The vulnerability allows attackers to disclose sensitive information without authentication. This allows authenticated sessions to be hijacked and multifactor authentication (MFA) or other means of authentication to be bypassed”.

The vulnerability, which has been actively exploited since the end of August, has been reported in numerous media outlets. Users should install the patches provided by Citrix as soon as possible. Citrix’s NetScaler ADC and NetScaler Gateway products, versions 13 and 14, and versions 12 and 13 of NetScaler ADC are affected. In addition to CVE-2023-4966, an advisory has been issued for CVE-2023-4967, which allows a Denial of Service (DoS).

Keep your IT networks secure!

Vulnerability management is a key tool in securing IT networks. It enables you to identify and eliminate potential risks in your systems. The Greenbone Enterprise Feed is updated daily to detect new vulnerabilities. Therefore, we recommend regular updates and scans for all your systems. Please also read this article about IT security and the timeline of common attack vectors.

The Greenbone Enterprise Appliances are offered as hardware, virtual appliances, or on premise (Greenbone Cloud Service). Greenbone works GDPR-compliant and offers an open-source solution. This means the best data protection compliance and is thus guaranteed to be completely free of backdoors.


Contact Free Trial Buy Here Back to Overview

/by
Markus Feilner

Greenbone tests your web applications

Reduce the risk of an attack from the internet on your servers: Take advantage of Greenbone’s latest offer: With our Pentesting Web Applications, we help you to get the best possible security for your web applications.

The numbers speak for themselves: attacks on web applications are on the rise, have been for years, and there is no end in sight. The complexity of modern web presences and services requires a high level of security measures and cannot be managed without testing by experts.

The only thing that helps here is the technique of so-called “pentesting” of web applications, or more precisely “web application penetration testing”. With this attempt to penetrate protected systems from the outside (“penetration”), Greenbone’s experts create an active analysis of vulnerabilities and can thus evaluate the security of a web application. Although there are guidelines such as the highly recommended one from the German Federal Office for Information Security (BSI), which describes the procedure for testing, nothing can replace the expert who puts your system under the microscope himself. In this video you will get a first impression of the work of our security experts. 

Greenbone acts strictly according to the regulations of the DSGVO, is certified according to ISO 27001/9001. As with its vulnerability management products, with the web application pentests you also receive detailed reports on your security situation with clear instructions for action, which the Greenbone experts are happy to help you implement. The offer covers both the client and server side of your web applications and is based on the most modern and up-to-date guidelines, for example the OWASP Top 10 or the OWASP Risk Assessment Framework (RAF). Whether it is cross-site scripting (XSS), SQL injection, information disclosure or command injection, whether there are gaps in the authentication mechanisms of your servers or websockets are the source of danger – Greenbone’s experts will find the vulnerabilities.

As the world’s leading provider of open source vulnerability management products, Greenbone always has the latest expertise in dealing with vulnerabilities and security risks, including here in “black box testing”, when our experts take a close look at your systems from the outside, just as an attacker would: with the perspective of a potential attacker, you will ideally find every existing vulnerability in your IT infrastructure and can take care of fixing them. Only those who know their vulnerabilities can implement security measures in a targeted manner. Find out more about Greenbone AG’s products and services here.

Contact Free Trial Buy Here Back to Overview

/by
Markus Feilner

Outlook Zero Day: Greenbone vulnerability management helps

At its latest patchday, software manufacturer Microsoft patched a severe zero-day vulnerability that had been exploited by intelligence agencies and Russian hacker groups, among others, in the summer of 2022. Early on, Greenbone was able to provide a test in the process, helping companies find unpatched systems and secure data centers and clients.

The CVE-2023-23397 was discovered by the Ukrainian Computer Emergency Response Team (CERT-UA), affects all versions of Microsoft Outlook on Windows and allows attackers to access SMB servers via emails with extended MAPI commands.

Fully automated attack in the background

This, Microsoft warns urgently, can happen fully automatically and in the background, without the user having opened or even previewed the malicious mail: The dangerous commands would be executed directly upon arrival – no credentials entered or careless mouse clicks done by the user are necessary.

Even though all users of Outlook for Windows are affected; systems with Android, iOS or macOS are not vulnerable. Attackers can only exploit this vulnerability if the (old) NTLM authentication is used, web interfaces such as Office 365 are also safe, as Microsoft explains.


Mitigation: Block SMB connections, add users to AD groups

Due to the high potential for damage, the vendor strongly urges customers to apply the appropriate patch. As intermediate, temporary solution, users should be included in the group of protected users in Active Directory and all outgoing SMB connections should be blocked.

Greenbone customers had been provided with an examined test shortly after Microsoft’s patchday. Details of our vulnerability test are available to Greenbone customers here – it is already integrated into Greenbone’s Security Feed and the vulnerability detection of our products.

Incidentally, in a blog post, Microsoft states that previous attacks via this vulnerability have been of limited scope, mostly targeting a “limited number of government, transportation, energy and military organizations in Europe” in 2022 and carried out by Russian-based actors. Media outlets such as Bleeping Computer, which first obtained the internal information from Microsoft, reported attacks from April to December 2022, also carried out by the well-known APT-28 group, for example.

Test Greenbone Vulnerability Management for free

As a “Trial” the Greenbone Enterprise Appliances are free of charge for 14 days. Users can try it out quickly, without special know-how directly in the web browser. A direct upgrade to a valid subscription is possible at any time. All Greenbone Enterprise Appliances use the daily updated Greenbone Enterprise Feed which helps to automatically test your IT network and all connected devices for more than 100,000 vulnerabilities and provides a daily updated, accurate status of the security situation in your company. Because the vulnerability check also provides information on the severity, you can easily prioritize the identified vulnerabilities and the measures to be taken.

Vulnerability management that inspects your IT infrastructure from the outside is indispensable in modern companies. Ideally, by acting like a potential attacker, you can find all vulnerabilities in your IT infrastructure the attacker could exploit. so to speak, and take care of its elimination. Only those who know their vulnerabilities can implement the right security measures.


Contact Free Trial Buy Here Back to Overview

/by