Today, 26 June 2024 (Cybersecurity)
Yesterday, 25 June 2024 (Cybersecurity)

Google’s Project Naptime Aims for AI-Based Vulnerability Research

25 June 2024 at 12:35
Google AI LLM vulnerability

Security analysts at Google are developing a framework that they hope will eventually let large language models (LLMs) run automated vulnerability research, in particular analysis of malware variants. The analysts with Google’s Project Zero, a group founded a decade ago whose job it is to find zero-day vulnerabilities, have been..

The post Google’s Project Naptime Aims for AI-Based Vulnerability Research appeared first on Security Boulevard.

Exploiting a Use-After-Free Vulnerability in the Linux Kernel: A Zero-Day Threat Emerges

use-after-free vulnerability

A listing has surfaced on dark web forums for a claimed zero-day exploit targeting a use-after-free (UAF) vulnerability in the Linux kernel, specifically the 6.6.15-amd64 build. The exploit, advertised for sale by an actor known as Cas, is said to provide privileged code execution and potential access to sensitive data. According to the post, which has drawn attention from security communities, it is being offered for $150,000 in either Monero or Bitcoin. Cas has specified that interested buyers must demonstrate proof of sufficient funds before any transaction can proceed, underlining the illicit nature and high stakes of such transactions.

Use-After-Free Vulnerability Targets Linux Kernel

Image: Use-After-Free Vulnerability Targets Linux Kernel (Source: Dark Web)

The vulnerability, if the exploit works as advertised, would allow an attacker with local access to escalate privileges on affected systems and execute code with root-level permissions. A local privilege escalation of this kind poses severe risks to both individual users and organizations relying on Linux-based systems. "Selling 0day Use-after free in the Linux Kernel, you can use it to do a Privileged Code Execution (LPE (Local Privilege Escalation), or execute code with root privileges), (Data Leakage )..etc Affected version: 6.6.15-amd64. Environment arch: 64-bit and Price: 150k Monero & BTC", reads the threat actor's post. Moderators on these forums have pointed to another individual, known as IntelBroker, who claims to have verified the proof-of-concept (PoC) behind the exploit privately. That endorsement lends some credibility to Cas's offer, but no evidence has been made public and the claim remains unverified.

Previous Instances and Industry Impact

Earlier, cybersecurity firm Rewterz reported on CVE-2024-36886, a use-after-free flaw in the Linux kernel (reported there as affecting version 4.1) that could be exploited by remote attackers to execute arbitrary code. That flaw, triggered by fragmented TIPC messages, is reachable over the network, whereas the exploit advertised by Cas is a local privilege escalation; both illustrate the ongoing difficulty of keeping the kernel's memory management free of object-lifetime bugs.

A use-after-free (UAF) vulnerability occurs when a program continues to access memory that has already been deallocated. In languages such as C and C++, where dynamic memory is released explicitly with functions like free(), a pointer to the released block is left dangling, and the program may later read or write through it. The consequences range from crashes to security vulnerabilities: if the allocator has since reused the block for other data, the stale access reads or corrupts that data, and an attacker who can control what lands in the reused block can manipulate the program's behaviour, potentially executing arbitrary code or escalating privileges.

Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.
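The definition above can be made concrete. The following C program is an added illustration and is not code from the article, from the kernel, or from the advertised exploit. A heap object that carries a callback pointer is freed while another reference to it is still held, which is exactly the pattern the term describes; the hardened version beside it uses reference counting and clears the releasing holder's pointer so that no dangling pointer survives. The session_t type, its functions and the sample event values are all assumptions made for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added illustration, not code from the article or from any kernel: a small
 * reference-counted "session" object with a callback. Heap objects of this
 * shape (shared between holders, holding a function pointer) are where
 * use-after-free bugs are typically found and exploited. */
typedef struct session {
    int refcount;
    char name[32];
    int (*on_event)(struct session *s, int ev);
} session_t;

static int default_handler(struct session *s, int ev) {
    (void)s;
    return ev * 2;
}

session_t *session_new(const char *name) {
    session_t *s = calloc(1, sizeof *s);
    if (s == NULL) return NULL;
    s->refcount = 1;
    snprintf(s->name, sizeof s->name, "%s", name);
    s->on_event = default_handler;
    return s;
}

/* Plain free with no ownership tracking; used only by the buggy path. */
void session_free_raw(session_t *s) {
    free(s);
}

/* VULNERABLE PATTERN (shown for contrast, never called in this example):
 * the object is freed while the caller still holds a raw pointer to it, and
 * that pointer is then dereferenced. Once the allocator hands the same chunk
 * to a new allocation, s->on_event may be under the control of whoever
 * filled that allocation, which is how a kernel UAF becomes code execution
 * with the kernel's privileges. */
int uaf_dispatch_bug(session_t *s, int ev) {
    session_free_raw(s);       /* lifetime ends here ... */
    return s->on_event(s, ev); /* ... but the dangling pointer is used anyway */
}

/* HARDENED PATTERN: each holder takes a reference, the last one to release
 * frees, and the caller's pointer is nulled on release so it cannot dangle. */
session_t *session_get(session_t *s) {
    if (s != NULL) s->refcount++;
    return s;
}

void session_put(session_t **sp) {
    session_t *s = *sp;
    if (s == NULL) return;
    *sp = NULL;                     /* this holder can no longer reach the object */
    if (--s->refcount == 0) {
        memset(s, 0, sizeof *s);    /* scrub before free: a stale read finds no callback */
        free(s);
    }
}

/* Dispatch only through a live reference; -1 means the caller's pointer
 * was already released, which is an ordinary error, not a memory-safety bug. */
int session_dispatch(session_t *s, int ev) {
    if (s == NULL || s->on_event == NULL) return -1;
    return s->on_event(s, ev);
}

/* Two holders share one session and release independently.
 * Returns the event result obtained after the first holder released (42). */
int demo_shared_lifetime(void) {
    session_t *owner = session_new("worker");
    if (owner == NULL) return -3;
    session_t *holder = session_get(owner); /* second reference */
    session_put(&owner);                    /* refcount 2 -> 1: object still alive */
    int r = session_dispatch(holder, 21);   /* valid through holder */
    session_put(&holder);                   /* refcount 1 -> 0: freed exactly once */
    if (holder != NULL) return -2;          /* release cleared the pointer */
    return r;
}

/* Release then use: the hardened API returns an error (-1) instead of
 * touching freed memory. */
int demo_release_then_use(void) {
    session_t *s = session_new("once");
    session_put(&s);
    return session_dispatch(s, 5); /* s is NULL here */
}
```

Build it with `gcc -Wall -fsanitize=address` when experimenting: the buggy function is present only for contrast and is never called, because under AddressSanitizer the stale read in it aborts with a heap-use-after-free report, which is also the quickest way to catch this class of bug in your own code.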

WordPress Plugins Hit by Supply Chain Attack: Update Now!

Supply Chain Attack

A new supply chain attack has impacted several plugins hosted on WordPress.org. The compromise was discovered on June 24th, 2024, by the Wordfence Threat Intelligence team and initially centered on the Social Warfare plugin, which was found to contain malicious code inserted as early as June 22nd, 2024, according to a forum post by the WordPress.org Plugin Review team. Upon identifying the malicious file within Social Warfare, the Wordfence team uploaded it to their internal threat intelligence platform for analysis, and their investigation revealed that the same malicious code had been injected into four additional plugins. Wordfence notified the WordPress plugins team about the compromised plugins; the response has been limited, although the affected plugins have since been delisted from the official repository.

WordPress Plugin Vulnerability Leads to Supply Chain Attack

According to Wordfence researchers, five plugins were compromised:
  • Social Warfare versions 4.4.6.4 to 4.4.7.1; a patched version (4.4.7.3) has since been released.
  • Blaze Widget versions 2.2.5 to 2.5.2; no patched version available.
  • Wrapper Link Element versions 1.0.2 to 1.0.3; no patched version available. Although the malicious code appears to be absent from Wrapper Link Element version 1.0.0, that version number is lower than the infected ones, so sites will not update to it automatically. Users are advised to uninstall the plugin until a properly tagged version is issued.
  • Contact Form 7 Multi-Step Addon versions 1.0.4 to 1.0.5; no patched version available.
  • Simply Show Hooks version 1.2.1; no patched version available.
The injected malware's primary function is to attempt to create unauthorized administrative user accounts on affected websites. These accounts are then used to exfiltrate sensitive data to servers controlled by the attackers. The attackers also embedded malicious JavaScript into the footers of compromised websites, adding spammy content that can affect SEO.

Ongoing Investigation and Recovery

The malicious code was noted for its relative simplicity and lack of heavy obfuscation; it contains comments throughout that made it easier to trace. The attackers appear to have begun their activities as early as June 21st, 2024, and were still pushing updated plugin versions a few hours before detection. The Wordfence team is conducting a thorough analysis to develop malware signatures for the compromised plugin versions. They advise website administrators to use the Wordfence Vulnerability Scanner to check for the affected plugins and take immediate action, either by updating to a patched version or by removing the affected plugin altogether. Key indicators of compromise:
  • The IP address 94.156.79.8, used by the attackers' server.
  • Unauthorized administrative accounts with usernames such as 'Options' and 'PluginAuth'.
To mitigate risks, administrators are urged to conduct comprehensive security audits, including checking for unauthorized accounts and running thorough malware scans.
Before yesterday (Cybersecurity)

Phoenix SecureCore UEFI Flaw Exposes Intel Processors to 'UEFIcanhazbufferoverflow' Vulnerability

UEFIcanhazbufferoverflow vulnerability

A newly disclosed vulnerability, CVE-2024-0762, dubbed "UEFIcanhazbufferoverflow," affects Phoenix SecureCore UEFI firmware used on devices built around various Intel Core desktop and mobile processors. The flaw is a buffer overflow in the firmware's Trusted Platform Module (TPM) configuration handling and could allow an attacker to execute unauthorized code. Eclypsium, a firm specializing in supply chain security, identified the vulnerability through its automated binary analysis system, Eclypsium Automata, and reported that the flaw could be exploited locally to escalate privileges and gain control of the UEFI firmware at runtime. Code running at that level sits beneath the operating system and its security controls, which is what makes the issue particularly concerning for affected devices.

Decoding the UEFIcanhazbufferoverflow Vulnerability and its Impact

The affected Phoenix SecureCore UEFI firmware is used across multiple generations of Intel Core processors, including AlderLake, CoffeeLake, CometLake, IceLake, JasperLake, KabyLake, MeteorLake, RaptorLake, RocketLake, and TigerLake. Given the widespread adoption of these processors by OEMs, the UEFIcanhazbufferoverflow vulnerability has the potential to affect a broad range of PC products on the market. According to Eclypsium researchers, the vulnerability arises from insecure handling of a UEFI variable in the TPM configuration code, specifically the TCG2_CONFIGURATION variable: the firmware does not adequately bound the variable's contents when reading them, so an attacker who can influence that variable can overflow the buffer and run arbitrary code. Phoenix Technologies assigned CVE-2024-0762 to the issue and released patches on May 14, 2024. The vulnerability carries a CVSS score of 7.5, rated high.
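To show what "insecure variable handling" means in practice, here is an added C illustration; it is not Phoenix firmware code and not Eclypsium's analysis, and the exact bug in SecureCore may differ in its details. It models the UEFI GetVariable() contract (the caller passes its buffer size in DataSize, and the service reports the size it actually needs when the buffer is too small) against a mock variable store, then contrasts a caller that initialises DataSize from the stored size while reading into a fixed-size buffer with one that initialises it from the buffer's real length. The variable name TCG2_CONFIGURATION is from the advisory; the mock store, the 64-byte buffer and the two callers are assumptions made for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Added illustration, not Phoenix or Eclypsium code: a mock of the UEFI
 * runtime service GetVariable() contract and two firmware-side callers that
 * read a TPM configuration variable into a fixed-size buffer. */

typedef enum { EFI_SUCCESS = 0, EFI_BUFFER_TOO_SMALL = 5, EFI_NOT_FOUND = 14 } efi_status_t;

#define VAR_NAME    "TCG2_CONFIGURATION"
#define CFG_BUF_LEN 64              /* assumed size of the firmware's config buffer */

/* Mock NVRAM holding one variable. On a real platform an OS-level
 * administrator can rewrite a variable's contents and size with SetVariable(),
 * so the stored size is not trustworthy from the firmware's point of view. */
static uint8_t g_var_data[512];
static size_t  g_var_size;

void mock_set_variable(const uint8_t *data, size_t size) {
    if (size > sizeof g_var_data) size = sizeof g_var_data;
    memcpy(g_var_data, data, size);
    g_var_size = size;
}

/* Same contract as EFI_GET_VARIABLE: *data_size is the caller's buffer size
 * on entry; on EFI_BUFFER_TOO_SMALL it is updated to the size needed. The
 * service copies exactly as many bytes as the caller said would fit. */
efi_status_t mock_get_variable(const char *name, void *data, size_t *data_size) {
    if (strcmp(name, VAR_NAME) != 0) return EFI_NOT_FOUND;
    if (data == NULL || *data_size < g_var_size) {
        *data_size = g_var_size;
        return EFI_BUFFER_TOO_SMALL;
    }
    memcpy(data, g_var_data, g_var_size);
    *data_size = g_var_size;
    return EFI_SUCCESS;
}

/* First-call idiom: ask how large the stored variable currently is. */
size_t query_variable_size(void) {
    size_t size = 0;
    mock_get_variable(VAR_NAME, NULL, &size);  /* returns TOO_SMALL, size := stored size */
    return size;
}

/* INSECURE: pass the stored size, not the buffer's size, to the copying call.
 * GetVariable trusts *data_size, so a variable larger than CFG_BUF_LEN is
 * copied straight over the end of the buffer. The demo only calls this while
 * the variable fits; the defect is the unbounded size, not the copy itself. */
efi_status_t read_config_insecure(uint8_t out[CFG_BUF_LEN]) {
    size_t size = query_variable_size();
    return mock_get_variable(VAR_NAME, out, &size); /* overflow if size > CFG_BUF_LEN */
}

/* HARDENED: *data_size starts at the real buffer length, so an oversized
 * variable is refused with EFI_BUFFER_TOO_SMALL instead of being copied. */
efi_status_t read_config_secure(uint8_t out[CFG_BUF_LEN], size_t *got) {
    size_t size = CFG_BUF_LEN;
    efi_status_t st = mock_get_variable(VAR_NAME, out, &size);
    if (st == EFI_SUCCESS) *got = size;
    return st;
}

/* Walk both readers through a variable that fits, then one that does not.
 * Returns 0 when the secure reader behaves correctly in both cases. */
int demo_variable_handling(void) {
    uint8_t cfg[CFG_BUF_LEN];
    uint8_t small[16], big[200];
    size_t got = 0;

    memset(small, 0xAB, sizeof small);               /* constructed 16-byte config */
    mock_set_variable(small, sizeof small);
    if (read_config_insecure(cfg) != EFI_SUCCESS) return 1;  /* both work while it fits */
    if (read_config_secure(cfg, &got) != EFI_SUCCESS) return 2;
    if (got != sizeof small || cfg[0] != 0xAB) return 3;

    memset(big, 0x41, sizeof big);                   /* what an OS admin could store */
    mock_set_variable(big, sizeof big);
    if (read_config_secure(cfg, &got) != EFI_BUFFER_TOO_SMALL) return 4;
    /* read_config_insecure(cfg) at this point would memcpy 200 bytes into a
     * 64-byte stack buffer: that is the bug class behind CVE-2024-0762. */
    return 0;
}
```

The check a reviewer would apply to any firmware that reads NVRAM variables into fixed buffers is that DataSize is initialised from sizeof(buffer), never from a previously reported size, because the variable's contents and length can be rewritten from the operating system by anyone with administrative rights, which is why a flaw of this kind is exploitable locally.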

The Importance of UEFI Architecture Security

In practical terms, the exploitation of UEFI firmware vulnerabilities like "UEFIcanhazbufferoverflow" highlights the critical role of firmware in device security. UEFI firmware initializes the hardware and provides runtime services to the operating system, which makes it a prime target for attackers seeking persistent, hard-to-detect access and control. The incident also illustrates the supply chain problem in firmware: a vulnerability in an upstream component such as Phoenix SecureCore cascades into the products of every OEM that ships it. Organizations are advised to use scanning tools to identify affected devices and promptly apply vendor-supplied firmware updates. Enterprises running devices with potentially impacted firmware should also deploy solutions that continuously monitor and assess device integrity; this helps mitigate the risk from older devices and provides ongoing visibility into active exploitation of firmware-level vulnerabilities.

Hundreds of PC, Server Models Possibly Affected by Serious Phoenix UEFI Vulnerability

20 June 2024 at 09:05

Hundreds of PC and server models may be affected by CVE-2024-0762, a privilege escalation and code execution flaw in Phoenix SecureCore UEFI firmware.

The post Hundreds of PC, Server Models Possibly Affected by Serious Phoenix UEFI Vulnerability appeared first on SecurityWeek.

Weekly Vulnerability Report: Critical Security Flaws Identified by Cyble in GitHub, FortiOS, and PHP

By: Avantika
14 June 2024 at 14:55

Weekly Vulnerability Report

The Cyber Express, in collaboration with Cyble Research & Intelligence Labs (CRIL), publishes a weekly summary of security vulnerabilities with actionable insights for IT administrators and security professionals, prepared by Cyble's dark web and threat intelligence researchers. This week's Weekly Vulnerability Report identifies several important bugs that require urgent attention. The full report covers these vulnerabilities, along with exploits observed on the dark web, industrial control system (ICS) vulnerability intelligence, and defensive measures. Cyble security analysts have also scanned customer environments to alert them of any exposures. The vulnerabilities, highlighted from June 05, 2024, to June 11, 2024, include critical issues that could be easily exploited; failure to patch them could result in unauthorized access, data breaches, and significant operational disruption. Cyble researchers found over 1 million internet-facing assets exposed to these vulnerabilities, highlighting the urgency of addressing them.

Critical Vulnerabilities and Their Impact

Here are details and analysis of five of the most critical vulnerabilities identified by Cyble.

JetBrains GitHub Plugin Token Exposure (CVE-2024-37051)

Overview: The JetBrains GitHub plugin for IntelliJ-based IDEs can expose GitHub access tokens, which could allow unauthorized individuals to access the affected GitHub accounts. This can lead to the manipulation or theft of code, posing a severe threat to software integrity and security. Impact: Unauthorized access to repositories can result in the leakage of sensitive information, insertion of malicious code, and potential compromise of projects that depend on the affected repositories.

FortiOS SSL-VPN (CVE-2022-42475)

Overview: A critical heap-based buffer overflow vulnerability in FortiOS SSL-VPN has been actively exploited in cyber-espionage campaigns. This vulnerability allows attackers to execute arbitrary code on the affected systems. Impact: Successful exploitation can lead to full control over the compromised system, enabling data theft, network breaches, and service disruptions.

PHP Remote Code Execution (CVE-2024-4577)

Overview: Multiple versions of PHP have been found vulnerable to remote code execution. This vulnerability has been exploited to deploy ransomware, affecting web servers running the vulnerable PHP versions. Impact: Exploitation can result in the complete compromise of web servers, data exfiltration, and file encryption for ransom.

Netgear Authentication Bypass (CVE-2024-36787)

Overview: A vulnerability in Netgear routers allows attackers to bypass authentication mechanisms, granting unauthorized access to router settings. Impact: Unauthorized access can be used to modify network settings, intercept data, and enable further compromise of the network.

Veeam Backup Enterprise Manager (CVE-2024-29849)

Overview: A critical vulnerability in Veeam Backup Enterprise Manager allows unauthenticated users to log in, posing a high risk of data theft and manipulation. Impact: Unauthorized access to backup systems can result in data breaches, loss of critical backup data, and potential operational disruptions.

Weekly Vulnerability Report: Highlights

CVE-2024-37051

Impact Analysis: A critical vulnerability in the JetBrains GitHub plugin for the open-source IntelliJ platform affects all IntelliJ-based IDEs and leads to the exposure of GitHub access tokens. Threat actors (TAs) can use exposed tokens to gain unauthorized access to users' GitHub accounts and repositories, and possibly deploy malicious code or delete the repositories. Internet Exposure: No. Patch: Available.

CVE-2022-42475

Impact Analysis: A critical heap-based buffer overflow vulnerability in FortiOS SSL-VPN and FortiProxy SSL-VPN allows remote unauthenticated attackers to execute arbitrary code or commands via specially crafted requests. Reports indicate that Chinese TAs weaponized this vulnerability in cyber-espionage campaigns against government institutions for several months between 2022 and 2023, deploying malware on vulnerable FortiGate network security appliances. Internet Exposure: Yes. Patch: Available.

CVE-2024-4577

Impact Analysis: A critical remote code execution (RCE) vulnerability affecting PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, and 8.3.* before 8.3.8 when PHP runs in CGI mode (PHP-CGI) under Apache on Windows. PHP is a widely used open-source scripting language for web development; the vulnerability can reveal the source code of scripts and lets TAs run arbitrary PHP code on the server. Researchers recently observed the TellYouThePass ransomware gang exploiting it to deliver webshells and execute the encryptor payload on target systems. Internet Exposure: Yes. Patch: Available.

CVE-2024-4610

Impact Analysis: A use-after-free vulnerability in the Arm Bifrost and Valhall GPU kernel drivers allows a local non-privileged user to access already freed memory through improper GPU memory processing operations. Internet Exposure: No. Patch: Available.

CVE-2024-36787

Impact Analysis: This vulnerability in the Netgear WNR614 JNR1010V2 N300 router (firmware V1.1.0.54_1.0.1) allows attackers to bypass authentication and access the administrative interface, posing a severe threat to network security and sensitive user data. Internet Exposure: Yes. Patch: Not specified.

CVE-2024-29849

Impact Analysis: A vulnerability in Veeam Backup Enterprise Manager (VBEM) allows unauthenticated attackers to log in as any user to the enterprise manager web interface. The risk is high given the global use of Veeam products and the availability of a public proof-of-concept (PoC). Internet Exposure: Yes. Patch: Available.

CVE-2019-9082 & CVE-2018-20062

Impact Analysis: These vulnerabilities affect ThinkPHP, an open-source PHP framework with an MVC structure, and lead to remote code execution (RCE). Chinese threat actors have used them to install a persistent web shell named Dama. Internet Exposure: No. Patch: Not specified.

CVE-2024-24919

Impact Analysis: This vulnerability affects Check Point Remote Access VPN and allows attackers to read information from Internet-connected gateways with remote access VPN or mobile access enabled. It has been exploited in zero-day attacks since April 30, 2024, enabling lateral movement through victim networks by stealing Active Directory data. Internet Exposure: Yes. Patch: Available.

CVE-2024-30080

Impact Analysis: A critical remote code execution vulnerability in Microsoft's Message Queuing (MSMQ) can be exploited by unauthenticated attackers via specially crafted MSMQ packets. Microsoft addressed the flaw in its monthly Patch Tuesday update. Internet Exposure: Yes. Patch: Available.

Industrial Control Systems (ICS) Vulnerabilities

The report also highlights vulnerabilities in Industrial Control Systems (ICS), which underpin sectors such as healthcare, emergency services, and energy. The majority of these vulnerabilities are rated high or critical severity, underscoring the importance of securing ICS environments.

Recommended Mitigation Strategies

To mitigate the risks associated with these vulnerabilities, the following strategies are recommended:
  • Regular Software and Hardware Updates: Ensure all systems and devices are up to date with the latest security patches and firmware updates.
  • Patch Management: Implement a comprehensive patch management process to promptly address and apply patches for known vulnerabilities.
  • Network Segmentation: Segment networks to limit the spread of attacks and reduce the attack surface.
  • Incident Response and Recovery Plans: Develop and regularly update incident response and recovery plans to ensure swift action in the event of a breach.
  • Monitoring and Logging Solutions: Deploy advanced monitoring and logging solutions to detect and respond to suspicious activities in real time.
  • Regular Vulnerability Assessments and Penetration Testing: Conduct regular vulnerability assessments and penetration tests to identify and remediate security weaknesses.
  • Strong Password Policies and Multi-Factor Authentication: Enforce strong password policies and implement multi-factor authentication to enhance access control.
The report also notes active discussion and sharing of several vulnerabilities on underground forums, including vulnerabilities in popular platforms such as WordPress and macOS that cybercriminals are exploiting.

Conclusion

The findings of the Weekly Vulnerability Intelligence Report highlight the need for continuous vigilance and proactive cybersecurity measures. Organizations must prioritize patch management, conduct regular security audits, and maintain incident response plans to protect against emerging threats.

Ransomware Group Jumps on PHP Vulnerability

12 June 2024 at 11:43
PHP ransomware vulnerability

A long-running ransomware campaign that has been targeting Windows and Linux systems since 2019 is the latest example of how closely threat groups track public disclosures of vulnerabilities and proofs-of-concept (PoCs) and how quickly they move in to exploit them. The PHP Group last week disclosed a high-severity flaw – tracked as CVE-2024-4577 and with..

The post Ransomware Group Jumps on PHP Vulnerability appeared first on Security Boulevard.

Recent glibc Vulnerabilities and How to Protect Your Linux System

11 June 2024 at 05:00

The GNU C Library, commonly known as glibc, is a critical component in many Linux distributions. It provides core functions essential for system operations. However, like any software library, it is not immune to vulnerabilities. Recently, multiple security issues have been identified in glibc, which could result in a denial of service. These vulnerabilities are […]

The post Recent glibc Vulnerabilities and How to Protect Your Linux System appeared first on TuxCare.

The post Recent glibc Vulnerabilities and How to Protect Your Linux System appeared first on Security Boulevard.

Alleged RCE Vulnerability Threatens Subdomains of Italian Ministry of Defence

RCE vulnerability

A threat actor known as spr1ngtr4p has advertised a purported Remote Code Execution (RCE) vulnerability affecting a subdomain of Italy's Ministry of Defence website. The claim was posted on June 7, 2024, on XSS, a Russian-language cybercrime forum. RCE vulnerabilities, such as the one claimed by spr1ngtr4p, are significant because they allow an attacker to execute code remotely on the targeted system; the consequences can range from malware deployment to complete compromise of the affected machine.

The RCE Vulnerability and Possible Cyberattack on the Italian Ministry of Defence

Image: RCE Vulnerability (Source: Dark Web)

The affected organization, as claimed by the threat actor, is the Ministry of Defence of Italy, Ministero Difesa. The website in question, difesa.it, belongs to that governmental body, which makes the claim a matter of national security; a confirmed compromise of a defence ministry would also carry implications well beyond Italy. The post on the cybercrime forum describes the nature of the RCE vulnerability but offers no substantial evidence to support the claim. The absence of proof casts doubt on its credibility and means it warrants investigation rather than assumption.

No Confirmation of Intrusion

Efforts to verify the alleged attack on the Italian Ministry of Defence have been initiated, with inquiries directed to the ministry. As of the time of this report, official confirmation or denial is pending, and the status of the claim remains unresolved. Despite the alarming nature of the post, the ministry's website remains operational with no visible sign of intrusion, which suggests either that the threat actor has not exploited the vulnerability or that the site's security measures have blocked any attempt. The claimed RCE vulnerability nevertheless warrants proactive measures to mitigate risk, and organizations in the government and law enforcement sectors in particular should remain vigilant and maintain robust security controls. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Critical PHP Vulnerability Threatens Windows Servers – Source: www.databreachtoday.com


Source: www.databreachtoday.com. Categories: Governance & Risk Management, Patch Management, Vulnerability Assessment & Penetration Testing (VA/PT). Remote Code Execution Exploit Found; Patch Now Available. By Prajeet Nair (@prajeetspeaks), June 8, 2024. Image: Shutterstock. Server administrators should take immediate action to patch a critical remote code execution vulnerability in PHP for […]

The post Critical PHP Vulnerability Threatens Windows Servers – Source: www.databreachtoday.com was first published on CISO2CISO.COM & CYBER SECURITY GROUP.

Researchers Urge Immediate Action on New EmailGPT Vulnerability Exposing Users to Data Breach

EmailGPT Vulnerability

The CyRC Vulnerability Advisory has reported a security flaw in EmailGPT, an AI-powered email writing assistant delivered as a Google Chrome extension. The EmailGPT vulnerability (CVE-2024-5184) is a prompt injection: the service's API accepts prompts directly from the user, so a malicious user can inject instructions that take control of the service's logic, potentially leading to the compromise of sensitive data.

Understanding the New EmailGPT Vulnerability (CVE-2024-5184)

Image: EmailGPT Vulnerability (CVE-2024-5184) (Source: GitHub)

By coercing the AI service, attackers can force it to leak its standard system prompt or to execute unauthorized prompts, which opens the way to several forms of abuse. By submitting a malicious prompt, anyone with access to the service can extract sensitive information, initiate spam campaigns using compromised accounts, or fabricate misleading email content for disinformation campaigns. Beyond data exposure, exploiting the vulnerability could cause denial of service and direct financial loss through repeated requests billed to the AI provider's API. "When engaging with EmailGPT by submitting a malicious prompt that requests harmful information, the system will respond by providing the requested data. This vulnerability can be exploited by any individual with access to the service", reads the CyRC Vulnerability Advisory.

CyRC Advises Users to Remove EmailGPT

The vulnerability has a CVSS score of 6.5 (Medium). CyRC attempted to engage the EmailGPT developers through responsible disclosure but received no response within the 90-day disclosure window. Consequently, "CyRC recommends removing the applications from networks immediately". Users should watch for updates and patches before resuming use of the service. CVE-2024-5184 is a reminder that AI-powered tools need the same security scrutiny as any other software that handles sensitive data; by following the CyRC's recommendations and taking proactive measures to mitigate risk, users can safeguard their data and the integrity of their email communications.

Patch Now! Center for Cybersecurity Belgium Warns About Critical Vulnerabilities in Telerik Report Server

By: Alan J
6 June 2024 at 18:41

Progress Telerik Belgium Cybersecurity Vulnerabilities

On March 20, 2024, Progress Software disclosed three vulnerabilities in its Telerik Report Server products, identified as CVE-2024-1800, CVE-2024-1801, and CVE-2024-1856. A fourth Progress Telerik Report Server vulnerability, CVE-2024-4358, disclosed on May 31, 2024, could potentially allow attackers to execute code on systems running affected versions of the software. The Centre for Cybersecurity Belgium (CCB) has issued a security advisory urging customers to patch all four.

Progress Telerik Vulnerabilities Overview

The CCB detailed all four vulnerabilities, their associated risks and the existence of working exploits, and provided links to additional details on each.

Insecure Deserialization Vulnerabilities

The first two vulnerabilities (CVE-2024-1801 and CVE-2024-1856) are insecure deserialization vulnerabilities in Progress Telerik Reporting that could allow an attacker to run arbitrary code. CVE-2024-1801 requires local access to exploit, while CVE-2024-1856 may be exploitable remotely if specific web application misconfigurations are present.

Remote Code Execution Vulnerability

The third vulnerability (CVE-2024-1800) is an insecure deserialization vulnerability in the Progress Telerik Report Server itself. Successful exploitation could allow remote execution of arbitrary code on affected systems. Progress Telerik Report Server versions prior to 2024 Q1 (10.0.24.130) are vulnerable.

Authentication Bypass Vulnerability

The fourth vulnerability, CVE-2024-4358, disclosed later, is an authentication bypass in the Telerik Report Server that could allow an unauthenticated attacker to gain access to restricted functionality. It affects Progress Telerik Report Server versions up to 2024 Q1 (10.0.24.305).

Recommended Actions for Telerik Vulnerabilities

The Centre for Cybersecurity Belgium strongly recommends applying the latest available Progress Telerik software updates to vulnerable systems after thorough testing. Progress Telerik has stated that the only way to remediate the first three vulnerabilities is to update to the latest available version (10.1.24.514). For the authentication bypass (CVE-2024-4358), Progress Telerik has published a temporary mitigation: a URL Rewrite rule in IIS that denies access to the vulnerable "startup/register" path. That rule blocks the exposed endpoint but does not fix the underlying code, so updating remains necessary. The CCB also urges organizations to bolster their monitoring and detection capabilities and watch for malicious activity associated with these vulnerabilities, and advises checking the list of users within the Progress Telerik Report Server to ensure no unauthorized accounts have been added, responding quickly to any detected intrusion. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Researchers Accidentally Discover Bypass in Self-Service Check-In System of Hotel

By: Alan J
6 June 2024 at 10:54

Kiosk Mode Bypass Switzerland Vulnerability

Researchers observed a kiosk mode bypass vulnerability in a remote hotel's check-in terminal during their stay there while traveling to attend a threat modeling workshop. The hotel's terminal operates through the use of the Ariane Allegro Scenario Player. Ariane is an international provider of self-check-in systems for the hospitality industry, with deployments at more than 3,000 sites across 25 different countries. The researchers discovered the flaw in the check-in system's guest search feature, which could be made to crash in a way that allowed unauthorized access to the underlying system.

Kiosk Mode Bypass Grants Access To Hotel's Windows Desktop

The hotel, which had no check-in staff, relied solely on the self-service check-in terminal running the Ariane Allegro Scenario Player in kiosk mode. Visiting researchers from Pentagrid discovered that the check-in terminal crashed when a single quote character was entered into its guest search feature. When the user tries to interact with the terminal screen after the crash, the Windows operating system asks whether it should wait longer or stop the unresponsive task. Selecting the second option halts the kiosk mode application entirely, unexpectedly giving the team access to the underlying Windows desktop. The researchers credited the accidental discovery to Martin "O'YOLO" Schobert. They state that this bypass poses significant risks, as attackers with access to the Windows desktop could potentially target a hotel's entire network, access stored data (including PII, reservations, and invoices), or create room keys for other hotel rooms by abusing the terminal's RFID room-provisioning functionality. The kiosk mode bypass vulnerability has been rated with a CVSS score of 6.8 (medium). The researchers specified the following preconditions as necessary for successful exploitation of the vulnerability:
  • Physical access to the check-in terminal along with time, depending upon the attack's preparation.
  • The check-in terminal must be in a self-service state, as hotels might enable this option only during specific times or during staff shortage.
According to Ariane Systems, the issue stemmed from the use of outdated versions of its check-in software at the new hotel.

Disclosure Process and Vendor Response

The vulnerability's discovery led the team to investigate further, finding that a hotel chain from Liechtenstein and Switzerland uses the check-in terminal for its smaller hotel locations. The vulnerability could potentially affect several hotels that rely on Ariane's Allegro Scenario Player check-in system. The researchers first discovered the vulnerability on March 5, 2024, and immediately attempted to disclose it to the vendor through multiple channels, such as LinkedIn, contact numbers and official email addresses. The researchers also attempted to reach the company's technical leader and chief product officer, receiving a delayed response on March 18 in which Ariane Systems claimed that the reported systems were legacy software models, and that no personally identifiable information (PII) or exploitable data could be retrieved from the kiosk machine. However, the researchers dispute the vendor's claim, stating that the kiosk was designed to produce and keep accessible invoice files. In a later call with Ariane Systems on April 11, further vulnerability details were shared, with the researchers awaiting a response. They state that as of June 5, 2024, there have been no updates from the vendor. They cite the initial delays and lack of additional updates as reasons for publicly disclosing the vulnerability after a waiting period of 90 days. To mitigate potential risks stemming from the vulnerability, the researchers recommended that hotels using the Ariane Allegro Scenario Player check that they have the most recent version of the software installed, as the issue was reportedly fixed by the vendor. Additionally, they advised hotels to isolate check-in terminals on the network, so that a bypass of the kiosk application cannot be used to reach hotel networks beyond the underlying Windows system.

Openness of RISC-V Backfires: Security Flaw Found in China’s Domestic Chip Savior

RISC-V

A Chinese research team identified a severe security flaw in the design of RISC-V processors, posing a threat to China's expanding domestic semiconductor sector. The flaw enables cyber attackers to bypass the security measures of modern processors without administrative rights, which can lead to the theft of sensitive information and breaches of personal privacy. RISC-V is an open-source standard used in advanced chips and semiconductors. Unlike mainstream CPU architectures such as the x86 designs of Intel and AMD, RISC-V offers free access and can be modified without restriction. This openness has made it a critical component of China's strategy to circumvent US-imposed chip bans and achieve semiconductor independence. The vulnerability was discovered in the open-source code of SonicBOOM, a RISC-V core, and confirmed by Professor Hu Wei's team at Northwestern Polytechnical University (NPU), a major defense research institute in Shaanxi. On April 24, the Chinese research team, which specializes in hardware design security, vulnerability detection, and cryptographic application safety, reported the issue to China's National Computer Network Emergency Response Technical Team/Coordination Centre (CNCERT). Additional details were later revealed by NPU in an official statement on May 24.

US-Imposed Chip Bans: What Are They?

Since 2022, US officials have set broad restrictions on which computing processors can be supplied to China, reducing shipments from Nvidia (NVDA.O), Advanced Micro Devices (AMD.O), and Intel (INTC.O), among others. These restrictions mirrored earlier limits on semiconductor shipments to Huawei Technologies (HWT.UL). However, U.S. officials have granted licenses to at least two US companies, Intel and Qualcomm (QCOM.O), to continue shipping chips to Huawei, which is using an Intel chip to power a new laptop model.

Why Is This Vulnerability Troubling for China?

The vulnerability's discovery is particularly troubling for China, which has been relying heavily on RISC-V to develop its CPUs. By the end of 2022, over 50 different versions of locally produced RISC-V chips were mass-produced in China, primarily for embedded applications such as industrial controls, power management, wireless connectivity, storage control, and the Internet of Things. Recent developments have seen RISC-V expanding into more demanding applications, including industrial control, autonomous driving, artificial intelligence, telecommunications, and data centers. RISC-V processors have gained popularity due to their simplicity, modularity, scalability, and the rapid evolution of the architecture since its inception.

Discovery of RISC-V

RISC-V was developed in 2010 by Professor David Patterson at the University of California, Berkeley, who also designed RISC-I in 1980. Despite its advantages, the newly discovered flaw in RISC-V could undermine its reliability and security, potentially impacting its adoption and use in critical applications. This discovery is part of China’s national key research and development program in processor hardware security, initiated in 2021. The program, carried out by CNCERT, Tsinghua University, NPU, and the Institute of Microelectronics of the Chinese Academy of Sciences, focuses on the research and detection of hardware vulnerabilities. The CNCERT report emphasized that processor-related vulnerability mining is highly challenging, with the number of RISC-V processor vulnerabilities in global libraries being significantly lower than software and firmware vulnerabilities.

NPU Role

NPU's participation in discovering this weakness demonstrates its status as a pioneer in China's information security education and research, which aligns with the country's strategic needs. NPU established its "information confrontation" undergraduate program in 2000, which was renamed "information security" in 2009. In 2011, it established the National Institute of Confidentiality, which added "secrecy" to the curriculum. In 2018, the university expanded its cybersecurity focus by founding the School of Cybersecurity. This vulnerability affects not only China but also global technology corporations and the wider semiconductor industry. As China pursues semiconductor independence, addressing and mitigating such vulnerabilities will be critical to guaranteeing the security and dependability of its domestic chip industry.

CISA Alert: Urgent Update Needed for Apache Flink Vulnerability

5 June 2024 at 05:00

Attention Apache Flink users! The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently added an Apache Flink vulnerability to its Known Exploited Vulnerabilities Catalog, highlighting evidence of its active exploitation. Apache Flink is a popular open-source framework for processing large streams of data. It’s widely used in big data analytics and real-time applications. However, like […]

The post CISA Alert: Urgent Update Needed for Apache Flink Vulnerability appeared first on TuxCare.

The post CISA Alert: Urgent Update Needed for Apache Flink Vulnerability appeared first on Security Boulevard.
