Articles tagged with: sosintelligence flash alert

Flash Alert

FLASH Alert – Remote Unauthenticated Code Execution Vulnerability in OpenSSH server

CVE-2024-6387

CVSS 8.1 HIGH (Provisional)

A significant vulnerability has been identified in OpenSSH’s server (sshd) on glibc-based Linux systems. The vulnerability, a signal handler race condition in sshd, poses a significant security risk by allowing unauthenticated remote code execution (RCE) as root. This issue impacts sshd in its default configuration.

According to data from Censys and Shodan, there are over 14 million OpenSSH server instances which are exposed to the wider internet and therefore potentially vulnerable.

This vulnerability is a regression of the previously patched CVE-2006-5051, reported in 2006. In this context, a regression means that a flaw once fixed has reappeared in a subsequent software release, typically due to changes or updates that inadvertently reintroduce the issue.  As such, the vulnerability has been dubbed regreSSHion.

Researchers at Qualys have been able to develop a working, proof-of-concept exploit for the regreSSHion vulnerability.

Affected versions

  • OpenSSH versions earlier than 4.4p1 are vulnerable to this signal handler race condition unless they are patched for CVE-2006-5051 and CVE-2008-4109.
  • Versions from 4.4p1 up to, but not including, 8.5p1 are not vulnerable due to a transformative patch for CVE-2006-5051, which made a previously unsafe function secure.
  • The vulnerability resurfaces in versions from 8.5p1 up to, but not including, 9.8p1 due to the accidental removal of a critical component in a function.
  • x86 systems have been validated as vulnerable; x64 systems are likely to be vulnerable, but this has yet to be validated.

OpenBSD systems are unaffected by this bug, as OpenBSD developed a secure mechanism in 2001 that prevents this vulnerability.
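The version ranges above are the kind of thing a defender applies to a banner-grab export of their own estate. The following is an added example, not code from the alert or from OpenSSH, that parses SSH server banners and classifies them against exactly those ranges; the sample inventory is constructed, and the use of the portable "pN" suffix to tell portable OpenSSH from an OpenBSD-native build is my assumption.

```python
import re
from collections import Counter

# Portable OpenSSH appends a "pN" suffix to its version; OpenBSD's native sshd does not.
# Assumption (mine, not from the alert): that suffix is how the two are told apart.
BANNER_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)(?:p(\d+))?")

# Version boundaries stated in the alert, as (major, minor, portable-suffix) tuples.
FIRST_SAFE_LEGACY = (4, 4, 1)  # < 4.4p1: vulnerable unless patched for CVE-2006-5051 / CVE-2008-4109
REGRESSED_FROM = (8, 5, 1)     # 8.5p1 reintroduced the bug
FIXED_IN = (9, 8, 1)           # 9.8p1 fixes it


def parse_openssh_version(banner):
    """Return (major, minor, portable) from an SSH banner, or None if it is not OpenSSH."""
    m = BANNER_RE.search(banner)
    if not m:
        return None
    major, minor, portable = m.groups()
    return (int(major), int(minor), int(portable) if portable else 0)


def classify(banner):
    """Classify one server banner against the version ranges in the alert.

    Caveat: distributions often backport the fix without changing the upstream
    version string, so "affected" means "in the affected range", not "confirmed vulnerable".
    """
    v = parse_openssh_version(banner)
    if v is None:
        return "unknown"   # not OpenSSH (e.g. dropbear); outside the scope of this alert
    if v[2] == 0:
        return "openbsd"   # no pN suffix: OpenBSD native build, stated as unaffected
    if v < FIRST_SAFE_LEGACY:
        return "legacy-check-cve-2006-5051"
    if v < REGRESSED_FROM:
        return "unaffected"
    if v < FIXED_IN:
        return "affected"
    return "fixed"


def summarise(inventory):
    """Count classifications over 'host banner' lines, e.g. from a banner-grab export."""
    counts = Counter()
    for line in inventory.strip().splitlines():
        _host, _, banner = line.partition(" ")
        counts[classify(banner)] += 1
    return counts


# Constructed sample inventory (made-up hosts, not real targets).
SAMPLE_INVENTORY = """\
10.0.0.1 SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13
10.0.0.2 SSH-2.0-OpenSSH_9.8p1
10.0.0.3 SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u7
10.0.0.4 SSH-2.0-OpenSSH_4.3p2
10.0.0.5 SSH-2.0-OpenSSH_9.7
10.0.0.6 SSH-2.0-dropbear_2022.83
"""

if __name__ == "__main__":
    for label, n in sorted(summarise(SAMPLE_INVENTORY).items()):
        print(f"{label}: {n}")
```

Hosts reported as "affected" still need a check of the vendor's package changelog, because a backported fix leaves the upstream version string unchanged.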

Impact

If exploited, this vulnerability could lead to a full system compromise, allowing an attacker to execute arbitrary code with the highest privileges. This would result in a complete system takeover, enabling the installation of malware, data manipulation, and the creation of backdoors for persistent access. It could also facilitate network propagation, allowing attackers to use the compromised system as a foothold to exploit other vulnerable systems within the organisation.

Gaining root access would enable attackers to bypass critical security mechanisms such as firewalls, intrusion detection systems, and logging mechanisms, further obscuring their activities. This could lead to significant data breaches, exposing all data stored on the system, including sensitive or proprietary information that could be stolen or publicly disclosed.

Despite its potential impact, this vulnerability is challenging to exploit due to its remote race condition nature, requiring multiple attempts for a successful attack. Exploiting it can cause memory corruption and necessitates overcoming Address Space Layout Randomization (ASLR). However, advancements in deep learning may significantly increase the exploitation rate, potentially giving attackers a substantial advantage in leveraging such security flaws.

Mitigation

The following steps should be considered to mitigate potential risks:

  • Patch Management: Urgently apply available patches for OpenSSH and prioritise ongoing update processes.
  • Enhanced Access Control: Limit SSH access through network-based controls to minimise the attack surface.
  • Network Segmentation and Intrusion Detection: Divide networks to restrict unauthorised access and lateral movements within critical environments and deploy systems to monitor and alert on unusual activities indicative of exploitation attempts.

FLASH Alert – Information Disclosure vulnerability in Check Point’s Quantum Gateway

CVE-2024-24919

CVSS 7.5 HIGH (Provisional)

On 27 May 2024, Check Point disclosed a vulnerability impacting the following products:

  • CloudGuard Network
  • Quantum Maestro
  • Quantum Scalable Chassis
  • Quantum Security Gateways
  • Quantum Spark Appliances

CVE-2024-24919 is an information disclosure vulnerability which would allow an unauthenticated threat actor to read certain information on Check Point Security Gateways once connected to the internet and enabled with the Remote Access VPN or Mobile Access Software Blades.

The following versions are known to be affected:

  • R77.20 (EOL)
  • R77.30 (EOL)
  • R80.10 (EOL)
  • R80.20 (EOL)
  • R80.20.x
  • R80.20SP (EOL)
  • R80.30 (EOL)
  • R80.30SP (EOL)
  • R80.40 (EOL)
  • R81, R81.10
  • R81.10.x
  • R81.20

The vulnerability is exploitable on affected systems if ONE of the following conditions is met:

  • The IPsec VPN Blade is enabled, but ONLY when included in the Remote Access VPN community.
  • The Mobile Access Software Blade is enabled.

Check Point has issued detailed instructions for applying hotfixes to affected services to mitigate this vulnerability. Additionally, the following has also been recommended:

  • Change the password of the Security Gateway’s account in Active Directory
  • Prevent Local Accounts from connecting to VPN with Password Authentication

The announcement of this vulnerability comes after Check Point identified a small number of login attempts on older local VPN accounts that used an unrecommended password-only authentication method. This indicates that the vulnerability is being exploited in the wild, and so the recommended hotfixes should be applied as soon as practicable.


Flash Alert – Critical vulnerabilities in ConnectWise

CVE: TBD

CVSS: 10.00 CRITICAL

CVE: TBD

CVSS: 8.4 HIGH

In the last week, ConnectWise has disclosed vulnerabilities affecting versions 23.9.7 (and older) of its ScreenConnect product.

Two vulnerabilities have been identified and published via a security bulletin on the ConnectWise website. Few details have been published, but the bulletin does indicate the following:

  • The first vulnerability allows for authentication bypass by utilisation of an alternate path or channel
  • The second vulnerability concerns the improper limitation of a pathname to a restricted directory (AKA “path traversal”)

Utilised together, these vulnerabilities would allow a threat actor to remotely execute code, or directly impact confidential data of critical systems.

ConnectWise is urging all users of ScreenConnect to update to version 23.9.8 to patch these vulnerabilities, but states that it has seen no evidence of exploitation in the wild.


Flash Alert – Significant vulnerability in FortiOS

CVE-2024-21762
CVSS: 9.8 CRITICAL

Fortinet has disclosed a significant vulnerability in FortiOS, their network operating system.

An out-of-bounds write issue is present in multiple versions of the product, potentially allowing a threat actor to remotely execute code and commands without authorisation by sending specially crafted HTTP requests.

The vulnerability impacts the following:

Fortinet FortiOS versions:

  • 7.4.0 through 7.4.2
  • 7.2.0 through 7.2.6
  • 7.0.0 through 7.0.13
  • 6.4.0 through 6.4.14
  • 6.2.0 through 6.2.15
  • 6.0.0 through 6.0.17

FortiProxy versions:

  • 7.4.0 through 7.4.2
  • 7.2.0 through 7.2.8
  • 7.0.0 through 7.0.14
  • 2.0.0 through 2.0.13
  • 1.2.0 through 1.2.13
  • 1.1.0 through 1.1.6
  • 1.0.0 through 1.0.7

Fortinet has detailed a workaround (disabling SSL VPN) and has provided guidance on ensuring that any affected products are updated. They have further disclosed their belief that this vulnerability is being exploited in the wild.

This comes soon after the discovery of Chinese APT VOLT TYPHOON actively targeting FortiOS to deploy their custom malware COATHANGER, including against the Dutch Ministry of Defence.


Flash Alert – Further vulnerabilities reported in Ivanti Connect Secure, Ivanti Policy Secure and Ivanti Neurons for ZTA

Two new vulnerabilities have been disclosed by Ivanti, relating to their Connect Secure, Policy Secure and Neurons for ZTA products and services.

Ivanti Connect Secure & Ivanti Policy Secure

CVE-2024-21888

CVSS: 8.8 HIGH

Ivanti has disclosed a further vulnerability affecting their Connect Secure and Policy Secure solutions. Impacting all currently supported versions (9.x and 22.x), the vulnerability allows a user (malicious or otherwise) to elevate their current privileges to that of an administrator.

Ivanti Connect Secure, Ivanti Policy Secure & Ivanti Neurons for ZTA

CVE-2024-21893

CVSS: 8.2 HIGH

A server-side vulnerability exists in the SAML component of Ivanti Connect Secure, Ivanti Policy Secure & Ivanti Neurons for ZTA.  When exploited, a threat actor could access certain restricted resources without needing to authenticate.

While no threat actor use of CVE-2024-21888 has yet been discovered, there has been limited, targeted use of CVE-2024-21893. Following the disclosure of these vulnerabilities, exploitation of impacted services is suspected to increase.  Therefore, it is vital that the affected services are fully patched and updated to mitigate any risks.

The release of these vulnerabilities follows Ivanti’s research into vulnerabilities disclosed earlier in the month, CVE-2023-46805 and CVE-2024-21887 (previously reported here).  Given the volume of vulnerabilities coming from Ivanti at this time, it is expected that threat actors will put an increased focus on identifying more in order to exploit vulnerable users.


Flash Alert – Vulnerabilities reported in Ivanti ICS, Ivanti Policy Secure and Citrix NetScaler

In the past week, the following vulnerabilities have been disclosed, affecting:

  • Ivanti ICS
  • Ivanti Policy Secure
  • Citrix NetScaler ADC
  • Citrix NetScaler Gateway

Ivanti ICS & Ivanti Policy Secure

CVE-2023-46805

CVSS: 8.2 HIGH

CVE-2024-21887

CVSS: 9.1 CRITICAL

Ivanti has disclosed the existence of two significant vulnerabilities affecting their Connect Secure and Policy Secure gateways, specifically versions 9.x and 22.x.

CVE-2023-46805 is an authentication bypass vulnerability, which allows a threat actor to remotely access restricted resources by bypassing control checks.  CVE-2024-21887 is a command injection vulnerability, granting an authenticated user the ability to send specially crafted requests and execute arbitrary commands on the vulnerable device.

When utilised together, a threat actor can compromise a vulnerable device and execute code with admin rights, leaving the victim company open to a significant risk of network intrusion and further criminal activity.

Palo Alto’s Unit 42 has observed over 30,000 vulnerable devices spread across 141 countries. It is actively responding to incidents involving these vulnerabilities, highlighting their use by threat actors in the wild.

Ivanti is currently working on patches to fix these vulnerabilities.  In the meantime, it is recommended that the mitigations they have suggested are implemented to avoid unnecessary risk.  These can be found here.

Citrix NetScaler ADC & Citrix NetScaler Gateway

CVE-2023-6548

CVSS: 5.5 MEDIUM

CVE-2023-6549

CVSS: 8.2 HIGH

Citrix has identified and disclosed further vulnerabilities in its NetScaler ADC and NetScaler Gateway products.  The following supported versions are affected:

  • NetScaler ADC and NetScaler Gateway 14.1 before 14.1-12.35
  • NetScaler ADC and NetScaler Gateway 13.1 before 13.1-51.15
  • NetScaler ADC and NetScaler Gateway 13.0 before 13.0-92.21
  • NetScaler ADC 13.1-FIPS before 13.1-37.176
  • NetScaler ADC 12.1-FIPS before 12.1-55.302*
  • NetScaler ADC 12.1-NDcPP before 12.1-55.302*

*NetScaler ADC and NetScaler Gateway version 12.1 is now End Of Life (EOL) and is vulnerable

CVE-2023-6548 allows an authenticated, low-privileged threat actor to remotely execute code on the management interface of a compromised device. This requires them to have access to the NSIP, CLIP or SNIP which itself has management interface access.

CVE-2023-6549 applies to appliances configured as one of the following:

  • VPN virtual servers
  • ICA proxies
  • CVPNs
  • RDP proxies
  • AAA virtual servers

Exploitation of this vulnerability involves a threat actor triggering improper restriction of operations within the bounds of a memory buffer, thereby causing an unauthenticated Denial of Service.

A patch will follow in due course, but in the meantime, Citrix recommends the following:

  • Ensure network traffic to the appliance’s management interface is separated, either physically or logically, from normal network traffic
  • Ensure the management interface is not exposed to the internet
  • Ensure all previous patches are installed and software is up-to-date

Citrix has noted that these vulnerabilities have been observed in the wild and targeted by threat actors.


Flash Alert – CitrixBleed victim with impacts on UK legal sector

CVE-2023-4966

CVSS: 9.4

In October 2023 we reported on an observation of a threat actor exploiting CVE-2023-4966, a vulnerability in Citrix NetScaler since dubbed CitrixBleed.  Further information on that report can be found here.

This vulnerability allows threat actors to hijack existing, authenticated sessions and bypass multi-factor authentication. As a result, they could fully control NetScaler environments, and therefore manage and control application delivery.

We’d previously stated an expectation that this vulnerability would continue to be exploited, banking on a slow patch rate, and this prediction appears to have been correct. In the last week, it has been reported that managed service provider (MSP) CTS has suffered a significant cyberattack as a result of CitrixBleed.

CTS provides IT services for the UK legal sector.  As a result of the attack, it is estimated that up to 200 UK firms and offices have been significantly impacted, resulting in a loss of access to systems and databases crucial for them to function. The incident was first noted on Wednesday (22nd November 2023) and continued into the weekend. This has had a significant impact on property buyers, with Fridays being the busiest days for purchase completions.

There is limited information available regarding the overall scope of the attack against CTS, but it has been suggested that ransomware had been deployed, which we will continue to monitor for. It is unknown whether any sensitive or confidential information has been impacted, but the incident has been reported to the ICO.

The targeting of an MSP at this time is significant. The UK Government has decided to not include an update to the NIS Regulations within the most recent King’s Speech, meaning that these will likely not be considered until after the next general election in 2024. Updating these regulations would treat MSPs as critical infrastructure, and encourage them to focus on and improve their own cybersecurity and defences in order to prevent supply chain attacks.  In the foreword to the UK Government’s “Proposal for legislation to improve the UK’s cyber resilience”,  Julia Lopez MP, Minister of State for Media, Data, and Digital Infrastructure stated:

“an attractive and high value target for malicious threat actors, and can be used as staging points through which threat actors can compromise the clients of those managed services,”

This is not the first such attack against an MSP in the UK. In August 2022, IT supplier Advanced was targeted with ransomware, which had a serious impact on the NHS’s ability to deliver care. In January 2023 the UK National Cyber Security Centre (NCSC) issued a warning regarding the use of MSPs, noting that use of their services would increase an organisation’s attack surface. An MSP with access to multiple clients makes them a “juicy target” for threat actors wanting to cause as much disruption as possible.



Flash Alert – Zero-day vulnerability in SysAid IT support software

CVE-2023-47246

CVSS: TBD

Research by Microsoft Threat Intelligence has identified a vulnerability in SysAid IT On-Premise software, documented as CVE-2023-47246. The vulnerability allows a threat actor to leverage path traversal in order to execute their own code within the target system.

It has been identified that the threat actor Lace Tempest has exploited the vulnerability by uploading a WAR archive containing a WebShell and other payloads into the webroot of the SysAid Tomcat web service. The full directory path was:

C:\Program Files\SysAidServer\tomcat\webapps\usersfiles\

The deployed WebShell granted the threat actor unauthorised access and control. Once established, they utilised PowerShell scripts to run a malware loader (with filename user.exe). This was in turn used to deploy the GraceWire Trojan, which was injected into one of the following running processes:

  • spoolsv.exe
  • msiexec.exe
  • svchost.exe

Once GraceWire was deployed, a second PowerShell script was executed to erase evidence of the threat actor’s presence from the disk and associated web logs.

Lace Tempest has previously been observed utilising the MOVEit vulnerability in June 2023, and deploying Cl0p ransomware.

Given the severity of the vulnerability, it is recommended that steps are taken immediately to deploy patches issued by SysAid.  Vulnerable users of the software should also review systems for evidence of prior exploitation.  Further details can be found on the SysAid blog here.

For further information on CL0P’s recent activities and other ransomware blogs check out my latest Ransomware statistics article here.


Flash Alert – Further exploitation of Citrix NetScaler

CVE-2023-4966

CVSS: 9.4

Last week, Citrix released a patch for CVE-2023-4966. This vulnerability allows threat actors to hijack existing, authenticated sessions and bypass multi-factor authentication. As a result, they could fully control NetScaler environments, and therefore manage and control application delivery.

The vulnerability impacts the following versions of Citrix NetScaler:

  • NetScaler ADC and NetScaler Gateway 14.1-8.50 and later releases
  • NetScaler ADC and NetScaler Gateway 13.1-49.15 and later releases of 13.1
  • NetScaler ADC and NetScaler Gateway 13.0-92.19 and later releases of 13.0
  • NetScaler ADC 13.1-FIPS 13.1-37.164 and later releases of 13.1-FIPS
  • NetScaler ADC 12.1-FIPS 12.1-55.300 and later releases of 12.1-FIPS
  • NetScaler ADC 12.1-NDcPP 12.1-55.300 and later releases of 12.1-NDcPP

Cybersecurity firm Mandiant has been tracking exploitation of the vulnerability and has seen evidence of use since August 2023 by an as-yet-unknown threat actor. This threat actor appears most concerned with cyberespionage, with targets including professional services, technology and government organisations. Over time, it is anticipated that further threat actors will begin exploiting this vulnerability across wider sectors for financial gain.

Despite the patch being issued, it is anticipated that exploitation of this vulnerability will increase. This is down to a slow uptake of patching undertaken by users of Citrix NetScaler. For example, we previously reported on CVE-2023-3519 which was patched in July 2023 after being exploited as early as June 2023. Research by the Shadowserver Foundation indicates at least 1,300 NetScaler instances are still vulnerable to this exploit.

Citrix recommends updating and patching all instances of NetScaler to the most recently available versions in order to limit the impact of the vulnerability. Further details can be found here.


Flash Alert – Critical Vulnerability in Cisco IOS XE Software

On 16 October 2023, Cisco reported on a vulnerability affecting Cisco IOS XE.  CVE-2023-20198 is a critical vulnerability apparent in the Web UI of Cisco IOS XE software.  It applies when the IOS is exposed to the internet or other untrusted networks, and impacts both physical and virtual devices with HTTP or HTTPS Server features enabled.

A threat actor can leverage this vulnerability to create an account on an affected device. This account would benefit from privilege level 15 access, which would grant the malicious user full control of the compromised device. From here they could freely engage in further unauthorised activity, such as data theft or malware deployment. They would also be able to monitor network traffic, pivot into protected networks, and perform man-in-the-middle attacks.

Research conducted by VulnCheck has identified thousands of hosts already impacted by this vulnerability.  They recommend disabling the web interface and removing all management interfaces from the internet.

At the time of posting, a patch for this vulnerability has yet to be released.  Cisco has recommended disabling the HTTP Server feature.  A compromise of the system can be detected by:

  • Monitoring access logs for any new or unknown users
  • Monitoring system logs for the following message (where filename is an unknown filename that does not correlate with an expected file installation action):
    • %WEBUI-6-INSTALL_OPERATION_INFO: User: username, Install Operation: ADD filename
  • Running the following on a suspect device, where systemip is the IP address of the system to check. An impacted system will return a hexadecimal string:
    • curl -k -X POST "https://systemip/webui/logoutconfirm.html?logon_hash=1"
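The two checks above are easy to automate over exported syslog and over the response body captured from the curl command. The following is an added example, not Cisco's code or tooling from the alert: it flags ADD install operations whose filename was not part of a planned install or whose user is not in a known-user set, and classifies a captured response body as hexadecimal or not. The log lines, usernames and filenames are constructed for illustration and are not indicators from the advisory.

```python
import re

# Syslog message the advisory tells defenders to watch for (quoted in the alert above).
INSTALL_RE = re.compile(
    r"%WEBUI-6-INSTALL_OPERATION_INFO: User: (?P<user>[^,]+), "
    r"Install Operation: (?P<op>\S+) (?P<file>\S+)"
)

# Constructed sample log extract: the users and filenames are made up, not IoCs.
SAMPLE_LOGS = """\
Oct 17 10:01:02.123: %SYS-5-CONFIG_I: Configured from console by admin on vty0
Oct 17 10:05:44.001: %WEBUI-6-INSTALL_OPERATION_INFO: User: admin, Install Operation: ADD cat9k_iosxe.17.09.04a.SPA.bin
Oct 17 11:22:09.531: %WEBUI-6-INSTALL_OPERATION_INFO: User: tmpuser1, Install Operation: ADD tmp/unexpected.conf
Oct 17 11:40:00.000: %WEBUI-6-INSTALL_OPERATION_INFO: User: admin, Install Operation: REMOVE cat9k_iosxe.17.09.03.SPA.bin
"""


def find_unexpected_installs(log_text, expected_files, known_users):
    """Return ADD operations whose filename was not a planned install, or whose
    user is not in known_users (the alert's 'new or unknown users' check)."""
    hits = []
    for line in log_text.splitlines():
        m = INSTALL_RE.search(line)
        if not m or m.group("op") != "ADD":
            continue  # only ADD operations are named in the advisory
        user, path = m.group("user"), m.group("file")
        reasons = []
        if path not in expected_files:
            reasons.append("unexpected-file")
        if user not in known_users:
            reasons.append("unknown-user")
        if reasons:
            hits.append({"user": user, "file": path, "reasons": reasons, "line": line})
    return hits


HEX_RE = re.compile(r"\A[0-9a-fA-F]+\Z")


def looks_like_implant_response(body):
    """The alert states an impacted device answers the logoutconfirm.html?logon_hash=1
    POST with a hexadecimal string. Assumption: surrounding whitespace is ignored and
    a blank or HTML body is treated as clean."""
    return bool(HEX_RE.match(body.strip()))


if __name__ == "__main__":
    planned = {"cat9k_iosxe.17.09.04a.SPA.bin"}  # constructed change-record entry
    for hit in find_unexpected_installs(SAMPLE_LOGS, planned, {"admin"}):
        print(hit["user"], hit["file"], hit["reasons"])
```

Feed the function the full log window since the device was last known-good, and keep the expected-files set sourced from change records rather than from the logs themselves.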

Further details on their recommendations and IoCs can be found here.

GitHub user ZephrFish https://twitter.com/ZephrFish has produced and shared a simple tool to scan if a host has been impacted by a threat actor using the vulnerability.  This can be found here.

The following Snort rule IDs are also available to detect exploitation:

  • 3:50118:2 – can alert for initial implant injection
  • 3:62527:1 – can alert for implant interaction
  • 3:62528:1 – can alert for implant interaction
  • 3:62529:1 – can alert for implant interaction

Additional ongoing discussions on this vulnerability can be followed on this twitter thread by Daniel Card https://twitter.com/UK_Daniel_Card/thread/1714536315834798314
