Jan 30, 2023

Chinese Hackers Exploited Fortinet VPN Vulnerability as Zero-Day

Description

A cyber threat actor believed to be linked to China has been found to have exploited a recently patched vulnerability in Fortinet FortiOS SSL-VPN, known as CVE-2022-42475, in attacks against a European government entity and an African managed service provider (MSP). Google-owned Mandiant gathered evidence showing the exploitation occurred as early as October 2022, nearly two months before fixes were released. The attacks used a sophisticated backdoor called BOLDMOVE, which is a Linux variant specifically designed to run on Fortinet’s FortiGate firewalls. The malware, written in C, can read data from a file format that’s proprietary to Fortinet. The malware is also capable of carrying out a system survey, receiving commands from a command-and-control (C2) server and relay traffic via the infected host. Mandiant noted that the exploitation of zero-day vulnerabilities in networking devices and the installation of custom implants is consistent with previous Chinese exploitation of networking devices.

Infected Technology

Fortinet FortiOS SSL-VPN

Source

https://www.securityweek.com/chinese-hackers-exploited-fortinet-vpn-vulnerability-zero-day

Recommendation

Keep Software up to date. Conduct Regular Security Assessments Monitor network security

CVE ID

CVE-2022-42475

Samsung Galaxy Store App Found Vulnerable to Sneaky App Installs and Fraud

Description

Two security weaknesses in Samsung’s Galaxy Store app for Android have been discovered, which might be abused by a local attacker to install arbitrary programs or redirect prospective victims to fake web landing sites. The vulnerabilities, identified as CVE-2023-21433 and CVE-2023-21434, were found by NCC Group in November and December 2022 and reported to the South Korean chaebol. Samsung classed the issues as moderately dangerous and fixed them in version 4.5.49.8, which was published earlier this month. CVE-2023-21433, the first of the two vulnerabilities, may allow a previously installed rogue Android app on a Samsung smartphone to install any program accessible on the Galaxy Store. Samsung classified it as an instance of poor access control that has now been fixed with sufficient permissions to prevent unwanted access. It’s worth noting that the issue only affects Samsung handsets running Android 12 and earlier, not those running the most recent version (Android 13). The update comes as Samsung rolled out security updates for the month of January 2023 to remediate several flaws, some of which could be exploited to modify carrier network parameters, control BLE advertising without permission, and achieve arbitrary code execution.

Infected Technology

Samsung’s devices

Source

https://thehackernews.com/2023/01/samsung-galaxy-store-app-found.html

Recommendation

Update the app to the latest version as soon as possible.

CVE ID

CVE-2023-21433 CVE-2023021434

IoT vendors faulted for slow progress in setting up vulnerability disclosure programs

Description

The IoT Security Foundation (IoTSF) released a report that shows that only 27.1% of IoT vendors have a vulnerability disclosure policy, which is a concern as it is a best practice for connected product security and there is a potential for penalties for non-compliance with the UK’s new Product Security and Telecoms Infrastructure regulations. The study also found that vendors from Asia tend to have better vulnerability disclosure programs compared to European suppliers. The study was based on a review of 332 companies that sell consumer focused IoT products and covered a range of products from tablets and routers to smart home lighting controls. Lawmakers are pushing for regulations to improve the security of IoT products, and the study also found an increase in the use of ‘security.txt’ files and a decline in PGP key usage for secure submissions, as well as an increase in the use of third-party ‘proxy services’ to host and maintain policies.

Infected Technology

IoT

Source

https://portswigger.net/daily-swig/iot-vendors-faulted-for-slow-progress-in-setting-up-vulnerability-disclosure-programs

Recommendation

IoT vendors should establish vulnerability disclosure programs, have a dedicated point of contact for security researchers, have a clear process for addressing reported vulnerabilities and be transparent with customers about the status of vulnerabilities and steps taken to address them.

The latest BIND updates patch multiple remotely exploitable vulnerabilities that could lead to denial-of-service (DoS)

Description

The IoT Security Foundation (IoTSF) has released a report that states that only 27.1% of IoT vendors have a vulnerability disclosure policy. This is a concern as it is a best practice for connected product security and there is potential for penalties for non-compliance with the UK’s new Product Security and Telecoms Infrastructure regulations. The study also found that vendors from Asia tend to have better vulnerability disclosure programs compared to European suppliers. The study was conducted by reviewing 332 companies that sell consumer focused IoT products, which covered a range of products from tablets and routers to smart home lighting controls. The report also highlights that there is an increase in the use of ‘security.txt’ files and a decline in PGP key usage for secure submissions, as well as an increase in the use of third-party ‘proxy services’ to host and maintain policies.

Infected Technology

BIND

Source

https://securityaffairs.com/141465/security/isc-fixed-bind-flaws.html

Recommendation

Upgrade to the latest versions of BIND (9.16.37, 9.18.11, and 9.19.9) as soon as possible. Limit the number of clients that are permitted to make dynamic zone changes. Configure the stale-answer-client-timeout option to a positive integer. Monitor logs for any suspicious activity. Restrict access to DNS servers to trusted hosts only.

CVE ID

CVE-2022-3094 CVE-2022-3736 CVE-2022-3924

A critical vulnerability in VMware vRealize Log Insight appliance.

Description

​​VMware addressed multiple vulnerabilities, tracked as CVE-2022-31706, CVE-2022-31704, CVE-2022-31710, and CVE-2022-31711, in its vRealize Log Insight appliance. VRealize Log Insight is a log collection and analytics virtual appliance that enables administrators to collect, view, manage and analyze syslog data. Log Insight provides real-time monitoring of application logs, network traces, configuration files, messages and performance data.The most severe flaws impacting the product are a Directory Traversal Vulnerability tracked as CVE-2022-31706 (CVSS score 9.8), and a broken access control vulnerability tracked as CVE-2022-31704 (CVSS score 9.8).An unauthenticated, attacker can exploit one of the two flaws to inject files into the operating system of an impacted appliance which can result in remote code execution. CVE-2022-31710 – Deserialization Vulnerability (CVSS score 7.5) that can be exploited by a remote attacker to trigger the deserialization of untrusted data which could result in a denial of service.CVE-2022-31711 – Information Disclosure Vulnerability (CVSS score 7.5) which can be exploited by a remote attacker to collect sensitive session and application information without authentication.

Infected Technology

VMware vRealize

Source

https://securityaffairs.com/141298/security/vmware-vrealize-log-insight-rce.html

Recommendation

Patch or update provided by VMware as soon as possible

CVE ID

CVE-2023-21433 CVE-2023021434