Feb 20 2023

Critical Remote Code Execution (RCE) Vulnerability Discovered in Cisco’s ClamAV Open-Source Antivirus Software

Description

Cisco has released security updates to fix a severe vulnerability discovered in ClamAV, an open-source antivirus engine. The flaw, identified as CVE-2023-20032 with a CVSS score of 9.8, is associated with remote code execution residing in the HFS+ file parser component. The vulnerability impacts versions 1.0.0 and earlier, 0.105.1 and earlier, and 0.103.7 and earlier. The issue was reported by Simon Scannell, a security engineer at Google. An attacker can exploit the vulnerability by submitting a malicious HFS+ partition file to ClamAV on an affected device. This can result in an arbitrary code execution and cause a denial-of-service (DoS) situation. In addition, Cisco has also fixed a remote information leak vulnerability found in ClamAV’s DMG file parser (CVE-2023-20052, CVSS score: 5.3) that could be abused by an unauthenticated remote attacker. This vulnerability could allow XML external entity injection if a malicious DMG file is scanned by ClamAV on an affected device.

Infected Technology

Secure Endpoint, formerly Advanced Malware Protection (AMP) for Endpoints (Windows, macOS, and Linux) Secure Endpoint Private Cloud, and Secure Web Appliance, formerly Web Security Appliance

Source

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-clamav-q8DThCy

Recommendation

Update to the latest version of the security updates provided by Cisco

CVE ID

CVE-2023-20032 CVE-2023-20052

Hackers backdoor Microsoft IIS servers with new Frebniis malware

Description

A new malware called ‘Frebniis’ has been detected by Symantec’s Threat Hunter Team, which is being used by an unknown group of threat actors to target organizations based in Taiwan. The malware is designed to execute commands sent via web requests on Microsoft’s Internet Information Services (IIS) server. The hackers exploit an IIS feature called ‘Failed Request Event Buffering’ (FREB) to intercept and monitor all HTTP POST requests sent to the server. The malware injects malicious code into the ‘iisfreb.dll’ file to enable this functionality, making it completely stealthy and hard to detect by security tools. The attackers need to compromise the FREB module by first breaching the IIS server, but the initial method used to gain access is unknown.

Infected Technology

Microsoft IIS servers

Source

https://www.bleepingcomputer.com/news/security/hackers-backdoor-microsoft-iis-servers-with-new-frebniis-malware/

Recommendation

To avoid such attacks, it is recommended to update software and use advanced network traffic monitoring tools to detect unusual activity.

Hackers Create Malicious Dota 2 Game Modes to Secretly Access Players’ Systems

Description

Recently, a threat actor, whose identity is unknown, created some custom game modes for Dota 2, a popular multiplayer online battle arena game, that could have been used to gain unauthorized access to the systems of players. The game modes exploited a critical vulnerability in the V8 JavaScript engine, which was identified as CVE-2021-38003 and had a severity score of 8.8. The vulnerability was a zero-day exploit and was fixed by Google in October 2021. The Avast researcher, Jan Vojtěšek, reported that since the V8 engine was not sandboxed in Dota 2, the exploit could enable remote code execution against other Dota 2 players. Following responsible disclosure to Valve, the game publisher, the V8 engine was upgraded on January 12, 2023, to fix the issue. Game modes are custom capabilities that can either enhance an existing game or provide new gameplay options that differ from the standard rules. Steam store has a vetting process for publishing custom game modes, but the antivirus vendor found some malicious game modes that managed to slip through the vetting process. These malicious game modes include “test addon plz ignore,” “Overdog no annoying heroes,” “Custom Hero Brawl,” and “Overthrow RTZ Edition X10 XP.” Additionally, the threat actor also published a fifth game mode named “Brawl in Petah Tiqwa” that did not contain any rogue code. “test addon plz ignore” contained an exploit for the V8 flaw that could execute custom shellcode, while the other three game modes had a more covert approach, where the malicious code was designed to contact a remote server to download a JavaScript payload. The server is no longer reachable. In a hypothetical attack, a player who launched one of these game modes could be targeted by the threat actor to gain remote access to their infected host and install additional malware to exploit their system further.

Source

https://informationsecuritybuzz.com/exploit-dota2-video-game-infecting-players/

Recommendation

Players of Dota 2 should update their game to the latest version and should be cautious when downloading custom game modes or other user-generated content, especially from untrusted sources.

CVE ID

CVE-2021-38003

Missing permission checks in Azure Credentials Plugin allow enumerating credentials IDs

Description

The Azure Credentials Plugin is used to manage credentials for Microsoft Azure services in Jenkins. As with any plugin, it is important that it has appropriate security controls in place to protect the sensitive data it manages. In the case of the earlier version of the plugin (253.v887e0f9e898b), certain HTTP endpoints did not perform permission checks, meaning that an attacker with Overall/Read permission could access information about the credentials stored in Jenkins.This information included the IDs of the credentials, which could be used in a subsequent attack to capture the credentials using another vulnerability. For example, an attacker could use a cross-site scripting (XSS) vulnerability in a different part of Jenkins to inject malicious code that would capture the credentials when they were used.By contrast, the updated version of the plugin (254.v64da_8176c83a) requires Overall/Administer permission to enumerate credentials IDs. This means that only users with administrative privileges can access this information, reducing the attack surface and making it more difficult for an attacker to exploit the plugin.

Infected Technology

Microsoft Azure

Source

https://www.jenkins.io/security/advisory/2023-02-15/#SECURITY-1757

Recommendation

Update to plugin 254.v64da_8176c83a

CVE ID

CVE-2023-25766

Microsoft Releases Patches for 3 Actively Exploited Windows Vulnerabilities

Description

Microsoft released a security update to fix 75 vulnerabilities across its products. Of these, three zero-day vulnerabilities were being actively exploited in the wild. Nine vulnerabilities were rated critical and 66 were rated important in severity. Out of these, 37 were remote code execution flaws. The three zero-day flaws were in Microsoft Office Security Feature Bypass, Windows Graphics Component, and Windows Common Log File System (CLFS) Driver Elevation of Privilege. These flaws could allow an attacker to bypass Office macro policies or gain SYSTEM privileges. Other vendors such as Adobe, Apple, Cisco, Google Chrome, Mozilla, and VMware also released security updates to address vulnerabilities in their products. Exchange servers had multiple RCE defects, including “Exploitation More Likely,” which requires an authenticated attacker. Microsoft OneNote for Android was vulnerable to CVE-2023-21823. Several denial-of-service (DoS) issues impacting Windows iSCSI Service and Windows Secure Channel were also addressed. Since OneNote has been increasingly used as a conduit for delivering malware, users must apply the fixes. Exchange servers have proven to be high-value targets, and unauthorized access to sensitive information or Business Email Compromise (BEC) attacks could occur if exploited. The CLFS component is an essential component of the Windows operating system, and vulnerabilities in this driver could significantly impact the security and reliability of the system. These include vulnerabilities in Android, Apple, Drupal, F5, GitLab, HP, IBM, Intel, Juniper Networks, Lenovo, Linux distributions, MediaTek, NETGEAR, NVIDIA, Palo Alto Networks, Qualcomm, Samba, Samsung, SAP, Schneider Electric, Siemens, Sophos, Synology, Trend Micro, Zoho, and Zyxel.

Infected Technology

Software and Applications like Qualcomm, Samba and other mentioned in description

Source

https://msrc.microsoft.com/update-guide/releaseNote/2023-Feb

Recommendation

Verify and Update to the latest patch.

CVE ID

CVE-2023-23376 CVE-2022-24521 CVE-2022-37969