March 13, 2023

Apache HTTP Server: mod_proxy_uwsgi HTTP response splitting

Description

HTTP Response Smuggling is a type of vulnerability that allows an attacker to interfere with the way web servers and browsers interact with each other to manipulate the responses received by the end-user. In this specific case, the vulnerability affects Apache HTTP Server versions 2.4.30 through 2.4.55, and it’s related to the mod_proxy_uwsgi module, which is responsible for forwarding requests to a uwsgi application server.The issue arises when special characters, such as whitespace or newline characters, are included in the origin response header. This can cause the header to be interpreted incorrectly, which can lead to the response being split or truncated in unexpected ways. This means that an attacker can potentially craft a malicious request that would allow them to inject additional data into the response or manipulate the behavior of the client in some other way.The impact of this vulnerability can vary depending on the specific circumstances of the attack. In some cases, it may allow an attacker to bypass security controls, gain unauthorized access to sensitive information, or execute arbitrary code on the affected system. In other cases, it may simply result in unexpected behavior or errors in the affected application.

Infected Technology

Apache 2.4.55

Source

https://httpd.apache.org/security/vulnerabilities_24.html

Recommendation

Update to the latest version as soon as possible. Monitor their systems for any signs of unusual activity or unexpected behavior.

CVE ID

• CVE-2022-27522

New Critical Flaw in FortiOS and FortiProxy Could Give Hackers Remote Access

Description

Fortinet has released patches to address 15 security flaws, including one critical vulnerability (CVE-2023-25610) in FortiOS and FortiProxy that could allow an attacker to take control of affected systems. The flaw was discovered and reported internally by Fortinet’s security teams and is rated 9.3 out of 10 for severity. The vulnerability allows a remote unauthenticated attacker to execute arbitrary code on the device and/or perform a denial-of-service attack on the GUI via specially crafted requests. Fixes are available, and Fortinet recommends users apply them immediately or use workarounds such as disabling the HTTP/HTTPS administrative interface or limiting IP addresses that can reach it.

Infected Technology

FortiOS and FortiProxy

Source

https://thehackernews.com/2023/03/new-critical-flaw-in-fortios-and.html

Recommendation

• Apply Fortinet’s patches immediately or use workarounds recommended by Fortinet.
• Monitor network activity regularly for suspicious activity or unauthorized access.
• Use strong passwords, multi-factor authentication, and keep systems up to date.

Jenkins Security Alert: New Security Flaws Could Allow Code Execution Attacks

Description

The Jenkins automation server has been found to have two severe security vulnerabilities, named CorePlague, that could result in code execution on targeted systems. Cloud security firm Aqua has identified the flaws as CVE-2023-27898 and CVE-2023-27905, which impact the Jenkins server and Update Center. These vulnerabilities are the result of how Jenkins processes plugins from the Update Center and could enable a threat actor to upload a plugin with a malicious payload and trigger a cross-site scripting (XSS) attack. Since this is a case of stored XSS, the vulnerability can be activated without installing the plugin or visiting the URL. These vulnerabilities could lead to a complete compromise of the Jenkins server, potentially allowing unauthenticated attackers to execute arbitrary code. What’s more, these flaws can affect self-hosted Jenkins servers, even when not publicly accessible over the internet, as the public Jenkins Update Center can be injected by attackers. Attackers can upload a rogue plugin that is compatible with the Jenkins server and is surfaced on top of the main feed on the “Available Plugin Manager” page, which can be rigged by uploading a plugin that contains all plugin names and popular keywords embedded in the description or artificially boosting the download counts of the plugin by submitting requests from fake instances. Patches have been released by Jenkins for the Update Center and server since responsible disclosure on January 24, 2023. Users are recommended to update their Jenkins server to the latest available version to mitigate potential risks. This attack highlights the need for organizations to regularly check and update their software, as vulnerabilities can be exploited to gain unauthorized access to systems.

Infected Technology

Software and Applications

Source

https://thehackernews.com/2023/03/jenkins-security-alert-new-security.html

Recommendation

• Update Jenkins to the latest version.
• Install patches for Update Center and server.
• Conduct regular security checks and updates.
• Ensure proper security measures are in place.
• Follow responsible disclosure practices.

CVE ID

CVE-2023-27898 CVE-2023-27905

Bitwarden flaw can let hackers steal passwords using iframes

Description

Bitwarden’s autofill feature in its web browser extension can fill in login forms defined in embedded iframes, even those from external domains. This can potentially lead to malicious iframes embedded in trusted websites stealing users’ credentials and sending them to an attacker. While Bitwarden has been aware of this security problem since 2018, it has chosen to keep the behavior unchanged to accommodate legitimate sites that use iframes, and only added a warning to its documentation and extension settings. The risk is low, but still present, and Bitwarden has promised to block autofill on reported hosting environments in a future update, but it does not plan on changing the iframe functionality.

Infected Technology

Bitwarden

Source

https://www.bleepingcomputer.com/news/security/bitwarden-flaw-can-let-hackers-steal-passwords-using-iframes/

Recommendation

• Disable autofill feature in Bitwarden.
• Educate users about risks and encourage Two-Factor Authentication (2FA).
• Keep software up-to-date and use strong passwords.
• Regularly review access logs.
• Consider alternative password management solutions if necessary.

IceFire Ransomware Exploits IBM Aspera Faspex to Attack Linux-Powered Enterprise Networks

Description

IceFire, a ransomware previously known to target Windows-based systems, has shifted its focus to target Linux enterprise networks in the media and entertainment sector globally. Cybersecurity company SentinelOne has found that the attacks exploit a recently disclosed vulnerability in IBM Aspera Faspex file-sharing software, and most of the attacks have been directed against companies located in Turkey, Iran, Pakistan, and the U.A.E. The ransomware binary targeting Linux is a 2.18 MB 64-bit ELF file that’s installed on CentOS hosts running a vulnerable version of IBM Aspera Faspex file server software. In comparison to Windows, Linux is harder to deploy ransomware against, and attackers turn to exploiting application vulnerabilities to overcome this difficulty. Meanwhile, Fortinet FortiGuard Labs has disclosed a new LockBit ransomware campaign using “evasive tradecraft” to bypass detection through .IMG containers that avoid Mark-of-the-Web (MotW) protections.

Infected Technology

Linux-Powered Enterprise Networks

Source

https://thehackernews.com/2023/03/icefire-linux-ransomware.html

Recommendation

• Regularly update software and systems to patch vulnerabilities.
• Use strong passwords and implement multi-factor authentication.
• Implement a robust backup and disaster recovery plan.

BATLOADER Malware Uses Google Ads to Deliver Vidar Stealer and Ursnif Payloads

Description

BATLOADER is a malware downloader that has been observed abusing Google Ads to deliver secondary payloads like Vidar Stealer and Ursnif. The BATLOADER loader is responsible for distributing various types of malwares, such as information stealers, banking malware, Cobalt Strike, and ransomware. It achieves this using software impersonation tactics, where it creates websites that look like legitimate apps but are Windows installer files that trigger the infection sequence when clicked. These installer files contain Python scripts that execute the BATLOADER payload, which retrieves the next-stage malware from a remote server. This represents a slight change from previous attack methods, where PowerShell scripts were used instead of Python. Moreover, the malware can gain entrenched access to enterprise networks. The reason for impersonating popular applications is because they are commonly used in business networks and thus provide more valuable opportunities for monetization via fraud or hands-on-keyboard intrusions.

Infected Technology

Google Ads

Source

https://thehackernews.com/2023/03/batloader-malware-uses-google-ads-to.html

Recommendation

• Install reputable antivirus and anti-malware software