InfoSec Weekly
August 14, 2023
Table Of Contents
Android’s August Security Patch Released: 41 Vulnerabilities Patched
Description
Android has released its August Security patches, addressing 41 vulnerabilities among which 37 were categorized as High Severity and 4 as Critical Severity. These vulnerabilities encompassed categories like remote code execution (RCE), Elevation of Privileges (EoP), and Information Disclosure (ID). Android’s detailed evaluation uncovered vulnerabilities in several areas, like Android runtime, Framework, Media Framework, System, Kernel, and processor-related parts. In the Android Runtime, they addressed a vulnerability (CVE-2023-21265), which allowed remote information disclosure without needing execution privileges or user input. Framework addressed various high-severity concerns, including a crucial vulnerability (CVE-2023-21287) for remote code execution, as well as Elevation of Privilege (EoP), Information Disclosure (ID), and Denial of Service (DoS) matters. Critical remote code execution vulnerabilities were found in both Media Framework and System (CVE-2023-21282 and CVE-2023-21273). A Elevation of Privilege vulnerability (CVE-2023-21264) in the Kernel’s KVM subcomponent was discovered, potentially exploited without user interaction. Processor-related issues impacted Qualcomm, Arm, and MediaTek, tied to CVEs: CVE-2022-40510, CVE-2023-20780, and CVE-2022-34830.
Infected Technology
Android OS
Source
https://cybersecuritynews.com/android-august-security-updates/
Recommendation
• Practice regular software version tracking, make timely upgrades, remain vigilant and take precautions against potential threats.
New SystemBC Malware Variant Targets Southern African Power Company
Description
An unidentified threat actor is believed to have conducted a cyber-attack on a power generation company in southern Africa using a new version of the SystemBC malware called DroxiDat, possibly as a prelude to a ransomware assault. Kaspersky’s researchers revealed that this attack, occurring in late March 2023, involved the deployment of DroxiDat and Cobalt Strike Beacons in the nation’s critical infrastructure. SystemBC, a C/C++-based malware, is known for setting up SOCKS5 proxies on victim machines for malicious traffic. DroxiDat, slimmer than SystemBC, acted as a system profiler and transferred data to a remote server. The attackers’ identity remains unclear, but Russian ransomware groups, particularly FIN12, are suspected. Ransomware attacks on industrial organizations have doubled since Q2 2022, according to Dragos.
Infected Technology
Power generation companies
Source
https://thehackernews.com/2023/08/new-systembc-malware-variant-targets.html
Recommendation
• Use strong access controls. • Develop an incident response plan and maintain offline backups. • Employ application whitelisting, assess vendors, and share threat intel. • Adhere to regulations, involve experts, and conduct drills. • Consider a zero-trust model and secure remote access.
HTTP request smuggling bug patched in HAProxy
Description
HAProxy, a popular open-source load balancer and reverse proxy, has patched a vulnerability that could have allowed attackers to perform HTTP request smuggling attacks by sending carefully crafted requests. This could have enabled them to bypass HAProxy’s filters and gain unauthorized access to backend servers. The bug, present since HAProxy version 2.0 released in 2019, involved tricking HAProxy into dropping crucial header fields after partially processing them, causing confusion and potential security breaches. The maintainer of HAProxy, Willy Tarreau, highlighted that while the vulnerability isn’t complex to exploit, its impact depends on target servers’ reliance on HAProxy’s filters. Tarreau maintains various versions of HAProxy and has provided fixes for all affected versions. He also offered a temporary workaround for those unable to upgrade immediately. Tarreau emphasized that load balancers are crucial components and extended the maintenance of stable HAProxy versions to five years to allow users ample time for upgrades, but cautioned against relying on outdated versions.
Infected Technology
HAProxy
Source
https://portswigger.net/daily-swig/http-request-smuggling-bug-patched-in-haproxy
Recommendation
• Keep the HAProxy upto date.
Multiple Flaws in CyberPower and Dataprobe Products Put Data Centers at Risk
Description
Security researchers at Trellix have uncovered a series of severe vulnerabilities in CyberPower’s PowerPanel Enterprise Data Center Infrastructure Management (DCIM) platform and Dataprobe’s iBoot Power Distribution Unit (PDU). These vulnerabilities, numbered CVE-2023-3259 through CVE-2023-3267, with severity scores spanning 6.7 to 9.8, hold the potential to enable unauthorized access to these systems, opening the door for substantial damage in targeted environments. Both products are susceptible to remote code injection, which could permit the creation of backdoors or entry points into broader networks of interconnected data center devices and enterprise systems. Although no current evidence suggests active exploitation, the vulnerabilities were disclosed at DEFCON, emphasizing their significance. The issues have been addressed in the latest software and firmware releases. If successfully exploited, these vulnerabilities could lead to critical infrastructure disruptions, including shutdowns, ransomware attacks, DDoS assaults, or even cyber espionage, underlining the far-reaching consequences of such breaches.
Infected Technology
CyberPower’s PowerPanel Enterprise Data Center Infrastructure Management.
Source
https://thehackernews.com/2023/08/multiple-flaws-in-cyberpower-and.html
Recommendation
• Isolate critical systems to limit lateral movement for attackers. • Install the latest software updates to address vulnerabilities promptly.
CVE ID
CVE-2023-3259, CVE-2023-3260, CVE-2023-3261, CVE-2023-3262, CVE-2023-3263.
New Python URL Parsing Flaw Could Enable Command Execution Attacks
Description
A high-severity security flaw (CVE-2023-24329) has been uncovered in the Python URL parsing function urllib.parse, allowing attackers to exploit a parsing issue that circumvents domain and protocol blocklists. The flaw arises from insufficient input validation when the URL begins with blank characters, leading to potential arbitrary file reads and command execution. The vulnerability, discovered by security researcher Yebo Cao in August 2022, affects various Python versions and has been addressed in versions 3.7.17 and above, impacting the widely used urllib.parse function used for URL manipulation. This vulnerability could be exploited to bypass developer-set protections and facilitate Server-Side Request Forgery (SSRF) and Remote Code Execution (RCE) attacks across multiple scenarios.
Infected Technology
• Python programming language’s URL parsing function urllib.parse.
Source
https://thehackernews.com/2023/08/new-python-url-parsing-flaw-enables.html
Recommendation
• Upgrade to fixed Python versions (3.7.17 or higher) or apply patches to address CVE-2023-24329. • Implement robust input validation to prevent malicious URLs from exploiting the vulnerability. • Combine blocklists with other security controls, educate developers, and monitor for suspicious activity to mitigate risks effectively.
Ready to get started?
Don’t let the attacker get the upper hand – protect your services with our expertise. Contact us now and stay ahead of the game.
Contact Us