CISA alerts about critical ManageEngine RCE vulnerability

The Cybersecurity and Infrastructure Security Agency (CISA) now includes a Java deserialization vulnerability of critical severity that affects numerous Zoho ManageEngine products. In servers running unpatched Zoho ManageEngine PAM360 and Password Manager Pro (without authentication) or Access Manager Plus (with authentication) software, this security flaw (CVE-2022-35405) can be exploited in low-complexity attacks to gain remote code execution without requiring user interaction. According to ManageEngine, they have removed the vulnerable components from PAM360, Access Manager Plus, and Password Manager Pro. Patches were released in June, and administrators are requested to upgrade to a fixed version, as a proof-of-concept exploit is already public.

Accorian can help identify this vulnerability in your environment.

Source: CISA warns of Critical ManageEngine RCE bug

Threat Advisory Team

Accorian

Article

Exploit Publicly available for MS Word Remote Code Execution flaw

CVE-2023-21716, a heap corruption vulnerability that was patched by Microsoft as part of its February 2023 Patch Tuesday cycle, now has it's exploit publicly accessible. The vulnerability holds a CVSS score of 9.8 and can allow attackers to execute code remotely without needing any authentication. The flaw impacts several MS Office and SharePoint versions, as well as Microsoft 365 Apps for Enterprise. The vulnerability exists in Microsoft Word's RTF parser and is a heap corruption issue. Attackers can remotely execute code with the same level of privileges as the victim if successfully exploited. The flaw does not require prior authentication, attackers can simply send a decoy RTF file to the victim(s) via email. ‘Protected View’, a feature of Microsoft Office 2010 and later, helps to reduce the impact that a malicious document provided from untrusted sources might cause. As the vulnerability exists when ‘Protected View’ is in use, exploiting it would require an additional sandbox escape vulnerability to gain full privileges. Although Microsoft has released fixes for CVE-2023-21716, it is strongly advised that organizations patch right away because the Proof of Concept is now widely available. Microsoft has also issued temporary solutions for CVE-2023-21716. Source: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21716 Threat Advisory Team Accorian

Article

Critical Vulnerability found in Atlassian's Jira Service Management

A critical security flaw in Jira Service Management Server and Data Centre has been fixed by Atlassian. The flaw has been identified as CVE-2023-22501 (CVSS rating: 9.4) and is described as a case of broken authentication with a simple attack vector. An attacker could take advantage of the flaw to pose to another user and access affected instances without authorization. This vulnerability affects Jira Service Management Server and Data Centre versions 5.3.0 to 5.3.2 and 5.4.0 to 5.5.0, respectively. According to Atlassian, an attacker could gain access to signup tokens with write access to a User Directory and outgoing email enabled on a Jira Service Management instance. Users who have never signed into their accounts are sent the tokens. The tokens can be accessed in two ways: If the attacker has access to requests or issues on Jira that include these users, or If the attacker is forwarded or obtains access to emails containing a “View Request” link from these users. Particularly vulnerable in this case are bot accounts. Users who are synchronized to the Jira service by read-only User Directories or single sign-on (SSO) are unaffected, however instances with single sign-on, external customer accounts can be affected in projects in which anyone can make their own account. Atlassian further noted that the issue does not affect Jira sites hosted in the cloud using an atlassian[.]net domain, and no remedial action is necessary in this scenario. Accorian advises you to upgrade each of your impacted installations to 5.3.3, 5.4.2, 5.5.1, or 5.6.0 or later considering Atlassian products' recent emergence as an alluring attack vector. Source:https://confluence.atlassian.com/jira/jira-service-management-server-and-data-center-advisory-cve-2023-22501-1188786458.html Threat Advisory Team Accorian

Article

Git affected by remote code execution attacks

Recently, Git patched 2 critical vulnerabilities which could be used to launch remote code execution attacks. The issues have been assigned CVE-2022-23521 and CVE-2022-41903. The vulnerabilities affect Git versions up to and including Git 2.39. CVE-2022-23521 affects the gitattributes mechanism. When parsing gitattributes, multiple integer overflows can occur when there is a huge number of path patterns, or when the declared attribute names are huge. CVE-2022-41903, also a critical vulnerability regarding integer overflow, can be triggered directly by a user running a command which invokes the commit formatting machinery or can be triggered indirectly through the git archive. These integer overflows may result in arbitrary heap writes, which can result in remote code execution. It is recommended that users of Windows, macOS, and Linux/Unix download and install the most recent git release, which is v2.39.1. Disable the git archive in untrusted repositories if upgrading is unfeasible. Versions 15.7.5, 15.6.6, and 15.5.9 for GitLab Community Edition (CE) and Enterprise Edition (EE) have been issued, according to GitLab, to resolve the issues. Customers are urged to apply the fixes with immediate effect. Accorian assures to assist all its clients. Please feel free to reach out to us if you have any questions. Source: https://about.gitlab.com/releases/2023/01/17/critical-security-release-gitlab-15-7-5-released https://x41-dsec.de/security/research/news/2023/01/17/git-security-audit-ostif/ Threat Advisory Team Accorian

Article

Redigo - The Redis backdoor Malware

A new Go-based malware, Redigo, is used in an attack targeting Redis servers. Threat actors are exploiting a critical vulnerability, tracked as CVE-2022-0543, in Redis servers. The CVE-2022-0543 vulnerability affects Debian and Linux distributions and is a Lua sandbox escape vulnerability. The vulnerability, which was given a severity rating of 10, might be used by a remote attacker who can run any Lua script to potentially bypass the Lua sandbox and execute arbitrary code. Threat actors attempt to connect to the Redis server through port 6379 in the first step of the attack chain to learn more about the CPU architecture. The second use of the command is to download the newly discovered Redigo Malware. After downloading the malware file, the attackers elevate the permissions of the file to execute it. The Redigo malware, according to researchers, is being used by threat actors to infect Redis servers and add them to a botnet that they may then deploy to perform denial-of-service (DDoS) attacks, run cryptocurrency miners, or steal information from the servers. All the users who run Redis on Debian, Ubuntu, and possibly other Debian-based distros are advised to update their Redis package to the latest available version, as the vulnerability has already been fixed. Accorian is happy to assist you for any assistance you may require. Please feel free to reach out to us. Source: https://blog.aquasec.com/redigo-redis-backdoor-malware Threat Advisory Team Accorian

Article

VMware warns of the public availability code for a critical vulnerability

Last week, VMware has released security updates to address a critical remote code execution vulnerability in VMware Cloud Foundation. It is tracked as CVE-2021-39144 and has been assigned a CVSS score of 9.8. The XStream open-source library contains the remote code execution flaw. Without any user interaction, unauthenticated attackers can take advantage of the vulnerability due to an unauthenticated endpoint that leverages XStream for input serialization in VMware Cloud Foundation. Due to the severity of the vulnerability the team has also released patches for end-of-life products. VMware did, however, confirm over the weekend that the attack code exploiting CVE-2021-39144 has been released and is available to the public. VMware vCloud Foundation 3.11 is the fixed version released in response to this vulnerability and as well as for CVE-2022-31678, which is an XML External Entity (XXE) vulnerability that can cause a denial-of-service condition. Accorian suggests our clients upgrade their installs to the latest release. Source: https://www.vmware.com/security/advisories/VMSA-2022-0027.html Threat Advisory Team Accorian

Threat Advisory