Git Vulnerabilities v2 (002)

Two new security vulnerabilities have recently been identified in Git. These vulnerabilities are only exploitable if Git is used on a Windows instance or a multi-user machine. Both of the vulnerabilities have been assigned a separate CVE namely CVE-2022-24765 and CVE-2022-24767.

1. CVE-2022-24765: The vulnerability if exploited could lead to a potential arbitrary code execution attack. Users using Git on multi-user Windows machines are at the highest risk. As the attacker can create a .git directory, and then cause git invocations to occur outside of the repository. Few variables like core.fsmonitor have capabilities to execute commands, thus leading to arbitrary code execution attacks.

2. CVE-2022-24767: This vulnerability is only exploitable on Git for Windows uninstaller, which runs in the temporary directory of the user. Any authenticated user can inject a malicious .dll file as the C:\Windows\Temp directory is world-writable. As the SYSTEM user inherits permissions of the Temp directory, the malicious DLLs when loaded are run via the SYSTEM account.

Both these vulnerabilities have been addressed in the latest update of Git, which is Git v2.35.2. Users are advised to apply these updates as soon as possible to prevent any exploitation. Additionally, Git has also released some compensatory controls to reduce the risk if immediate upgradation is not possible.

Kindly refer to the official Git document here(https://github.blog/2022-04-12-git-security-vulnerability-announced/) to understand the fixes and compensatory controls.

Accorian is always available to assist all its clients. Please feel free to reach out to us at Alert@accorian.com, if you have any questions.Source: https://github.blog/2022-04-12-git-security-vulnerability-announced/.

Article

Outdated WordPress plugin abused to deploy backdoors.

WordPress is a popular open-sourced content management system (CMS). An outdated WordPress plugin known, Eval PHP enables site administrators to insert PHP code into posts and pages of WordPress websites, which is then executed when the page is loaded in the browser. The "eval" function was originally used to execute arbitrary PHP code, which can be useful in certain contexts, such as when creating dynamic templates or customizing functionality. The plugin is still available on the WordPress plugins repository despite not receiving any updates in the last ten years. However, attackers are injecting backdoors into websites using the legitimate but outdated WordPress plugin known as Eval PHP. A sudden spike in the number of installations for the plugin was observed in April 2023. The attackers sneakily install the vulnerable plugin, which is available on the official WordPress plugin repository, on an already compromised website. All WordPress administrators are advised by Accorian to check for the presence of Eval PHP, particularly if they did not install the plugin themselves. The presence of this plugin on a website indicates that it is compromised and may contain backdoors. To prevent any exploitation, admins should remove the plugin if found and protect the account by implementing robust WAF and 2FA. It is also recommended to keep the site up to date with the latest updates. Source: https://blog.sucuri.net/2023/04/massive-abuse-of-abandoned-evalphp-wordpress-plugin.html Threat Advisory Team Accorian

Article

Critical Zero-day vulnerability in Microsoft Outlook

Microsoft recently released a patch for a new privilege escalation vulnerability (CVE-2023-23397) that impacts all versions of Microsoft Outlook on Windows. The vulnerability is being tracked as CVE-2023-23397 and holds a CVSS score of 9.8. By sending a specially crafted email, an attacker can remotely obtain hashed passwords without the victim ever having to open them. Microsoft has now officially released patches for the vulnerability, but it has been exploited as a zero-day vulnerability in NTLM-relay attacks since mid-April 2022. Without the interaction of the user, an attacker can steal NTLM credentials by sending a malicious email. Exploitation takes place when the system's reminder is triggered, and Outlook is opened. According to Microsoft, by sending a message with an extended MAPI property and a UNC path to an SMB (TCP 445) share on a server under the attacker's control, an attacker can exploit the vulnerability to retrieve NTLM hashes. Accorian recommends that organizations update Microsoft Outlook for Windows as soon as possible. If not possible immediately, block outbound SMB (TCP port 445) and add users to the Protected Users group in Active Directory. This would limit the impact of the vulnerability. Accorian can help you identify the vulnerability in your environment. For more information. kindly reach out to us. Source: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23397 Threat Advisory Team Accorian

Article

Exploit Publicly available for MS Word Remote Code Execution flaw

CVE-2023-21716, a heap corruption vulnerability that was patched by Microsoft as part of its February 2023 Patch Tuesday cycle, now has it's exploit publicly accessible. The vulnerability holds a CVSS score of 9.8 and can allow attackers to execute code remotely without needing any authentication. The flaw impacts several MS Office and SharePoint versions, as well as Microsoft 365 Apps for Enterprise. The vulnerability exists in Microsoft Word's RTF parser and is a heap corruption issue. Attackers can remotely execute code with the same level of privileges as the victim if successfully exploited. The flaw does not require prior authentication, attackers can simply send a decoy RTF file to the victim(s) via email. ‘Protected View’, a feature of Microsoft Office 2010 and later, helps to reduce the impact that a malicious document provided from untrusted sources might cause. As the vulnerability exists when ‘Protected View’ is in use, exploiting it would require an additional sandbox escape vulnerability to gain full privileges. Although Microsoft has released fixes for CVE-2023-21716, it is strongly advised that organizations patch right away because the Proof of Concept is now widely available. Microsoft has also issued temporary solutions for CVE-2023-21716. Source: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21716 Threat Advisory Team Accorian

Article

Critical Vulnerability found in Atlassian's Jira Service Management

A critical security flaw in Jira Service Management Server and Data Centre has been fixed by Atlassian. The flaw has been identified as CVE-2023-22501 (CVSS rating: 9.4) and is described as a case of broken authentication with a simple attack vector. An attacker could take advantage of the flaw to pose to another user and access affected instances without authorization. This vulnerability affects Jira Service Management Server and Data Centre versions 5.3.0 to 5.3.2 and 5.4.0 to 5.5.0, respectively. According to Atlassian, an attacker could gain access to signup tokens with write access to a User Directory and outgoing email enabled on a Jira Service Management instance. Users who have never signed into their accounts are sent the tokens. The tokens can be accessed in two ways: If the attacker has access to requests or issues on Jira that include these users, or If the attacker is forwarded or obtains access to emails containing a “View Request” link from these users. Particularly vulnerable in this case are bot accounts. Users who are synchronized to the Jira service by read-only User Directories or single sign-on (SSO) are unaffected, however instances with single sign-on, external customer accounts can be affected in projects in which anyone can make their own account. Atlassian further noted that the issue does not affect Jira sites hosted in the cloud using an atlassian[.]net domain, and no remedial action is necessary in this scenario. Accorian advises you to upgrade each of your impacted installations to 5.3.3, 5.4.2, 5.5.1, or 5.6.0 or later considering Atlassian products' recent emergence as an alluring attack vector. Source:https://confluence.atlassian.com/jira/jira-service-management-server-and-data-center-advisory-cve-2023-22501-1188786458.html Threat Advisory Team Accorian

Article

Git affected by remote code execution attacks

Recently, Git patched 2 critical vulnerabilities which could be used to launch remote code execution attacks. The issues have been assigned CVE-2022-23521 and CVE-2022-41903. The vulnerabilities affect Git versions up to and including Git 2.39. CVE-2022-23521 affects the gitattributes mechanism. When parsing gitattributes, multiple integer overflows can occur when there is a huge number of path patterns, or when the declared attribute names are huge. CVE-2022-41903, also a critical vulnerability regarding integer overflow, can be triggered directly by a user running a command which invokes the commit formatting machinery or can be triggered indirectly through the git archive. These integer overflows may result in arbitrary heap writes, which can result in remote code execution. It is recommended that users of Windows, macOS, and Linux/Unix download and install the most recent git release, which is v2.39.1. Disable the git archive in untrusted repositories if upgrading is unfeasible. Versions 15.7.5, 15.6.6, and 15.5.9 for GitLab Community Edition (CE) and Enterprise Edition (EE) have been issued, according to GitLab, to resolve the issues. Customers are urged to apply the fixes with immediate effect. Accorian assures to assist all its clients. Please feel free to reach out to us if you have any questions. Source: https://about.gitlab.com/releases/2023/01/17/critical-security-release-gitlab-15-7-5-released https://x41-dsec.de/security/research/news/2023/01/17/git-security-audit-ostif/ Threat Advisory Team Accorian

Threat Advisory