Outdated WordPress plugin abused to deploy backdoors

WordPress is a popular open-sourced content management system (CMS). An outdated WordPress plugin known, Eval PHP enables site administrators to insert PHP code into posts and pages of WordPress websites, which is then executed when the page is loaded in the browser. The “eval” function was originally used to execute arbitrary PHP code, which can be useful in certain contexts, such as when creating dynamic templates or customizing functionality. The plugin is still available on the WordPress plugins repository despite not receiving any updates in the last ten years.

However, attackers are injecting backdoors into websites using the legitimate but outdated WordPress plugin known as Eval PHP. A sudden spike in the number of installations for the plugin was observed in April 2023. The attackers sneakily install the vulnerable plugin, which is available on the official WordPress plugin repository, on an already compromised website.

All WordPress administrators are advised by Accorian to check for the presence of Eval PHP, particularly if they did not install the plugin themselves. The presence of this plugin on a website indicates that it is compromised and may contain backdoors. To prevent any exploitation, admins should remove the plugin if found and protect the account by implementing robust WAF and 2FA. It is also recommended to keep the site up to date with the latest updates.

Source: https://blog.sucuri.net/2023/04/massive-abuse-of-abandoned-evalphp-wordpress-plugin.html

Threat Advisory Team

Accorian

Article

Critical Vulnerability in Ivanti’s Avalanche Enterprise MDM Solution

Ivanti, a leading technology company that offers IT asset management, security, endpoint, and supply chain solutions has released patches for seven critical and high-severity vulnerabilities in Avalanche, its Enterprise Mobile Device Management (MDM) solution. Among the vulnerabilities is the directory traversal flaw tracked down as CVE-2023-32563. It’s the most severe of the flaws with a CVSS score of 9.8. The MDM solution's updateSkin function has this directory traversal flaw that can be exploited without authentication. The problem arises from a user-supplied path not being properly validated before being used in file operations. This vulnerability can be misused by an attacker to execute remote codes.The release also addressed multiple stack-based buffer overflow bugs collectively tracked down as CVE-2023-32560 with a CVSS score of 8.8. These were discovered in the Wavelink Avalance Manager, which processes data using a fixed-size stack-based buffer. By delivering a specially written message to the service, an adversary can take advantage of this and potentially cause code execution or disrupt the service. In addition, two other high-severity remote code execution vulnerabilities CVE-2023-32562 and CVE-2023-32564 and three authentication bypass flaws CVE-2023-32561, CVE-2023-32565, and CVE-2023-32566 present in various components of the MDM solution were patched.Although none of these problems have been reported as being exploited in the wild, Accorian strongly recommends that all users of Avalanche update it to version 6.4.1.207, released earlier this month. For any further assistance, kindly reachout to us on info@accorian.com Source: Ivanti Patches Critical Vulnerability in Avalanche Enterprise MDM Solution - SecurityWeek Threat Advisory Team Accorian

Article

Microsoft RCE & EOP Vulnerability in August Patch Release

Microsoft addressed 74 CVEs in its August Patch Tuesday release, out of which 6 were rated “Critical” and 67 were rated “Important”. Remote code execution (RCE) vulnerabilities made up 31.5% of the vulnerabilities patched, with elevation of privilege (EoP) vulnerabilities making up 24.7%. One zero-day vulnerability was also addressed in the release. Among the RCE vulnerabilities are the CVE-2023-35385, CVE-2023-36910 and CVE-2023-36911 which have been assigned a CVSSv3 score of 9.8 and are “Critical”. The vulnerabilities are found in the Microsoft Message Queuing (MSMQ) component of the Windows operating system. An unauthenticated remote attacker can exploit this flaw by sending malicious MSMQ packets to a vulnerable MSMQ server, which leads to arbitrary code execution. Yet, to exploit this weakness, the susceptible server's Message Queuing service must be activated. According to Microsoft, if the service is enabled, it runs as "Message Queuing" and listens on TCP port 1801. Another “Important” rated vulnerability is CVE-2023-21709 which is an EoP vulnerability found in Microsoft Exchange Server. An adversary could exploit this flaw by trying to brute force the password for valid user accounts. If exploited, the adversary can login as another user. According to Microsoft, a PowerShell script must be run after the patch has been applied. Microsoft addressed five other vulnerabilities in Microsoft Exchange Server which are tracked down as CVE-2023-38181, CVE-2023-38185, CVE-2023-35368, CVE-2023-38182 and CVE-2023-35388. The CVE-2023-38181 is a Spoofing Vulnerability which is assigned a CVSSv3 score of 8.8. If exploited, an attacker might acquire access to a user's Net-NTLMv2 hash, which could then be used to launch an NTLM Relay attack against another service to authenticate as the user. The rest are RCE vulnerabilities with scores 8.8, 8.8, 8.0 and 8.0 respectively. The CVE-2023-3182 and CVE-2023-35388 are rated “Exploitation More Likely” by Microsoft. If exploited, an adversary could execute a code using PowerShell remoting session. To successfully exploit, the adversary would need to have LAN access and valid credentials for an Exchange user. Accorian strongly recommends patching systems as soon as they can be and routinely scanning your environment to find any systems that need to be patched. Organizations are encouraged to apply the latest Windows updates for August. Source: https://msrc.microsoft.com/update-guide/releaseNote/2023-Aug Threat Advisory Team Accorian

Article

Critical Security Zero Day Vulnerabilities in Critix products - NetScaler ADC and NetScaler Gateway

Citrix, a leading technology company, has issued a warning to its customers about a critical-severity RCE vulnerability (CVE-2023-3519) in its NetScaler ADC and NetScaler Gateway products. The severity of the issue is highlighted as critical and a CVSS score of 9.8. The exploits for this vulnerability are out in the wild and an adversary can use it to exploit Critix ADC versions up to 13.1 build 48.47.1. If this vulnerability is not fixed, adversaries would be able to exploit it to execute remote code without any authentication. The vulnerable appliance must, however, be set up as a gateway (VPN virtual server, ICA proxy, CVPN, RDP proxy), or as an authentication virtual server (often known as the AAA server), for attackers to take advantage of this security weakness. Along with this Critix also addressed two other vulnerabilities: Reflected Cross-Site Scripting (CVE-2023-3466) and Privilege Escalation (CVE-2023-3467). Both being critical vulnerabilities, have a severity score of 8.3 and 8.0 respectively. The reflected cross-site scripting (XSS) issue requires a victim to load a link from an attacker on the same network. The Privilege Escalation vulnerability enables attackers to elevate privileges to those of a root administrator if they have authenticated access to the NetScaler appliances IP address (NSIP) or a SubNet IP (SNIP) with access to the management interface. Accorian strongly recommends the users of NetScaler ADC and NetScaler Gateway to update to the latest versions to fix all three issues at hand. The recommended versions are: NetScaler ADC and NetScaler Gateway 13.1-49.13 and later releases NetScaler ADC and NetScaler Gateway 13.0-91.13 and later releases of 13.0 NetScaler ADC 13.1-FIPS 13.1-37.159 and later releases of 13.1-FIPS NetScaler ADC 12.1-FIPS 12.1-65.36 and later releases of 12.1-FIPS NetScaler ADC 12.1-NDcPP 12.1-65.36 and later releases of 12.1-NDcPP Source: New critical Citrix ADC and Gateway flaw exploited as zero-day (bleepingcomputer.com) Threat Advisory Team Accorian

Article

Critical Flaw Uncovered in WordPress Plugin Used by 30,000 Websites

WordPress, the world's most popular website builder has recently published a critical vulnerability in one of their plugins, Abandoned Cart Lite for WooCommerce. The plugin is used by approximately 30,000 websites. The vulnerability has been tracked as CVE-2023-2986 and has been assigned a CVSS score of 9.8. The vulnerability revolves around a broken access mechanism, which allows an adversary to gain unauthorized access to the accounts of users who have left their carts without completing the process of purchase basically, abandoned carts. According to the configuration of the Abandoned Cart Lite for WooCommerce plugin, a notification will be sent to customers who have not completed the process of purchasing. The notification has a link that automatically logs in the customer to the website to continue the process. Although this link contains an encrypted value that identifies the abandoned cart, the encryption key for this encrypted value is hardcoded in the plugin. This flaw allows adversaries to manipulate the abandoned cart id and gain access to the account associated with the abandoned cart. To mitigate this vulnerability, Accorian strongly recommends organizations to update the Abandoned Cart Lite for WooCommerce plugin to the latest version 5.15.1. By applying this update, users can ensure that the encryption key is no longer hardcoded, thereby preventing unauthorized access to user accounts through manipulated abandoned cart identifiers. It is also recommended to keep the site up to date with all the future updates. Source: https://www.wordfence.com/blog/2023/06/tyche-softwares-addresses-authentication-bypass-vulnerability-in-abandoned-cart-lite-for-woocommerce-wordpress-plugin/ Threat Advisory Team Accorian

Article

VMware discloses 3 high severity bugs in their network monitoring tool

VMware, a provider of virtualization and cloud computing services, has released security upgrades to address three vulnerabilities in the Aria Operations for Networks weaknesses that might expose user information and allow remote code execution. The tool, named Aria, offers network visibility and analytics to speed micro-segmentation security, reduce risk during application migration, and enhance network performance. Versions 6.2, 6.3, 6.4, 6.5.1, 6.6, 6.7, 6.8, 6.9, and 6.10 are susceptible to the attacks. CVE 2023-20887 is a command injection vulnerability with a CVSS severity score of 9.8, allowing an attacker to execute code remotely. The second, a 9.1 severity authentication deserialization flaw (CVE 2023-20888), permits remote code execution as well. A malicious actor may potentially execute remote code if they had network access to VMware Aria Operations for Networks and were an authorized member. The third vulnerability (CVE 2023-20889), rated 8.8, permits command injection attacks that could enable an attacker to get access to sensitive data. According to a statement made by VMware, there is no proof that attackers have leveraged the vulnerabilities to carry out any attacks. All three vulnerabilities have been patched, and according to VMware, there are no additional workarounds at this time. Accorian recommends applying all the patches to protect their environment. Source: https://www.vmware.com/security/advisories/VMSA-2023-0012.html Threat Advisory Team Accorian

Threat Advisory