Beyond Information Security

Zyxel Firewall Devices Vulnerable to Remote Code Execution Attacks — Patch Now

Networking equipment maker Zyxel has released patches for a critical security flaw in its firewall devices that could be exploited to achieve remote code execution on affected systems.

The issue, tracked as CVE-2023-28771, is rated 9.8 on the CVSS scoring system. Researchers from TRAPA Security have been credited with reporting the flaw.

„Improper error message handling in some firewall versions could allow an unauthenticated attacker to execute some OS commands remotely by sending crafted packets to an affected device,“ Zyxel said in an advisory on April 25, 2023.

Products impacted by the flaw are –

  • ATP (versions ZLD V4.60 to V5.35, patched in ZLD V5.36)
  • USG FLEX (versions ZLD V4.60 to V5.35, patched in ZLD V5.36)
  • VPN (versions ZLD V4.60 to V5.35, patched in ZLD V5.36), and
  • ZyWALL/USG (versions ZLD V4.60 to V4.73, patched in ZLD V4.73 Patch 1)

Zyxel has also addressed a high-severity post-authentication command injection vulnerability affecting select firewall versions (CVE-2023-27991, CVSS score: 8.8) that could permit an authenticated attacker to execute some OS commands remotely.

Source: The hacker news / Securityweek

Link: https://thehackernews.com/2023/04/zyxel-firewall-devices-vulnerable-to.html

Link: https://www.securityweek.com/critical-vulnerability-in-zyxel-firewalls-leads-to-command-execution/


Apache Superset Vulnerability: Insecure Default Configuration Exposes Servers to RCE Attacks

The maintainers of the Apache Superset open source data visualization software have released fixes to plug an insecure default configuration that could lead to remote code execution.

The vulnerability, tracked as CVE-2023-27524 (CVSS score: 8.9), impacts versions up to and including 2.0.1 and relates to the use of a default SECRET_KEY that could be abused by attackers to authenticate and access unauthorized resources on internet-exposed installations.

Naveen Sunkavally, the chief architect at Horizon3.ai, described the issue as „a dangerous default configuration in Apache Superset that allows an unauth attacker to gain remote code execution, harvest credentials, and compromise data.“

It’s worth noting that the flaw does not affect Superset instances that have changed the default value for the SECRET_KEY config to a more cryptographically secure random string.
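A static check of the SECRET_KEY advice above, as an added example that is not from the article or the Superset project: it parses a superset_config.py, flags a key that is missing, listed as a known default, short or low-entropy, and generates a replacement with the secrets module. The article does not quote Superset's shipped default values, so KNOWN_DEFAULT_KEYS holds a labelled placeholder to be filled from the vendor advisory.

```python
import ast
import math
import secrets
from collections import Counter

# Constructed placeholder: the article does not quote Superset's shipped
# default values, so take them from the vendor advisory and list them here.
KNOWN_DEFAULT_KEYS = {"<superset-default-secret-from-advisory>"}
NON_LITERAL = "<non-literal>"

def shannon_entropy_bits(s: str) -> float:
    """Total Shannon entropy of a string (per-character entropy times length)."""
    counts = Counter(s)
    per_char = -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())
    return per_char * len(s)

def extract_secret_key(config_source: str):
    """SECRET_KEY string literal, NON_LITERAL if computed (e.g. env lookup), None if absent."""
    for node in ast.walk(ast.parse(config_source)):
        if not isinstance(node, ast.Assign):
            continue
        if any(isinstance(t, ast.Name) and t.id == "SECRET_KEY" for t in node.targets):
            value = node.value
            if isinstance(value, ast.Constant) and isinstance(value.value, str):
                return value.value
            return NON_LITERAL
    return None

def audit_secret_key(config_source: str) -> list:
    """Return a list of findings; an empty list means no static weakness found."""
    key = extract_secret_key(config_source)
    if key is None:
        return ["SECRET_KEY not set: Superset falls back to its built-in default"]
    if key == NON_LITERAL:
        return []  # cannot judge statically; audit the environment variable instead
    findings = []
    if key in KNOWN_DEFAULT_KEYS:
        findings.append("SECRET_KEY matches a known shipped default")
    if len(key) < 32:
        findings.append(f"SECRET_KEY is only {len(key)} characters long")
    if shannon_entropy_bits(key) < 128:
        findings.append("SECRET_KEY has under 128 bits of estimated entropy")
    return findings

def generate_secret_key() -> str:
    """Replacement key with 336 bits of entropy from the OS CSPRNG."""
    return secrets.token_urlsafe(42)

# Constructed sample config with a deliberately weak, non-default key.
SAMPLE_CONFIG = 'SQLALCHEMY_DATABASE_URI = "sqlite:////app/superset.db"\nSECRET_KEY = "changeme-superset-dev"\n'
```

Rotating SECRET_KEY invalidates every existing signed session, so plan the change for a maintenance window.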

Source: The hacker news / Bleeping computer / Horizon3.ai blog

Link: https://thehackernews.com/2023/04/apache-superset-vulnerability-insecure.html

Link: https://www.bleepingcomputer.com/news/security/thousands-of-apache-superset-servers-exposed-to-rce-attacks/

Link: https://www.horizon3.ai/cve-2023-27524-insecure-default-configuration-in-apache-superset-leads-to-remote-code-execution/


VMware Releases Critical Patches for Workstation and Fusion Software

VMware has released updates to resolve multiple security flaws impacting its Workstation and Fusion software, the most critical of which could allow a local attacker to achieve code execution.

The vulnerability, tracked as CVE-2023-20869 (CVSS score: 9.3), is described as a stack-based buffer-overflow vulnerability that resides in the functionality for sharing host Bluetooth devices with the virtual machine.

„A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine’s VMX process running on the host,“ the company said.

Also patched by VMware is an out-of-bounds read vulnerability affecting the same feature (CVE-2023-20870, CVSS score: 7.1), that could be abused by a local adversary with admin privileges to read sensitive information contained in hypervisor memory from a virtual machine.

Source: The hacker news / Bleeping computer / Securityweek

Link: https://thehackernews.com/2023/04/vmware-releases-critical-patches-for.html

Link: https://www.bleepingcomputer.com/news/security/vmware-fixes-critical-zero-day-exploit-chain-used-at-pwn2own/

Link: https://www.securityweek.com/vmware-patches-critical-vulnerability-disclosed-at-pwn2own-hacking-contest/


Cisco discloses XSS zero-day flaw in server management tool

Cisco disclosed today a zero-day vulnerability in the company’s Prime Collaboration Deployment (PCD) software that can be exploited for cross-site scripting attacks.

This server management utility enables admins to perform migration or upgrade tasks on servers in their organization’s inventory.

Tracked as CVE-2023-20060, the bug was found in the web-based management interface of Cisco PCD 14 and earlier by Pierre Vivegnis of the NATO Cyber Security Centre (NCSC).

Successful exploitation enables unauthenticated attackers to launch cross-site scripting attacks remotely but requires user interaction.

„This vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link,“ Cisco explains.

„A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information.“

While Cisco shared info on the flaw’s impact, the company will release security updates to address it sometime next month. For now, no workarounds are available to remove the attack vector.

Luckily, the Cisco Product Security Incident Response Team (PSIRT) has yet to find any evidence of malicious use in the wild and is unaware of public exploit code targeting the bug.

Source: Bleeping computer / Securityweek

Link: https://www.bleepingcomputer.com/news/security/cisco-discloses-xss-zero-day-flaw-in-server-management-tool/

Link: https://www.securityweek.com/cisco-working-on-patch-for-vulnerability-reported-by-nato-pentester/


The Week in Ransomware – April 28th 2023 – Clop at it again

It has been a very quiet week for ransomware news, with only a few reports released and not much info about cyberattacks.

However, an item of interest was Microsoft linking the recent PaperCut server attacks to the Clop and LockBit ransomware operations. Clop claims to have started exploiting PaperCut servers on April 13th, the same day Microsoft began seeing active exploitation of the vulnerabilities.

The ransomware operation told BleepingComputer that they utilized these exploits for initial access to corporate networks rather than to steal archived documents on the server.

Other ransomware reports released this week include:

  • An exposé on the initial-access broker and ransomware affiliate known as BassterLord.
  • A VMware ESXi encryptor for RTM Locker
  • A technical write-up on the new UNIZA Ransomware.

Finally, we learned that Yellow Pages Canada suffered a BlackBasta ransomware attack.

Source: Bleeping computer

Link: https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-april-28th-2023-clop-at-it-again/


Leveraging Breach Data for OSINT

Unearth the secrets of leveraging data breaches for OSINT investigations in this comprehensive cybersecurity article, packed with insights on real-world implications and essential strategies for staying vigilant in the constantly shifting digital landscape.

Source: Secjuice

Link: https://www.secjuice.com/leveraging-breach-data-for-osint/


Threat Source newsletter (April 27, 2023)

More information and research is still coming out around the 3CX supply chain attack. A new report indicates that it was actually two supply chain attacks linked together. The adversaries involved in the 3CX compromise first backdoored another application, which they then used to infiltrate 3CX and send out a malicious, fake update there. Additional reporting indicates that these same state-sponsored actors also infiltrated several critical infrastructure networks with a backdoor during this same campaign.

Source: Cisco Talos Intelligence Group

Link: https://blog.talosintelligence.com/threat-source-newsletter-april-27-2023-new-cisco-secure-offerings-and-extra-security-from-duo/