Beyond Information Security

Ivanti Rushes Patches for 4 New Flaws in Connect Secure and Policy Secure

Ivanti has released security updates to address four security flaws impacting Connect Secure and Policy Secure Gateways that could result in code execution and denial-of-service (DoS).

The list of flaws is as follows –

  • CVE-2024-21894 (CVSS score: 8.2) – A heap overflow vulnerability in the IPSec component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows an unauthenticated malicious user to send specially crafted requests in order to crash the service thereby causing a DoS attack. In certain conditions, this may lead to execution of arbitrary code.
  • CVE-2024-22052 (CVSS score: 7.5) – A null pointer dereference vulnerability in IPSec component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows an unauthenticated malicious user to send specially crafted requests in order to crash the service thereby causing a DoS attack.
  • CVE-2024-22053 (CVSS score: 8.2) – A heap overflow vulnerability in the IPSec component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows an unauthenticated malicious user to send specially crafted requests in order to crash the service thereby causing a DoS attack or in certain conditions read contents from memory.
  • CVE-2024-22023 (CVSS score: 5.3) – An XML entity expansion or XEE vulnerability in SAML component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows an unauthenticated attacker to send specially crafted XML requests in order to temporarily cause resource exhaustion thereby resulting in a limited-time DoS.

The company, which has been grappling with a steady stream of security flaws in its products since the start of the year, said it’s not aware of “any customers being exploited by these vulnerabilities at the time of disclosure.”

Source: The hacker news / Bleeping computer / Dark reading / Ivanti security advisory

Link: https://thehackernews.com/2024/04/ivanti-rushes-patches-for-4-new-flaw-in.html

Link: https://www.bleepingcomputer.com/news/security/new-ivanti-rce-flaw-may-impact-16-000-exposed-vpn-gateways/

Link: https://www.bleepingcomputer.com/news/security/ivanti-fixes-vpn-gateway-vulnerability-allowing-rce-dos-attacks/

Link: https://www.darkreading.com/remote-workforce/ivanti-ceo-commits-to-security-overhaul-day-after-vendor-discloses-4-more-vulns

Link: https://forums.ivanti.com/s/article/SA-CVE-2024-21894-Heap-Overflow-CVE-2024-22052-Null-Pointer-Dereference-CVE-2024-22053-Heap-Overflow-and-CVE-2024-22023-XML-entity-expansion-or-XXE-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US


Google Warns: Android Zero-Day Flaws in Pixel Phones Exploited by Forensic Companies

Google has disclosed that two Android security flaws impacting its Pixel smartphones have been exploited in the wild by forensic companies.

The high-severity zero-day vulnerabilities are as follows –

  • CVE-2024-29745 – An information disclosure flaw in the bootloader component
  • CVE-2024-29748 – A privilege escalation flaw in the firmware component

“There are indications that the [vulnerabilities] may be under limited, targeted exploitation,” Google said in an advisory published April 2, 2024.

While the tech giant did not reveal any other information about the nature of the attacks exploiting these shortcomings, the maintainers of GrapheneOS said they “are being actively exploited in the wild by forensic companies.”

Source: The hacker news / Securityweek / Pixel-Update-Bulletin

Link: https://thehackernews.com/2024/04/google-warns-android-zero-day-flaws-in.html

Link: https://www.bleepingcomputer.com/news/security/google-fixes-two-pixel-zero-day-flaws-exploited-by-forensics-firms/

Link: https://www.securityweek.com/pixel-phone-zero-days-exploited-by-forensic-firms/

Link: https://source.android.com/docs/security/bulletin/pixel/2024-04-01?hl=de


New HTTP/2 Vulnerability Exposes Web Servers to DoS Attacks

New research has found that the CONTINUATION frame in the HTTP/2 protocol can be exploited to conduct denial-of-service (DoS) attacks. The technique has been codenamed HTTP/2 CONTINUATION Flood by security researcher Bartek Nowotarski, who reported the issue to the CERT Coordination Center (CERT/CC) on January 25, 2024.

“Many HTTP/2 implementations do not properly limit or sanitize the amount of CONTINUATION frames sent within a single stream,” CERT/CC said in an advisory on April 3, 2024.

“An attacker that can send packets to a target server can send a stream of CONTINUATION frames that will not be appended to the header list in memory but will still be processed and decoded by the server or will be appended to the header list, causing an out of memory (OOM) crash.”

Like in HTTP/1, HTTP/2 uses header fields within requests and responses. These header fields can comprise header lists, which in turn, are serialized and broken into header blocks. The header blocks are then divided into block fragments and transmitted within HEADERS or what’s called CONTINUATION frames.

“The CONTINUATION frame (type=0x9) is used to continue a sequence of header block fragments,” the documentation for RFC 7540 reads.
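The advisory's point is that servers must bound both the number of CONTINUATION frames and the bytes they accumulate for one header block. The following is an added illustration, not code from CERT/CC, Nowotarski or any HTTP/2 implementation: a minimal RFC 7540 frame-header parser plus the per-stream limits a server should enforce, exercised on constructed frame sequences (the limit values and the helper names are assumptions chosen for the demo).

```python
import struct

HEADERS, CONTINUATION = 0x1, 0x9   # frame types from RFC 7540 §6.2 / §6.10
END_HEADERS = 0x4                  # flag that terminates a header block

def parse_frames(data: bytes):
    """Yield (type, flags, stream_id, payload) from raw HTTP/2 frames (RFC 7540 §4.1:
    24-bit length, 8-bit type, 8-bit flags, 1 reserved bit + 31-bit stream id)."""
    off = 0
    while off + 9 <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        stream_id = struct.unpack(">I", data[off + 5:off + 9])[0] & 0x7FFFFFFF
        yield ftype, flags, stream_id, data[off + 9:off + 9 + length]
        off += 9 + length

def check_header_blocks(data: bytes, max_continuations=8, max_header_bytes=16384):
    """Enforce the two limits the advisory says many servers lack. Returns (verdict, reason)."""
    open_stream = None          # stream whose header block is still being received
    cont_count = block_bytes = 0
    for ftype, flags, sid, payload in parse_frames(data):
        if ftype == HEADERS:
            if open_stream is not None:
                return "reject", "HEADERS while a header block is open"
            open_stream, cont_count, block_bytes = sid, 0, len(payload)
        elif ftype == CONTINUATION:
            if open_stream != sid:
                return "reject", "CONTINUATION without an open header block"
            cont_count += 1
            block_bytes += len(payload)
            if cont_count > max_continuations:
                return "reject", "too many CONTINUATION frames"
        elif open_stream is not None:
            return "reject", "non-CONTINUATION frame inside a header block"
        else:
            continue            # unrelated frame outside any header block
        if block_bytes > max_header_bytes:
            return "reject", "header block exceeds byte limit"
        if flags & END_HEADERS:
            open_stream = None  # block complete; counters reset on the next HEADERS
    return "accept", "ok"

def frame(ftype, flags, sid, payload: bytes) -> bytes:
    """Build one HTTP/2 frame (used only to construct sample input below)."""
    return len(payload).to_bytes(3, "big") + bytes([ftype, flags]) + struct.pack(">I", sid) + payload

# Constructed samples: a normal two-fragment header block, and one that never sends END_HEADERS.
BENIGN = frame(HEADERS, 0, 1, b"\x82") + frame(CONTINUATION, END_HEADERS, 1, b"\x86")
UNBOUNDED = frame(HEADERS, 0, 3, b"\x82") + b"".join(frame(CONTINUATION, 0, 3, b"\x00" * 64) for _ in range(100))
```

A real server would additionally feed the fragments to its HPACK decoder only after END_HEADERS, so that decoding work is also bounded by the same limits.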

Source: The hacker news / Bleeping computer / Securityweek / Nowotarski info blog

Link: https://thehackernews.com/2024/04/new-http2-vulnerability-exposes-web.html

Link: https://www.bleepingcomputer.com/news/security/new-http-2-dos-attack-can-crash-web-servers-with-a-single-connection/#google_vignette

Link: https://www.securityweek.com/new-http-2-dos-attack-potentially-more-severe-than-record-breaking-rapid-reset/

Link: https://nowotarski.info/http2-continuation-flood-technical-details/


Hosting firm’s VMware ESXi servers hit by new SEXi ransomware

Chilean data center and hosting provider IxMetro Powerhost has suffered a cyberattack at the hands of a new ransomware gang known as SEXi, which encrypted the company’s VMware ESXi servers and backups.

PowerHost is a data center, hosting, and interconnectivity company with locations in the USA, South America, and Europe. On Monday, PowerHost’s Chile division, IxMetro, warned customers that it suffered a ransomware attack early Saturday morning that encrypted some of the company’s VMware ESXi servers that are used to host virtual private servers for customers.

Customers hosting their websites or services on these servers are currently down as the company attempts to restore terabytes of data from backups.

In the latest update, PowerHost apologized to customers, warning that it may not be possible to restore servers as the backups have also been encrypted.

When attempting to negotiate with the threat actors to receive a decryption key, the ransomware gang demanded two bitcoins per victim, which PowerHost’s CEO says would equal $140 million.

Source: Bleeping computer / Dark reading

Link: https://www.bleepingcomputer.com/news/security/hosting-firms-vmware-esxi-servers-hit-by-new-sexi-ransomware/

Link: https://www.darkreading.com/threat-intelligence/sexi-ransomware-desires-vmware-hypervisors


The Week in Ransomware – April 5th 2024 – Virtual Machines under Attack

Ransomware attacks targeting VMware ESXi and other virtual machine platforms are wreaking havoc among the enterprise, causing widespread disruption and loss of services. Panera’s massive IT outage last month that took down internal systems, the website, mobile apps, and phones was caused by a ransomware attack encrypting the company’s virtual machines.

While the company has been able to restore servers from backups, it took almost a week for their systems to be restored.

Similarly, Omni Hotels suffered a massive outage, which took down the company’s reservation system, phones, and door lock system. The outage was so severe that guests had to contact a hotel employee to be let into their rooms, as key cards did not work.

Omni Hotels confirmed a few days later that they suffered a cyberattack, with BleepingComputer learning that it was once again a ransomware attack encrypting the company’s virtual machines. BleepingComputer has been told that Omni is restoring from backups as well.

This week, Chilean hosting provider IxMetro Powerhost also disclosed a ransomware attack where the threat actors encrypted the hosting company’s VMware ESXi servers. These servers powered customers’ virtual private servers (VPS), also bringing their websites down.

Unfortunately, they were not as lucky as Panera and Omni Hotels, as the threat actors also encrypted the company’s backups. The threat actors behind this attack, known as SEXi, demanded two bitcoins per customer to receive a decryptor.

Source: Bleeping computer

Link: https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-april-5th-2024-virtual-machines-under-attack/