Update Chrome Browser Now: 4th Zero-Day Exploit Discovered in May 2024
Google on Thursday rolled out fixes to address a high-severity security flaw in its Chrome browser that it said has been exploited in the wild.
Assigned the CVE identifier CVE-2024-5274, the vulnerability relates to a type confusion bug in the V8 JavaScript and WebAssembly engine. It was reported by Clément Lecigne of Google’s Threat Analysis Group and Brendon Tiszka of Chrome Security on May 20, 2024.
Type confusion vulnerabilities occur when a program accesses a resource using an incompatible type. They can have serious consequences, as they allow threat actors to perform out-of-bounds memory access, cause a crash, or execute arbitrary code.
The development marks the fourth zero-day that Google has patched since the start of the month after CVE-2024-4671, CVE-2024-4761, and CVE-2024-4947.
Source: The Hacker News / BleepingComputer / Dark Reading / SecurityWeek
Link: https://thehackernews.com/2024/05/google-detects-4th-chrome-zero-day-in.html
Link: https://www.securityweek.com/google-patches-fourth-chrome-zero-day-in-two-weeks/
CISA Warns of Actively Exploited Apache Flink Security Vulnerability
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a security flaw impacting Apache Flink, an open-source, unified stream-processing and batch-processing framework, to the Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.
Tracked as CVE-2020-17519, the issue relates to a case of improper access control that could allow an attacker to read any file on the local filesystem of the JobManager through its REST interface.
In practice, a remote, unauthenticated attacker could send a specially crafted directory traversal request and gain unauthorized access to sensitive information.
The vulnerability, which impacts Flink versions 1.11.0, 1.11.1, and 1.11.2, was addressed in January 2021 in versions 1.11.3 and 1.12.0.
Source: The Hacker News
Link: https://thehackernews.com/2024/05/cisa-warns-of-actively-exploited-apache.html
Ivanti Patches Critical Remote Code Execution Flaws in Endpoint Manager
Ivanti on Tuesday rolled out fixes to address multiple critical security flaws in Endpoint Manager (EPM) that could be exploited to achieve remote code execution under certain circumstances.
Six of the 10 vulnerabilities – from CVE-2024-29822 through CVE-2024-29827 (CVSS scores: 9.6) – relate to SQL injection flaws that allow an unauthenticated attacker within the same network to execute arbitrary code.
The remaining four bugs – CVE-2024-29828, CVE-2024-29829, CVE-2024-29830, and CVE-2024-29846 (CVSS scores: 8.4) – fall under the same category but require the attacker to be authenticated.
The shortcomings impact the Core server of Ivanti EPM versions 2022 SU5 and prior.
The company has also addressed a high-severity security flaw in Avalanche version 6.4.3.602 (CVE-2024-29848, CVSS score: 7.2) that could permit an attacker to achieve remote code execution by uploading a specially crafted file.
Source: The Hacker News / SecurityWeek / Ivanti security advisory
Link: https://thehackernews.com/2024/05/ivanti-patches-critical-remote-code.html
High-severity GitLab flaw lets attackers take over accounts
GitLab patched a high-severity vulnerability that unauthenticated attackers could exploit to take over user accounts in cross-site scripting (XSS) attacks.
The security flaw (tracked as CVE-2024-4835) is an XSS weakness in the VS Code editor (Web IDE) that lets threat actors steal restricted information using maliciously crafted pages.
While they can exploit this vulnerability in attacks that don’t require authentication, user interaction is still needed, increasing the attacks’ complexity.
“Today, we are releasing versions 17.0.1, 16.11.3, and 16.10.6 for GitLab Community Edition (CE) and Enterprise Edition (EE),” GitLab said.
“These versions contain important bug and security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately.”
On Wednesday, the company also fixed six other medium-severity security flaws, including a Cross-Site Request Forgery (CSRF) via the Kubernetes Agent Server (CVE-2023-7045) and a denial-of-service bug that can let attackers disrupt the loading of GitLab web resources (CVE-2024-2874).
Source: BleepingComputer / Dark Reading / SecurityWeek / Infosecurity Magazine / NIST NVD
Link: https://www.securityweek.com/critical-authentication-bypass-resolved-in-github-enterprise-server/
Link: https://www.infosecurity-magazine.com/news/github-maximum-severity-flaw/
Link: https://nvd.nist.gov/vuln/detail/CVE-2024-4985
QNAP QTS zero-day in Share feature gets public RCE exploit
An extensive security audit of QNAP QTS, the operating system for the company’s NAS products, has uncovered fifteen vulnerabilities of varying severity, with eleven remaining unfixed.
Among them is CVE-2024-27130, an unpatched stack buffer overflow vulnerability in the ‘No_Support_ACL’ function of ‘share.cgi,’ which could enable an attacker to perform remote code execution when specific prerequisites are met.
The vendor responded to the vulnerability reports, submitted between December 12, 2023, and January 23, 2024, with multiple delays and has fixed only four of the fifteen flaws. The vulnerabilities were discovered by watchTowr Labs, which published the complete details of its findings and a proof-of-concept (PoC) exploit for CVE-2024-27130 on Friday.
Source: BleepingComputer / SecurityWeek / watchTowr Labs – Blog
Link: https://www.securityweek.com/qnap-rushes-patch-for-code-execution-flaw-in-nas-devices/
Link: https://labs.watchtowr.com/qnap-qts-qnapping-at-the-wheel-cve-2024-27130-and-friends/
Talos IR trends: BEC attacks surge, while weaknesses in MFA persist
Business email compromise (BEC) was the top threat observed by Cisco Talos Incident Response (Talos IR) in the first quarter of 2024, accounting for nearly half of engagements, which is more than double what was observed in the previous quarter.
The most commonly observed means of gaining initial access was the use of compromised credentials on valid accounts, which accounted for 29 percent of engagements. The high number of BEC attacks likely played a significant role in valid accounts being the top attack vector this quarter.
Weaknesses involving multi-factor authentication (MFA) were observed within nearly half of engagements this quarter, with the top observed weakness being users accepting unauthorized push notifications, occurring within 25 percent of engagements.
There was a slight decrease in ransomware this quarter, accounting for 17 percent of engagements. Talos IR responded to new variants of Phobos and Akira ransomware for the first time this quarter.
Source: Cisco Talos Intelligence Group
Link: https://blog.talosintelligence.com/talos-ir-quarterly-trends-q1-2024/
Grandoreiro banking trojan unleashed: X-Force observing emerging global campaigns
Since March 2024, IBM X-Force has been tracking several large-scale phishing campaigns distributing the Grandoreiro banking trojan, which is likely operated as a Malware-as-a-Service (MaaS). Analysis of the malware revealed major updates to the string decryption and domain generation algorithm (DGA), as well as the ability to use Microsoft Outlook clients on infected hosts to send further phishing emails. The latest malware variant also specifically targets over 1,500 banks worldwide, enabling attackers to perform banking fraud in over 60 countries, including regions of Central and South America, Africa, Europe, and the Indo-Pacific.
Source: IBM Security Intelligence
Link: https://securityintelligence.com/x-force/grandoreiro-banking-trojan-unleashed/