Eswar, Author at Cyber Security News https://cybersecuritynews.com/author/eswar/ (feed updated Tue, 27 Aug 2024 07:14:28 +0000)

Researchers Uncovered Remote DoS Exploit in Mirai Botnet https://cybersecuritynews.com/dos-exploit-in-mirai-botnet/ Mon, 26 Aug 2024 14:46:41 +0000

The post Researchers Uncovered Remote DoS Exploit in Mirai Botnet appeared first on Cyber Security News.

Mirai botnets have played a major role in DDoS attacks worldwide, built largely from compromised IoT devices and servers. Mirai was first identified in August 2016 and has made headlines several times since because of the size of its network and the denial-of-service attacks launched from it.

Mirai botnets have held thousands of compromised devices at a time, targeting consumer equipment such as IP cameras and home routers by exploiting weak default passwords and known vulnerabilities. Several later variants reuse much of the Mirai source code.

A vulnerability has now been discovered in the Mirai botnet's command-and-control (CNC) server that allows anyone who can reach the server to take it down with a denial-of-service attack.

DoS Attack against a DDoS Server

A botnet's core infrastructure depends entirely on its C2 servers, from which thousands of compromised zombie devices are controlled. The vulnerability, reported by a researcher named Jacob Masse, is a denial-of-service condition caused by improper session management on the CNC server.


The researcher also noted that no authentication is required to launch the attack, which makes it easy to exploit. The same technique could be used by law enforcement or security researchers to render CNC servers inoperable and thereby dismantle a botnet.

Exploitation involves overwhelming the server's session handling, which does not cope with many simultaneous connections. The flaw sits in the pre-authentication phase: once an authentication attempt has been opened, further simultaneous connection attempts are not handled properly.

In practice, an attacker opens a large number of connections to the CNC server and starts an authentication attempt on each by sending a root username. The server fails to manage these half-open login sessions, which leads to resource exhaustion and a crash.
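The session-exhaustion pattern described above, as an added example that is not the researcher's proof of concept and not the CNC code from the leaked Mirai source: a minimal TCP login service in its weak form (a session per connection, no timeout, no per-source cap) beside a hardened form, with a client that opens many connections, sends only a root username and never completes the login. The limits MAX_PREAUTH_PER_IP and AUTH_TIMEOUT, the localhost asyncio server and all function names are assumptions made for the example.

```python
import asyncio
from collections import defaultdict

# Limits chosen for the example (assumptions, not values from the article or
# from any real C2): how many unfinished logins one source may hold open, and
# how long a login may stay unfinished before the server drops it.
MAX_PREAUTH_PER_IP = 5
AUTH_TIMEOUT = 0.5


async def vulnerable_login(reader, writer):
    """Weak pattern: a session is allocated per connection and the server
    waits without limit for the username and then the password."""
    try:
        await reader.readline()            # username ("root\n" in the attack)
        await reader.readline()            # password never arrives
        writer.write(b"login failed\n")
        await writer.drain()
    except OSError:
        pass
    finally:
        writer.close()


class HardenedLogin:
    """Same protocol, but unauthenticated sessions are capped per source
    address and must finish within AUTH_TIMEOUT, so half-open logins
    cannot accumulate."""

    def __init__(self):
        self.preauth = defaultdict(int)    # source IP -> open pre-auth sessions
        self.rejected = 0

    async def handle(self, reader, writer):
        peer = writer.get_extra_info("peername")
        ip = peer[0] if peer else "?"
        if self.preauth[ip] >= MAX_PREAUTH_PER_IP:
            self.rejected += 1
            writer.close()                 # refused before any session state exists
            return
        self.preauth[ip] += 1
        try:
            await asyncio.wait_for(reader.readline(), AUTH_TIMEOUT)
            await asyncio.wait_for(reader.readline(), AUTH_TIMEOUT)
            writer.write(b"login failed\n")
            await writer.drain()
        except (asyncio.TimeoutError, OSError):
            pass
        finally:
            self.preauth[ip] -= 1
            writer.close()


async def half_open_flood(port, count, hold_for):
    """Client side of the attack from the article: open many connections,
    send only a username, never complete the login.  Returns how many the
    server still holds open after hold_for seconds."""
    conns = []
    for _ in range(count):
        reader, writer = await asyncio.open_connection("127.0.0.1", port)
        try:
            writer.write(b"root\n")
            await writer.drain()
        except OSError:
            pass                           # server already dropped us
        conns.append((reader, writer))
    await asyncio.sleep(hold_for)

    async def still_open(reader):
        try:
            data = await asyncio.wait_for(reader.read(1), 0.1)
        except asyncio.TimeoutError:
            return True                    # server is still waiting on this session
        except OSError:
            return False                   # connection was reset by the server
        return data != b""                 # b"" means the server closed the socket

    states = await asyncio.gather(*(still_open(r) for r, _ in conns))
    for _, writer in conns:
        writer.close()
    return sum(states)


async def _attack(handler, count, hold_for):
    server = await asyncio.start_server(handler, "127.0.0.1", 0)
    port = server.sockets[0].getsockname()[1]
    try:
        return await half_open_flood(port, count, hold_for)
    finally:
        server.close()


def compare(count=20, hold_for=0.2):
    """Returns (sessions the vulnerable server still holds, sessions the
    hardened server still holds, connections the hardened server refused)."""
    weak = asyncio.run(_attack(vulnerable_login, count, hold_for))
    hardened = HardenedLogin()
    strong = asyncio.run(_attack(hardened.handle, count, hold_for))
    return weak, strong, hardened.rejected


if __name__ == "__main__":
    print(compare())
```

Run it and the vulnerable server still holds every half-open session after the flood, while the hardened one refuses everything beyond the per-source cap and drops the remaining sessions once AUTH_TIMEOUT passes. A per-source cap alone does not stop a distributed attacker, so a real service also needs a global ceiling on pre-authentication sessions; the timeout is what bounds how long any single connection can pin server resources.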

Impacts of Exploitation

If the vulnerability is exploited, botnet activity is disrupted and the threat the botnet poses is neutralized. On the other side, organizations that run a Mirai-derived botnet environment for stress-testing their own networks are exposed to the same vulnerability, which could lead to data corruption and disruption of operations.

The researcher also published a proof-of-concept video. In the video the exploit runs from a server with 1 CPU core, 1 GB of RAM and 25 GB of storage against a demo Mirai botnet environment. The proof-of-concept code can be found in this link.

“The demonstrated exploit’s success proved that it took the CNC offline and showed that you do not need a large server to run it,” Jacob Masse added.

Multiple F5 Flaws Let Attackers Login With User Session & Cause DoS Attack https://cybersecuritynews.com/f5-vulnerabilities-session-dos/ Tue, 20 Aug 2024 12:33:23 +0000

Two vulnerabilities have been disclosed in F5 products: an insufficient session expiration issue in BIG-IP Next Central Manager and an expired pointer dereference in NGINX Plus.

They have been assigned CVE-2024-39809 and CVE-2024-39792 respectively, each with a CVSS v3.1 severity of 7.5 (High).

The first affects the BIG-IP Next Central Manager web UI and the second the NGINX Plus MQTT (Message Queuing Telemetry Transport) filter module. F5 has addressed both and published security advisories.


Multiple F5 Vulnerabilities

CVE-2024-39809: BIG-IP Next Central Manager Vulnerability

This vulnerability exists because the user's session refresh token is not invalidated when the user logs out.

A threat actor who has obtained a user's refresh token can therefore keep using it to access BIG-IP Next Central Manager, and the systems it manages, after the user has logged out.

The vulnerability affects BIG-IP Next Central Manager version 20.1.0 and is fixed in version 20.2.0. The vulnerable component is the webUI.
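The refresh-token defect, as an added example (not F5's code): two small token services that differ only in what logout does. The first signs self-contained tokens and relies on the client to discard them on logout, which is the behaviour CVE-2024-39809 describes; the second keeps a server-side registry of live session ids and removes the id on logout, so a captured token stops working the moment the user logs out. The token format, key, lifetime and function names are assumptions for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets


class StatelessRefreshTokens:
    """Weak pattern: the refresh token is a signed, self-contained blob.  The
    server checks only signature and expiry, and logout is client-side, so a
    token captured while the session was live keeps working until it expires
    on its own.  Example code, not F5's implementation."""

    def __init__(self, key: bytes, refresh_ttl: int = 24 * 3600):
        self.key = key
        self.refresh_ttl = refresh_ttl

    def _sign(self, payload: str) -> str:
        return hmac.new(self.key, payload.encode(), hashlib.sha256).hexdigest()

    def _claims(self, token: str):
        """Returns the claims if the signature checks out, else None."""
        payload, _, mac = token.rpartition(".")
        if not payload or not hmac.compare_digest(mac, self._sign(payload)):
            return None
        return json.loads(base64.urlsafe_b64decode(payload))

    def login(self, user: str, now: int) -> str:
        claims = {"sid": secrets.token_hex(16), "sub": user,
                  "exp": now + self.refresh_ttl}
        payload = base64.urlsafe_b64encode(json.dumps(claims).encode()).decode()
        return payload + "." + self._sign(payload)

    def logout(self, token: str) -> None:
        return None                        # nothing is recorded server-side

    def refresh(self, token: str, now: int):
        """Exchange a refresh token for a new access token, or None."""
        claims = self._claims(token)
        if claims is None or claims["exp"] <= now:
            return None
        return f"access-token:{claims['sub']}:{now}"


class RevocableRefreshTokens(StatelessRefreshTokens):
    """Fixed pattern: the server remembers which session ids are live and
    logout removes the id, so a valid signature alone is no longer enough."""

    def __init__(self, key: bytes, refresh_ttl: int = 24 * 3600):
        super().__init__(key, refresh_ttl)
        self.active_sessions = set()

    def login(self, user: str, now: int) -> str:
        token = super().login(user, now)
        self.active_sessions.add(self._claims(token)["sid"])
        return token

    def logout(self, token: str) -> None:
        claims = self._claims(token)
        if claims is not None:
            self.active_sessions.discard(claims["sid"])

    def refresh(self, token: str, now: int):
        claims = self._claims(token)
        if claims is None or claims["sid"] not in self.active_sessions:
            return None
        return super().refresh(token, now)


def token_survives_logout(service, now: int = 1_700_000_000) -> bool:
    """The CVE-2024-39809 scenario: the attacker holds a copy of the refresh
    token, the user logs out, and the attacker tries to refresh afterwards."""
    token = service.login("admin", now)
    stolen = token                         # captured while the session was live
    service.logout(token)
    return service.refresh(stolen, now + 60) is not None


def refresh_works_while_logged_in(service, now: int = 1_700_000_000) -> bool:
    """Sanity check that the fix does not break the normal refresh path."""
    token = service.login("admin", now)
    return service.refresh(token, now + 60) is not None


if __name__ == "__main__":
    print("stateless token survives logout:",
          token_survives_logout(StatelessRefreshTokens(b"example-key")))
    print("revocable token survives logout:",
          token_survives_logout(RevocableRefreshTokens(b"example-key")))
```

The registry is the cost of the fix: every refresh now needs a lookup against server-side state, which is exactly what the stateless design was avoiding. A denylist of revoked session ids that is pruned as tokens expire gives the same guarantee with a smaller working set.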

CVE-2024-39792: NGINX Plus MQTT vulnerability

The vulnerability arises when NGINX Plus is configured with the MQTT filter module; undisclosed requests can then drive up memory utilization.

A remote, unauthenticated threat actor can use this to degrade NGINX's service to the point of a denial-of-service condition.

Performance stays degraded until the NGINX master and worker processes are restarted.

The vulnerable component is ngx_stream_mqtt_filter_module.

Affected Products And Fixed In Version

Product: BIG-IP Next Central Manager
  Branch: 20.x
  Versions known to be vulnerable: 20.1.0
  Fixes introduced in: 20.2.0
  Severity/CVSS score: High/7.5 (CVSS v3.1); High/8.9 (CVSS v4.0)
  Vulnerable component or feature: webUI

Product: NGINX Plus
  Branch: R3x
  Versions known to be vulnerable: R30 – R32
  Fixes introduced in: R32 P1, R31 P3
  Severity/CVSS score: High/7.5 (CVSS v3.1); High/8.7 (CVSS v4.0)
  Vulnerable component or feature: ngx_stream_mqtt_filter_module module

F5 has recommended that users upgrade their products to the latest versions to prevent threat actors from exploiting these vulnerabilities.

Ivanti Virtual Traffic Manager Flaw Let Hackers Create Rogue Admin Accounts https://cybersecuritynews.com/ivanti-flaw-rogue-admin/ Wed, 14 Aug 2024 06:37:29 +0000

A critical authentication bypass vulnerability has been discovered in Ivanti Virtual Traffic Manager (vTM). It has been assigned CVE-2024-7593 with a CVSS severity of 9.8 (Critical).

Ivanti has patched the vulnerability and released a security advisory.

Ivanti says it has no evidence of active exploitation, but a proof of concept is publicly available.


Ivanti Virtual Traffic Manager Vulnerability

This vulnerability allows an unauthenticated remote threat actor to bypass the admin panel authentication and perform malicious actions.

Further, a threat actor can also create an administrator account on the vulnerable Ivanti instances as a backdoor.

The vulnerability stems from an incorrect implementation of the authentication algorithm in Ivanti vTM. It affects all versions of Ivanti vTM other than 22.2R1 and 22.7R2.

Customers whose management interface is reachable only from an internal network or a private IP address have a reduced attack surface.

Ivanti advises users to restrict access to the management interface and to make sure it sits on a private IP address with restricted access.

Users are also advised to upgrade to the patched releases 22.2R1 (released 26 March 2024) or 22.7R2 (released 20 May 2024).

Product Name | Affected Version(s) | Resolved Version(s) | Patch Availability
Ivanti Virtual Traffic Manager | 22.2 | 22.2R1 | Available
Ivanti Virtual Traffic Manager | 22.3 | 22.3R3 | Week of August 19th
Ivanti Virtual Traffic Manager | 22.3R2 | 22.3R3 | Week of August 19th
Ivanti Virtual Traffic Manager | 22.5R1 | 22.5R2 | Week of August 19th
Ivanti Virtual Traffic Manager | 22.6R1 | 22.6R2 | Week of August 19th
Ivanti Virtual Traffic Manager | 22.7R1 | 22.7R2 | Available

Affected versions (Source: Ivanti)

Workaround

As a workaround, Ivanti instructs users to limit admin access to the management interface to the internal, private or corporate network. The steps are as follows:

  • In the vTM server, go to System > Security, then expand the Management IP Address and Admin Server Port section.
  • Click "bindip" and select the Management Interface IP address.
  • Alternatively, use the setting directly above "bindip" to restrict access to trusted IP addresses, further limiting who can reach the interface.

Source: Ivanti

To check whether an instance has already been compromised, review the Audit Logs Output for any administrator user that was added unexpectedly.

Users are advised to keep all instances updated to the latest version to prevent exploitation. Ivanti also lists an End of Engineering and End of Support schedule for Ivanti vTM, which can be found here.

“We are not aware of any customers being exploited by these vulnerabilities prior to public disclosure. These vulnerabilities were disclosed through our responsible disclosure program,” Ivanti added.

FBI Shuts Down Dispossessor Ransomware Operations, Domains Dismantled https://cybersecuritynews.com/fbi-dismantles-dispossessor/ Tue, 13 Aug 2024 08:04:56 +0000

Law enforcement has been pursuing cyber threat actors for some time, and the FBI has taken down servers belonging to multiple groups to disrupt their operations.

The FBI has now announced the shutdown of the ransomware group known as Radar/Dispossessor, reportedly run by a person using the handle "Brain."

Law enforcement dismantled three U.S. servers, three UK servers, 18 German servers, eight U.S.-based criminal domains, and one German-based criminal domain.

Radar/Dispossessor Ransomware Group

This threat group was first identified in August 2023 and has gained notoriety over time.

It gained that notoriety by targeting small- to mid-sized businesses and organizations in the production, development, education, healthcare, financial services, and transportation sectors, originally focusing on entities in the United States.

The FBI's investigation found that the group has since attacked over 43 companies in countries including Argentina, Australia, Belgium, Brazil, Honduras, India, Canada, Croatia, Peru, Poland, the United Kingdom, the United Arab Emirates, and Germany.

The Radar Ransomware uses a dual-extortion method in which the files from the compromised organizations are exfiltrated as well as encrypted.

Further, the victims are threatened and pressured to pay, failing which will result in leaking or destroying their critical data.

The group gains initial access by identifying vulnerable computer systems, weak passwords, and a lack of two-factor authentication, which it uses to single out and attack victim companies.

Once they identify a vulnerable point and gain access to the systems, they obtain administrator rights that will provide easier access to sensitive files in the environment.

Following this, the files are then exfiltrated to the attacker’s server while they are encrypted in the victim’s environment. This encryption prevents the victim organization from accessing their sensitive files.

Like any other ransomware group, a ransom note will be left on the encrypted servers and systems, containing instructions for contacting the threat actor.

If the victims do not contact the threat actors, the threat actors then proactively contact others in the victim company, either through email or phone calls.

These emails will also consist of a video link in which they present the stolen files from the organizations as a means of increasing the blackmail pressure.

Moreover, the negotiations take place in a separate leak site that has a countdown indicating the time left, before the files are leaked to the public in case the ransom is not paid. The total number of businesses and organizations affected is yet to be determined.

“The FBI encourages those with information about Brain or Radar Ransomware—or if their business or organization has been a target or victim of ransomware or currently paying a criminal actor—to contact its Internet Crime Complaint Center at ic3.gov or 1-800-CALL-FBI. Your identity can remain anonymous,” reads the FBI's announcement.

Organizations should keep their software and systems updated regularly.

Even after a ransomware attack, victims are advised not to pay, as there is no guarantee that the files will be decrypted.

Sonos Smart Speaker Vulnerability Let Attackers Execute Remote Code https://cybersecuritynews.com/sonos-vulnerability-remote-code/ Mon, 12 Aug 2024 12:39:05 +0000

In early August 2024, Sonos released a security advisory fixing two vulnerabilities that allow remote code execution. They have been assigned CVE-2023-50810 and CVE-2023-50809.

The vulnerabilities affect the Sonos One and Sonos Era 100 speakers and could allow a threat actor to covertly capture audio from the device's microphone.

They can be chained to compromise the kernel over the air and turn the device into a wiretap that records all audio within its range.

The exploitation method was presented at the Black Hat USA 2024 conference by researchers from NCC Group.


Sonos Smart Speaker Vulnerability

According to the report shared with Cyber Security News, CVE-2023-50809 lies in the WPA2 handshake code. When the key data carried in the handshake is parsed, the GTK length is taken from an attacker-controlled length field that can be as large as 255.

No upper bound was enforced on that length before the key was copied, and this missing check is what makes the overflow possible.

Triggering the bug requires several conditions:

  • The key data must be successfully decrypted, which in WPA2 is only possible after the SNonce and ANonce have been exchanged.
  • The vulnerable function must be reached in handshake message 3 (M3).
  • A wpa_supplicant instance running in AP mode can be used to deliver the malformed message.

Once all these conditions are met, the Sonos device crashes with the program counter (PC) under the attacker's control. Downstream corruption from the overflow was contained by appending extra IEs so that the parsing function exits early.

Sonos One – Over-The-Air Vulnerability

Multiple vulnerable design patterns were identified in the code path that handles and parses WPA key material.

The most notable is the WpaParseEapolKeyData function, used during the WPA2 four-way handshake.

It contains several weaknesses that can be chained to achieve a stack buffer overflow. Two issues make this possible: improper validation of the IE length, and no check on the maximum GTK IE length.

In brief, the KdenLen variable was not checked for integer underflow: when an information element's length field is smaller than 6, subtracting the 6-byte KDE header wraps around to a huge value.

That wrapped length drives a copy far larger than the 32-byte GTK stack buffer, resulting in a stack buffer overflow.

The second issue is that the keyData content copied into the gtk_buf stack buffer was never checked to be less than or equal to gtk_buf's maximum size (32 bytes).

Crashdump (Source: NCC Group)

Chaining the two, a malformed information element that exploits the underflow and the missing validation triggers a copy that exceeds the maximum GTK buffer length.
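The two parsing defects described above, as an added example (not NCC Group's code and not the Sonos firmware): a small Python model of the GTK KDE walk in WpaParseEapolKeyData that shows the vulnerable arithmetic beside a checked version. The GTK KDE layout (0xDD, length, OUI 00:0F:AC, data type 1, key id/tx byte, reserved byte, GTK) is the WPA2 format; the 32-byte buffer size and the 6-byte header constant follow the article; the function names are the example's own.

```python
GTK_BUF_SIZE = 32            # size of the gtk stack buffer in the vulnerable path
WFA_OUI = b"\x00\x0f\xac"    # Wi-Fi Alliance OUI that prefixes WPA2 KDEs
KDE_TYPE_GTK = 1
KDE_HEADER_LEN = 6           # OUI(3) + data type(1) + key id/tx(1) + reserved(1)


def build_gtk_kde(gtk: bytes, key_id: int = 1) -> bytes:
    """Encode a well-formed GTK KDE as carried in the encrypted key data of M3."""
    body = WFA_OUI + bytes([KDE_TYPE_GTK, key_id & 0x03, 0x00]) + gtk
    return bytes([0xDD, len(body)]) + body


def build_raw_kde(ie_len: int, body: bytes) -> bytes:
    """Encode a vendor IE whose length field is whatever the caller says.
    Used to construct the malformed input the attack relies on."""
    return bytes([0xDD, ie_len & 0xFF]) + body


def parse_gtk_vulnerable(key_data: bytes):
    """Models the two defects.  Returns the byte count each GTK copy would
    memcpy into the 32-byte buffer; nothing checks that it fits.  The length
    is treated as 32-bit unsigned, as the original C code would."""
    copies = []
    pos = 0
    while pos + 2 <= len(key_data):
        ie_len = key_data[pos + 1]
        header = key_data[pos + 2:pos + 6]          # read regardless of ie_len
        if key_data[pos] == 0xDD and header == WFA_OUI + bytes([KDE_TYPE_GTK]):
            # Defect 1: ie_len < 6 wraps around instead of being rejected.
            gtk_len = (ie_len - KDE_HEADER_LEN) & 0xFFFFFFFF
            # Defect 2: gtk_len is never compared with GTK_BUF_SIZE.
            copies.append(gtk_len)
        pos += 2 + ie_len
    return copies


def parse_gtk_hardened(key_data: bytes):
    """Same walk with the missing checks; returns the GTKs found and raises
    ValueError on anything that would have produced an oversized copy."""
    gtks = []
    pos = 0
    while pos + 2 <= len(key_data):
        ie_type, ie_len = key_data[pos], key_data[pos + 1]
        end = pos + 2 + ie_len
        if end > len(key_data):
            raise ValueError("IE length runs past the end of the key data")
        is_gtk = (ie_type == 0xDD and ie_len >= 4
                  and key_data[pos + 2:pos + 6] == WFA_OUI + bytes([KDE_TYPE_GTK]))
        if is_gtk:
            if ie_len < KDE_HEADER_LEN:
                raise ValueError("GTK KDE shorter than its own header")
            gtk_len = ie_len - KDE_HEADER_LEN
            if gtk_len > GTK_BUF_SIZE:
                raise ValueError("GTK longer than the receive buffer")
            gtks.append(key_data[pos + 2 + KDE_HEADER_LEN:end])
        pos = end
    return gtks


if __name__ == "__main__":
    # Constructed inputs: a normal 16-byte CCMP GTK, the underflow case
    # (length field 4, below the 6-byte header), and an oversized GTK.
    for label, blob in [("good", build_gtk_kde(bytes(16))),
                        ("underflow", build_raw_kde(4, WFA_OUI + bytes([KDE_TYPE_GTK]))),
                        ("oversized", build_gtk_kde(bytes(200)))]:
        print(label, "vulnerable copy lengths:", parse_gtk_vulnerable(blob))
        try:
            print(label, "hardened:", [len(g) for g in parse_gtk_hardened(blob)])
        except ValueError as err:
            print(label, "hardened rejected:", err)
```

The underflow case is the one to watch: a length field of 4 yields a copy length of 0xFFFFFFFE in the vulnerable walk, so the check that matters is ordering, with the "length at least header" test before the subtraction and the buffer-size test before the copy.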

Background Of This Attack

Attack Methodology (Source: NCCGroup)

The WPA2 four-way handshake consists of four packets exchanged between the client and the access point.

The important values involved are the ANonce and SNonce (random values generated by each side), the SSID, and the pre-shared key (PSK).

The PSK itself is never sent over the air; both the client and the access point use it, together with the SSID, to compute the Pairwise Master Key (PMK) with PBKDF2.

Once the minimum required information (ANonce, SNonce) has been exchanged, the remaining handshake messages carry additional information elements encrypted with the derived key material, which is where the parsing bug is reached.

Pivoting The Permission

Once remote code execution was achieved, the researchers pivoted to gain additional permissions and capabilities over the compromised device.

This was done by obtaining the pointer to the EAPOL (Extensible Authentication Protocol over LAN) buffer, adjusting the stack pointer to it, and pivoting execution through the modified stack.

From there they used the kernel's set_memory_x, which marks an arbitrary range of virtual address space executable, on the EAPOL buffer so that the heap-resident payload could run.

Execution of the shellcode was obtained through call_usermodehelper in the kernel, using run_cmd.

Post-exploitation, the payload was delivered over telnet to the device's BusyBox userland, which provided the capability to covertly capture audio from the device's surroundings.

A demo of the exploit and Rust implant can be found here.

Exploited Sonos Device with UI to Capture and Download Microphone (Source: NCCGroup)

Sonos Era-100 – Secure Boot Bypass

The bypass stems from three issues in the Sonos Era 100 U-Boot. Sonos ships a modified U-Boot that is locked down with a password and a restricted command set.

In addition, the Era 100 U-Boot image is encrypted with keys held in EL3 at a stage where the firmware does not yet have read/write access to the eMMC (embedded MultiMediaCard).

  • First, U-Boot tries to load its environment from flash at offset 0x500000. CONFIG_ENV_IS_NOWHERE is not set, so "bootcmd" can be set from that environment.
  • Second, sonosboot is responsible for loading and validating the kernel before handing it to "bootm", and bootm uses the U-Boot environment to pass arguments to the Linux kernel.
  • Third, the custom Sonos image header is always loaded at address 0x100000. The kernel_offset is normally 0x40 but is not enforced by U-Boot, and the signature check still passes, resulting in a shell in the context of /init (root).

The complete presentation given at Black Hat USA 2024 can be found here. The whitepaper published by the NCC Group researchers can be found in this link.

ServiceNow Flaw Let Remote Attackers Execute Arbitrary Code https://cybersecuritynews.com/servicenow-rce-vulnerability/ Fri, 26 Jul 2024 11:57:00 +0000

ServiceNow recently disclosed three vulnerabilities (CVE-2024-4879, CVE-2024-5217, and CVE-2024-5178) affecting multiple Now Platform versions, which together allow unauthenticated remote code execution and unauthorized file access. 

The vulnerabilities, with CVSS scores ranging from 6.9 to 9.3, pose significant risks of data theft, system compromise, and operational disruption. 

Active exploitation attempts by foreign threat actors targeting both private and public sector organizations were detected and mitigated, highlighting the severity of the issue. 

Internet-exposed ServiceNow instances number approximately 300,000 globally, concentrated primarily in the US, UK, India, and EU, and represent a significant target for remote probing.


While access restrictions vary, their widespread adoption in enterprise environments confirms ServiceNow as a prevalent platform for digital workflow management. 


Additional search engine data indicates between 13,300 and 23,000 network hosts as potential targets, emphasizing the broad attack surface available to adversaries for network mapping and reconnaissance. 

Adversaries exploit vulnerabilities in popular applications before patches are released, targeting enterprises identified through search engine scans, which utilize proprietary bots and tools to gather information about web servers, applications, and network devices, creating valuable intelligence for attackers.


Three critical ServiceNow vulnerabilities enabled unauthenticated remote code execution on nearly 42,000 exposed instances.

While patches exist, active exploitation attempts targeting over 6,000 sites, predominantly in finance, have been observed.

Attackers leverage these vulnerabilities to test for remote code execution and exfiltrate database credentials.

Researchers have developed detection methods and automated tools to identify vulnerable systems, highlighting the critical need for prompt patching and robust security measures to prevent data breaches and unauthorized access. 

Upon the public disclosure of vulnerability details, multiple threat actors initiated aggressive scanning campaigns to identify exploitable ServiceNow instances.

Leveraging a publicly released proof-of-concept as a catalyst, adversaries focused on exploiting CVE-2024-4879, a critical vulnerability enabling unauthenticated remote code execution. 

By chaining title injection, template injection bypass, and filesystem filter bypass, attackers accessed ServiceNow data.

Network sensors observed probing requests that checked for the vulnerability by injecting a payload and then validating the response for a specific multiplication result, which confirms that the injected expression was evaluated.


Attackers exploited a vulnerability in login.do to inject malicious code. The first payload retrieved the path to the database configuration file, potentially revealing database details. 

The second payload queried the “sys_user” table and attempted to dump usernames and passwords. While most passwords were hashed and remained secure, leaked usernames and other metadata could aid attackers in further reconnaissance. 

A recently disclosed vulnerability in a popular enterprise application was actively exploited within a week of its release, targeting diverse organizations globally.

Attackers successfully compromised energy, data centers, government, and software development entities, demonstrating the vulnerability’s widespread impact. 


According to Resecurity, poor patch management and outdated systems exacerbated the issue. While the collected data suggests potential cyberespionage, timely patch releases mitigated further damage. 

Threat actors are actively targeting enterprise applications like ServiceNow on the Dark Web, seeking compromised access to IT service desks and corporate portals.

Initial Access Brokers (IABs) capitalize on poor network hygiene by monetizing stolen credentials and harvesting data through infostealers. 

ServiceNow Response

“ServiceNow learned of a vulnerability on the Now Platform impacting instances running on the Vancouver and Washington, D.C. family releases. We deployed an update that day and have since issued a series of patches designed to address the issue.

“Based on our investigation to date, we have encouraged our self-hosted and ServiceNow-hosted customers to apply relevant patches if they have not already done so. We will also continue to work directly with customers needing assistance applying those patches,” ServiceNow shared with Cyber Security News.

It is important to note that these are not new vulnerabilities; they were previously addressed and disclosed in CVE-2024-4879, CVE-2024-5217, and CVE-2024-5178. 

New Windows False File Immutability Vulnerability Let Attackers Execute Arbitrary Code https://cybersecuritynews.com/windows-file-immutability-exploit/ Wed, 24 Jul 2024 09:38:14 +0000

A new vulnerability class has been identified in the Windows 11 kernel that could allow a threat actor to execute arbitrary code with kernel privileges. 

The class, named "False File Immutability," stems from incorrect assumptions in the design of core Windows features; those assumptions can lead to undefined behaviour and security vulnerabilities.

The components and concepts involved in "False File Immutability" are as follows:

  • Windows file sharing – every open specifies the access rights it wants and which of them it will share with other handles.
  • Memory manager – treats PE-relocated pages as unmodified and dynamically reapplies relocations during page faults.
  • Sharing enforcement – it is the filesystem driver's responsibility to call IoCheckShareAccess or IoCheckLinkShareAccess to see whether the requested DesiredAccess/ShareMode tuple is compatible with existing opens.
  • Authenticode – a way to use cryptography to "sign" PE files.
  • Code Integrity (CI) – validates those signatures in the kernel.
  • Incorrect assumption – that a file successfully opened without write sharing cannot be modified by another user or process while it is open.
  • Page hashes – a list of hashes of each 4 KB page within a PE file.
  • Network redirectors – allow network paths to be used with any API that accepts file paths.
  • Protected Process Light (PPL) – anti-malware services run as PPL, which protects them from tampering by malware with admin rights, so ransomware cannot simply terminate the anti-malware service.

An attacker can exploit false file immutability by serving a PPL's DLL from a network redirector and modifying it server-side, which bypasses the sharing restrictions that would block a local modification.

The PE files backing an executable image are incorrectly assumed to be immutable; this class of vulnerability is therefore called "False File Immutability." 

The idea was first presented at Black Hat Asia 2023, where a Windows kernel vulnerability was disclosed showing how bad assumptions in paging can be exploited to inject code into a PPL, defeating protections such as LSA protection and anti-malware process protection.

That attack relied on false file immutability assumptions about DLLs loaded into PPLs.

New Research

This new vulnerability report, published by Elastic Security, uses authenticode signatures embedded within PE files, which use a detached signature called Security Catalog.

Every PE with an authentihash in the list is considered to be signed by that signer to which Windows keeps a large collection of catalog files in C:\Windows\System32\CatRoot.

Initially, the CI (Code Integrity) maps the file into kernel memory using ZwOpenFile, ZwCreateSection, and ZwMapViewOfSection and then validates the catalog’s digital signature using CI!MinCrypK_VerifySignedDataKModeEx.

If the signature is valid, it parses the hashes with CI!I_MapFileHashes.

The catalog file is opened without FILE_SHARE_WRITE, i.e. write sharing is denied. This is intended to prevent modification of the security catalog while it is being processed. Denying write sharing does not make the file immutable, however: its pages can still be re-fetched from a storage device or network redirector the attacker controls. This is the same bad assumption, another example of False File Immutability.

Attack Planning

The attack flow starts with an attacker planting a security catalog on a storage device they control.

Then, they will install a symbolic link to this catalog in the CatRoot directory to ensure Windows can find it. 

Exploiting Security catalogs (Source: Elastic Security Labs)

Proceeding further with the attack, the attacker can perform the following actions to exploit this vulnerability:

  • The attacker asks the kernel to load a malicious, unsigned driver.
  • Code Integrity tries to validate the driver, finds no embedded signature and no trusted authentihash, and so re-scans the CatRoot directory, where it finds the attacker's new catalog.
  • CI maps the catalog into kernel memory and validates its signature. Reading the mapping generates page faults that are served by the attacker's storage device, which returns a legitimate Microsoft-signed catalog.
  • The attacker empties the system working set, forcing the previously fetched catalog pages to be discarded.
  • CI begins parsing the catalog, generating new page faults. This time the storage device serves pages containing the authentihash of the malicious driver.
  • CI finds the malicious driver's authentihash in the catalog and loads the driver. At this point the attacker has arbitrary code execution in the kernel.

Double Read Vulnerability and Attack

Double-read vulnerability and Exploit (Source: Elastic Security Lab)

This vulnerability can arise when the victim code reads the same value from an attacker-controlled buffer more than once.

The threat actor may change the value of this buffer between the reads, resulting in unexpected victim behavior.

As a concrete pattern: the attacker sets a packet structure's length field to 16 and then signals the server that a packet is ready for processing.

The victim server wakes up and allocates a 16-byte buffer using malloc(pPacket->length). The attacker then changes the length field to 32.

Next, the victim server copies the packet's contents into the new buffer with memcpy(pBuffer, pPacket->data, pPacket->length), re-reading pPacket->length, which is now 32.

The victim ends up copying 32 bytes into a 16-byte buffer, overflowing it.
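To make the double fetch concrete for both the catalog attack flow above and the length-field pattern just described, here is an added example in Python. It is not Elastic's or Microsoft's code: the catalog format, the HMAC "signer" standing in for the Authenticode signature, the PagedCatalog paging model and the sample hashes are all constructed for illustration. It shows Code Integrity's validate-then-parse sequence reading the mapping twice, an attacker purging the working set in between, and the mitigation of copying the file to a private buffer once and validating and parsing that single copy.

```python
"""Added example, not Elastic's or Microsoft's code. A toy model of the
double fetch behind the catalog attack: the catalog format, the HMAC
"signer" standing in for an Authenticode signature and the paging model
are all constructed for illustration."""
from __future__ import annotations
import hashlib
import hmac

PAGE_SIZE = 4096   # page hashes on Windows cover 4KB pages
TAG_LEN = 32


def make_catalog(signer_key: bytes, authentihashes: list[str]) -> bytes:
    """Toy catalog: a 32-byte HMAC-SHA256 tag followed by one hex hash per line."""
    body = ("\n".join(authentihashes) + "\n").encode()
    return hmac.new(signer_key, body, hashlib.sha256).digest() + body


def verify_catalog(signer_key: bytes, data: bytes) -> bool:
    """Stands in for CI!MinCrypK_VerifySignedDataKModeEx over the mapped bytes."""
    tag, body = data[:TAG_LEN], data[TAG_LEN:]
    return hmac.compare_digest(hmac.new(signer_key, body, hashlib.sha256).digest(), tag)


def parse_hashes(data: bytes) -> set[str]:
    """Stands in for CI!I_MapFileHashes: every non-empty line is a trusted hash."""
    return {ln for ln in data[TAG_LEN:].decode(errors="replace").split("\n") if ln}


class PagedCatalog:
    """A file mapping whose pages come from storage the attacker controls.
    Resident pages are served from the cache; anything else page-faults to the
    backing store, which answers differently once the attacker has swapped it."""

    def __init__(self, genuine: bytes, malicious: bytes) -> None:
        self._genuine, self._malicious = genuine, malicious
        self._resident: dict[int, bytes] = {}
        self._swapped = False
        self.faults = 0

    def map_and_read(self) -> bytes:
        src = self._malicious if self._swapped else self._genuine
        pages = []
        for i in range((len(src) + PAGE_SIZE - 1) // PAGE_SIZE):
            if i not in self._resident:          # page fault to the backing store
                self.faults += 1
                self._resident[i] = src[i * PAGE_SIZE:(i + 1) * PAGE_SIZE]
            pages.append(self._resident[i])
        return b"".join(pages)

    def attacker_purge_and_swap(self) -> None:
        """Empty the working set so the next read faults again, and have the
        store answer those faults with attacker-chosen bytes."""
        self._resident.clear()
        self._swapped = True


def ci_load_driver_vulnerable(cat: PagedCatalog, key: bytes, driver_hash: str, race=None) -> str:
    """Validate over one fetch, then parse over a second fetch of the same mapping."""
    if not verify_catalog(key, cat.map_and_read()):
        return "rejected: bad catalog signature"
    if race:
        race(cat)                                # attacker acts between the two reads
    trusted = parse_hashes(cat.map_and_read())   # second fetch re-reads the pages
    return "loaded" if driver_hash in trusted else "rejected: authentihash not in catalog"


def ci_load_driver_hardened(cat: PagedCatalog, key: bytes, driver_hash: str, race=None) -> str:
    """Copy once to a private buffer, then validate and parse that same copy."""
    snapshot = cat.map_and_read()
    if not verify_catalog(key, snapshot):
        return "rejected: bad catalog signature"
    if race:
        race(cat)                                # too late: the mapping is not touched again
    trusted = parse_hashes(snapshot)
    return "loaded" if driver_hash in trusted else "rejected: authentihash not in catalog"


# Constructed sample data.
SIGNER_KEY = b"stand-in for the catalog signer's key"
GOOD_DRIVER = hashlib.sha256(b"genuine driver image").hexdigest()
EVIL_DRIVER = hashlib.sha256(b"unsigned malicious driver").hexdigest()
GENUINE_CAT = make_catalog(SIGNER_KEY, [GOOD_DRIVER])
# Attacker's bytes: the genuine catalog with the evil hash appended and the tag
# untouched. It fails verification on its own, which is why the race is needed.
EVIL_CAT = GENUINE_CAT + (EVIL_DRIVER + "\n").encode()


def run(loader, race=None, driver_hash: str = EVIL_DRIVER) -> str:
    return loader(PagedCatalog(GENUINE_CAT, EVIL_CAT), SIGNER_KEY, driver_hash, race)


if __name__ == "__main__":
    for name, loader in (("vulnerable", ci_load_driver_vulnerable),
                         ("hardened", ci_load_driver_hardened)):
        print(f"{name:10} no race: {run(loader)}")
        print(f"{name:10} raced  : {run(loader, PagedCatalog.attacker_purge_and_swap)}")
```

The vulnerable loader only accepts the unsigned driver when the attacker purges the working set between the signature check and the hash parse; without the race the malicious hash is never seen, and the hardened loader never re-reads the mapping, so the swapped pages are irrelevant.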

Affected Operations

Operation      | API                               | Mitigations
Image Sections | CreateProcess, LoadLibrary        | 1. Enable page hashes
Data Sections  | MapViewOfFile, ZwMapViewOfSection | 1. Avoid double reads; 2. Copy the file to a heap buffer before processing; 3. Prevent paging via MmProbeAndLockPages/VirtualLock
Regular I/O    | ReadFile, ZwReadFile              | 1. Avoid double reads; 2. Copy the file to a heap buffer before processing

Okta Browser Plugin Vulnerable To Reflected Cross-Site Scripting Attacks
https://cybersecuritynews.com/okta-browser-plugin-xss-vulnerability/
Tue, 23 Jul 2024 08:01:30 +0000

The post Okta Browser Plugin Vulnerable To Reflected Cross-Site Scripting Attacks appeared first on Cyber Security News.
Okta Browser Plugin is available on multiple browsers like Edge, Chrome, Safari, and Firefox. Combining all these browsers, the plugin has over 5 million users.

However, the plugin was found to have a reflected cross-site scripting vulnerability that could allow threat actors to execute arbitrary JavaScript code.

Okta acted swiftly upon the report and published a security advisory to address this vulnerability.

Versions 6.5.0 through 6.31.0 of the Okta Browser Plugin for Chrome, Edge, Firefox, and Safari were identified as affected.

Okta Browser Plugin Vulnerability

According to the Okta advisory, this vulnerability was assigned CVE-2024-0981, and its severity was given as 7.1 (High).

The flaw arises in the flow where a user enters new credentials and the plugin prompts them to save those credentials with Okta Personal.

However, this vulnerability does not affect Workforce Identity Cloud users if Okta Personal is not added to the browser plugin that is used to enable multi-account views.

Additionally, Okta admins can run the following System Log query to find users who are still on an outdated version of the plugin (it matches any plugin user agent other than the fixed 6.32.0 release):

debugContext.debugData.oktaUserAgentExtended ne "okta-browser-plugin/6.32.0" and debugContext.debugData.oktaUserAgentExtended co "okta-browser-plugin/"
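The query above does an exact string comparison, so it also flags users who have already moved to a release newer than 6.32.0, and a plain string comparison of versions would sort 6.5.0 above 6.32.0. The following added example (not Okta's code) evaluates the page's filter over constructed System Log events and contrasts it with a numeric version comparison against the affected range 6.5.0 through 6.31.0. The field names debugContext.debugData.oktaUserAgentExtended and actor.alternateId are assumed from the query and from the System Log schema; the event bodies are constructed.

```python
"""Added example, not Okta's code. Evaluates the System Log filter from the
page over constructed events and compares it with a numeric version check.
Field names are assumed from the query on the page and from the System Log
schema (actor.alternateId); the events themselves are constructed."""
from __future__ import annotations
import re

AFFECTED_MIN = (6, 5, 0)     # first affected release per the advisory
FIXED = (6, 32, 0)           # fixed release
PLUGIN_RE = re.compile(r"okta-browser-plugin/(\d+(?:\.\d+)*)")

# Constructed sample events, trimmed to the fields this example reads.
SAMPLE_EVENTS = [
    {"actor": {"alternateId": "alice@example.com"},
     "debugContext": {"debugData": {"oktaUserAgentExtended": "okta-browser-plugin/6.31.0"}}},
    {"actor": {"alternateId": "bob@example.com"},
     "debugContext": {"debugData": {"oktaUserAgentExtended": "okta-browser-plugin/6.32.0"}}},
    {"actor": {"alternateId": "carol@example.com"},
     "debugContext": {"debugData": {"oktaUserAgentExtended": "okta-browser-plugin/6.33.1"}}},
    {"actor": {"alternateId": "dave@example.com"},
     "debugContext": {"debugData": {"oktaUserAgentExtended": "okta-browser-plugin/6.5.0"}}},
    {"actor": {"alternateId": "erin@example.com"},
     "debugContext": {"debugData": {}}},            # no plugin user agent at all
]


def user_agent(event: dict) -> str:
    return event.get("debugContext", {}).get("debugData", {}).get("oktaUserAgentExtended", "")


def parse_version(ua: str) -> tuple[int, ...] | None:
    """'okta-browser-plugin/6.5.0' -> (6, 5, 0); None when the plugin is absent."""
    m = PLUGIN_RE.search(ua)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def matches_page_filter(event: dict) -> bool:
    """The query on the page: ua ne 'okta-browser-plugin/6.32.0' and ua co 'okta-browser-plugin/'."""
    ua = user_agent(event)
    return ua != "okta-browser-plugin/6.32.0" and "okta-browser-plugin/" in ua


def is_affected_version(event: dict) -> bool:
    """Numeric comparison against the affected range 6.5.0 <= v < 6.32.0."""
    v = parse_version(user_agent(event))
    return v is not None and AFFECTED_MIN <= v < FIXED


def flagged_by_page_filter(events: list[dict]) -> set[str]:
    return {e["actor"]["alternateId"] for e in events if matches_page_filter(e)}


def users_on_affected_versions(events: list[dict]) -> set[str]:
    return {e["actor"]["alternateId"] for e in events if is_affected_version(e)}


if __name__ == "__main__":
    print("page filter flags :", sorted(flagged_by_page_filter(SAMPLE_EVENTS)))
    print("actually affected :", sorted(users_on_affected_versions(SAMPLE_EVENTS)))
```

On the sample events the page's filter flags carol (already on 6.33.1) alongside the genuinely affected alice and dave; the tuple comparison keeps only the two inside the affected range.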

More than 100 million users use Okta to save their credentials and connect to applications both inside and outside of their organizations. In addition, the Okta Browser Plugin offers multiple features, such as 

  • Automatically sign in to your business and personal apps with just one click
  • Add your own apps into Okta
  • Quickly generate strong, random passwords on the fly for all your apps
  • Easily access your Okta dashboard apps and tabs
  • Seamlessly and securely switch between multiple Okta accounts

Affected Products And Fixed In Versions

Affected Products                                                              | Fixed in Versions
Okta Browser Plugin versions 6.5.0 through 6.31.0 (Chrome/Edge/Firefox/Safari) | Okta Browser Plugin version 6.32.0 for Chrome/Edge/Safari

It is recommended that users of this plugin upgrade to the latest versions to prevent threat actors from exploiting this vulnerability.

Critical Splunk Vulnerability Exploited Using Crafted GET Commands
https://cybersecuritynews.com/critical-splunk-vulnerability-cve-2024-36991-exploit/
Mon, 22 Jul 2024 09:04:31 +0000

The post Critical Splunk Vulnerability Exploited Using Crafted GET Commands appeared first on Cyber Security News.
Splunk Enterprise is one of the many applications Splunk offers for security and monitoring purposes.

It allows organizations to search, analyze and visualize data which can help to respond to incidents in a better way.

However, at the beginning of this month, Splunk released a security advisory for a high-severity vulnerability.

Tracked as CVE-2024-36991, the vulnerability is a path traversal on the /modules/messaging/ endpoint in Splunk Enterprise on Windows. It was rated 7.5 (High) and affects Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10.

The root cause is the behaviour of Python's os.path.join on Windows: when a path token carries a drive letter that matches the drive of the path being built, the drive letter is dropped and the rest of the token is appended as a relative component.


Further, this vulnerability can be exploited by a threat actor to traverse the file system and access files or directories outside of the restricted directory.

Splunk Vulnerability Exploited Via GET Commands

According to the reports, more than 230,000 internet-exposed Splunk servers were potentially vulnerable to this flaw.

To provide a deeper insight, the os.path.join() python function takes multiple path components as arguments and combines them together into a single path.

It also ensures that the correct path separator is used based on the operating system.

os.path.join function (Source: SonicWall)

Windows keeps a current directory per drive, so a path such as C:sourcedir (drive letter followed directly by a name, with no backslash) means "sourcedir" relative to the current directory on drive C:.

The os.path.join documentation also states that on Windows the drive is not reset when a rooted path segment such as r'\foo' is encountered:

"On Windows, the drive is not reset when a rooted path segment (e.g., r'\foo') is encountered. If a segment is on a different drive or is an absolute path, all previous segments are ignored and the drive is reset.

Note that since there is a current directory for each drive, os.path.join("c:", "foo") represents a path relative to the current directory on drive C: (c:foo), not c:\foo," reads the os.path.join documentation.

An attacker can exploit this vulnerability to perform a directory listing on the Splunk endpoint and read files outside the intended directory, gaining unauthorized access to sensitive files on the system.

The vulnerability affects Splunk Enterprise instances where Splunk Web is enabled.

According to the SonicWall report, exploitation is a matter of sending a crafted GET request that causes the Splunk Enterprise instance to read arbitrary files from the operating system.

The SonicWall report shows example requests that read arbitrary files:

CVE-2024-36991 Proof of concept (Source: SonicWall)

Exploit code and a proof of concept have also been published on GitHub. The only prerequisite is that the attacker can reach the vulnerable instance, remotely or over the local network.
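The drive-letter behaviour above can be reproduced without a Windows host, because ntpath (the Windows flavour of os.path) is pure Python. The following is an added example, not Splunk's code: BASE_DIR, the segment filter in naive_resolve and the request paths are constructed for illustration. It contrasts a handler that rejects literal ".." segments (which a "C:.." token slips past) with a check on the final normalised path, and reproduces the three documentation cases quoted above.

```python
"""Added example, not Splunk's code: a minimal model of the Windows
os.path.join behaviour behind CVE-2024-36991. ntpath (the Windows
implementation of os.path) is called explicitly so it runs on any OS. The
base directory, the segment filter and the request paths are constructed."""
from __future__ import annotations
import ntpath

# Illustrative base directory, on the same drive as the Windows install.
BASE_DIR = r"C:\app\modules\messaging"


def url_segments(url_path: str) -> list[str]:
    return [s for s in url_path.split("/") if s]


def naive_resolve(base: str, url_path: str) -> str | None:
    """Rejects literal '..' segments, then joins the rest with ntpath.join.
    A segment such as 'C:..' passes the check; because its drive matches the
    base drive, ntpath.join drops the 'C:' and appends '..' as a relative
    component, so the traversal survives."""
    segments = url_segments(url_path)
    if any(s == ".." for s in segments):
        return None
    return ntpath.join(base, *segments)


def hardened_resolve(base: str, url_path: str) -> str | None:
    """Joins, normalises, and requires the result to stay under base. Drive
    tokens, rooted tokens and dotted tokens all fail because the check is on
    the final path rather than on the raw segments."""
    base_norm = ntpath.normpath(base)
    candidate = ntpath.normpath(ntpath.join(base, *url_segments(url_path)))
    try:
        inside = ntpath.commonpath([base_norm, candidate]) == base_norm
    except ValueError:            # raised when the drives differ
        inside = False
    return candidate if inside else None


def join_semantics() -> dict[str, str]:
    """The three cases from the os.path.join documentation quoted on the page."""
    return {
        "drive-relative": ntpath.join("c:", "foo"),             # c:foo, not c:\foo
        "rooted keeps drive": ntpath.join(r"c:\a", r"\foo"),    # c:\foo
        "other drive resets": ntpath.join(r"c:\a", r"d:\foo"),  # d:\foo
    }


# Constructed request paths: a drive-prefixed traversal, the plain form a
# '..' filter catches, and a benign request.
TRAVERSAL = "C:../C:../C:../Windows/win.ini"
PLAIN_DOTDOT = "../../../Windows/win.ini"
BENIGN = "inbox/msg.txt"

if __name__ == "__main__":
    for p in (TRAVERSAL, PLAIN_DOTDOT, BENIGN):
        raw = naive_resolve(BASE_DIR, p)
        print(f"{p:32} naive    -> {raw}")
        if raw:
            print(f"{'':32} normpath -> {ntpath.normpath(raw)}")
        print(f"{'':32} hardened -> {hardened_resolve(BASE_DIR, p)}")
    print(join_semantics())
```

Run on any platform, the naive handler turns the "C:.." segments into C:\app\modules\messaging\..\..\..\Windows\win.ini, which the filesystem resolves to C:\Windows\win.ini; the hardened handler rejects both traversal forms and accepts only the benign path.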

Affected Products And Fixed In Versions

Product           | Version | Component  | Affected Versions | Fix Version
Splunk Enterprise | 9.2     | Splunk Web | 9.2.0 to 9.2.1    | 9.2.2
Splunk Enterprise | 9.1     | Splunk Web | 9.1.0 to 9.1.4    | 9.1.5
Splunk Enterprise | 9.0     | Splunk Web | 9.0.0 to 9.0.9    | 9.0.10

It is recommended that users of the above Splunk Enterprise versions upgrade to the latest versions to prevent threat actors from exploiting this vulnerability.

Toshiba Multi-Function Printers Impacted by 40+ Vulnerabilities
https://cybersecuritynews.com/toshiba-mfp-40-vulnerabilities/
Mon, 01 Jul 2024 08:16:25 +0000

The post Toshiba Multi-Function Printers Impacted by 40+ Vulnerabilities appeared first on Cyber Security News.
Several new vulnerabilities have been discovered in Toshiba e-STUDIO Multi-Function Printers (MFPs) that are used by businesses and organizations worldwide.

These vulnerabilities affect 103 different models of Toshiba Multi-Function Printers. 

Vulnerabilities identified include Remote Code Execution, XML External Entity Injection (XXE), Privilege Escalation, authentication credential leaks, DOM-based XSS, insecure permissions, TOCTOU (Time-Of-Check to Time-Of-Use) conditions, and many others.

Toshiba Multi-Function Printers

According to the reports shared with Cyber Security News, CVE-2024-27171 and CVE-2024-27180 affect the implementation of third-party application systems and also the third-party applications that are installed by default on Toshiba Printers.

A threat actor can exploit Toshiba Multi-function printers using multiple vulnerabilities. The list of Affected Toshiba MFP models is as follows:

2021AC, 4528AG, 3515AC, 5018A, 3005AC, 3508LP
2521AC, 5528A, 3615AC, 5118A, 3505AC, 4508LP
2020AC, 6528A, 4515AC, 5516AC, 4505AC, 5008LP
2520AC, 6526AC, 4615AC, 5616AC, 5005AC
2025NC, 6527AC, 5015AC, 6516AC, 2008A
2525AC, 7527AC, 5115AC, 6616AC, 2508A
3025AC, 6529A, 2018A, 7516AC, 3008A
3525AC, 7529A, 2518A, 7616AC, 3008AG
3525ACG, 9029A, 2618A, 5518A, 3508A
4525AC, 330AC, 3018A, 5618A, 3508AG
4525ACG, 400AC, 3118A, 6518A, 4508A
5525AC, 2010AC, 3018AG, 6618A, 4508AG
5525ACG, 2110AC, 3518A, 7518A, 5008A
6525AC, 2510AC, 3518AG, 7618A, 5506AC
6525ACG, 2610AC, 3618A, 8518A, 6506AC
2528A, 2015NC, 3618AG, 8618A, 7506AC
3028A, 2515AC, 4518A, 2000AC, 5508A
3528A, 2615AC, 4518AG, 2500AC, 6508A
3528AG, 3015AC, 4618A, 2005NC, 7508A
4528A, 3115AC, 4618AG, 2505AC, 8508A

It was also noted that the physical security of the printers was not analyzed, and that the vulnerabilities were confirmed on several models running the latest firmware versions, such as

  • e-STUDIO2010AC
  • e-STUDIO3005AC
  • e-STUDIO3508A
  • e-STUDIO5018A

All of these printers run Linux and are powerful enough to be used by a threat actor as a pivot for lateral movement inside the infrastructure.

40 vulnerabilities were reported to Toshiba, and necessary security advisories have been published to address these vulnerabilities.

  1. CVE-2024-27141 – Pre-authenticated Blind XML External Entity (XXE) injection – DoS
  2. CVE-2024-27142 – Pre-authenticated XXE injection
  3. CVE-2024-27143 – Pre-authenticated Remote Code Execution as root
  4. CVE-2024-27144 – Pre-authenticated Remote Code Execution as root or apache and multiple Local Privilege Escalations
    4.1. Remote Code Execution – Upload of a new .py module inside WSGI Python programs
    4.2. Remote Code Execution – Upload of a new .ini configuration files inside WSGI Python programs
    4.3. Remote Code Execution – Upload of a malicious script /tmp/backtraceScript.sh and injection of malicious gdb commands
    4.4. Remote Code Execution – Upload of a malicious /home/SYSROM_SRC/build/common/bin/sapphost.py program
    4.5. Remote Code Execution – Upload of malicious libraries
    4.6. Other ways to get Remote Code Execution
  5. CVE-2024-27145 – Multiple Post-authenticated Remote Code Executions as root
  6. CVE-2024-27146 – Lack of privileges separation
  7. CVE-2024-27147 – Local Privilege Escalation and Remote Code Execution using snmpd
  8. CVE-2024-27148 – Local Privilege Escalation and Remote Code Execution using insecure PATH
  9. CVE-2024-27149 – Local Privilege Escalation and Remote Code Execution using insecure LD_PRELOAD
  10. CVE-2024-27150 – Local Privilege Escalation and Remote Code Execution using insecure LD_LIBRARY_PATH
  11. CVE-2024-27151 – Local Privilege Escalation and Remote Code Execution using insecure permissions for 106 programs
    11.1. 3 vulnerable programs not running as root
    11.2. 103 vulnerable programs running as root
  12. CVE-2024-27152 – Local Privilege Escalation and Remote Code Execution using insecure permissions for libraries
    12.1. Example with /home/SYSROM_SRC/bin/syscallerr
  13. CVE-2024-27153 – Local Privilege Escalation and Remote Code Execution using CISSM
  14. CVE-2024-27154 and CVE-2024-27155 – Passwords stored in clear-text logs and insecure logs
    14.1. Clear-text password written in logs when a user logs into the printer
    14.2. Clear-text password written in logs when a password is modified
  15. CVE-2024-27156 – Leak of authentication sessions in insecure logs in /ramdisk/work/log directory
  16. CVE-2024-27157 – Leak of authentication sessions in insecure logs in /ramdisk/al/network/log directory
  17. CVE-2024-27158 – Hardcoded root password
  18. CVE-2024-27159 – Hardcoded password used to encrypt logs
  19. CVE-2024-27160 – Hardcoded password used to encrypt logs and use of a weak digest cipher
  20. CVE-2024-27161 – Hardcoded password used to encrypt files
  21. CVE-2024-27162 – DOM-based XSS present in the /js/TopAccessUtil.js file
  22. CVE-2024-27163 – Leak of admin password and passwords
  23. CVE-2024-27164 – Hardcoded credentials in telnetd
  24. CVE-2024-27165 – Local Privilege Escalation using PROCSUID
  25. CVE-2024-27166 – Insecure permissions for core files
  26. CVE-2024-27167 – Insecure permissions used for Sendmail – Local Privilege Escalation
  27. CVE-2024-27168 – Hardcoded keys found in Python applications used to generate authentication cookies
  28. CVE-2024-27169 – Lack of authentication in WebPanel – Local Privilege Escalation
  29. CVE-2024-27170 – Hardcoded credentials for WebDAV access
  30. CVE-2024-27171 – Insecure permissions
  31. CVE-2024-27172 – Remote Code Execution – command injection as root
  32. CVE-2024-27173 – Remote Code Execution – insecure upload
  33. CVE-2024-27174 – Remote Code Execution – insecure upload
  34. CVE-2024-27175 – Local File Inclusion
  35. CVE-2024-27176 – Remote Code Execution – insecure upload
  36. CVE-2024-27177 – Remote Code Execution – insecure upload
  37. CVE-2024-27178 – Remote Code Execution – insecure copy
  38. CVE-2024-27179 – Session disclosure inside the log files in the installation of applications
  39. CVE-2024-27180 – TOCTOU vulnerability in the installation of applications, allowing to install rogue applications and get RCE

Users of these Toshiba products are recommended to upgrade to the latest version as per Toshiba’s security advisory to prevent these vulnerabilities from getting exploited by threat actors.
