Weekly review of vulnerability, this week we have a lot to unpack
Previous Issues of vulnerability Weekly
- Security Vulnerability of the Week 30/05/22 – GIT
- Security Vulnerability of the Week 22/05/22 – Pwn2Own
- Security Vulnerability of the Week 16/05/22 – NVIDIA
This week we deep dive into Confluence RCE vulnerability, Follina exploits and weaponization, and GitLab vulnerability for account takeover.
Appsec
Atlassian Confluence & Jira
Atlassian Confluence
Beginning of June (2-june-2022) Atlassian warned of two zero days. Atlassian credited cybersecurity firm Volexity for identifying the flaw, which is being tracked as CVE-2022-26134.
A new strain of ransomware is affecting and targeting both vulnerabilities CVE-2022-26134. and reports on Atlassian support confirm files are getting locked and encrypted.
Several attempts since weaponization have been seen (source Graynoise)
Currently, Atlassian tracks the vulnerability: https://confluence.atlassian.com/doc/confluence-securitydvisory-2022-06-02-1130377146.html with the available workaround
Both Confluence Server and Data Center are affected by an injection that allows an unauthenticated attacker to execute random code (RCE and Injection)
| The affected versions are from 1.3.0 before 7.4.17, from 7.13.0 before 7.13.7, from 7.14.0 before 7.14.3, from 7.15.0 before 7.15.2, from 7.16.0 before 7.16.4, from 7.17.0 before 7.17.4, and from 7.18.0 before 7.18.1. |
| CVE Database/ Atlassian |
|---|
Atlassian has been hit by another critical vulnerability in April with a rating of 9.9: https://phoenix.security/svw-2022-04-25/
Also, another variant of the vulnerability Currently Tracked as CVE-2021-26084, CVSS score: 9.8
As the two vulnerabilities are highly exploitable if there are server exposed with authentication is important to patch them
Both vulnerabilities are affected by the Object-graph Navigation Language (OGNL) injection.
Both vulnerabilities is currently high in dangerousness as there are multiple exploits available in the wild: https://packetstormsecurity.com/files/167430/Confluence-OGNL-Injection-Remote-Code-Execution.html
https://packetstormsecurity.com/files/167449/Atlassian-Confluence-Namespace-OGNL-Injection.html
An example of the payload :
curl -v http://localhost:8090/%24%7B%40java.lang.Runtime%40getRuntime%28%29.exec%28%22touch%20/tmp/pwned%22%29%7D/This is just an encoding for an OGNL expression including java.lang.Runtime to execute a system command: touch /tmp/pwned.COPY
{@java.lang.Runtime@getRuntime().exec(“touch /tmp/pwned”)}
According to stats from internet asset discovery platform Censys, there are about 9,325 services across 8,347 distinct hosts running a vulnerable version of Atlassian Confluence, with most instances located in the U.S., China, Germany, Russia, and France.
For a live dashboard: https://datastudio.google.com/u/0/reporting/1fbdf17c-ae37-4501-bd3f-935b72d1f181/page/2DSuC
The U.S. Cybersecurity and Infrastructure Security Agency (CISA), besides adding the zero-day bug to its Known Exploited Vulnerabilities Catalog, has also urged federal agencies to immediately block all internet traffic to and from the affected products and either apply the patches or remove the instances by June 6, 2022, 5 p.m. ET.
Fix
Released versions 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4 and 7.18.1 which contain a fix for this issue.
Mitigation
If you are unable to upgrade Confluence immediately, then as a temporary workaround, you can mitigate the CVE-2022-26134 issue by updating the following files for the specific version of the product.
More details on the various version in the advisory:
https://confluence.atlassian.com/display/DOC/Confluence+Security+Advisory+2022-06-02
GitLab
A bit dwarfed by the Atlassian vulnerability above GitLab had a serious authentication issue affecting all all versions of GitLab Enterprise Edition (EE) starting from 11.10 before 14.9.5, all versions starting from 14.10 before 14.10.4, and all versions starting from 15.0 before 15.0.1.
CVE-2022-1680, the issue has a CVSS severity score of 9.9
The vulnerability was discovered by the internal security team: https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-1680.json
Official Advisory:
“When group SAML SSO is configured, the SCIM feature (available only on Premium+ subscriptions) may allow any owner of a Premium group to invite arbitrary users through their username and email, then change those users’ email addresses via SCIM to an attacker-controlled email address and thus — in the absence of 2FA — take over those accounts,” GitLab said.
Having achieved this, a malicious actor can also change the display name and username of the targeted account, the DevOps platform provider cautioned in its advisory published on June 1, 2022.
FIX
it is highly recommended that all customers upgrade to the latest security release for their supported version. You can read more best practices in securing your GitLab instance in our blog post.
INFRA/Network
MAC Hardware Vulnerability
A new hardware attack targeting the novel M1 Processor has been recently demonstrated. The attacker can execute arbitrary code on the affected Mac OS
The vulnerability is rooted in pointer authentication codes (PACs), a line of defence introduced in arm64e architecture that aims to detect and secure against unexpected changes to pointers — objects that store a memory address — in memory.
the paper’s lead co-author Ph.D. student Joseph Ravichandran on the processor vulnerability: The idea behind pointer authentication is that if all else has failed, you still can rely on it to prevent attackers from gaining control of your system. We’ve shown that pointer authentication as a last line of defence isn’t as absolute as we once thought it was
https://pacmanattack.com/paper.pdf
Like other vulnerabilities (like spectre) the vulnerability is difficult to replicate. As for spectre the vulnerability fix might lead more likely to the exclusion of the corruptable area so steps in the future to mitigate the vulnerability needs to be carefully considered.
An example of the pointer leak:
The researcher have used the vulnerability for kernel-based attacks but remains very speculative and no weaponization seen in the wild.
Apple said in a statement shared with The Hacker News, pointing out PACMAN’s diminished potential for in-the-wild exploitation.
The researchers do say there is “no immediate call for alarm” because there needs to be a myriad of other breakages in order to for this ‘last line of defence’ to be cracked. The researchers presented their findings to Apple, who responded with a statement to TechCrunch.
Windows – Follina
The vulnerability CVE-2022-30190 (CVSS score: 7.8) has currently no fix available. Currently Tracked in https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-30190
The discovery from the Japanese cybersecurity research team nao_sec started when they discovered a malicious Word file uploaded to VirusTotal from the Belarusian IP address.
The vulnerability exploit get triggered by chaining an HTML file from a remote template that leads to running malicious Powershell code.
The situation is more dangerous as the code is run via the MSDT tool normally run by the support desk to diagnose issues.
Remediation/ workaround
There is still no available patch the step to fix this are:
- To disable the MSDT URL Protocol (modify the register: reg export HKEY_CLASSES_ROOT\ms-msdt filename)
For additional workaround: https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/
Increase dangerousness
Microsoft Defender for Endpoint hasn’t been able to detect the flaw according to the research by Kevin Beaumont who gave a name to this new Microsoft Office code execution vulnerability.
Nonetheless, the following signatures have been released
- Trojan:Win32/Mesdetty.A (blocks msdt command line)
- Trojan:Win32/Mesdetty.B (blocks msdt command line)
- Behavior:Win32/MesdettyLaunch.A!blk (terminates the process that launched msdt command line)
- Trojan:Win32/MesdettyScript.A (to detect HTML files that contain msdt suspicious command being dropped)
- Trojan:Win32/MesdettyScript.B (to detect HTML files that contain msdt suspicious command being dropped)
Follina in the Wild:
Researchers have seen malicious documents exploiting Follina with targets in Russia, India, the Philippines, Belarus, and Nepal. An undergraduate researcher first noticed the flaw in August 2020, but it was first reported to Microsoft on April 21. Researchers also noted that Follina hacks are particularly useful to attackers because they can stem from malicious documents without relying on Macros, the much-abused Office document feature that Microsoft has worked to rein in.
New recent detection have detected potential state sponsor attacks: Follina –
More than 1000 spam email have been recently seen,.
“This campaign masqueraded as a salary increase and utilized an RTF with the exploit payload downloaded from 45.76.53[.]253,” the company said in a series of tweets.
the campaign follows a recent attack
Dog Walk Follina extended attack
Despite the fact that an unofficial security patch has been made available for a new Windows zero-day vulnerability in the Microsoft Support Diagnostic Tool (MSDT), the following flaws continue to get exploited in the wild.
The DOGWALK vulnerability leverage a startup folder exploit. The vulnerability get exploited at when the payload is launched at next user login
DogWalk was originally disclosed by security researcher Imre Rad in January 2020 after Microsoft, having acknowledged the problem, deemed it as not a security issue.
Following some example of virtual patching of this vulnerability
