Tag Archive for: Cyber Security

Markus Feilner

Municipalities, authorities and companies under pressure: serious attacks on the rise, NIS2 becomes mandatory

After experts noticed a rapid increase in cyberattacks on local authorities and government agencies in 2023, the horror stories don’t stop in 2024. The pressure to act is enormous, as the EU’s NIS2 Directive will come into force in October and makes risk and vulnerability management mandatory.

“The threat level is higher than ever,” said Claudia Plattner, President of the German Federal Office for Information Security (BSI), at Bitkom in early March. The question is not whether an attack will be successful, but only when. The BSI’s annual reports, for example the most recent report from 2023, also speak volumes in this regard. However, according to Plattner, it is striking how often local authorities, hospitals and other public institutions are at the centre of attacks. There is “not a problem with measures but with implementation in companies and authorities”, said Plattner. One thing is clear: vulnerability management such as Greenbone’s can provide protection and help to avoid the worst.

US authorities infiltrated by Chinese hackers

In view of the numerous serious security incidents, vulnerability management is becoming more important every year. Almost 70 new security vulnerabilities have been added every day in recent months. Some of them opened the door to attackers deep inside US authorities, as reported in the Greenbone Enterprise Blog:

According to the media, US authorities have been infiltrated by Chinese hacker groups such as the probably state-sponsored “Volt Typhoon” for years via serious security gaps. The fact that Volt Typhoon and similar groups are a major problem was even confirmed by Microsoft itself in a blog back in May 2023. But that’s not all: German media reported that Volt Typhoon is taking advantage of the abundant vulnerabilities in VPN gateways and routers from FortiNet, Ivanti, Netgear, Citrix and Cisco. These are currently considered to be particularly vulnerable.

The fact that the quasi-monopolist in Office, groupware, operating systems and various cloud services also had to admit in 2023 that it had the master key for large parts of its Microsoft cloud let stolen destroyed trust in the Redmond software manufacturer in many places. Anyone who has this key doesn’t need a backdoor for Microsoft systems any longer. Chinese hackers are also suspected in this case.

Software manufacturers and suppliers

The supply chain for software manufacturers has been under particular scrutiny by manufacturers and users not only since log4j or the European Cyber Resilience Act. The recent example of the attack on the XZ compression algorithm in Linux also shows the vulnerability of manufacturers. In the case of the “#xzbackdoor”, a combination of pure coincidence and the activities of Andres Freund, a German developer of open source software for Microsoft with a strong focus on performance, prevented the worst from happening.

An abyss opened up here: It was only thanks to open source development and a joint effort by the community that it came to light that actors had been using changing fake names with various accounts for years with a high level of criminal energy and with methods that would otherwise be more likely to be used by secret services. With little or no user history, they used sophisticated social scams, exploited the notorious overload of operators and gained the trust of freelance developers. This enabled them to introduce malicious code into software almost unnoticed. In the end, it was only thanks to Freund’s interest in performance that the attack was discovered and the attempt to insert a backdoor into a tool failed.

US officials also see authorities and institutions as being particularly threatened in this case, even if the attack appears to be rather untargeted and designed for mass use. The issue is complex and far from over, let alone fully understood. One thing is certain: the usernames of the accounts used by the attackers were deliberately falsified. We will continue to report on this in the Greenbone blog.

European legislators react

Vulnerability management cannot prevent such attacks, but it provides indispensable services by proactively warning and alerting administrators as soon as such an attack becomes known – usually before an attacker has been able to compromise systems. In view of all the difficulties and dramatic incidents, it is not surprising that legislators have also recognised the magnitude of the problem and are declaring vulnerability management to be standard and best practice in more and more scenarios.

Laws and regulations such as the EU’s new NIS2 directive make the use of vulnerability management mandatory, including in the software supply chain. Even if NIS2 only actually applies to around 180,000 organisations and companies in the critical infrastructure (KRITIS) or “particularly important” or “significant” companies in Europe, the regulations are fundamentally sensible – and will be mandatory from October. The EU Commission emphasises that “operators of essential services” must “take appropriate security measures and inform the competent national authorities of serious incidents”. Important providers of digital services such as search engines, cloud computing services and online marketplaces must fulfil the security and notification requirements of the directive.”

Mandatory from October: A “minimum set of cyber security measures”

The “Directive on measures for a high common level of cybersecurity across the Union (NIS2)” forces companies in the European Union to “implement a benchmark of minimum cybersecurity measures”, including risk management, training, policies and procedures, also and especially in cooperation with software suppliers. In Germany, the federal states are to define the exact implementation of the NIS2 regulations.

Do you have any questions about NIS2, the Cyber Resilience Act (CRA), vulnerability management in general or the security incidents described? Write to us! We look forward to working with you to find the right compliance solution and give your IT infrastructure the protection it needs in the face of today’s serious attacks.

To make our ecological progress even more sustainable, we keep up to date with regular internal training courses on energy efficiency. In this way, we are helping to make the world even “greener” outside of Greenbone.

Contact Free Trial Buy Here Back to Overview

/by
Markus Feilner

CISA warning: Serious Security Vulnerability in MS Sharepoint

Two security vulnerabilities in Sharepoint – both from last year – are currently causing trouble for Sharepoint administrators. Because attackers are increasingly exploiting a combination of the two vulnerabilities, the Cybersecurity Infrastructure Security Agency CISA is now also issuing a warning. Affected customers of the Greenbone Enterprise Feed have been warned since June 2023.

Tracking-News: Critical Vunerability in MS Sharepoint

Remote Privilege Execution

The two vulnerabilities CVE-2023-29357 and CVE-2023-24955 together allow attackers to remotely gain administrator rights in a company’s SharePoint server. Details of the attack were published back in September 2023 at the Pwn2Own conference in Vancouver 2023 and can be found on the Singapore Starlabs blog, for example.

Massive attacks have now led to CISA recently issuing a warning about these vulnerabilities and including CVE-2023-29357 in its catalog of known exploited vulnerabilities. However, Greenbone has already had authenticated version checks for both CVEs since around June 2023 and an active check for CVE-2023-29357 since October 2023. Customers of the enterprise products have been receiving these CVEs as a threat for several months – in authenticated and unauthenticated scan mode.

Microsoft advises its customers on its website to update to the SharePoint Server 2019 version of June 13, 2023, (KB5002402), which fixes five critical vulnerabilities, including the first CVE mentioned by CISA. Furthermore, all administrators should install the antivirus software AMSI and activate Microsoft Defender in the SharePoint server. Otherwise, attackers could bypass authentication with fake authentication tokens and gain administrator rights.

Recognising and detecting vulnerabilities in the company at an early stage is important, as the many reports of damaging vulnerabilities show. Greenbone products can take on a lot of work here and ensure security – as a hardware- or virtual appliance or as a cloud service. The Greenbone Enterprise Feed, which feeds all Greenbone security products, receives daily updates and therefore covers a high percentage of risks.

Contact Free Trial Buy Here Back to Overview

/by
Greenbone AG

Tracking News: Juniper Junos Vulnerabilities

5 Known Juniper Junos Vulnerabilities Being Actively Exploited

CISA has added 5 CVEs relating to Juniper Junos (aka Junos OS), to its Known Exploited Vulnerabilities (KEV) catalog. The full exploit chain involves combining several lower-severity CVEs to achieve pre-authentication remote code execution (RCE). The 5 CVEs range in severity from CVSS 9.8 Critical to CVSS 5.3 Medium. Greenbone is equipped with vulnerability tests to identify affected systems.

Understanding the timeline of events should help network defenders grasp how rapidly cyber threats can escalate. In this case a proof-of-concept (PoC) was published just 8 days after the vendor Juniper released its security advisory. Security researchers observed active exploitation just 12 days after the disclosure. Still, it was not until several months later that CISA acknowledged active exploitation. Greenbone Enterprise vulnerability feed added detection tests [1][2] for all impacted versions of the two affected product lines (EX Series Series Ethernet Switches and SRX Series Series Services Gateways) on August 18, 2023, immediately after they were disclosed.

Here is a brief description of each CVE:

  • CVE-2023-36844 (CVSS 5.3 Medium): A PHP External Variable Modification [CWE-473] vulnerability exists in J-Web, a tool used for remote configuration and management of Junos OS. The vulnerability allows an unauthenticated, network-based attacker to modify sensitive PHP environment variables. CVE-2023-36844 allows chaining to other vulnerabilities that lead to unauthenticated RCE.
  • CVE-2023-36845 (CVSS 9.8 Critical): A PHP External Variable Modification vulnerability [CWE-473] in J-Web allows an unauthenticated, network-based attacker to remotely execute code. Using a crafted request that sets the variable PHPRC an attacker is able to modify the PHP execution environment to inject and execute code.
  • CVE-2023-36846 (CVSS 5.3 Medium): A Missing Authentication for Critical Function [CWE-306] vulnerability in Juniper Networks Junos OS allows an unauthenticated, network-based attacker to impact file system integrity with a specific request to user.php via J-Web. Without authentication, an attacker is able to upload arbitrary files [CWE-434] which allows chaining to other vulnerabilities including unauthenticated RCE.
  • CVE-2023-36847 (CVSS 5.3 Medium): A Missing Authentication for Critical Function [CWE-306] vulnerability in Juniper Networks Junos OS allows an unauthenticated, network-based attacker to impact file system integrity. With a malicious request to installAppPackage.php via J-Web an attacker is able to upload arbitrary files [CWE-434] without authentication, which may allow chaining to other vulnerabilities that lead to RCE.
  • CVE-2023-36851 (CVSS 5.3 Medium): A Missing Authentication for Critical Function [CWE-306] vulnerability in Juniper Networks Junos OS allows an unauthenticated, network-based attacker to impact file system integrity. With a specific request to webauth_operation.php that doesn’t require authentication, an attacker is able to upload arbitrary files via J-Web [CWE-434], leading to a loss of integrity for a certain part of the file system and chaining to other vulnerabilities.

Understanding The Attack Trajectory

Several of the CVEs listed above are classified as Missing Authentication for Critical Function [CWE-306] vulnerabilities meaning that various functions of the J-Web device management web application do not implement proper authentication checks.

Here is a summary of how these vulnerabilities were chained together for unauthenticated RCE:

The J-Web application is written in PHP which, as the watchTowr researchers noted, is known for its usability at the cost of security. In the case of CVE-2023-36846, J-web’s `webauth_operation.php` file implemented a different method for authentication than the rest of the application. This file instead invokes the `sajax_handle_client_request()` function and submits the value of ‘false’ as the `doauth` parameter, resulting in no authentication being performed. The aforementioned `sajax_handle_client_request()` function is designed to execute J-web’s built-in functions by specifying them as a $_POST variable, including the `do_upload()` function, used to upload files.

CVE-2023-36845 is a vulnerability in the Junos web server that allows system environment variables to be set via the `name` field of an HTTP POST request when a`Content-Type: multipart/form-data` header is used. Two exploits matching the description of CVE-2023-36845 were previously disclosed for the GoAhead IoT web server and tracked as CVE-2017-17562 and CVE-2021-42342, indicating that the Junos web server likely implements the GoAhead proprietary web-server.

Executing the uploaded file is possible by setting the PHPRC environment variable, using it to load an unauthorized PHP configuration `php.ini` file also uploaded via CVE-2023-36846 that contains a malicious `auto_prepend_file` setting directing PHP to execute the first uploaded file every time a page is loaded. Here is the complete example chain

Mitigation Of Recent Juniper Junos Vulnerabilities

The 5 new CVEs affect Juniper Networks Junos OS on EX Series Series Ethernet Switches and SRX Series Series Services Gateways. Specifically Junos OS version 20.4 and prior, 21.1, 21.2, 21.3, 21.4, 22.1, 22.2, 22.3, 22.4 and 23.2 on the EX and SRX Series appliances.

The best mitigation option is to install the security patches to Junos OS. If you cannot install the official provided security patches, completely disabling the J-Web interface, or configuring firewalls with an accept list to restrict access to only trusted hosts can prevent exploitation. In general, strictly limiting access to critical servers and network appliances to only client IP addresses that require access can prevent exploitation of similar yet undiscovered remotely exploitable zero-day vulnerabilities.

Contact Free Trial Buy Here Back to Overview

/by
Greenbone AG

The new SMP federal portal in partnership with the Federal Office for Information Security (BSI)

We at Greenbone are excited to introduce the innovative Greenbone SMP-Bund-Portal in collaboration with the Federal Office for Information Security (BSI). As a leading provider of IT security solutions, we are proud to offer this platform specifically tailored to the needs of federal agencies.

A Portal Setting Standards

The Greenbone SMP-Bund-Portal is the central point of contact for IT security and vulnerability management. It has been developed to provide agencies with concrete support in addressing current IT security challenges.

Many Advantages for Federal Agencies

  1. Easy-to-Understand Insights: The portal offers clear and user-friendly information about vulnerability management. It is ideal for both beginners and experts in IT security.
  2. Exclusive Framework Contract Conditions: Federal agencies enjoy special offers and benefits. The obligation to issue public tenders is eliminated, saving time and resources.
  3. Personal Support: Our competent support team is always at our customers’ side to answer questions and ensure support.
  4. Direct Access to the Agency Sales Team: Expert advice from our team, which is well-versed in the specific requirements of federal agencies. We look forward to furthering our trusted collaboration with the BSI and are available for any questions.
  5. Opportunity for Exchange: Use the shared forum to share your experiences and questions.

https://smp-bund.greenbone.net/

Contact Free Trial Buy Here Back to Overview

/by
Greenbone AG

The Confluence of Open Source and Cybersecurity in companies: Insights from Greenbone at #OSXP2023 in Paris

International panel discussion on effective cybersecurity at #OSXP2023

At the esteemed #OSXP2023 event, that took place in Paris, our participation in the “Cybersécurité et open source” roundtable brought forward critical discussions on improving cybersecurity in companies. The panel, including distinguished experts from the academic and governmental sectors, delved into strategies and points of vigilance essential for robust cybersecurity.

1. The Mindset of Security

Security by Design: A Leadership Commitment

  • The panel emphasized the importance of incorporating security from the initial stages of development. This approach requires a commitment from the top management to prioritize security in all business operations.

A Mentality Focused on Secure and Protected Solutions

  • Companies must cultivate a culture where security is an integral part of the thinking process, aiming to deliver solutions that are inherently secure and protected.

2. Implementing Key Processes

Adherence to Standards and Automation

  • The importance of adhering to established cybersecurity standards was underscored, with a recommendation to automate processes wherever possible to ensure consistency and efficiency.

No Deployment Without Security Compliance

  • It was strongly advised that no deployments or actions should proceed without meeting the necessary security requirements.

3. Resources: Empowering Teams and Enhancing Vigilance

Dedicated Security Teams and Training

  • Having specialized security teams and conducting regular training sessions were identified as crucial for maintaining a high level of security awareness and preparedness.

Vigilance as a Continuous Effort

  • Continuous vigilance was highlighted as a key resource, ensuring that security measures are always up-to-date and effective.

4. Essential Tools and Technologies

Mandatory Multi-Factor Authentication (MFA)

  • Implementing MFA as a compulsory measure we recommend enhancing account security significantly.

Vulnerability Scanners and Dependance Management

  • Utilizing vulnerability scanners and managing dependencies and configurations were suggested as vital tools. While platforms like GitHub Enterprise may be costly, they offer comprehensive solutions for these needs.

Conclusion: Education, Awareness, and the Use of Open-Source Tools

In conclusion, the panel at #OSXP2023, including our expert Corentin Bardin, a cyber security specialist and pen tester, highlighted the importance of continuous education and staying updated in the rapidly evolving cybersecurity landscape. They advocated for the use of open-source tools to bolster security measures.

The key takeaway from the discussion is the commitment to offering secure services. It’s not just about the tools and processes; it’s about the mindset and ongoing effort to stay vigilant and informed.


Contact Free Trial Buy Here Back to Overview

/by
Elmar Geese

Supposedly pro-Russian hackers try to exploit Sharepoint vulnerability

Update from 2023-12-06:

Last week, we reported on pro-Russian hacktivists scanning for vulnerable SharePoint Servers to exploit a critical vulnerability (CVE-2023-29357).

New findings suggest that the group, calling themselves “Zarya”, is undertaking various exploit-attempts, including directory traversal and targeting specific vulnerabilities in systems such as OpenWRT-Routers. The IP address 212.113.106.100, associated with these activities, has been observed in several different exploit attempts. In addition to simple reconnaissance, specific attacks on configuration files and Admin-APIs have been detected. This case re-emphasizes the importance of securing systems against such threats and shows, how unprotected or poorly configured systems can become targets of such attacks.

A critical vulnerability for Sharepoint (CVE-2023-29357), is being targeted by presumably pro-Russian attackers who are trying to exploit this vulnerability.

The Internet Storm Center has discovered corresponding activity on its honeypots. The severity for this vulnerability is critical (a score of 9.8 out of 10), and the attack complexity is very low, making this vulnerability particularly dangerous. Greenbone customers can benefit from the automatic detection of this vulnerability in our Enterprise Feed. Microsoft offers a security update since June 12, 2023, Microsoft customers who missed the update should install it now.


Contact Free Trial Buy Here Back to Overview

/by
Greenbone AG

IT security update November 2023: Critical vulnerabilities and threats

In the November 2023 commVT Intelligence Update, several critical vulnerabilities and security threats have come to light. Cisco’s Internetworking Operating System (IOS) XE Software Web User Interface (UI) was found to be vulnerable to two actively exploited critical vulnerabilities, allowing attackers to execute arbitrary code remotely. The curl command-line tool, widely used across various platforms, faced a serious vulnerability that could result in arbitrary code execution during SOCKS5 proxy handshakes. VMware is urging immediate updates for its vCenter Server due to a critical vulnerability potentially leading to remote code execution. Multiple vulnerabilities were found in versions of PHP 8; one is a particularly critical deserialization vulnerability in the PHAR extraction process. Additionally, SolarWinds Access Rights Manager (ARM) was found susceptible to multiple critical vulnerabilities, emphasizing the urgency to update to version 2023.2.1. Lastly, two F5 BIG-IP vulnerabilities were discovered to be actively exploited, with mitigation options available and outlined below.

Cisco IOS XE: Multiple Critical Vulnerabilities

Two actively exploited critical CVSS 10 vulnerabilities were discovered in Cisco’s Internetworking Operating System (IOS) XE Software Web User Interface (UI); CVE-2023-20198 and CVE-2023-20273. Combined, they allow an attacker to remotely execute arbitrary code as the system user and are estimated to have been used to exploit tens of thousands of vulnerable devices within the past few weeks. Greenbone has added detection for both the vulnerable product by version [1], and another aimed at detecting the BadCandy implanted configuration file [2]. Both are VTs included in Greenbone’s Enterprise vulnerability feed.

Cisco IOS was created in the 1980s and used as the embedded OS in the networking technology giant’s routers. Fast forward to 2023, IOS XE is a leading enterprise networking full-stack software solution that powers Cisco platforms for access, distribution, core, wireless, and WAN. IOS XE is Linux-based, and specially optimized for networking and IT infrastructure, routing, switching, network security, and management. Cisco devices are pervasive in global IT infrastructure and used by organizations of all sizes, including large-scale enterprises, government agencies, critical infrastructure, and educational institutions.

Here’s how the two recently disclosed CVEs work:

CVE-2023-20198 (CVSS 10 Critical): Allows a remote, unauthenticated attacker to create an account [T1136] on an affected system with privilege level 15 (aka privileged EXEC level) access [CWE-269]. Privilege level 15 is the highest level of access to Cisco IOS. The attacker can then use that account to gain control of the affected system.
CVE-2023-20273 (CVSS 7.2 High): A regular user logged into the IOS XE web UI, can inject commands [CWE-77] that are subsequently executed on the underlying system with the system (root) privileges. This vulnerability is caused by insufficient input validation [CWE-20]. CVE is also associated with a Lua-based web-shell [T1505.003] implant dubbed “BadCandy”. BadCandy consists of an Nginx configuration file named `cisco_service.conf` that establishes a URI path to interact with the web-shell implant but requires the webserver to be restarted.

Cisco has released software updates for mitigating both CVEs in IOS XE software releases, including versions 17.9, 17.6, 17.3, and 16.12 as well as available Software Maintenance Upgrades (SMUs) and IT security teams are strongly advised to urgently install them. Cisco has also released associated indicators of compromise (IoC), Snort rules for detecting active attacks, and a TAC Technical FAQs page. Disabling the web UI prevents exploitation of these vulnerabilities and may be suitable mitigation until affected devices can be upgraded. Publicly released proof of concept (PoC) code [1][2] and a Metasploit module further increase the urgency to apply the available security updates.

Critical Vulnerability In The Curl Tool

A widespread vulnerability has been discovered in the popular curl command line tool, libcurl, and the many software applications that leverage them across a wide number of platforms. Tracked as CVE-2023-38545 (CVSS 9.8 Critical), the flaw makes curl overflow a heap-based buffer [CWE-122]] in the SOCKS5 proxy handshake that can result in arbitrary code execution [T1203]. Greenbone’s community feed includes several NVTs [1] to detect many of the affected software products and will add additional detections for CVE-2023-38545 as more vulnerable products are identified.

CVE-2023-38545 is a client-side vulnerability exploitable when passing a hostname to the SOCKS5 proxy that exceeds the maximum length of 255 bytes. If supplied with an excessively long hostname, curl is supposed to use local name resolution and pass it on to the resolved address only. However, due to the CVE-2023-38545 flaw, curl may actually copy the overly long hostname to the target buffer instead of copying just the resolved address there. The target buffer, being a heap-based buffer, and the hostname coming from the URL results in the heap-based overflow.

While the severity of the vulnerability is considered high because it can be exploited remotely and has a high impact to the confidentiality, integrity, and availability (CIA) of the underlying system, the SOCKS5 proxy method is not the default connection mode and must be declared explicitly. Additionally, for an overflow to happen an attacker also needs to cause a slow enough SOCKS5 handshake to trigger the bug. All versions of curl are affected between v7.69.0 (released March 4th, 2020) until v8.3.0. The vulnerable code was patched in v8.4.0 commit 4a4b63daaa.

VMware vCenter Server: Multiple Vulnerabilities

CVE-2023-34048 is a critical severity vulnerability that could allow a malicious actor with network access to vCenter Server to cause an out-of-bounds write [CWE-787] potentially leading to remote code execution (RCE). The affected software includes VMware vCenter Server versions 6.5, 6.7, 7.0, and 8.0. VMWare has issued a security advisory to address both vulnerabilities which states that there are no known mitigations other than installing the provided updates. Both vulnerabilities can be detected by Greenbone’s enterprise vulnerability feed [1]. The vCenter Server patch also fixes CVE-2023-34056, a medium-severity information disclosure resulting from improper authorization [CWE-285].

Although there are no reports that CVE-2023-34048 is being actively exploited in the wild attackers have proven adept at swiftly converting threat intelligence into exploit code. Research by Palo Alto Networks Unit 42 threat research group shows that on average an exploit is published 37 days after a security patch is released.

Here are some brief details on both CVEs:

CVE-2023-34048 (CVSS 9.8 Critical): vCenter Server contains an out-of-bounds write [CWE-787] vulnerability in the implementation of the DCERPC protocol. A malicious actor with network access to vCenter Server may trigger this vulnerability to achieve remote code execution (RCE). The Distributed Computing Environment Remote Procedure Call (DCERPC) protocol facilitates remote procedure calls (RPC) in distributed computing environments, allowing applications to communicate and invoke functions across networked systems.
CVE-2023-34056 (CVSS 4.3 Medium): vCenter Server contains a partial information disclosure vulnerability. A malicious actor with non-administrative privileges to vCenter Server may leverage this issue to access unauthorized data.

Multiple Vulnerabilities Discovered In PHP 8

Several vulnerabilities were identified in PHP 8.0.X before 8.0.28, 8.1.X before 8.1.16 and 8.2.X before 8.2.3. Although the group of vulnerabilities does include one critical and two high-severity vulnerabilities, these require particular contexts to be present for exploitation; either deserializing PHP applications using PHAR or else using PHP’s core path resolution functions on untrusted input. Greenbone’s enterprise VT feed includes multiple detection tests for these vulnerabilities across multiple platforms.

Here are brief descriptions of the most severe recent PHP 8 vulnerabilities:

CVE-2023-3824 (CVSS 9.8 Critical): A PHAR file (short for PHP Archive) is a compressed packaging format in PHP, which is used to distribute and deploy complete PHP applications in a single archive file. While reading directory entries during the PHAR archive loading process, insufficient length checking may lead to a stack buffer overflow [CWE-121], potentially leading to memory corruption or remote code execution (RCE).
CVE-2023-0568 (CVSS 8.1 High): PHP’s core path resolution function allocates a buffer one byte too small. When resolving paths with lengths close to the system `MAXPATHLEN` setting, this may lead to the byte after the allocated buffer being overwritten with NULL value, which might lead to unauthorized data access or modification. PHP’s core path resolution is used for the `realpath()` and `dirname()` functions, when including other files using the `include()`, `include_once()`, `require()`, and `require_once()`, and during the process of resolving PHP’s “magic” constants” such as `__FILE__` and `__DIR__`.
CVE-2023-0567 (CVSS 6.2 Medium): PHP’s `password_verify()` function may accept some invalid Blowfish hashes as valid. If such an invalid hash ever ends up in the password database, it may lead to an application allowing any password for this entry as valid [CWE-287]. Notably, this vulnerability has been assigned different CVSS scores by NIST (CVSS 6.2 Medium) and the PHP group CNA (CVSS 7.7 High), the difference being that the PHP Group CNA considers CVE-2023-0567 a high risk to confidentiality while NIST does not. CNAs are a group of independent vendors, researchers, open source software developers, CERT, hosted service, and bug bounty organizations authorized by the CVE Program to assign CVE IDs and publish CVE records within their own specific scopes of coverage.

SolarWinds Access Rights Manager (ARM): Multiple Critical Vulnerabilities

SolarWinds Access Rights Manager (ARM) prior to version 2023.2.1 is vulnerable to 8 different exploits; one critical and two additional high-severity vulnerabilities (CVE-2023-35182, CVE-2023-35185, and CVE-2023-35187). These include authenticated and unauthenticated privilege escalation [CWE-269], directory traversal [CWE-22], and remote code execution (RCE) at the most privileged “SYSTEM” level. Greebone’s Enterprise vulnerability feed includes both local security check (LSC) [1] and remote HTTP detection [2].

SolarWinds ARM is an enterprise access control software for Windows Active Directory (AD) networks and other resources such as Windows File Servers, Microsoft Exchange services, and Microsoft SharePoint as well as virtualization environments, cloud services, NAS devices, and more. The widespread use of ARM and other SolarWinds software products means that its vulnerabilities have a high potential to impact a wide range of large organizations including critical infrastructure.

These and more recent vulnerabilities are disclosed in SolarWinds’ security advisories. Although no reports of active exploitation have been released, mitigation is highly recommended and available by installing SolarWinds ARM version 2023.2.1.

F5 BIG-IP: Unauthenticated RCE And Authenticated SQL Injection Vulnerabilities

Two RCE vulnerabilities in F5 BIG-IP, CVE-2023-46747 (CVSS 9.8 Critical) and CVE-2023-46748 (CVSS 8.8 High), have been observed by CISA to be actively exploited in the wild soon after PoC code was released for CVE-2023-46747. A Metasploit exploit module has also since been published. F5 BIG-IP is a family of hardware and software IT security products for ensuring that applications are always secure and perform the way they should. The platform is produced by F5 Networks, and it focuses on application services ranging from access and delivery to security. Greenbone has added detection for both CVEs [1][2].

CVE-2023-46747 is a remote authentication bypass [CWE-288] vulnerability while CVE-2023-46748 is a remote SQL injection vulnerability [CWE-89] that can only be exploited by an authenticated user. The affected products include the second minor release (X.1) for major versions 14-17 of BIG-IP Advanced Firewall Manager (AFM) and F5 Networks BIG-IP Application Security Manager (ASM).

If you are running an affected version you can eliminate this vulnerability by installing the vendor-provided HOTFIX updates [1][2]. The term “hotfix” implies that the patch can be applied to a system while it is running and operational, without the need for a shutdown or reboot. If updating is not an option, CVE-2023-46747 can be mitigated by downloading and running a bash script that adds or updates the `requiredSecret` attribute in the Tomcat configuration, which is used for authentication between Apache and Tomcat, and CVE-2023-46748 can be mitigated by restricting access to the Configuration utility to allow only trusted networks or devices, and ensuring only trusted user accounts exist thereby limiting the attack surface.


Contact Free Trial Buy Here Back to Overview

/by
Markus Feilner

CVE News: Critical vulnerabilities Atlassian and F5 Big vulnerability tests released by Greenbone

Our developers have provided vulnerability tests for two critical vulnerabilities in widely used enterprise software. Within a very short time, tests for CVE 2023-22518 und CVE 2023-46747 were integrated, and customers of Greenbone’s Enterprise Feed were protected.

Knowledge management tools Confluence and Jira from Australian vendor Atlassian have been hit by a serious security vulnerability, rated 9.8 out of 10 on the CERT scale. Since November 8, CVE 2023-22518 has been actively exploited by attackers gaining unauthorized access to company data, according to media reports.

According to the company, the “authentication flaw” affects all versions of Confluence Data Center and Server, but not the cloud version at Atlassian itself. For anyone else, including users of Jira, but especially all publicly accessible Confluence servers, there is a “high risk and need to take immediate action”, writes Atlassian.

We reacted quickly and provided our customers with appropriate tests before ransomware attacks could be successful. Customers of the Greenbone Enterprise Feed were warned and reminded of the patch via update.

Remote code execution: F5 BIG-IP allows request smuggling

Also at the end of October, security researchers from Praetorian Labs discovered a serious vulnerability (CVE-2023-46747) in the products of application security expert F5. The American company’s solutions are designed to protect large networks and software environments; the software, which was launched in 1997 as a load balancer, is primarily used in large enterprises.

However, according to the experts, attackers can remotely execute code on the BIG-IP servers by adding arbitrary system commands to the administration tools via manipulated URLs. Details can be found at Praetorian; patches are available, and a long list of BIG-IP products of versions 13, 14, 15, 16, and 17 are affected, both in hardware and software.

We reacted quickly and integrated tests into its vulnerability scanners on the same day, which test the BIG-IP installations at Greenbone Enterprise for vulnerable versions and, if necessary, point to the patches listed at F5.

Our vulnerability management products, the Greenbone Enterprise Appliances, offer the best protection.

Professional vulnerability management is an indispensable part of IT security. It enables the early detection of risks and provides valuable instructions for their elimination.
The Greenbone Enterprise Feed is updated daily to detect new vulnerabilities. We therefore recommend that you regularly update and scan all your systems. Please also read this article on IT security and the timeline of common attack vectors.


Contact Free Trial Buy Here Back to Overview

/by
Elmar Geese

Current Report on the State of IT Security in Germany 2023

On November 2, Federal Minister of the Interior Nancy Faeser and Claudia Plattner, President of the Federal Office for Information Security (BSI), presented the latest report on the state of IT security in Germany. Attacks with ransomware represent the largest and most frequent risk, but by far not the only one. As long as these attacks cannot be completely prevented, systems must become more secure in order to prevent or at least reduce damage.

In Germany, there are a number of initiatives to improve vulnerability management. These include the National IT Security Act (IT-SiG) and the BSI’s IT-Grundschutz Compendium. The “nationwide situation picture” rightly called for by BSI President Claudia Plattner can thus map the threat situation to the situation of vulnerable systems, thereby helping to warn in advance and respond quickly and effectively in the specific event of an attack.

“Digitization makes many things in our everyday lives easier. At the same time, it creates new areas of attack,” says Federal Minister of the Interior Nancy Faeser. We need to counter the growing risks posed by progressive networking with automated tools and processes. By using them, companies and organizations can better protect their IT systems and reduce the probability of a successful cyber attack.

Insecure systems make it easier for attackers to cause damage. Improving vulnerability management is therefore an important step toward increasing IT security in Germany.Insecure systems make it easier for attackers to wreak havoc. Improving vulnerability management is therefore an important step towards increasing IT security in Germany.

Contact Free Trial Buy Here Back to Overview

/by
Greenbone AG

Critical vulnerability in Citrix Netscaler: Greenbone provides tests.

On October 10th, Citrix officially informed about the vulnerability in the Netscaler software, CVE-2023-4966, which is categorized as “critical” according to CVSS with a score of 9.4 and allows unauthorized access to corporate networks.

Greenbone has reacted to these vulnerabilities and implemented vulnerability tests at an early stage. Greenbone customers using the Citrix Netscaler Gateway, or ADC, are therefore on the safe side.

Nevertheless, the vulnerability is serious, which is why the BSI issues an urgent warning:

“The vulnerability allows attackers to disclose sensitive information without authentication. This allows authenticated sessions to be hijacked and multifactor authentication (MFA) or other means of authentication to be bypassed”.

The vulnerability, which has been actively exploited since the end of August, has been reported in numerous media outlets. Users should install the patches provided by Citrix as soon as possible. Citrix’s NetScaler ADC and NetScaler Gateway products, versions 13 and 14, and versions 12 and 13 of NetScaler ADC are affected. In addition to CVE-2023-4966, an advisory has been issued for CVE-2023-4967, which allows a Denial of Service (DoS).

Keep your IT networks secure!

Vulnerability management is a key tool in securing IT networks. It enables you to identify and eliminate potential risks in your systems. The Greenbone Enterprise Feed is updated daily to detect new vulnerabilities. Therefore, we recommend regular updates and scans for all your systems. Please also read this article about IT security and the timeline of common attack vectors.

The Greenbone Enterprise Appliances are offered as hardware, virtual appliances, or on premise (Greenbone Cloud Service). Greenbone works GDPR-compliant and offers an open-source solution. This means the best data protection compliance and is thus guaranteed to be completely free of backdoors.


Contact Free Trial Buy Here Back to Overview

/by