The Hacker News Logo
Subscribe to Newsletter
CrowdSec

The Hacker News - Cybersecurity News and Analysis: Vulnerability

Solving the indirect vulnerability enigma - fixing indirect vulnerabilities without breaking your dependency tree

Solving the indirect vulnerability enigma - fixing indirect vulnerabilities without breaking your dependency tree

July 01, 2022The Hacker News
Fixing indirect vulnerabilities is one of those complex, tedious and, quite frankly, boring tasks that no one really wants to touch. No one except for  Debricked , it seems. Sure, there are lots of ways to do it manually, but can it be done automatically with minimal risk of breaking changes? The Debricked team decided to find out.  A forest full of fragile trees So, where do you even start? Firstly, there needs to be a way to fix the vulnerability, which, for indirect dependencies, is no walk in the park. Secondly, it needs to be done in a safe way, or, without anything breaking.  You see, indirect dependencies are introduced deep down the dependency tree and it's very tricky to get to the exact version you want. As Debricked's Head of R&D once put it, " You are turning the knobs by playing around with your direct dependencies and praying to Torvalds that the correct indirect packages are resolved. When Torvalds is in your favour, you have to sacrifice some cloud
Amazon Quietly Patches 'High Severity' Vulnerability in Android Photos App

Amazon Quietly Patches 'High Severity' Vulnerability in Android Photos App

July 01, 2022Ravie Lakshmanan
Amazon, in December 2021, patched a high severity vulnerability affecting its  Photos app  for Android that could have been exploited to steal a user's access tokens. "The Amazon access token is used to authenticate the user across multiple Amazon APIs, some of which contain personal data such as full name, email, and address," Checkmarx researchers João Morais and Pedro Umbelino  said . "Others, like the Amazon Drive API, allow an attacker full access to the user's files." The Israeli application security testing company reported the issue to Amazon on November 7, 2021, following which the tech giant rolled out a fix on December 18, 2021. The leak is the result of a misconfiguration in one of the app's components named "com.amazon.gallery.thor.app.activity.ThorViewActivity" that's defined in the  AndroidManifest.xml file  and which, when launched, initiates an HTTP request with a header containing the access token. In a nutshell, it
New UnRAR Vulnerability Could Let Attackers Hack Zimbra Webmail Servers

New UnRAR Vulnerability Could Let Attackers Hack Zimbra Webmail Servers

June 29, 2022Ravie Lakshmanan
A new security vulnerability has been disclosed in RARlab's UnRAR utility that, if successfully exploited, could permit a remote attacker to execute arbitrary code on a system that relies on the binary. The flaw, assigned the identifier CVE-2022-30333, relates to a path traversal vulnerability in the Unix versions of UnRAR that can be triggered upon extracting a maliciously crafted RAR archive. Following responsible disclosure on May 4, 2022, the shortcoming was addressed by RarLab as part of  version 6.12  released on May 6. Other versions of the software, including those for Windows and Android operating systems, are not impacted. "An attacker is able to create files outside of the target extraction directory when an application or victim user extracts an untrusted archive," SonarSource researcher Simon Scannell  said  in a Tuesday report. "If they can write to a known location, they are likely to be able to leverage it in a way leading to the execution of arb
CISA Warns of Active Exploitation of 'PwnKit' Linux Vulnerability in the Wild

CISA Warns of Active Exploitation of 'PwnKit' Linux Vulnerability in the Wild

June 28, 2022Ravie Lakshmanan
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) this week moved to  add  a Linux vulnerability dubbed  PwnKit  to its  Known Exploited Vulnerabilities Catalog , citing evidence of active exploitation. The issue, tracked as  CVE-2021-4034  (CVSS score: 7.8), came to light in January 2022 and concerns a case of  local privilege escalation  in polkit's pkexec utility, which allows an authorized user to execute commands as another user. Polkit (formerly called PolicyKit) is a toolkit for controlling system-wide privileges in Unix-like operating systems, and provides a mechanism for non-privileged processes to communicate with privileged processes. Successful exploitation of the flaw could induce pkexec to execute arbitrary code, granting an unprivileged attacker administrative rights on the target machine. It's not immediately clear how the vulnerability is being weaponized in the wild, nor is there any information on the identity of the threat actor that may
OpenSSL to Release Security Patch for Remote Memory Corruption Vulnerability

OpenSSL to Release Security Patch for Remote Memory Corruption Vulnerability

June 28, 2022Ravie Lakshmanan
The latest version of the OpenSSL library has been discovered as susceptible to a remote memory-corruption vulnerability on select systems. The issue has been identified in OpenSSL  version 3.0.4 , which was released on June 21, 2022, and impacts x64 systems with the  AVX-512  instruction set. OpenSSL 1.1.1 as well as OpenSSL forks BoringSSL and LibreSSL are not affected. Security researcher Guido Vranken, who reported the bug at the end of May,  said  it "can be triggered trivially by an attacker." Although the shortcoming has been  fixed , no patches have been made available as yet. OpenSSL is a popular cryptography library that offers an open source implementation of the Transport Layer Security ( TLS ) protocol. Advanced Vector Extensions ( AVX ) are extensions to the x86 instruction set architecture for microprocessors from Intel and AMD. "I do not think this is a security vulnerability," Tomáš Mráz of the OpenSSL Foundation said in a GitHub issue thread.
Critical PHP Vulnerability Exposes QNAP NAS Devices to Remote Attacks

Critical PHP Vulnerability Exposes QNAP NAS Devices to Remote Attacks

June 22, 2022Ravie Lakshmanan
QNAP, Taiwanese maker of network-attached storage (NAS) devices, on Wednesday said it's in the process of fixing a critical three-year-old PHP vulnerability that could be abused to achieve remote code execution. "A vulnerability has been reported to affect PHP versions 7.1.x below 7.1.33, 7.2.x below 7.2.24, and 7.3.x below 7.3.11 with improper nginx config," the hardware vendor  said  in an advisory. "If exploited, the vulnerability allows attackers to gain remote code execution." The vulnerability, tracked as  CVE-2019-11043 , is rated 9.8 out of 10 for severity on the CVSS vulnerability scoring system. That said, it's required that Nginx and php-fpm are running in appliances using the following QNAP operating system versions - QTS 5.0.x and later QTS 4.5.x and later QuTS hero h5.0.x and later QuTS hero h4.5.x and later QuTScloud c5.0.x and later "As QTS, QuTS hero or QuTScloud does not have nginx installed by default, QNAP NAS are not aff
Over a Dozen Flaws Found in Siemens' Industrial Network Management System

Over a Dozen Flaws Found in Siemens' Industrial Network Management System

June 17, 2022Ravie Lakshmanan
Cybersecurity researchers have disclosed details about 15 security flaws in Siemens SINEC network management system (NMS), some of which could be chained by an attacker to achieve remote code execution on affected systems. "The vulnerabilities, if exploited, pose a number of risks to Siemens devices on the network including denial-of-service attacks, credential leaks, and remote code execution in certain circumstances," industrial security company Claroty  said  in a new report. The shortcomings in question — tracked from CVE-2021-33722 through CVE-2021-33736 — were addressed by Siemens in version V1.0 SP2 Update 1 as part of patches shipped on October 12, 2021. "The most severe could allow an authenticated remote attacker to execute arbitrary code on the system, with system privileges, under certain conditions," Siemens  noted  in an advisory at the time. Chief among the weaknesses is CVE-2021-33723 (CVSS score: 8.8), which allows for privilege escalation to
High-Severity RCE Vulnerability Reported in Popular Fastjson Library

High-Severity RCE Vulnerability Reported in Popular Fastjson Library

June 16, 2022Ravie Lakshmanan
Cybersecurity researchers have detailed a recently patched high-severity security vulnerability in the popular Fastjson library that could be potentially exploited to achieve remote code execution. Tracked as  CVE-2022-25845  (CVSS score: 8.1), the  issue  relates to a case of  deserialization of untrusted data  in a supported feature called "AutoType." It was patched by the project maintainers in  version 1.2.83  released on May 23, 2022. "This vulnerability affects all Java applications that rely on Fastjson versions 1.2.80 or earlier and that pass user-controlled data to either the JSON.parse or JSON.parseObject APIs without specifying a specific  class  to deserialize," JFrog's Uriya Yavnieli  said  in a write-up. Fastjson  is a Java library that's used to convert Java Objects into their  JSON  representation and vice versa.  AutoType , the function vulnerable to the flaw, is enabled by default and is designed to specify a custom type when parsing
Technical Details Released for 'SynLapse' RCE Vulnerability Reported in Microsoft Azure

Technical Details Released for 'SynLapse' RCE Vulnerability Reported in Microsoft Azure

June 14, 2022Ravie Lakshmanan
Microsoft has incorporated additional improvements to address the recently disclosed  SynLapse  security vulnerability in order to meet comprehensive  tenant isolation   requirements  in Azure Data Factory and Azure Synapse Pipelines. The latest safeguards include moving the shared integration runtimes to sandboxed ephemeral instances and using scoped tokens to prevent adversaries from using a client certificate to access other tenants' information. "This means that if an attacker could execute code on the  integration runtime , it is never shared between two different tenants, so no sensitive data is in danger," Orca Security said in a technical report detailing the flaw. In a statement shared with The Hacker News regarding the protections deployed, Microsoft said it fully mitigated different attack paths to the vulnerability across all integration runtime types. The tech giant stated that it "contained and closely monitored the backend certificate for adver
Researchers Warn of Unpatched "DogWalk" Microsoft Windows Vulnerability

Researchers Warn of Unpatched "DogWalk" Microsoft Windows Vulnerability

June 08, 2022Ravie Lakshmanan
An unofficial security patch has been made available for a new Windows zero-day vulnerability in the Microsoft Support Diagnostic Tool (MSDT), even as the Follina flaw continues to be exploited in the wild. The issue — referenced as  DogWalk  — relates to a path traversal flaw that can be exploited to stash a malicious executable file to the Windows Startup folder when a potential target opens a specially crafted ".diagcab" archive file that contains a diagnostics configuration file. The idea is that the payload would get executed the next time the victim logs in to the system after a restart. The vulnerability affects all Windows versions, starting from Windows 7 and Server Server 2008 to the latest releases. DogWalk was originally  disclosed  by security researcher Imre Rad in January 2020 after Microsoft, having acknowledged the problem, deemed it as not a security issue. "There are a number of file types that can execute code in such a way but aren't techni
CISA Warned About Critical Vulnerabilities in Illumina's DNA Sequencing Devices

CISA Warned About Critical Vulnerabilities in Illumina's DNA Sequencing Devices

June 06, 2022Ravie Lakshmanan
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and Food and Drug Administration (FDA) have issued an advisory about critical security vulnerabilities in Illumina's next-generation sequencing ( NGS ) software. Three of the flaws are rated 10 out of 10 for severity on the Common Vulnerability Scoring System ( CVSS ), with two others having severity ratings of 9.1 and 7.4. The issues impact software in medical devices used for "clinical diagnostic use in sequencing a person's DNA or testing for various genetic conditions, or for research use only,"  according to the FDA . "Successful exploitation of these vulnerabilities may allow an unauthenticated malicious actor to take control of the affected product remotely and take any action at the operating system level," CISA  said  in an alert. "An attacker could impact settings, configurations, software, or data on the affected product and interact through the affected product with the c
State-Backed Hackers Exploit Microsoft 'Follina' Bug to Target Entities in Europe and U.S

State-Backed Hackers Exploit Microsoft 'Follina' Bug to Target Entities in Europe and U.S

June 05, 2022Ravie Lakshmanan
A suspected state-aligned threat actor has been attributed to a new set of attacks exploiting the Microsoft Office "Follina" vulnerability to target government entities in Europe and the U.S. Enterprise security firm Proofpoint said it blocked attempts at exploiting the remote code execution flaw, which is being tracked as  CVE-2022-30190  (CVSS score: 7.8). No less than 1,000 phishing messages containing a lure document were sent to the targets. "This campaign masqueraded as a salary increase and utilized an RTF with the exploit payload downloaded from 45.76.53[.]253," the company  said  in a series of tweets. The payload, which manifests in the form of a PowerShell script, is Base64-encoded and functions as a downloader to retrieve a second PowerShell script from a remote server named "seller-notification[.]live." "This script checks for virtualization, steals information from local browsers, mail clients and file services, conducts machine re
Atlassian Releases Patch for Confluence Zero-Day Flaw Exploited in the Wild

Atlassian Releases Patch for Confluence Zero-Day Flaw Exploited in the Wild

June 04, 2022Ravie Lakshmanan
Atlassian on Friday rolled out fixes to address a  critical security flaw  affecting its Confluence Server and Data Center products that have come under active exploitation by threat actors to achieve remote code execution. Tracked as  CVE-2022-26134 , the issue is similar to  CVE-2021-26084  — another security flaw the Australian software company patched in August 2021. Both relate to a case of Object-Graph Navigation Language ( OGNL ) injection that could be exploited to achieve arbitrary code execution on a Confluence Server or Data Center instance. The newly discovered shortcoming impacts all supported versions of Confluence Server and Data Center, with every version after 1.3.0 also affected. It's been resolved in the following versions - 7.4.17 7.13.7 7.14.3 7.15.2 7.16.4 7.17.4 7.18.1 According to stats from internet asset discovery platform  Censys , there are about 9,325 services across 8,347 distinct hosts running a vulnerable version of Atlassian Confluenc
GitLab Issues Security Patch for Critical Account Takeover Vulnerability

GitLab Issues Security Patch for Critical Account Takeover Vulnerability

June 03, 2022Ravie Lakshmanan
GitLab has moved to address a critical security flaw in its service that, if successfully exploited, could result in an account takeover. Tracked as  CVE-2022-1680 , the issue has a CVSS severity score of 9.9 and was discovered internally by the company. The security flaw affects all versions of GitLab Enterprise Edition (EE) starting from 11.10 before 14.9.5, all versions starting from 14.10 before 14.10.4, and all versions starting from 15.0 before 15.0.1. "When group SAML SSO is configured, the SCIM feature (available only on Premium+ subscriptions) may allow any owner of a Premium group to invite arbitrary users through their username and email, then change those users' email addresses via SCIM to an attacker controlled email address and thus — in the absence of 2FA — take over those accounts," GitLab  said . Having achieved this, a malicious actor can also change the display name and username of the targeted account, the DevOps platform provider cautioned in its
Hackers Exploiting Unpatched Critical Atlassian Confluence Zero-Day Vulnerability

Hackers Exploiting Unpatched Critical Atlassian Confluence Zero-Day Vulnerability

June 02, 2022Ravie Lakshmanan
Atlassian has warned of a critical unpatched remote code execution vulnerability impacting Confluence Server and Data Center products that it said is being actively exploited in the wild. The Australian software company credited cybersecurity firm Volexity for identifying the flaw, which is being tracked as  CVE-2022-26134 . "Atlassian has been made aware of current active exploitation of a critical severity unauthenticated remote code execution vulnerability in Confluence Data Center and Server," it  said  in an advisory. "There are currently no fixed versions of Confluence Server and Data Center available. Atlassian is working with the highest priority to issue a fix." Specifics of the security flaw have been withheld until a software patch is available. All supported versions of Confluence Server and Data Center are affected, although it's expected that all versions of the enterprise solution are potentially vulnerable. The earliest impacted version is
New Unpatched Horde Webmail Bug Lets Hackers Take Over Server by Sending Email

New Unpatched Horde Webmail Bug Lets Hackers Take Over Server by Sending Email

June 01, 2022Ravie Lakshmanan
A new unpatched security vulnerability has been disclosed in the open-source Horde Webmail client that could be exploited to achieve remote code execution on the email server simply by sending a specially crafted email to a victim. "Once the email is viewed, the attacker can silently take over the complete mail server without any further user interaction," SonarSource said in a report shared with The Hacker News. "The vulnerability exists in the default configuration and can be exploited with no knowledge of a targeted Horde instance." The issue, which has been assigned the CVE identifier  CVE-2022-30287 , was reported to the vendor on February 2, 2022. The maintainers of the Horde Project did not immediately respond to a request for comment regarding the unresolved vulnerability. At its core, the issue makes it possible for an authenticated user of a Horde instance to run malicious code on the underlying server by taking advantage of a quirk in how the client
Chinese Hackers Begin Exploiting Latest Microsoft Office Zero-Day Vulnerability

Chinese Hackers Begin Exploiting Latest Microsoft Office Zero-Day Vulnerability

May 31, 2022Ravie Lakshmanan
An advanced persistent threat (APT) actor aligned with Chinese state interests has been observed weaponizing the new  zero-day flaw  in Microsoft Office to achieve code execution on affected systems. "TA413 CN APT spotted [in-the-wild] exploiting the Follina zero-day using URLs to deliver ZIP archives which contain Word Documents that use the technique," enterprise security firm Proofpoint  said  in a tweet. "Campaigns impersonate the 'Women Empowerments Desk' of the Central Tibetan Administration and use the domain tibet-gov.web[.]app." TA413  is best known for its campaigns aimed at the Tibetan diaspora to deliver implants such as  Exile RAT  and  Sepulcher  as well as a rogue Firefox browser extension dubbed  FriarFox . The high-severity security flaw, dubbed Follina and tracked as CVE-2022-30190 (CVSS score: 7.8), relates to a case of remote code execution that abuses the "ms-msdt:" protocol URI scheme to execute arbitrary code. Specific
Microsoft Releases Workarounds for Office Vulnerability Under Active Exploitation

Microsoft Releases Workarounds for Office Vulnerability Under Active Exploitation

May 30, 2022Ravie Lakshmanan
Microsoft on Monday published guidance for a newly discovered  zero-day security flaw  in its Office productivity suite that could be exploited to achieve code execution on affected systems. The weakness, now assigned the identifier  CVE-2022-30190 , is rated 7.8 out of 10 for severity on the CVSS vulnerability scoring system. Microsoft Office versions Office 2013, Office 2016, Office 2019, and Office 2021, as well as Professional Plus editions, are impacted.  "To help protect customers, we've published CVE-2022-30190 and additional guidance  here ," a Microsoft spokesperson told The Hacker News in an emailed statement. The  Follina  vulnerability, which came to light late last week, involved a real-world exploit that leveraged the shortcoming in a weaponized Word document to execute arbitrary PowerShell code by making use of the "ms-msdt:" URI scheme. The sample was uploaded to VirusTotal from Belarus. But first signs of exploitation of the flaw date back
Watch Out! Researchers Spot New Microsoft Office Zero-Day Exploit in the Wild

Watch Out! Researchers Spot New Microsoft Office Zero-Day Exploit in the Wild

May 30, 2022Ravie Lakshmanan
Cybersecurity researchers are calling attention to a zero-day flaw in Microsoft Office that could be abused to achieve arbitrary code execution on affected Windows systems. The vulnerability came to light after an independent cybersecurity research team known as nao_sec uncovered a Word document (" 05-2022-0438.doc ") that was uploaded to VirusTotal from an IP address in Belarus. "It uses Word's external link to load the HTML and then uses the 'ms-msdt' scheme to execute PowerShell code," the researchers  noted  in a series of tweets last week. According to security researcher Kevin Beaumont, who dubbed the flaw "Follina," the maldoc leverages Word's  remote template  feature to fetch an HTML file from a server, which then makes use of the "ms-msdt://" URI scheme to run the malicious payload. The shortcoming has been so named because the malicious sample references 0438, which is the area code of Follina, a municipality in t
Experts Detail New RCE Vulnerability Affecting Google Chrome Dev Channel

Experts Detail New RCE Vulnerability Affecting Google Chrome Dev Channel

May 27, 2022Ravie Lakshmanan
Details have emerged about a recently patched critical remote code execution vulnerability in the V8 JavaScript and WebAssembly engine used in Google Chrome and Chromium-based browsers. The issue relates to a case of use-after-free in the instruction optimization component, successful exploitation of which could "allow an attacker to execute arbitrary code in the context of the browser." The flaw, which  was identified  in the Dev channel version of Chrome 101, was reported to Google by Weibo Wang, a security researcher at Singapore cybersecurity company  Numen Cyber Technology  and has since been quietly fixed by the company. "This vulnerability occurs in the instruction selection stage, where the wrong instruction has been selected and resulting in memory access exception," Wang said . Use-after-free flaws  occur  when previous-freed memory is accessed, inducing undefined behavior and causing a program to crash, use corrupted data, or even achieve execution
Online Courses and Software

Sign up for cybersecurity newsletter and get latest news updates delivered straight to your inbox daily.