The Hacker News Logo
Subscribe to Newsletter
CrowdSec

The Hacker News - Cybersecurity News and Analysis: Vulnerability

GitLab Releases Patch for Critical Vulnerability That Could Let Attackers Hijack Accounts

GitLab Releases Patch for Critical Vulnerability That Could Let Attackers Hijack Accounts

April 01, 2022Ravie Lakshmanan
DevOps platform GitLab has released software updates to address a critical security vulnerability that, if potentially exploited, could permit an adversary to seize control of accounts. Tracked as  CVE-2022-1162 , the issue has a CVSS score of 9.1 and is said to have been discovered internally by the GitLab team. "A hardcoded password was set for accounts registered using an  OmniAuth provider  (e.g., OAuth, LDAP, SAML) in GitLab CE/EE versions 14.7 prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2 allowing attackers to potentially take over accounts," the company  said  in an advisory published on March 31. GitLab, which has addressed the bug with the latest release of versions 14.9.2, 14.8.5, and 14.7.7 for GitLab Community Edition (CE) and Enterprise Edition (EE), also said it took the step of resetting the password of an unspecified number of users out of an abundance of caution. "Our investigation shows no indication that users or accounts have
Chinese Hackers Target VMware Horizon Servers with Log4Shell to Deploy Rootkit

Chinese Hackers Target VMware Horizon Servers with Log4Shell to Deploy Rootkit

April 01, 2022Ravie Lakshmanan
A Chinese advanced persistent threat tracked as Deep Panda has been observed exploiting the  Log4Shell vulnerability  in VMware Horizon servers to deploy a backdoor and a novel rootkit on infected machines with the goal of stealing sensitive data. "The nature of targeting was opportunistic insofar that multiple infections in several countries and various sectors occurred on the same dates,"  said  Rotem Sde-Or and Eliran Voronovitch, researchers with Fortinet's FortiGuard Labs, in a report released this week. "The victims belong to the financial, academic, cosmetics, and travel industries." Deep Panda , also known by the monikers Shell Crew, KungFu Kittens, and Bronze Firestone, is said to have been active since at least 2010, with recent attacks "targeting legal firms for data exfiltration and technology providers for command-and-control infrastructure building,"  according  to Secureworks. Cybersecurity firm CrowdStrike, which assigned the panda
Apple Issues Patches for 2 Actively Exploited Zero-Days in iPhone, iPad and Mac Devices

Apple Issues Patches for 2 Actively Exploited Zero-Days in iPhone, iPad and Mac Devices

March 31, 2022Ravie Lakshmanan
Apple on Thursday rolled out emergency patches to address two zero-day flaws in its  mobile  and  desktop operating systems  that it said may have been exploited in the wild. The shortcomings have been fixed as part of updates to iOS and iPadOS 15.4.1, macOS Monterey 12.3.1, tvOS 15.4.1, and watchOS 8.5.1. Both the vulnerabilities have been reported to Apple anonymously. Tracked as  CVE-2022-22675 , the issue has been described as an  out-of-bounds write  vulnerability in an audio and video decoding component called AppleAVD that could allow an application to execute arbitrary code with kernel privileges. Apple said the defect was resolved with improved bounds checking, adding it's aware that "this issue may have been actively exploited." The latest version of macOS Monterey, besides fixing CVE-2022-22675, also includes remediation for  CVE-2022-22674 , an  out-of-bounds read  issue in the Intel Graphics Driver module that could enable a malicious actor to read kern
Honda’s Keyless Access Bug Could Let Thieves Remotely Unlock and Start Vehicles

Honda's Keyless Access Bug Could Let Thieves Remotely Unlock and Start Vehicles

March 30, 2022Ravie Lakshmanan
A duo of researchers has released a proof-of-concept (PoC) demonstrating the ability for a malicious actor to remote lock, unlock, and even start Honda and Acura vehicles by means of what's called a replay attack. The attack is made possible, thanks to a vulnerability in its remote keyless system ( CVE-2022-27254 ) that affects Honda Civic LX, EX, EX-L, Touring, Si, and Type R models manufactured between 2016 and 2020. Credited with discovering the issue are Ayyappan Rajesh, a student at UMass Dartmouth, and Blake Berry (HackingIntoYourHeart). "A hacker can gain complete and unlimited access to locking, unlocking, controlling the windows, opening the trunk, and starting the engine of the target vehicle where the only way to prevent the attack is to either never use your fob or, after being compromised (which would be difficult to realize), resetting your fob at a dealership," Berry  explained  in a GitHub post. The underlying issue is that the remote key fob on the a
Muhstik Botnet Targeting Redis Servers Using Recently Disclosed Vulnerability

Muhstik Botnet Targeting Redis Servers Using Recently Disclosed Vulnerability

March 27, 2022Ravie Lakshmanan
Muhstik, a botnet infamous for propagating via web application exploits, has been observed targeting Redis servers using a recently disclosed vulnerability in the database system. The vulnerability relates to  CVE-2022-0543 , a  Lua sandbox escape flaw  in the open-source, in-memory, key-value data store that could be abused to achieve remote code execution on the underlying machine. The vulnerability is rated 10 out of 10 for severity. "Due to a packaging issue, a remote attacker with the ability to execute arbitrary Lua scripts could possibly escape the Lua sandbox and execute arbitrary code on the host," Ubuntu noted in an advisory released last month. According to  telemetry data  gathered by Juniper Threat Labs, the attacks leveraging the new flaw are said to have commenced on March 11, 2022, leading to the retrieval of a malicious shell script ("russia.sh") from a remote server, which is then utilized to fetch and execute the botnet binaries from another s
Google Issues Urgent Chrome Update to Patch Actively Exploited Zero-Day Vulnerability

Google Issues Urgent Chrome Update to Patch Actively Exploited Zero-Day Vulnerability

March 25, 2022Ravie Lakshmanan
Google on Friday shipped an out-of-band security update to address a high severity vulnerability in its Chrome browser that it said is being actively exploited in the wild. Tracked as  CVE-2022-1096 , the zero-day flaw relates to a type confusion vulnerability in the V8 JavaScript engine. An anonymous researcher has been credited with reporting the bug on March 23, 2022. Type confusion errors, which arise when a resource (e.g., a variable or an object) is accessed using a type that's incompatible to what was originally initialized, could have serious consequences in languages that are not  memory safe  like C and C++, enabling a malicious actor to perform out-of-bounds memory access. "When a memory buffer is accessed using the wrong type, it could read or write memory out of the bounds of the buffer, if the allocated buffer is smaller than the type that the code is attempting to access, leading to a crash and possibly code execution," MITRE's Common Weakness Enum
North Korean Hackers Exploited Chrome Zero-Day to Target Fintech, IT, and Media Firms

North Korean Hackers Exploited Chrome Zero-Day to Target Fintech, IT, and Media Firms

March 24, 2022Ravie Lakshmanan
Google's Threat Analysis Group (TAG) on Thursday disclosed that it acted to mitigate threats from two distinct government-backed attacker groups based in North Korea that exploited a recently-uncovered remote code execution flaw in the Chrome web browser. The campaigns, once again "reflective of the regime's immediate concerns and priorities," are said to have targeted U.S. based organizations spanning news media, IT, cryptocurrency, and fintech industries, with one set of the activities sharing direct infrastructure overlaps with previous attacks  aimed at security researchers  last year. The shortcoming in question is  CVE-2022-0609 , a use-after-free vulnerability in the browser's Animation component that Google addressed as part of updates (version 98.0.4758.102) issued on February 14, 2022. It's also the first zero-day flaw patched by the tech giant since the start of 2022. "The earliest evidence we have of this exploit kit being actively deploy
The Continuing Threat of Unpatched Security Vulnerabilities

The Continuing Threat of Unpatched Security Vulnerabilities

March 07, 2022The Hacker News
Unpatched software is a computer code containing known security weaknesses. Unpatched vulnerabilities refer to weaknesses that allow attackers to leverage a known security bug that has not been patched by running malicious code. Software vendors write additions to the codes, known as "patches," when they come to know about these application vulnerabilities to secure these weaknesses. Adversaries often probe into your software, looking for unpatched systems and attacking them directly or indirectly. It is risky to run unpatched software. This is because attackers get the time to become aware of the  software's unpatched vulnerabilities  before a patch emerges. A  report  found that unpatched vulnerabilities are the most consistent and primary ransomware attack vectors. It was recorded that in 2021,  65  new vulnerabilities arose that were connected to ransomware. This was observed to be a twenty-nine percent growth compared to the number of vulnerabilities in 2020.  Gr
Researchers Warn of Linux Kernel ‘Dirty Pipe’ Arbitrary File Overwrite Vulnerability

Researchers Warn of Linux Kernel 'Dirty Pipe' Arbitrary File Overwrite Vulnerability

March 07, 2022Ravie Lakshmanan
Linux distributions are in the process of issuing patches to address a newly disclosed security vulnerability in the kernel that could allow an attacker to overwrite arbitrary data into any read-only files and allow for a complete takeover of affected systems. Dubbed " Dirty Pipe " (CVE-2022-0847, CVSS score: 7.8) by IONOS software developer Max Kellermann, the flaw "leads to privilege escalation because unprivileged processes can inject code into root processes." Kellermann said the bug was discovered after digging into a support issue raised by one of the customers of the cloud and hosting provider that concerned a case of a "surprising kind of corruption" affecting web server access logs. The Linux kernel flaw is said to have existed since  version 5.8 , with the vulnerability sharing similarities to that of  Dirty Cow  (CVE-2016-5195), which came to light in October 2016. "A flaw was found in the way the 'flags' member of the new pip
New Linux Kernel cgroups Vulnerability Could Let Attackers Escape Container

New Linux Kernel cgroups Vulnerability Could Let Attackers Escape Container

March 05, 2022Ravie Lakshmanan
Details have emerged about a now-patched high-severity vulnerability in the Linux kernel that could potentially be abused to escape a container in order to execute arbitrary commands on the container host. The shortcoming resides in a Linux kernel feature called  control groups , also referred to as cgroups version 1 (v1), which allows processes to be organized into hierarchical groups, thereby making it possible to limit and monitor the usage of resources such as CPU, memory, disk I/O, and network. Tracked as  CVE-2022-0492  (CVSS score: 7.0), the  issue   concerns  a  case  of  privilege escalation  in the cgroups v1 release_agent functionality, a script that's executed following the termination of any process in the cgroup. "The issue stands out as one of the simplest Linux privilege escalations discovered in recent times: The Linux kernel mistakenly exposed a privileged operation to unprivileged users," Unit 42 researcher Yuval Avrahami  said  in a report publishe
CISA Adds Another 95 Flaws to its Actively Exploited Vulnerabilities Catalog

CISA Adds Another 95 Flaws to its Actively Exploited Vulnerabilities Catalog

March 04, 2022Ravie Lakshmanan
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) this week added 95 more security flaws to its  Known Exploited Vulnerabilities Catalog , taking the total number of actively exploited vulnerabilities to 478. "These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose significant risk to the federal enterprise," the agency  said  in an advisory published on March 3, 2022. Of the 95 newly added bugs, 38 relate to Cisco vulnerabilities, 27 for Microsoft, 16 for Adobe, seven impact Oracle, and one each corresponding to Apache Tomcat, ChakraCore, Exim, Mozilla Firefox, Linux Kernel, Siemens SIMATIC CP, and Treck TCP/IP stack. Included in the list are five issues discovered in Cisco RV routers, which CISA notes are being exploited in real-world attacks. The flaws, which  came to light  early last month, allow for the execution of arbitrary code with root privileges. Three of the vulnerabilities – CVE-2022-20699, CVE-2022-20
New Security Vulnerability Affects Thousands of Self-Managed GitLab Instances

New Security Vulnerability Affects Thousands of Self-Managed GitLab Instances

March 03, 2022Ravie Lakshmanan
Researchers have disclosed details of a new security vulnerability in GitLab, an open-source DevOps software, that could potentially allow a remote, unauthenticated attacker to recover user-related information. Tracked as CVE-2021-4191 (CVSS score: 5.3), the medium-severity flaw affects all versions of GitLab Community Edition and Enterprise Edition starting from 13.0 and all versions starting from 14.4 and prior to 14.8. Credited with discovering and reporting the flaw is Jake Baines, a senior security researcher at Rapid7. Following responsible disclosure on November 18, 2021, patches were  released  for self-managed servers as part of GitLab critical security releases 14.8.2, 14.7.4, and 14.6.5 shipped on February 25, 2022. "The vulnerability is the result of a missing authentication check when executing certain GitLab GraphQL API queries," Baines  said  in a report published Thursday. "A remote, unauthenticated attacker can use this vulnerability to collect regi
Critical Security Bugs Uncovered in VoIPmonitor Monitoring Software

Critical Security Bugs Uncovered in VoIPmonitor Monitoring Software

March 01, 2022Ravie Lakshmanan
Critical security vulnerabilities have been uncovered in VoIPmonitor software that, if successfully exploited, could allow unauthenticated attackers to escalate privileges to the administrator level and execute arbitrary commands. Following responsible disclosure by researchers from  Kerbit , an Ethiopia-based penetration-testing and vulnerability research firm, on December 15, 2021, the issues were addressed in  version 24.97  of the WEB GUI shipped on January 11, 2022. "[F]ix critical vulnerabilities - new SQL injects for unauthenticated users allowing gaining admin privileges," the maintainers of VoIPmonitor noted in the change log. VoIPmonitor is an open-source network packet sniffer with commercial frontend for SIP RTP and RTCP VoIP protocols running on Linux, allowing users to monitor and troubleshoot quality of SIP VoIP calls as well as decode, play, and archive calls in a  CDR  database. The three flaws identified by Kerbit is below – CVE-2022-24259  (CVSS sco
CISA Warns of High-Severity Flaws in Schneider and GE Digital's SCADA Software

CISA Warns of High-Severity Flaws in Schneider and GE Digital's SCADA Software

February 28, 2022Ravie Lakshmanan
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) last week published an industrial control system ( ICS ) advisory related to multiple vulnerabilities impacting Schneider Electric's  Easergy  medium voltage protection relays. "Successful exploitation of these vulnerabilities may disclose device credentials, cause a denial-of-service condition, device reboot, or allow an attacker to gain full control of the relay," the agency  said  in a bulletin on February 24, 2022. "This could result in loss of protection to your electrical network." The two high-severity weaknesses impact Easergy P3 versions prior to v30.205 and Easergy P5 versions before v01.401.101. Details of the flaws are as follows – CVE-2022-22722  (CVSS score: 7.5) – Use of hardcoded credentials that could be abused to observe and manipulate traffic associated with the device. CVE-2022-22723  and  CVE-2022-22725  (CVSS score: 8.8) – A buffer overflow vulnerability that could resu
9-Year-Old Unpatched Email Hacking Bug Uncovered in Horde Webmail Software

9-Year-Old Unpatched Email Hacking Bug Uncovered in Horde Webmail Software

February 22, 2022Ravie Lakshmanan
Users of Horde Webmail are being urged to disable a feature to contain a nine-year-old unpatched security vulnerability in the software that could be abused to gain complete access to email accounts simply by previewing an attachment. "This gives the attacker access to all sensitive and perhaps secret information a victim has stored in their email account and could allow them to gain further access to the internal services of an organization," SonarSource vulnerability researcher, Simon Scannell,  said  in a report. An " all volunteer " initiative, the Horde Project is a free, browser-based communication suite that allows users to read, send, and organize email messages as well as manage and share calendars, contacts, tasks, notes, files, and bookmarks. The flaw, which was introduced as part of a  code change  pushed on November 30, 2012, relates to a case of an "unusual" stored cross-site scripting flaw (aka persistent XSS) that allows an adversary t
Critical Flaw Uncovered in WordPress Backup Plugin Used by Over 3 Million Sites

Critical Flaw Uncovered in WordPress Backup Plugin Used by Over 3 Million Sites

February 18, 2022Ravie Lakshmanan
Patches have been issued to contain a "severe" security vulnerability in UpdraftPlus, a WordPress plugin with over three million installations, that can be weaponized to download the site's private data using an account on the vulnerable sites. "All versions of UpdraftPlus from March 2019 onwards have contained a vulnerability caused by a missing permissions-level check, allowing untrusted users access to backups," the maintainers of the plugin said in an advisory published this week. Security researcher Marc-Alexandre Montpas of Automattic has been credited with discovering and reporting the vulnerability on February 14 that's been assigned the identifier  CVE-2022-0633  (CVSS score: 8.5). The issue impacts UpdraftPlus versions from 1.16.7 to 1.22.2. UpdraftPlus is a  backup and restoration solution  that's capable of performing full, manual, or scheduled backups of WordPress files, databases, plugins and themes, which can then be reinstated via th
Iranian Hackers Targeting VMware Horizon Log4j Flaws to Deploy Ransomware

Iranian Hackers Targeting VMware Horizon Log4j Flaws to Deploy Ransomware

February 17, 2022Ravie Lakshmanan
A "potentially destructive actor" aligned with the government of Iran is actively exploiting the well-known  Log4j vulnerability  to infect unpatched VMware Horizon servers with ransomware. Cybersecurity firm SentinelOne dubbed the group " TunnelVision " owing to their heavy reliance on tunneling tools, with overlaps in tactics observed to that of a broader group tracked under the moniker  Phosphorus  as well as Charming Kitten and Nemesis Kitten. "TunnelVision activities are characterized by wide-exploitation of 1-day vulnerabilities in target regions," SentinelOne researchers Amitai Ben Shushan Ehrlich and Yair Rigevsky  said  in a report, with the intrusions detected in the Middle East and the U.S. Also observed alongside Log4Shell is the exploitation of Fortinet FortiOS path traversal flaw ( CVE-2018-13379 ) and the Microsoft Exchange  ProxyShell  vulnerability to gain initial access into the target networks for post-exploitation. "TunnelVis
Attackers Can Crash Cisco Email Security Appliances by Sending Malicious Emails

Attackers Can Crash Cisco Email Security Appliances by Sending Malicious Emails

February 17, 2022Ravie Lakshmanan
Cisco has released security updates to contain three vulnerabilities affecting its products, including one high-severity flaw in its Email Security Appliance (ESA) that could result in a denial-of-service (DoS) condition on an affected device. The weakness, assigned the identifier CVE-2022-20653 (CVSS score: 7.5), stems from a case of insufficient error handling in  DNS  name resolution that could be abused by an unauthenticated, remote attacker to send a specially crafted email message and cause a DoS. "A successful exploit could allow the attacker to cause the device to become unreachable from management interfaces or to process additional email messages for a period of time until the device recovers, resulting in a DoS condition," the company  said  in an advisory. "Continued attacks could cause the device to become completely unavailable, resulting in a persistent DoS condition." The flaw impacts Cisco ESA devices running Cisco AsyncOS Software running vers
VMware Issues Security Patches for High-Severity Flaws Affecting Multiple Products

VMware Issues Security Patches for High-Severity Flaws Affecting Multiple Products

February 16, 2022Ravie Lakshmanan
VMware on Tuesday patched several  high-severity   vulnerabilities  impacting ESXi, Workstation, Fusion, Cloud Foundation, and NSX Data Center for vSphere that could be exploited to execute arbitrary code and cause a denial-of-service (DoS) condition. As of writing, there's no evidence that any of the weaknesses are exploited in the wild. The list of six flaws is as follows – CVE-2021-22040  (CVSS score: 8.4) - Use-after-free vulnerability in XHCI USB controller CVE-2021-22041  (CVSS score: 8.4) - Double-fetch vulnerability in UHCI USB controller CVE-2021-22042  (CVSS score: 8.2) - ESXi settingsd unauthorized access vulnerability CVE-2021-22043  (CVSS score: 8.2) - ESXi settingsd TOCTOU vulnerability CVE-2021-22050  (CVSS score: 5.3) - ESXi slow HTTP POST denial-of-service vulnerability CVE-2022-22945  (CVSS score: 8.8) - CLI shell injection vulnerability in the NSX Edge appliance component Successful exploitation of the flaws could allow a malicious actor with local ad
High-Severity RCE Security Bug Reported in Apache Cassandra Database Software

High-Severity RCE Security Bug Reported in Apache Cassandra Database Software

February 15, 2022Ravie Lakshmanan
Researchers have revealed details of a now-patched high-severity security vulnerability in Apache Cassandra that, if left unaddressed, could be abused to gain remote code execution (RCE) on affected installations. "This Apache security vulnerability is easy to exploit and has the potential to wreak havoc on systems, but luckily only manifests in non-default configurations of Cassandra," Omer Kaspi, security researcher at DevOps firm JFrog,  said  in a technical write-up published Tuesday. Apache Cassandra is an open-source, distributed, NoSQL database management system for managing very large amounts of structured data across commodity servers. Tracked as  CVE-2021-44521  (CVSS score: 8.4), the vulnerability concerns a specific scenario where the configuration for user-defined functions ( UDFs ) are enabled, effectively allowing an attacker to leverage the  Nashorn  JavaScript engine, escape the sandbox, and achieve execution of untrusted code. Specifically, it was fou
Online Courses and Software

Sign up for cybersecurity newsletter and get latest news updates delivered straight to your inbox daily.