Vulnerability | Breaking Cybersecurity News | The Hacker News

Researchers have disclosed a previously undocumented local file inclusion ( LFI ) vulnerability in  Hashnode , a developer-oriented blogging platform, that could be abused to access sensitive data such as SSH keys, server's IP address, and other network information. "The LFI originates in a  Bulk Markdown Import feature  that can be manipulated to provide attackers with unimpeded ability to download local files from Hashnode's server," Akamai researchers said in a report shared with The Hacker News. Local file inclusion flaws occur when a web application is tricked into exposing or running unapproved files on a server, leading to directory traversal, information disclosure, remote code execution, and cross-site scripting (XSS) attacks. The flaw, caused due to the web application failing to adequately sanitize the path to a file that's passed as input, could have serious repercussions in that an assailant could navigate to any path on the server and access s

The recently disclosed critical Spring4Shell vulnerability is being actively exploited by threat actors to execute the Mirai botnet malware , particularly in the Singapore region since the start of April 2022. "The exploitation allows threat actors to download the Mirai sample to the '/tmp' folder and execute them after permission change using 'chmod ,'" Trend Micro researchers Deep Patel, Nitesh Surana, Ashish Verma said in a report published Friday. Tracked as CVE-2022-22965 (CVSS score: 9.8), the vulnerability could allow malicious actors to achieve remote code execution in Spring Core applications under non-default circumstances, granting the attackers full control over the compromised devices. The development comes as the U.S. Cybersecurity and Infrastructure Security Agency (CISA) earlier this week added the Spring4Shell vulnerability to its Known Exploited Vulnerabilities Catalog based on "evidence of active exploitation." This is

It comes as no surprise that today's cyber threats are orders of magnitude more complex than those of the past. And the ever-evolving tactics that attackers use demand the adoption of better, more holistic and consolidated ways to meet this non-stop challenge. Security teams constantly look for ways to reduce risk while improving security posture, but many approaches offer piecemeal solutions – zeroing in on one particular element of the evolving threat landscape challenge – missing the forest for the trees.  In the last few years, Exposure Management has become known as a comprehensive way of reigning in the chaos, giving organizations a true fighting chance to reduce risk and improve posture. In this article I'll cover what Exposure Management is, how it stacks up against some alternative approaches and why building an Exposure Management program should be on  your 2024 to-do list. What is Exposure Management?  Exposure Management is the systematic identification, evaluation,

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added the recently disclosed remote code execution (RCE) vulnerability affecting the Spring Framework, to its  Known Exploited Vulnerabilities Catalog  based on "evidence of active exploitation." The critical severity flaw, assigned the identifier  CVE-2022-22965  (CVSS score: 9.8) and dubbed "Spring4Shell", impacts Spring model–view–controller (MVC) and Spring WebFlux applications running on Java Development Kit 9 and later. "Exploitation requires an endpoint with DataBinder enabled (e.g., a POST request that decodes data from the request body automatically) and depends heavily on the servlet container for the application," Praetorian researchers Anthony Weems and Dallas Kaman noted last week. Although exact details of in-the-wild abuse remain unclear, information security company SecurityScorecard  said  "active scanning for this vulnerability has been observed coming fro

DevOps platform GitLab has released software updates to address a critical security vulnerability that, if potentially exploited, could permit an adversary to seize control of accounts. Tracked as  CVE-2022-1162 , the issue has a CVSS score of 9.1 and is said to have been discovered internally by the GitLab team. "A hardcoded password was set for accounts registered using an  OmniAuth provider  (e.g., OAuth, LDAP, SAML) in GitLab CE/EE versions 14.7 prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2 allowing attackers to potentially take over accounts," the company  said  in an advisory published on March 31. GitLab, which has addressed the bug with the latest release of versions 14.9.2, 14.8.5, and 14.7.7 for GitLab Community Edition (CE) and Enterprise Edition (EE), also said it took the step of resetting the password of an unspecified number of users out of an abundance of caution. "Our investigation shows no indication that users or accounts have

A Chinese advanced persistent threat tracked as Deep Panda has been observed exploiting the  Log4Shell vulnerability  in VMware Horizon servers to deploy a backdoor and a novel rootkit on infected machines with the goal of stealing sensitive data. "The nature of targeting was opportunistic insofar that multiple infections in several countries and various sectors occurred on the same dates,"  said  Rotem Sde-Or and Eliran Voronovitch, researchers with Fortinet's FortiGuard Labs, in a report released this week. "The victims belong to the financial, academic, cosmetics, and travel industries." Deep Panda , also known by the monikers Shell Crew, KungFu Kittens, and Bronze Firestone, is said to have been active since at least 2010, with recent attacks "targeting legal firms for data exfiltration and technology providers for command-and-control infrastructure building,"  according  to Secureworks. Cybersecurity firm CrowdStrike, which assigned the panda

Apple on Thursday rolled out emergency patches to address two zero-day flaws in its  mobile  and  desktop operating systems  that it said may have been exploited in the wild. The shortcomings have been fixed as part of updates to iOS and iPadOS 15.4.1, macOS Monterey 12.3.1, tvOS 15.4.1, and watchOS 8.5.1. Both the vulnerabilities have been reported to Apple anonymously. Tracked as  CVE-2022-22675 , the issue has been described as an  out-of-bounds write  vulnerability in an audio and video decoding component called AppleAVD that could allow an application to execute arbitrary code with kernel privileges. Apple said the defect was resolved with improved bounds checking, adding it's aware that "this issue may have been actively exploited." The latest version of macOS Monterey, besides fixing CVE-2022-22675, also includes remediation for  CVE-2022-22674 , an  out-of-bounds read  issue in the Intel Graphics Driver module that could enable a malicious actor to read kern

A duo of researchers has released a proof-of-concept (PoC) demonstrating the ability for a malicious actor to remote lock, unlock, and even start Honda and Acura vehicles by means of what's called a replay attack. The attack is made possible, thanks to a vulnerability in its remote keyless system ( CVE-2022-27254 ) that affects Honda Civic LX, EX, EX-L, Touring, Si, and Type R models manufactured between 2016 and 2020. Credited with discovering the issue are Ayyappan Rajesh, a student at UMass Dartmouth, and Blake Berry (HackingIntoYourHeart). "A hacker can gain complete and unlimited access to locking, unlocking, controlling the windows, opening the trunk, and starting the engine of the target vehicle where the only way to prevent the attack is to either never use your fob or, after being compromised (which would be difficult to realize), resetting your fob at a dealership," Berry  explained  in a GitHub post. The underlying issue is that the remote key fob on the a

Muhstik, a botnet infamous for propagating via web application exploits, has been observed targeting Redis servers using a recently disclosed vulnerability in the database system. The vulnerability relates to  CVE-2022-0543 , a  Lua sandbox escape flaw  in the open-source, in-memory, key-value data store that could be abused to achieve remote code execution on the underlying machine. The vulnerability is rated 10 out of 10 for severity. "Due to a packaging issue, a remote attacker with the ability to execute arbitrary Lua scripts could possibly escape the Lua sandbox and execute arbitrary code on the host," Ubuntu noted in an advisory released last month. According to  telemetry data  gathered by Juniper Threat Labs, the attacks leveraging the new flaw are said to have commenced on March 11, 2022, leading to the retrieval of a malicious shell script ("russia.sh") from a remote server, which is then utilized to fetch and execute the botnet binaries from another s

Google on Friday shipped an out-of-band security update to address a high severity vulnerability in its Chrome browser that it said is being actively exploited in the wild. Tracked as  CVE-2022-1096 , the zero-day flaw relates to a type confusion vulnerability in the V8 JavaScript engine. An anonymous researcher has been credited with reporting the bug on March 23, 2022. Type confusion errors, which arise when a resource (e.g., a variable or an object) is accessed using a type that's incompatible to what was originally initialized, could have serious consequences in languages that are not  memory safe  like C and C++, enabling a malicious actor to perform out-of-bounds memory access. "When a memory buffer is accessed using the wrong type, it could read or write memory out of the bounds of the buffer, if the allocated buffer is smaller than the type that the code is attempting to access, leading to a crash and possibly code execution," MITRE's Common Weakness Enum

Google's Threat Analysis Group (TAG) on Thursday disclosed that it acted to mitigate threats from two distinct government-backed attacker groups based in North Korea that exploited a recently-uncovered remote code execution flaw in the Chrome web browser. The campaigns, once again "reflective of the regime's immediate concerns and priorities," are said to have targeted U.S. based organizations spanning news media, IT, cryptocurrency, and fintech industries, with one set of the activities sharing direct infrastructure overlaps with previous attacks  aimed at security researchers  last year. The shortcoming in question is  CVE-2022-0609 , a use-after-free vulnerability in the browser's Animation component that Google addressed as part of updates (version 98.0.4758.102) issued on February 14, 2022. It's also the first zero-day flaw patched by the tech giant since the start of 2022. "The earliest evidence we have of this exploit kit being actively deploy

Unpatched software is a computer code containing known security weaknesses. Unpatched vulnerabilities refer to weaknesses that allow attackers to leverage a known security bug that has not been patched by running malicious code. Software vendors write additions to the codes, known as "patches," when they come to know about these application vulnerabilities to secure these weaknesses. Adversaries often probe into your software, looking for unpatched systems and attacking them directly or indirectly. It is risky to run unpatched software. This is because attackers get the time to become aware of the  software's unpatched vulnerabilities  before a patch emerges. A  report  found that unpatched vulnerabilities are the most consistent and primary ransomware attack vectors. It was recorded that in 2021,  65  new vulnerabilities arose that were connected to ransomware. This was observed to be a twenty-nine percent growth compared to the number of vulnerabilities in 2020.  Gr

Linux distributions are in the process of issuing patches to address a newly disclosed security vulnerability in the kernel that could allow an attacker to overwrite arbitrary data into any read-only files and allow for a complete takeover of affected systems. Dubbed " Dirty Pipe " (CVE-2022-0847, CVSS score: 7.8) by IONOS software developer Max Kellermann, the flaw "leads to privilege escalation because unprivileged processes can inject code into root processes." Kellermann said the bug was discovered after digging into a support issue raised by one of the customers of the cloud and hosting provider that concerned a case of a "surprising kind of corruption" affecting web server access logs. The Linux kernel flaw is said to have existed since  version 5.8 , with the vulnerability sharing similarities to that of  Dirty Cow  (CVE-2016-5195), which came to light in October 2016. "A flaw was found in the way the 'flags' member of the new pip

Details have emerged about a now-patched high-severity vulnerability in the Linux kernel that could potentially be abused to escape a container in order to execute arbitrary commands on the container host. The shortcoming resides in a Linux kernel feature called  control groups , also referred to as cgroups version 1 (v1), which allows processes to be organized into hierarchical groups, thereby making it possible to limit and monitor the usage of resources such as CPU, memory, disk I/O, and network. Tracked as  CVE-2022-0492  (CVSS score: 7.0), the  issue   concerns  a  case  of  privilege escalation  in the cgroups v1 release_agent functionality, a script that's executed following the termination of any process in the cgroup. "The issue stands out as one of the simplest Linux privilege escalations discovered in recent times: The Linux kernel mistakenly exposed a privileged operation to unprivileged users," Unit 42 researcher Yuval Avrahami  said  in a report publishe

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) this week added 95 more security flaws to its  Known Exploited Vulnerabilities Catalog , taking the total number of actively exploited vulnerabilities to 478. "These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose significant risk to the federal enterprise," the agency  said  in an advisory published on March 3, 2022. Of the 95 newly added bugs, 38 relate to Cisco vulnerabilities, 27 for Microsoft, 16 for Adobe, seven impact Oracle, and one each corresponding to Apache Tomcat, ChakraCore, Exim, Mozilla Firefox, Linux Kernel, Siemens SIMATIC CP, and Treck TCP/IP stack. Included in the list are five issues discovered in Cisco RV routers, which CISA notes are being exploited in real-world attacks. The flaws, which  came to light  early last month, allow for the execution of arbitrary code with root privileges. Three of the vulnerabilities – CVE-2022-20699, CVE-2022-20

Researchers have disclosed details of a new security vulnerability in GitLab, an open-source DevOps software, that could potentially allow a remote, unauthenticated attacker to recover user-related information. Tracked as CVE-2021-4191 (CVSS score: 5.3), the medium-severity flaw affects all versions of GitLab Community Edition and Enterprise Edition starting from 13.0 and all versions starting from 14.4 and prior to 14.8. Credited with discovering and reporting the flaw is Jake Baines, a senior security researcher at Rapid7. Following responsible disclosure on November 18, 2021, patches were  released  for self-managed servers as part of GitLab critical security releases 14.8.2, 14.7.4, and 14.6.5 shipped on February 25, 2022. "The vulnerability is the result of a missing authentication check when executing certain GitLab GraphQL API queries," Baines  said  in a report published Thursday. "A remote, unauthenticated attacker can use this vulnerability to collect regi

Critical security vulnerabilities have been uncovered in VoIPmonitor software that, if successfully exploited, could allow unauthenticated attackers to escalate privileges to the administrator level and execute arbitrary commands. Following responsible disclosure by researchers from  Kerbit , an Ethiopia-based penetration-testing and vulnerability research firm, on December 15, 2021, the issues were addressed in  version 24.97  of the WEB GUI shipped on January 11, 2022. "[F]ix critical vulnerabilities - new SQL injects for unauthenticated users allowing gaining admin privileges," the maintainers of VoIPmonitor noted in the change log. VoIPmonitor is an open-source network packet sniffer with commercial frontend for SIP RTP and RTCP VoIP protocols running on Linux, allowing users to monitor and troubleshoot quality of SIP VoIP calls as well as decode, play, and archive calls in a  CDR  database. The three flaws identified by Kerbit is below – CVE-2022-24259  (CVSS sco

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) last week published an industrial control system ( ICS ) advisory related to multiple vulnerabilities impacting Schneider Electric's  Easergy  medium voltage protection relays. "Successful exploitation of these vulnerabilities may disclose device credentials, cause a denial-of-service condition, device reboot, or allow an attacker to gain full control of the relay," the agency  said  in a bulletin on February 24, 2022. "This could result in loss of protection to your electrical network." The two high-severity weaknesses impact Easergy P3 versions prior to v30.205 and Easergy P5 versions before v01.401.101. Details of the flaws are as follows – CVE-2022-22722  (CVSS score: 7.5) – Use of hardcoded credentials that could be abused to observe and manipulate traffic associated with the device. CVE-2022-22723  and  CVE-2022-22725  (CVSS score: 8.8) – A buffer overflow vulnerability that could resu

Users of Horde Webmail are being urged to disable a feature to contain a nine-year-old unpatched security vulnerability in the software that could be abused to gain complete access to email accounts simply by previewing an attachment. "This gives the attacker access to all sensitive and perhaps secret information a victim has stored in their email account and could allow them to gain further access to the internal services of an organization," SonarSource vulnerability researcher, Simon Scannell,  said  in a report. An " all volunteer " initiative, the Horde Project is a free, browser-based communication suite that allows users to read, send, and organize email messages as well as manage and share calendars, contacts, tasks, notes, files, and bookmarks. The flaw, which was introduced as part of a  code change  pushed on November 30, 2012, relates to a case of an "unusual" stored cross-site scripting flaw (aka persistent XSS) that allows an adversary t

Patches have been issued to contain a "severe" security vulnerability in UpdraftPlus, a WordPress plugin with over three million installations, that can be weaponized to download the site's private data using an account on the vulnerable sites. "All versions of UpdraftPlus from March 2019 onwards have contained a vulnerability caused by a missing permissions-level check, allowing untrusted users access to backups," the maintainers of the plugin said in an advisory published this week. Security researcher Marc-Alexandre Montpas of Automattic has been credited with discovering and reporting the vulnerability on February 14 that's been assigned the identifier  CVE-2022-0633  (CVSS score: 8.5). The issue impacts UpdraftPlus versions from 1.16.7 to 1.22.2. UpdraftPlus is a  backup and restoration solution  that's capable of performing full, manual, or scheduled backups of WordPress files, databases, plugins and themes, which can then be reinstated via th

A "potentially destructive actor" aligned with the government of Iran is actively exploiting the well-known  Log4j vulnerability  to infect unpatched VMware Horizon servers with ransomware. Cybersecurity firm SentinelOne dubbed the group " TunnelVision " owing to their heavy reliance on tunneling tools, with overlaps in tactics observed to that of a broader group tracked under the moniker  Phosphorus  as well as Charming Kitten and Nemesis Kitten. "TunnelVision activities are characterized by wide-exploitation of 1-day vulnerabilities in target regions," SentinelOne researchers Amitai Ben Shushan Ehrlich and Yair Rigevsky  said  in a report, with the intrusions detected in the Middle East and the U.S. Also observed alongside Log4Shell is the exploitation of Fortinet FortiOS path traversal flaw ( CVE-2018-13379 ) and the Microsoft Exchange  ProxyShell  vulnerability to gain initial access into the target networks for post-exploitation. "TunnelVis