The Hacker News Logo
Subscribe to Newsletter
CrowdSec

The Hacker News - Cybersecurity News and Analysis: Vulnerability

Google Created 'Open Source Maintenance Crew' to Help Secure Critical Projects

Google Created 'Open Source Maintenance Crew' to Help Secure Critical Projects

May 13, 2022Ravie Lakshmanan
Google on Thursday  announced  the creation of a new "Open Source Maintenance Crew" to focus on bolstering the security of critical open source projects. Additionally, the tech giant pointed out  Open Source Insights  as a tool for analyzing packages and their dependency graphs, using it to determine "whether a vulnerability in a dependency might affect your code." "With this information, developers can understand how their software is put together and the consequences to changes in their dependencies," the company said. The development comes as security and trust in the open source software ecosystem has been increasingly thrown into question in the aftermath of a  string  of  supply chain   attacks  designed to compromise developer workflows. In December 2021, a critical flaw in the ubiquitous open source  Log4j logging library  left several companies scrambling to patch their systems against potential abuse. The announcement also comes less than
Zyxel Releases Patch for Critical Firewall OS Command Injection Vulnerability

Zyxel Releases Patch for Critical Firewall OS Command Injection Vulnerability

May 12, 2022Ravie Lakshmanan
Zyxel has moved to address a critical security vulnerability affecting Zyxel firewall devices that enables unauthenticated and remote attackers to gain arbitrary code execution. "A command injection vulnerability in the CGI program of some firewall versions could allow an attacker to modify specific files and then execute some OS commands on a vulnerable device," the company  said  in an advisory published Thursday. Cybersecurity firm Rapid7, which  discovered  and reported the flaw on April 13, 2022, said that the weakness could permit a remote unauthenticated adversary to execute code as the "nobody" user on impacted appliances. Tracked as  CVE-2022-30525  (CVSS score: 9.8), the flaw impacts the following products, with patches released in version ZLD V5.30 - USG FLEX 100(W), 200, 500, 700 USG FLEX 50(W) / USG20(W)-VPN ATP series, and  VPN series Rapid 7 noted that there are at least 16,213 vulnerable Zyxel devices exposed to the internet, making it a
Researchers Develop RCE Exploit for the Latest F5 BIG-IP Vulnerability

Researchers Develop RCE Exploit for the Latest F5 BIG-IP Vulnerability

May 08, 2022Ravie Lakshmanan
Days after F5 released patches for a critical remote code execution vulnerability affecting its BIG-IP family of products, security researchers are warning that they were able to create an exploit for the shortcoming. Tracked  CVE-2022-1388  (CVSS score: 9.8), the flaw relates to an iControl REST authentication bypass that, if successfully exploited, could lead to remote code execution, allowing an attacker to gain initial access and take control of an affected system. This could range anywhere from deploying cryptocurrency miners to dropping web shells for follow-on attacks, such as information theft and ransomware. "We have reproduced the fresh CVE-2022-1388 in F5's BIG-IP," cybersecurity company Positive Technologies  said  in a tweet on Friday. "Patch ASAP!" The critical security vulnerability impacts the following versions of BIG-IP products - 16.1.0 - 16.1.2 15.1.0 - 15.1.5 14.1.0 - 14.1.4 13.1.0 - 13.1.4 12.1.0 - 12.1.6 11.6.1 - 11.6.5 Fixe
QNAP Releases Firmware Patches for 9 New Flaws Affecting NAS Devices

QNAP Releases Firmware Patches for 9 New Flaws Affecting NAS Devices

May 06, 2022Ravie Lakshmanan
QNAP, Taiwanese maker of network-attached storage (NAS) devices, on Friday released security updates to patch nine security weaknesses, including a critical issue that could be exploited to take over an affected system. "A vulnerability has been reported to affect QNAP VS Series NVR running QVR," QNAP  said  in an advisory. "If exploited, this vulnerability allows remote attackers to run arbitrary commands." Tracked as  CVE-2022-27588  (CVSS score: 9.8), the vulnerability has been addressed in QVR 5.1.6 build 20220401 and later. Credited with reporting the flaw is the Japan Computer Emergency Response Team Coordination Center (JPCERT/CC). Aside from the critical shortcoming, QNAP has also resolved three high-severity and five medium-severity bugs in its software - CVE-2021-38693  (CVSS score: 5.3) - A  path traversal vulnerability  in thttpd affecting QNAP devices running QTS, QuTS hero, QuTScloud, and QVR Pro Appliance, leading to information disclosure C
Google Releases Android Update to Patch Actively Exploited Vulnerability

Google Releases Android Update to Patch Actively Exploited Vulnerability

May 05, 2022Ravie Lakshmanan
Google has released monthly security patches for Android with fixes for 37 flaws across different components, one of which is a fix for an actively exploited Linux kernel vulnerability that came to light earlier this year. Tracked as  CVE-2021-22600  (CVSS score: 7.8), the vulnerability is ranked "High" for severity and could be exploited by a local user to escalate privileges or deny service. The issue relates to a  double-free vulnerability  residing in the  Packet  network protocol implementation in the Linux kernel that could cause memory corruption, potentially leading to denial-of-service or execution of arbitrary code. Patches were released by different Linux distributions, including  Debian ,  Red Hat ,  SUSE , and  Ubuntu  in December 2021 and January 2022. "There are indications that CVE-2021-22600 may be under limited, targeted exploitation," Google  noted  in its Android Security Bulletin for May 2022. Specifics about the nature of the attacks are
Critical TLStorm 2.0 Bugs Affect Widely-Used Aruba and Avaya Network Switches

Critical TLStorm 2.0 Bugs Affect Widely-Used Aruba and Avaya Network Switches

May 03, 2022Ravie Lakshmanan
Cybersecurity researchers have detailed as many as five severe security flaws in the implementation of TLS protocol in several models of Aruba and Avaya network switches that could be abused to gain remote access to enterprise networks and steal valuable information. The findings follow the March disclosure of  TLStorm , a set of three critical flaws in APC Smart-UPS devices that could permit an attacker to take over control and, worse, physically damage the appliances. IoT security firm Armis, which uncovered the shortcomings, noted that the design flaws can be traced back to a common source: a misuse of  NanoSSL , a standards-based SSL developer suite from Mocana, a DigiCert subsidiary. The new set of flaws, dubbed  TLStorm 2.0 , renders Aruba and Avaya network switches vulnerable to remote code execution vulnerabilities, enabling an adversary to commandeer the devices, move laterally across the network, and exfiltrate sensitive data. Affected devices include Avaya ERS3500 Seri
Which Hole to Plug First? Solving Chronic Vulnerability Patching Overload

Which Hole to Plug First? Solving Chronic Vulnerability Patching Overload

May 02, 2022The Hacker News
According to folklore, witches were able to sail in a sieve, a strainer with holes in the bottom. Unfortunately, witches don't work in cybersecurity – where networks generally have so many vulnerabilities that they resemble sieves.  For most of us, keeping the sieve of our networks afloat requires nightmarishly hard work and frequent compromises on which holes to plug first. The reason? In 2010, just under 5000 CVEs were recorded in the MITRE vulnerabilities database. By 2021, the yearly total had skyrocketed to  over 20,000 . Today, software and network integrity are synonymous with business continuity. And this makes the issue of which vulnerabilities to address first mission-critical. Yet owing to the countless documented vulnerabilities lurking in a typical enterprise ecosystem – across thousands of laptops, servers, and internet-connected devices – less than  one in ten  actually needs to be patched. The question is: how can we know which patches will ensure that our sieve does
Microsoft Discovers New Privilege Escalation Flaws in Linux Operating System

Microsoft Discovers New Privilege Escalation Flaws in Linux Operating System

April 26, 2022Ravie Lakshmanan
Microsoft on Tuesday disclosed a set of two privilege escalation vulnerabilities in the Linux operating system that could potentially allow threat actors to carry out an array of nefarious activities. Collectively called " Nimbuspwn ," the flaws "can be chained together to gain root privileges on Linux systems, allowing attackers to deploy payloads, like a root backdoor, and perform other malicious actions via arbitrary root code execution," Jonathan Bar Or of the Microsoft 365 Defender Research Team  said  in a report. On top of that, the defects — tracked as  CVE-2022-29799 and CVE-2022-29800  — could also be weaponized as a vector for root access to deploy more sophisticated threats such as ransomware. The vulnerabilities are rooted in a  systemd  component called  networkd-dispatcher , a  daemon program  for the network manager system service that's designed to dispatch network status changes. Specifically, they relate to a combination of  directory t
Iranian Hackers Exploiting VMware RCE Bug to Deploy 'Core Impact' Backdoor

Iranian Hackers Exploiting VMware RCE Bug to Deploy 'Core Impact' Backdoor

April 25, 2022Ravie Lakshmanan
An Iranian-linked threat actor known as  Rocket Kitten  has been observed actively exploiting a recently patched VMware vulnerability to gain initial access and deploy the Core Impact penetration testing tool on vulnerable systems. Tracked as  CVE-2022-22954  (CVSS score: 9.8), the critical issue concerns a case of remote code execution (RCE) vulnerability affecting VMware Workspace ONE Access and Identity Manager. While the issue was patched by the virtualization services provider on April 6, 2022, the company  cautioned users  of confirmed exploitation of the flaw occurring in the wild a week later. "A malicious actor exploiting this RCE vulnerability potentially gains an unlimited attack surface," researchers from Morphisec Labs  said  in a new report. "This means highest privileged access into any components of the virtualized host and guest environment." Attack chains exploiting the flaw involve the distribution of a PowerShell-based stager, which is the
Atlassian Drops Patches for Critical Jira Authentication Bypass Vulnerability

Atlassian Drops Patches for Critical Jira Authentication Bypass Vulnerability

April 22, 2022Ravie Lakshmanan
Atlassian has published a security advisory warning of a critical vulnerability in its Jira software that could be abused by a remote, unauthenticated attacker to circumvent authentication protections. Tracked as  CVE-2022-0540 , the flaw is rated 9.9 out of 10 on the CVSS scoring system and resides in Jira's authentication framework, Jira Seraph. Khoadha of Viettel Cyber Security has been credited with discovering and reporting the security weakness. "A remote, unauthenticated attacker could exploit this by sending a specially crafted HTTP request to bypass authentication and authorization requirements in WebWork actions using an affected configuration," Atlassian  noted . The flaw affects the following Jira products - Jira Core Server, Jira Software Server and Jira Software Data Center: All versions before 8.13.18, 8.14.x, 8.15.x, 8.16.x, 8.17.x, 8.18.x, 8.19.x, 8.20.x before 8.20.6, and 8.21.x Jira Service Management Server and Jira Service Management Data Cent
Researcher Releases PoC for Recent Java Cryptographic Vulnerability

Researcher Releases PoC for Recent Java Cryptographic Vulnerability

April 22, 2022Ravie Lakshmanan
A proof-of-concept (PoC) code demonstrating a newly disclosed digital signature bypass vulnerability in Java has been shared online.  The  high-severity flaw  in question,  CVE-2022-21449  (CVSS score: 7.5), impacts the following versions of Java SE and Oracle GraalVM Enterprise Edition - Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18 Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1, 22.0.0.2 The issue resides in Java's implementation of the Elliptic Curve Digital Signature Algorithm ( ECDSA ), a  cryptographic mechanism  to  digitally sign  messages and data for verifying the authenticity and the integrity of the contents. In a nutshell, the cryptographic blunder — dubbed Psychic Signatures in Java — makes it possible to present a totally blank signature, which would still be perceived as valid by the vulnerable implementation. Successful exploitation of the flaw could permit an attacker to forge signatures and bypass authentication measures put in place. The PoC,
Researchers Detail Bug That Could Paralyze Snort Intrusion Detection System

Researchers Detail Bug That Could Paralyze Snort Intrusion Detection System

April 20, 2022Ravie Lakshmanan
Details have emerged about a now-patched security vulnerability in the Snort intrusion detection and prevention system that could trigger a denial-of-service (DoS) condition and render it powerless against malicious traffic. Tracked as  CVE-2022-20685 , the vulnerability is rated 7.5 for severity and resides in the Modbus preprocessor of the Snort detection engine. It affects all open-source Snort project releases earlier than 2.9.19 as well as version 3.1.11.0. Maintained by Cisco,  Snort  is an open-source intrusion detection system (IDS) and intrusion prevention system (IPS) that offers real-time network traffic analysis to spot potential signs of malicious activity based on predefined rules. "The vulnerability, CVE-2022-20685, is an integer-overflow issue that can cause the Snort Modbus OT preprocessor to enter an infinite  while loop ," Uri Katz, a security researcher with Claroty,  said  in a report published last week. "A successful exploit keeps Snort from p
Hackers Exploiting Recently Reported Windows Print Spooler Vulnerability in the Wild

Hackers Exploiting Recently Reported Windows Print Spooler Vulnerability in the Wild

April 19, 2022Ravie Lakshmanan
A security flaw in the Windows Print Spooler component that was patched by Microsoft in February is being actively exploited in the wild, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has warned . To that end, the agency has added the shortcoming to its Known Exploited Vulnerabilities Catalog , requiring Federal Civilian Executive Branch (FCEB) agencies to address the issues by May 10, 2022. Tracked as CVE-2022-22718 (CVSS score: 7.8), the security vulnerability is one among the four privilege escalation flaws in the Print Spooler that Microsoft resolved as part of its Patch Tuesday updates on February 8, 2022. It's worth noting that the Redmond-based tech giant has remediated a number of Print Spooler flaws since the critical PrintNightmare remote code execution vulnerability came to light last year, including 15 elevation of privilege vulnerabilities in April 2022. Specifics about the nature of the attacks and the identity of the threat actors that m
Critical RCE Flaw Reported in WordPress Elementor Website Builder Plugin

Critical RCE Flaw Reported in WordPress Elementor Website Builder Plugin

April 17, 2022Ravie Lakshmanan
Elementor, a WordPress website builder plugin with over five million active installations, has been found to be vulnerable to an authenticated remote code execution flaw that could be abused to take over affected websites. Plugin Vulnerabilities, which  disclosed  the flaw last week, said the bug was introduced in version 3.6.0 that was released on March 22, 2022. Roughly  37% of users  of the plugin are on version 3.6.x. "That means that malicious code provided by the attacker can be run by the website," the researchers said. "In this instance, it is possible that the vulnerability might be exploitable by someone not logged in to WordPress, but it can easily be exploited by anyone logged in to WordPress who has access to the WordPress admin dashboard." In a nutshell, the issue relates to a case of arbitrary file upload to affected websites, potentially leading to code execution. The bug has been addressed in the latest version of Elementor, with Patchstack 
Critical VMware Workspace ONE Access Flaw Under Active Exploitation in the Wild

Critical VMware Workspace ONE Access Flaw Under Active Exploitation in the Wild

April 13, 2022Ravie Lakshmanan
A week after VMware released patches to remediate eight security vulnerabilities in VMware Workspace ONE Access, threat actors have begun to actively exploit one of the critical flaws in the wild. Tracked as  CVE-2022-22954 , the security shortcoming relates to a remote code execution vulnerability that stems from server-side template injection in VMware Workspace ONE Access and Identity Manager. The bug is rated 9.8 in severity. "A malicious actor with network access can trigger a server-side  template injection  that may result in remote code execution," the company  noted  in its advisory. The virtualization services provider has since revised its bulletin to warn customers of confirmed exploitation of CVE-2022-22954 occurring in the wild. Cybersecurity firm Bad Packets also  corroborated  that it detected attempts to weaponize the vulnerability. Source:  Bad Packets It's worth noting that the patches shipped last week address seven more vulnerabilities in VMwar
Critical LFI Vulnerability Reported in Hashnode Blogging Platform

Critical LFI Vulnerability Reported in Hashnode Blogging Platform

April 12, 2022Ravie Lakshmanan
Researchers have disclosed a previously undocumented local file inclusion ( LFI ) vulnerability in  Hashnode , a developer-oriented blogging platform, that could be abused to access sensitive data such as SSH keys, server's IP address, and other network information. "The LFI originates in a  Bulk Markdown Import feature  that can be manipulated to provide attackers with unimpeded ability to download local files from Hashnode's server," Akamai researchers said in a report shared with The Hacker News. Local file inclusion flaws occur when a web application is tricked into exposing or running unapproved files on a server, leading to directory traversal, information disclosure, remote code execution, and cross-site scripting (XSS) attacks. The flaw, caused due to the web application failing to adequately sanitize the path to a file that's passed as input, could have serious repercussions in that an assailant could navigate to any path on the server and access s
Hackers Exploiting Spring4Shell Vulnerability to Deploy Mirai Botnet Malware

Hackers Exploiting Spring4Shell Vulnerability to Deploy Mirai Botnet Malware

April 08, 2022Ravie Lakshmanan
The recently disclosed critical Spring4Shell vulnerability is being actively exploited by threat actors to execute the Mirai botnet malware , particularly in the Singapore region since the start of April 2022. "The exploitation allows threat actors to download the Mirai sample to the '/tmp' folder and execute them after permission change using 'chmod ,'" Trend Micro researchers Deep Patel, Nitesh Surana, Ashish Verma said in a report published Friday. Tracked as CVE-2022-22965 (CVSS score: 9.8), the vulnerability could allow malicious actors to achieve remote code execution in Spring Core applications under non-default circumstances, granting the attackers full control over the compromised devices. The development comes as the U.S. Cybersecurity and Infrastructure Security Agency (CISA) earlier this week added the Spring4Shell vulnerability to its Known Exploited Vulnerabilities Catalog based on "evidence of active exploitation." This is
CISA Warns of Active Exploitation of Critical Spring4Shell Vulnerability

CISA Warns of Active Exploitation of Critical Spring4Shell Vulnerability

April 05, 2022Ravie Lakshmanan
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added the recently disclosed remote code execution (RCE) vulnerability affecting the Spring Framework, to its  Known Exploited Vulnerabilities Catalog  based on "evidence of active exploitation." The critical severity flaw, assigned the identifier  CVE-2022-22965  (CVSS score: 9.8) and dubbed "Spring4Shell", impacts Spring model–view–controller (MVC) and Spring WebFlux applications running on Java Development Kit 9 and later. "Exploitation requires an endpoint with DataBinder enabled (e.g., a POST request that decodes data from the request body automatically) and depends heavily on the servlet container for the application," Praetorian researchers Anthony Weems and Dallas Kaman noted last week. Although exact details of in-the-wild abuse remain unclear, information security company SecurityScorecard  said  "active scanning for this vulnerability has been observed coming fro
GitLab Releases Patch for Critical Vulnerability That Could Let Attackers Hijack Accounts

GitLab Releases Patch for Critical Vulnerability That Could Let Attackers Hijack Accounts

April 01, 2022Ravie Lakshmanan
DevOps platform GitLab has released software updates to address a critical security vulnerability that, if potentially exploited, could permit an adversary to seize control of accounts. Tracked as  CVE-2022-1162 , the issue has a CVSS score of 9.1 and is said to have been discovered internally by the GitLab team. "A hardcoded password was set for accounts registered using an  OmniAuth provider  (e.g., OAuth, LDAP, SAML) in GitLab CE/EE versions 14.7 prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2 allowing attackers to potentially take over accounts," the company  said  in an advisory published on March 31. GitLab, which has addressed the bug with the latest release of versions 14.9.2, 14.8.5, and 14.7.7 for GitLab Community Edition (CE) and Enterprise Edition (EE), also said it took the step of resetting the password of an unspecified number of users out of an abundance of caution. "Our investigation shows no indication that users or accounts have
Chinese Hackers Target VMware Horizon Servers with Log4Shell to Deploy Rootkit

Chinese Hackers Target VMware Horizon Servers with Log4Shell to Deploy Rootkit

April 01, 2022Ravie Lakshmanan
A Chinese advanced persistent threat tracked as Deep Panda has been observed exploiting the  Log4Shell vulnerability  in VMware Horizon servers to deploy a backdoor and a novel rootkit on infected machines with the goal of stealing sensitive data. "The nature of targeting was opportunistic insofar that multiple infections in several countries and various sectors occurred on the same dates,"  said  Rotem Sde-Or and Eliran Voronovitch, researchers with Fortinet's FortiGuard Labs, in a report released this week. "The victims belong to the financial, academic, cosmetics, and travel industries." Deep Panda , also known by the monikers Shell Crew, KungFu Kittens, and Bronze Firestone, is said to have been active since at least 2010, with recent attacks "targeting legal firms for data exfiltration and technology providers for command-and-control infrastructure building,"  according  to Secureworks. Cybersecurity firm CrowdStrike, which assigned the panda
Online Courses and Software

Sign up for cybersecurity newsletter and get latest news updates delivered straight to your inbox daily.