Calenderweek 50 – WafdogBlog (http://192.168.11.11), feed generated Tue, 28 May 2024 09:39:21 +0000

Security Advisory: Critical Vulnerabilities in Atlassian Products (CVE-2022-1471) – Urgent Action Required
http://192.168.11.11/security-advisory-critical-vulnerabilities-in-atlassian-products-cve-2022-1471-urgent-action-required/ – Tue, 12 Mar 2024 14:12:45 +0000
On December 6, 2023, the Federal Office for Information Security (BSI) issued a security advisory regarding Atlassian products. The vulnerabilities affect Atlassian Bitbucket, Atlassian Confluence, and Atlassian Jira Software running on UNIX, Linux, and Windows operating systems.

For the latest manufacturer recommendations regarding updates, workarounds, and security patches for this vulnerability, please refer to the Atlassian Security Advisory CVE-2022-1471 (as of December 5, 2023). Additional useful links are provided at the end of this article.

Security Advisory for Atlassian Products – Risk: High

  • Risk Level: 4 (High)
  • CVSS Base Score: 9.8
  • CVSS Temporal Score: 8.5
  • Remote Attack: Yes

The severity of vulnerabilities in computer systems is evaluated using the Common Vulnerability Scoring System (CVSS). This standard allows potential or actual security vulnerabilities to be compared based on various metrics to create a prioritized list for countermeasures. Severity levels are assessed using attributes such as “none,” “low,” “medium,” “high,” and “critical.” The Base Score evaluates the prerequisites for an attack and its consequences, while the Temporal Score considers temporal changes in the threat landscape. The current vulnerability is rated as “high” with a Base Score of 9.8.

Atlassian Products Bug: Multiple vulnerabilities allow code execution. Bitbucket is a Git server for source code version control, Confluence is commercial wiki software, and Jira is a web application for software development. A remote, anonymous, or authenticated attacker can exploit multiple vulnerabilities in Atlassian Bitbucket, Atlassian Confluence, and Atlassian Jira Software to execute arbitrary code. These vulnerabilities were classified using the CVE (Common Vulnerabilities and Exposures) designation system, with individual serial numbers CVE-2023-22524, CVE-2023-22523, CVE-2023-22522, and CVE-2022-1471.

Overview of affected systems:

  • Operating Systems: UNIX, Linux, Windows
  • Products:
    • Atlassian Bitbucket Data Center
    • Atlassian Bitbucket Server
    • Atlassian Confluence Data Center
    • Atlassian Confluence Server
    • Atlassian Confluence Cloud Migration App
    • Atlassian Jira Software Core Data Center
    • Atlassian Jira Software Core Server
    • Atlassian Jira Software Service Management Data Center
    • Atlassian Jira Software Service Management Server
    • Atlassian Jira Software Software Data Center
    • Atlassian Jira Software Software Server
    • Atlassian Jira Software Management Cloud

General measures for handling IT security vulnerabilities:

  • Users should keep the affected applications up to date and promptly install new security updates.
  • For further information on current versions of the software, availability of security patches, or workarounds, consult the sources listed below.
  • If you have any questions or uncertainties, contact your system administrator.
  • IT security officers should regularly check for the availability of new security updates.

Manufacturer information on updates, patches, and workarounds. Links to the vendor's bug reports, security fixes, and workarounds are listed below:

  • Atlassian Security Advisory CVE-2022-1471, dated December 5, 2023. Further information: Link
  • Atlassian Security Advisory CVE-2023-22522, dated December 5, 2023. Further information: Link
  • Atlassian Security Advisory CVE-2023-22523, dated December 5, 2023. Further information: Link
  • Atlassian Security Advisory CVE-2023-22524, dated December 5, 2023. Further information: Link
Unmasking SLAM: Exploiting CPU Security Features for Spectre Attacks
http://192.168.11.11/unmasking-slam-exploiting-cpu-security-features-for-spectre-attacks/ – Tue, 12 Mar 2024 14:10:23 +0000
Recent revelations by cybersecurity researchers from the Systems and Network Security Group at VU Amsterdam have brought to light a sophisticated new attack vector known as SLAM (Spectre based on Linear Address Masking). The attack exploits weaknesses in modern CPUs, particularly ones introduced by address-masking features anticipated in upcoming products from Intel, AMD, and Arm.

SLAM takes advantage of speculative execution vulnerabilities, such as those found in Spectre, allowing unauthorized access to sensitive data within microprocessors. By manipulating the speculative execution capabilities of CPUs, hackers can extract confidential information, bypassing traditional security measures.

One of the key targets for SLAM is the hardware security features being implemented by major CPU vendors like Intel, AMD, and Arm. These features, including Intel’s Linear Address Masking (LAM), AMD’s Upper Address Ignore (UAI), and Arm’s Top Byte Ignore (TBI), were designed to bolster security. However, SLAM demonstrates that these enhancements inadvertently increase the attack surface for Spectre-based attacks.

SLAM delves into the residual attack space of Spectre, particularly on current and future CPUs equipped with features like Intel LAM. Using new transient execution techniques and exploiting overlooked Spectre disclosure gadgets, SLAM can circumvent standard security measures. It does so without relying on the typical “masked” gadgets that use secret data to index arrays, which are the gadget type most commonly considered in software.

The attack methodology of SLAM involves identifying and exploiting unmasked gadgets within code patterns, particularly pointer-chasing snippets. These unmasked gadgets, which use secret data directly as pointers, are prevalent in software. Despite efforts to mitigate such vulnerabilities, the researchers discovered tens of thousands of exploitable gadgets in the Linux kernel alone, with hundreds posing immediate risks.

One of the most concerning aspects of SLAM is its ability to quickly extract sensitive data, such as root password hashes, in under 30 seconds. This was demonstrated on the latest Ubuntu system, emulating Intel LAM. Moreover, SLAM’s impact extends beyond current vulnerabilities, targeting future CPUs expected to support LAM, UAI, and TBI features.

While CPU vendors have been informed about SLAM, responses vary. Intel, acknowledging its sponsorship of the research, plans to offer software guidance prior to releasing CPUs with LAM support. Meanwhile, Linux developers have already taken steps to disable certain security features by default until further guidance is available.

AMD and Arm have taken different approaches. Arm believes its existing mitigations for Spectre v2 and Spectre BHI should suffice, while AMD points to current mitigations for Spectre v2, without providing further updates.

In summary, SLAM represents a significant advancement in side-channel attacks, exploiting hardware features intended to enhance security. As CPU vendors work to address these vulnerabilities, it underscores the ongoing arms race between cybersecurity researchers and threat actors in the ever-evolving landscape of computer security.

Unveiling the Exploits: Microsoft Outlook and WinRAR Vulnerabilities Exploited by Forest Blizzard
http://192.168.11.11/unveiling-the-exploits-microsoft-outlook-and-winrar-vulnerabilities-exploited-by-forest-blizzard/ – Tue, 12 Mar 2024 14:07:25 +0000
Microsoft revealed on Monday that it had uncovered Kremlin-backed nation-state activity exploiting a now-patched critical security flaw in its Outlook email service, allowing unauthorized access to victims’ accounts within Exchange servers. The intrusions were attributed to a threat actor dubbed Forest Blizzard (formerly Strontium), also known as APT28, BlueDelta, Fancy Bear, and various other aliases.

The security vulnerability, CVE-2023-23397, rated at a CVSS score of 9.8, is a critical privilege escalation bug that Microsoft patched in March 2023. This flaw could allow an adversary to obtain a user’s Net-NTLMv2 hash and use it in a relay attack against another service to authenticate as the user.

The Polish Cyber Command (DKWOC) noted that the goal was to obtain unauthorized access to mailboxes belonging to public and private entities in the country. The adversary, identified as Forest Blizzard, then proceeded to modify folder permissions within the victim’s mailbox, granting access to authenticated users in the Exchange organization. This modification enabled the threat actor to extract valuable information from high-value targets.

Microsoft had previously disclosed that the vulnerability had been exploited by Russia-based threat actors targeting various sectors across Europe since April 2022. In June 2023, cybersecurity firm Recorded Future detailed a spear-phishing campaign orchestrated by APT28, exploiting vulnerabilities in Roundcube webmail software concurrently with the Microsoft Outlook vulnerability. The National Cybersecurity Agency of France (ANSSI) also attributed attacks to Forest Blizzard, targeting government entities and businesses using various vulnerabilities, including CVE-2023-23397. Forest Blizzard’s activities extended to utilizing the WinRAR flaw (CVE-2023-38831) to steal browser login data.

Furthermore, Proofpoint observed high-volume phishing campaigns in late March and September 2023, leveraging these vulnerabilities to target organizations in Europe and North America. Despite the patching of the vulnerabilities, Forest Blizzard persists, relying on unpatched systems for continued success.

Securing Cloud Environments: Understanding and Mitigating AWS Token Exploitation
http://192.168.11.11/securing-cloud-environments-understanding-and-mitigating-aws-token-exploitation/ – Tue, 12 Mar 2024 13:40:39 +0000
Threat actors can exploit the Amazon Web Services Security Token Service (AWS STS) to infiltrate cloud accounts and carry out subsequent attacks. This service allows them to impersonate user identities and roles within cloud environments, enabling unauthorized access and malicious actions, as highlighted by Red Canary researchers Thomas Gardner and Cody Betsworth in a recent analysis.

AWS STS functions as a web service enabling users to request temporary, limited-privilege credentials for accessing AWS resources without the need for creating AWS identities. These temporary STS tokens have varying lifespans, ranging from 15 minutes to 36 hours.

The exploitation of AWS STS involves stealing long-term IAM tokens through methods like malware infections, exposed credentials, or phishing attacks. With these tokens, threat actors can ascertain associated roles and privileges via API calls. Depending on the permissions granted by the token, adversaries can even create additional IAM users with long-term access, ensuring persistence even if initial tokens are revoked.

Subsequently, an MFA-authenticated STS token can be utilized to generate multiple short-term tokens, facilitating post-exploitation actions such as data exfiltration.

To mitigate the risk of AWS token abuse, it is recommended to monitor CloudTrail event data, detect MFA abuse and role-chaining incidents, and regularly rotate long-term IAM user access keys. While AWS STS serves as a crucial security control for limiting the use of static credentials and access duration, certain IAM configurations can be exploited by adversaries to access cloud resources and execute malicious activities.
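As an added example (not code from the post or from Red Canary), the Python below runs the CloudTrail review recommended above over a handful of constructed CloudTrail-shaped records: it flags role chaining (an AssumeRole call made by an already-assumed role), a burst of temporary tokens minted from one MFA-authenticated session, and long-term IAM principals created from temporary credentials. The event shapes, key IDs, role ARNs and the fan-out threshold are assumptions for illustration.

```python
from collections import defaultdict

STS, IAM = "sts.amazonaws.com", "iam.amazonaws.com"
ROLE_RO = "arn:aws:iam::111122223333:role/ExampleReadOnly"
ROLE_ADMIN = "arn:aws:iam::111122223333:role/ExampleAdmin"

def _ev(name, source, kind, key, role=None, mfa=False):
    """Build a minimal CloudTrail-shaped record (constructed sample, not a real log)."""
    ev = {"eventSource": source, "eventName": name, "userIdentity": {
        "type": kind, "accessKeyId": key,
        "sessionContext": {"attributes": {"mfaAuthenticated": str(mfa).lower()}}}}
    if role:
        ev["requestParameters"] = {"roleArn": role}
    return ev

# Constructed scenario: a stolen long-term key mints an MFA-backed session, that
# session fans out several role tokens, one role token chains into a second role,
# and the chained session creates an IAM user to survive revocation of the key.
SAMPLE_EVENTS = [
    _ev("GetSessionToken", STS, "IAMUser", "AKIAEXAMPLELONGTERM"),
    _ev("AssumeRole", STS, "IAMUser", "ASIAEXAMPLEMFASESSION", ROLE_RO, mfa=True),
    _ev("AssumeRole", STS, "IAMUser", "ASIAEXAMPLEMFASESSION", ROLE_ADMIN, mfa=True),
    _ev("AssumeRole", STS, "IAMUser", "ASIAEXAMPLEMFASESSION", ROLE_RO, mfa=True),
    _ev("AssumeRole", STS, "AssumedRole", "ASIAEXAMPLEROLESESSION", ROLE_ADMIN),  # chaining
    _ev("CreateUser", IAM, "AssumedRole", "ASIAEXAMPLEADMINSESSION"),  # persistence
    _ev("ListBuckets", "s3.amazonaws.com", "IAMUser", "AKIAEXAMPLEOTHER"),  # benign noise
]

def analyze(events, fanout_threshold=3):
    """Flag role chaining, token fan-out from one MFA session, and IAM
    principals created from temporary credentials. Returns a list of dicts."""
    findings, sts_calls = [], defaultdict(int)
    for ev in events:
        uid = ev.get("userIdentity", {})
        kind, key = uid.get("type"), uid.get("accessKeyId")
        mfa = uid.get("sessionContext", {}).get("attributes", {}).get("mfaAuthenticated") == "true"
        name, source = ev.get("eventName"), ev.get("eventSource")
        if source == STS and name == "AssumeRole" and kind == "AssumedRole":
            findings.append({"rule": "role_chaining", "key": key,
                             "role": ev["requestParameters"]["roleArn"]})
        if source == STS and name in ("AssumeRole", "GetSessionToken") and mfa:
            sts_calls[key] += 1  # temporary tokens minted by an MFA-authenticated caller
        if source == IAM and name in ("CreateUser", "CreateAccessKey") and kind == "AssumedRole":
            findings.append({"rule": "persistence_from_temp_creds", "key": key, "api": name})
    for key, n in sts_calls.items():
        if n >= fanout_threshold:
            findings.append({"rule": "mfa_token_fanout", "key": key, "count": n})
    return findings
```

Each finding carries the temporary access key ID that triggered it, which is the value to pivot on in CloudTrail to trace the session back to the long-term key that should be rotated.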

Furthermore, recent findings by SentinelLabs reveal significant security vulnerabilities affecting AWS and other cloud services due to flaws in driver software. These vulnerabilities could potentially allow attackers to escalate their privileges, disable security solutions, tamper with system components, or execute malicious actions unhindered. Both end-users and cloud service providers are susceptible to these vulnerabilities, which stem from shared code utilized in server and client-side applications.

SentinelLabs has proactively disclosed these vulnerabilities to affected providers and assigned CVE identifiers for tracking. While there’s no evidence of exploitation by malicious actors so far, users of affected services are advised to promptly check for updates and apply patches as necessary, as some vulnerabilities may require manual intervention for mitigation.
