Recent findings from Akamai security researchers have unveiled a vulnerability in the armor of DNS security. This flaw, stemming from the exploitation of DHCP DNS Dynamic Updates, creates an avenue for attackers to engage in the deceitful practice of DNS record spoofing.
Exploring the Vulnerability
The Dynamic Host Configuration Protocol (DHCP), which quietly manages IP addresses and configurations in network devices, harbors a vulnerability within its functionality. DHCP DNS Dynamic Updates, intended for automatic DNS record adjustments, becomes a liability when left unsecured. The lack of authentication in this process permits any device within the network to impersonate others, setting the stage for potential exploitation.
DNS records serve as the internet’s directory, translating human-readable domain names into numeric IP addresses. By spoofing these records, attackers can divert unsuspecting users to malicious websites, mirroring legitimate platforms such as banks, social media sites, or internal company resources. This enables them to pilfer login credentials, access sensitive data, and even launch further incursions within the network.
Exploited DHCP Functionality
The vulnerability resides in a DHCP feature known as DHCP DNS Dynamic Updates. This feature enables DHCP servers to autonomously register and update DNS records for connected devices, ensuring seamless network connectivity. However, its inherent lack of authentication renders it vulnerable to exploitation. Malicious entities can manipulate this weakness by submitting forged requests to the DHCP server, duping it into creating or altering DNS records and ultimately redirecting users to their fraudulent phishing sites.
The potential ramifications of this vulnerability are substantial. Microsoft DHCP servers, widely deployed, were observed by Akamai on 40% of the monitored networks, exposing countless organizations and individuals to DNS spoofing assaults. Consequently, this poses a critical threat necessitating immediate remedial action.
Akamai advises the implementation of mitigation measures until a patch is provided by Microsoft.
This flaw permits attackers to insert harmful code into the software, potentially leading to complete system takeover and data breaches.
Sophos has responded by releasing updated versions of their firewalls to detect and prevent exploitation attempts targeting older versions. This Remote Code Execution (RCE) vulnerability has been rated Critical (9.8).
According to Sophos, devices vulnerable to this exploit are running end-of-life (EOL) firmware. A patch has been promptly developed for certain EOL firmware versions and automatically applied to 99% of affected organizations with “accept hotfix” enabled.
The Sophos Firewall v19.0 MR1 (19.0.1) and earlier versions, released in 2022, have become obsolete, leading to end-of-life (EOL) status for all vulnerable devices. Consequently, these devices will no longer receive updates or support, exposing them to potential security threats.
It’s noteworthy that attackers have been targeting firmware and end-of-life (EOL) devices from various technology vendors. Sophos has reported exploitation of this specific vulnerability, primarily targeting a specific group of companies, mostly in South Asia.
To enhance security, organizations should take measures to safeguard their User Portal and Webadmin, including preventing exposure to the Wide Area Network (WAN). For remote access and management, employing VPN or Sophos Central is recommended, with the latter being the preferred choice. Sophos advises disabling WAN access to the User Portal and Webadmin to adhere to best practices for device access.
Victims of these attacks span various industries, including software development, marketing, sales, medical devices, billing, employee monitoring, financial management, hosting, tool manufacturing, small and large IT companies, and an energy trade association.
The SVR’s ongoing operation, targeting networks hosting TeamCity servers, exploits the vulnerability identified as CVE-2023-42793. This flaw, impacting versions before 2023.05.4, allowed for authentication bypass in JetBrains TeamCity, potentially resulting in Remote Code Execution (RCE) on TeamCity Server.
TeamCity servers are integral to software development, enabling developers to manage and automate tasks such as development, compilation, testing, and release. Malicious actors, upon gaining access to these servers, can execute various harmful actions, including supply chain attacks, source code retrieval, certificate signing, software deployment disruption, and more.
The CSA highlights malicious activities such as lateral movement, backdoor deployment, privilege escalation, and others aimed at ensuring prolonged access to compromised networks.
JetBrains released a fix for CVE-2023-42793 in mid-September 2023, limiting the SVR’s ability to exploit unpatched TeamCity servers accessible via the internet.
While the SVR’s operations are believed to be in the preparatory phase, access to software developers’ networks provides an opportunity for establishing covert command and control (C2) infrastructure.
Rob Joyce, Director of NSA’s Cybersecurity Directorate, emphasizes the importance of promptly patching systems, implementing mitigations, and utilizing Indicators of Compromise (IOCs) to detect adversary presence and prevent persistent access.
For the latest manufacturer recommendations regarding updates, workarounds, and security patches for this vulnerability, please refer to the Atlassian Security Advisory CVE-2022-1471 (as of December 5, 2023). Additional useful links are provided at the end of this article.
Security Advisory for Atlassian Products – Risk: High
The severity of vulnerabilities in computer systems is evaluated using the Common Vulnerability Scoring System (CVSS). This standard allows potential or actual security vulnerabilities to be compared based on various metrics to create a prioritized list for countermeasures. Severity levels are assessed using attributes such as “none,” “low,” “medium,” “high,” and “critical.” The Base Score evaluates the prerequisites for an attack and its consequences, while the Temporal Score considers temporal changes in the threat landscape. The current vulnerability is rated as “high” with a Base Score of 9.8.
Atlassian Products Bug: Multiple vulnerabilities allow code execution. Bitbucket is a Git server for source code version control, Confluence is commercial wiki software, and Jira is a web application for software development. A remote, anonymous, or authenticated attacker can exploit multiple vulnerabilities in Atlassian Bitbucket, Atlassian Confluence, and Atlassian Jira Software to execute arbitrary code. These vulnerabilities were classified using the CVE (Common Vulnerabilities and Exposures) designation system, with individual serial numbers CVE-2023-22524, CVE-2023-22523, CVE-2023-22522, and CVE-2022-1471.
Overview of affected systems:
General measures for handling IT security vulnerabilities:
Manufacturer information on updates, patches, and workarounds: Additional links to bug reports, security fixes, and workarounds are provided below:
SLAM takes advantage of speculative execution vulnerabilities, such as those found in Spectre, allowing unauthorized access to sensitive data within microprocessors. By manipulating the speculative execution capabilities of CPUs, hackers can extract confidential information, bypassing traditional security measures.
One of the key targets for SLAM is the hardware security features being implemented by major CPU vendors like Intel, AMD, and Arm. These features, including Intel’s Linear Address Masking (LAM), AMD’s Upper Address Ignore (UAI), and Arm’s Top Byte Ignore (TBI), were designed to bolster security. However, SLAM demonstrates that these enhancements inadvertently increase the attack surface for Spectre-based attacks.
SLAM delves into the residual attack space of Spectre, particularly on current and future CPUs equipped with features like Intel LAM. By bypassing new transient execution methods and exploiting overlooked Spectre disclosure gadgets, SLAM can circumvent standard security measures. This includes avoiding typical “masked” gadgets that use secret data to index arrays, which are commonly used in software.
The attack methodology of SLAM involves identifying and exploiting unmasked gadgets within code patterns, particularly those related to pointer-chasing snippets. These unmasked gadgets, which exploit confidential data as pointers, are prevalent in software. Despite efforts to mitigate such vulnerabilities, the researchers discovered tens of thousands of exploitable gadgets in the Linux kernel alone, with hundreds posing immediate risks.
One of the most concerning aspects of SLAM is its ability to quickly extract sensitive data, such as root password hashes, in under 30 seconds. This was demonstrated on the latest Ubuntu system, emulating Intel LAM. Moreover, SLAM’s impact extends beyond current vulnerabilities, targeting future CPUs expected to support LAM, UAI, and TBI features.
While CPU vendors have been informed about SLAM, responses vary. Intel, acknowledging its sponsorship of the research, plans to offer software guidance prior to releasing CPUs with LAM support. Meanwhile, Linux developers have already taken steps to disable certain security features by default until further guidance is available.
AMD and Arm have taken different approaches. Arm believes its existing mitigations for Spectre v2 and Spectre BHI should suffice, while AMD points to current mitigations for Spectre v2, without providing further updates.
In summary, SLAM represents a significant advancement in side-channel attacks, exploiting hardware features intended to enhance security. As CPU vendors work to address these vulnerabilities, it underscores the ongoing arms race between cybersecurity researchers and threat actors in the ever-evolving landscape of computer security.
AWS STS functions as a web service enabling users to request temporary, limited-privilege credentials for accessing AWS resources without the need for creating AWS identities. These temporary STS tokens have varying lifespans, ranging from 15 minutes to 36 hours.
The exploitation of AWS STS involves stealing long-term IAM tokens through methods like malware infections, exposed credentials, or phishing attacks. With these tokens, threat actors can ascertain associated roles and privileges via API calls. Depending on the permissions granted by the token, adversaries can even create additional IAM users with long-term access, ensuring persistence even if initial tokens are revoked.
Subsequently, an MFA-authenticated STS token can be utilized to generate multiple short-term tokens, facilitating post-exploitation actions such as data exfiltration.
To mitigate the risk of AWS token abuse, it is recommended to monitor CloudTrail event data, detect MFA abuse and role-chaining incidents, and regularly rotate long-term IAM user access keys. While AWS STS serves as a crucial security control for limiting the use of static credentials and access duration, certain IAM configurations can be exploited by adversaries to access cloud resources and execute malicious activities.
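As an added illustration, not taken from the report summarized above, here is a small Python triage pass over CloudTrail records for the patterns the paragraph names: role chaining, persistence through newly created long-term IAM access, and bursts of short-term token minting. Field names follow CloudTrail's eventSource/eventName/userIdentity layout; the sample records, ARNs, key IDs and the burst threshold are constructed for the example.

```python
from collections import Counter

# Constructed sample CloudTrail records (not real telemetry), reduced to the
# fields the checks below read. Key IDs are made-up placeholders: the "ASIA"
# prefix marks a temporary STS key, "AKIA" a long-term IAM user key.
STOLEN_USER = {"type": "IAMUser",
               "arn": "arn:aws:iam::111122223333:user/build-bot",
               "accessKeyId": "AKIAEXAMPLEKEY0000001"}
CHAINED_SESSION = {"type": "AssumedRole",
                   "arn": "arn:aws:sts::111122223333:assumed-role/ReadOnly/s1",
                   "accessKeyId": "ASIAEXAMPLEKEY0000002"}
SAMPLE_EVENTS = [
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
     "userIdentity": STOLEN_USER},                 # persistence: new IAM user
    {"eventSource": "sts.amazonaws.com", "eventName": "GetSessionToken",
     "userIdentity": STOLEN_USER},
    {"eventSource": "sts.amazonaws.com", "eventName": "GetSessionToken",
     "userIdentity": STOLEN_USER},
    {"eventSource": "sts.amazonaws.com", "eventName": "GetSessionToken",
     "userIdentity": STOLEN_USER},                 # burst of short-term tokens
    {"eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
     "userIdentity": CHAINED_SESSION},             # role chaining
    {"eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
     "userIdentity": CHAINED_SESSION},             # not flagged by these checks
]

PERSISTENCE_CALLS = {"CreateUser", "CreateAccessKey", "CreateLoginProfile"}
TOKEN_CALLS = {"AssumeRole", "GetSessionToken", "GetFederationToken"}
BURST_THRESHOLD = 3  # assumed tuning value for the example, not from the advisory


def analyze(events, burst_threshold=BURST_THRESHOLD):
    """Return (finding, principal_arn, detail) tuples for the abuse patterns."""
    findings = []
    token_calls = Counter()
    for ev in events:
        ident = ev.get("userIdentity", {})
        arn = ident.get("arn", "unknown")
        name = ev["eventName"]
        is_sts = ev["eventSource"] == "sts.amazonaws.com"
        # Role chaining: a session that is already an assumed role assumes another.
        if is_sts and name == "AssumeRole" and ident.get("type") == "AssumedRole":
            findings.append(("role_chaining", arn, name))
        # Persistence: new long-term access created after a key compromise.
        if name in PERSISTENCE_CALLS:
            findings.append(("new_long_term_access", arn, name))
        if is_sts and name in TOKEN_CALLS:
            token_calls[arn] += 1
    # Many short-term tokens minted by one principal within the reviewed window.
    for arn, n in token_calls.items():
        if n >= burst_threshold:
            findings.append(("token_minting_burst", arn, f"{n} STS token calls"))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(*finding)
```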
Furthermore, recent findings by SentinelLabs reveal significant security vulnerabilities affecting AWS and other cloud services due to flaws in driver software. These vulnerabilities could potentially allow attackers to escalate their privileges, disable security solutions, tamper with system components, or execute malicious actions unhindered. Both end-users and cloud service providers are susceptible to these vulnerabilities, which stem from shared code utilized in server and client-side applications.
SentinelLabs has proactively disclosed these vulnerabilities to affected providers and assigned CVE identifiers for tracking. While there’s no evidence of exploitation by malicious actors so far, users of affected services are advised to promptly check for updates and apply patches as necessary, as some vulnerabilities may require manual intervention for mitigation.
Command Injection Vulnerabilities:
Acknowledging the responsible disclosure of these vulnerabilities by security researchers, Zyxel credits Maxim Suslov for CVE-2023-35138 and Attila Szász from BugProve for CVE-2023-37928 and CVE-2023-4473, along with Drew Balfour from IBM X-Force for CVE-2023-4473.
In addition to addressing these specific vulnerabilities, Zyxel has released patches to rectify a total of 15 security issues affecting NAS, firewall, and access point (AP) devices. Among these, three critical flaws, including the aforementioned command injection vulnerabilities, have been identified as potential pathways for authentication bypass and unauthorized command execution. These patches aim to fortify the security posture of Zyxel devices, reducing the risk of exploitation by threat actors.
It’s imperative for users to promptly apply these updates to mitigate potential threats, especially considering the history of Zyxel devices being targeted by malicious actors. By staying vigilant and ensuring their devices are up to date, users can bolster their defenses against evolving cybersecurity risks.
The vulnerability resides within the Graphapi app, which leverages a third-party library to provide a URL for retrieving PHP environment details, including sensitive data like OwnCloud admin passwords and mail server credentials. Notably, instances predating February 2023 in Docker containers remain unaffected by credential exposure.
Reports indicate a significant concentration of vulnerable systems in Germany, with over 11,000 systems worldwide at risk. Despite the gravity of the situation, merely deactivating the Graphapi app does not suffice as a solution.
OwnCloud advises administrators to delete the vulnerable file and promptly change exposed credentials. Additionally, two other vulnerabilities (CVE-2023-49104 and CVE-2023-49105) have been disclosed, further underscoring the urgency for mitigation efforts.
Despite OwnCloud’s patch release on September 1, an update to Graphapi version 0.3.1 remains imperative to safeguard systems. Threat actors have swiftly capitalized on this vulnerability since November 25, 2023, with multiple IPs involved in exploitation attempts.
Both Shadowserver and Greynoise corroborate the escalating threat landscape, necessitating immediate action from administrators to mitigate the risk. Disabling the ‘phpinfo’ function in Docker containers and fortifying passwords are crucial steps in thwarting potential breaches.
In conclusion, the exploitation of CVE-2023-49103 underscores the critical importance of swift and comprehensive security measures within the OwnCloud ecosystem.
FortiSIEM, Fortinet’s security information and event management (SIEM) solution, plays a crucial role in identifying both insider and incoming threats that may bypass standard defenses. The advisory from Fortinet warns of an “improper neutralization of special elements used in an OS Command vulnerability [CWE-78]” within the FortiSIEM report server, tracked as CVE-2023-36553, with a CVSS Score of 9.3. This vulnerability allows unauthorized execution of commands through manipulated API requests.
Moreover, this critical vulnerability (CVE-2023-36553) is identified as a variant of CVE-2023-34992, previously addressed in October. Versions 7.0.0, 6.7.0 through 6.7.5, 6.6.0 through 6.6.3, 6.5.0 through 6.5.1, and 6.4.0 through 6.4.2 of FortiSIEM are susceptible to this flaw, potentially enabling unauthorized code execution or command execution through crafted API requests due to improper input sanitization. Such vulnerabilities increase the risk of unauthorized data access, modification, and deletion through API requests.
In addition to Fortinet’s disclosure, the software and appliance manufacturer has addressed security vulnerabilities across various products. These include SQL injections and opportunities for attackers to execute arbitrary commands on the company’s appliances. Fortinet has released updates for all affected products, advising administrators to install them promptly.
The vulnerabilities in FortiOS and FortiProxy, including insufficient integrity checks leading to potential exploits on VM images of the firewall, are highlighted. Fortinet maintains the original CVE-ID CVE-2023-38545 for these vulnerabilities, with CVSSv3 scores slightly lower than those provided by the cURL project. Updates are available for vulnerable versions, addressing these issues.
Furthermore, Fortinet addressed vulnerabilities in FortiClient, a Windows software ensuring compliance with corporate policies, which allowed DLL hijacking and arbitrary file deletion. Updates have been provided to mitigate these risks.
Fortinet’s own FortiSIEM revealed a security flaw allowing arbitrary command execution via API requests, with versions 4.7 through 5.4 affected. Upgrading to versions starting from 6.4.3 resolves this issue.
Additionally, in FortiWLM, Fortinet fixed critical SQL injection and file path manipulation vulnerabilities reported by security researchers, along with other security issues across FortiADC and FortiDDoS-F products.
The comprehensive updates from Fortinet aim to mitigate these vulnerabilities, ensuring the security and integrity of their products amidst evolving cyber threats. Administrators are strongly advised to apply these patches promptly to safeguard their systems and data.