According to WordPress security researchers, the Jupiter Theme and JupiterX Core plugins for the WordPress content management system have a variety of vulnerabilities. A major privilege escalation issue is one of these vulnerabilities. 

Privilege escalation is a malicious method that involves acquiring control of a user's account that would otherwise be inaccessible to the present user by exploiting an app or OS flaw or configuration error. By obtaining these rights, a hostile actor can do a variety of actions on the operating system or server, such as executing instructions or assisting malware infection within the network, which can result in business disruption, sensitive data exposure, or system takeover. This is a violation of privilege. 

As per the source, "This vulnerability allows any authenticated attacker, including a subscriber or customer-level attacker, to gain administrative privileges and completely take over any site running either the Jupiter Theme or JupiterX Core Plugin. The JupiterX Core plugin is required for the JupiterX theme. The classic Jupiter Theme contains a function, uninstallTemplate, which is intended to reset a site after a template is uninstalled, but has the additional effect of elevating the user calling the function to an administrator role. In JupiterX, this functionality has been migrated to the JupiterX Core plugin. Vulnerable versions register AJAX actions but do not perform any capability checks or nonce checks."

"On a site with a vulnerable version of the Jupiter Theme installed, any logged-in user can elevate their privileges to those of an administrator by sending an AJAX request with the action parameter set to abb_uninstall_template. This calls the uninstallTemplate function, which calls the resetWordpressDatabase function, where the site is effectively reinstalled with the currently logged-in user as the new site owner. On a site where a vulnerable version of the JupiterX Core plugin is installed, the same functionality can also be accessed by sending an AJAX request with the action parameter set to jupiterx_core_cp_uninstall_template." 

Jupiter is a powerful and high-quality WordPress theme builder. More than 90,000 well-known blogs, online magazines, and platforms with a high volume of user traffic use it. The vulnerability, which has been issued the tracking number CVE-2022-1654 and a CVSS score of 9.9, allows any authorised user on a website that employs vulnerable plugins to get administrator access (critical). 

After successfully exploiting the flaw, attackers have complete control over the website and may do whatever they want with it. This can include altering the site's content, installing dangerous programmes, or completely deleting the site. The attacker only has to be a simple subscriber or client on the website to exploit this vulnerability; thus, it could be said that the attack does not have strict requirements. 

CVE-2022-1654 affects Jupiter Theme 6.10.1 and older (fixed in 6.10.2), JupiterX Theme 2.0.6 and older (fixed in 2.0.7), and JupiterX Core Plugin 2.0.7 and older (fixed in 2.0.8). To improve the security vulnerabilities, one needs to either update to the latest version or disable the plugin and change the site's theme.

Hackers can remotely unlock millions of digital locks around the world, including those on Tesla cars, due to a flaw in Bluetooth technology, according to a cybersecurity firm. 

NCC Group researcher Sultan Qasim Khan was able to open and then drive a Tesla using a small relay device tied to a laptop, which spanned a wide gap between the Tesla and the Tesla owner's phone, according to a video shared with Reuters.

"This proves that any product relying on a trusted BLE connection is vulnerable to attacks even from the other side of the world," the UK-based firm said in a statement, referring to the Bluetooth Low Energy (BLE) protocol - technology used in millions of cars and smart locks which automatically open when in close proximity to an authorised device. 

Although Khan demonstrated the hack on a Tesla Model Y from 2021, NCC NSE 0.23 percent Group claims that any smart lock that uses BLE technology, including residential smart locks, may be unlocked in the same way. A request for comment from Tesla was not immediately returned. 

"In effect, systems that people rely on to guard their cars, homes, and private data are using Bluetooth proximity authentication mechanisms that can be easily broken with cheap off-the-shelf hardware," the firm stated. "This research illustrates the danger of using technologies for reasons other than their intended purpose, especially when security issues are involved". 

According to the NCC Group, such a vulnerability is not the same as a traditional bug that can be repaired with a software patch, and BLE-based authentication was not intended for usage in locking mechanisms.

SonicWall is urging customers to fix multiple high-risk security vulnerabilities in its Secure Mobile Access (SMA) 1000 Series line of products, which might allow attackers to evade authorization and compromise unpatched devices. 

Enterprises utilise SonicWall SMA 1000 SSLVPN solutions to ease end-to-end secure remote access to business resources in on-premises, cloud, and hybrid data centre environments. The first bug (a high-severity unauthenticated access control bypass) has been assigned CVE-2022-22282, however, the other two (a hard-coded cryptographic key and an open redirect, both of medium severity) are currently awaiting a CVE ID. 

"SonicWall strongly urges that organizations using the SMA 1000 series products upgrade to the latest patch," the company says in a security advisory published this week. 

SonicWall, on the other hand, stated that no evidence of these vulnerabilities being exploited in the field was discovered. The vulnerabilities do not affect SMA 1000 series devices running versions prior to 12.4.0, SMA 100 series products, CMS, or remote access clients, according to the company. The following SMA 1000 Series models are affected by security flaws: 6200, 6210, 7200, 7210, and 8000v (ESX, KVM, Hyper-V, AWS, Azure). 

The most serious of the three flaws is CVE-2022-22282, which allows unauthenticated attackers to bypass access control and obtain access to internal resources. This vulnerability can be remotely exploited in low-complexity attacks that don't involve any user input. If left unpatched and abused by attackers, the hard-coded cryptographic key flaw can have catastrophic repercussions, allowing them to get access to encrypted passwords. 

According to MITRE's CWE database, "The use of a hard-coded cryptographic key significantly increases the possibility that encrypted data may be recovered. If hard-coded cryptographic keys are used, it is almost certain that malicious users will gain access through the account in question." 

Threat actors would most likely seek ways to compromise SMA 1000 series VPN appliances because they are utilised to protect remote connections into corporate networks. SonicWall also warned in July 2021 that end-of-life SMA 100 series and Secure Remote Access systems will be more vulnerable to ransomware assaults. 

SonicWall's products are used by over 500,000 commercial clients in 215 countries and territories across the world, with many of them deployed on the networks of government agencies and the world's major corporations.

A researcher has demonstrated how a flaw common to numerous ransomware families can be used to control and eliminate the malware before it encrypts files on vulnerable systems. Malvuln is a project created by researcher John Page (aka hyp3rlinx) that lists vulnerabilities uncovered in various types of malware. 

Early in 2021, the Malvuln project was launched. SecurityWeek covered it in January 2021, when there were only a few dozen entries, and again in June 2021, when there were 260. Malvuln had almost 600 malware vulnerabilities as of May 4, 2022. Page added ten new entries in the first several days of May, detailing vulnerabilities in the Conti, REvil, Loki Locker, Black Basta, AvosLocker, LockBit, and WannaCry ransomware families. 

The researcher discovered that DLL hijacking flaws affect these and other ransomware families. By inserting a carefully designed file in a location where it will be run before the legal DLL, these vulnerabilities can often be exploited for arbitrary code execution and privilege escalation. When it comes to ransomware, a "attacker" can build a DLL file with the same name as a DLL that the malware looks for and loads. 

The new DLL will be executed instead of the ransomware executable if it is placed next to it. This can be used to stop malware from encrypting data by intercepting it and terminating it. The DLLs can be hidden, according to the researcher, who uses the Windows "attrib +s +h" command in his PoC videos. 

Page explained, “Endpoint protection systems and/or antivirus can potentially be killed prior to executing malware, but this method cannot as there’s nothing to kill — the DLL just lives on disk waiting. From a defensive perspective, you can add the DLLs to a specific network share containing important data as a layered approach.” 

Page told SecurityWeek that while some of the ransomware versions he tested were new, the strategy works against practically all ransomware, comparing it to a "Pandora's box of vulnerabilities." The researcher has also made videos showing how to exploit the ransomware's flaws. The videos demonstrate how a specially constructed DLL file installed in the same folder as the ransomware executable prevents the malware from encrypting files. 

Authentication bypass, command/code execution, hardcoded credentials, DoS, SQL injection, XSS, XXE, CSRF, path traversal, information disclosure, insecure permissions, cryptography-related, and other forms of attacks are all stored in the Malvuln database. Page also recently released Adversary3, an open-source malware vulnerability intelligence tool for third-party attackers. The Python-based application is intended to make it easier to access data from the Malvuln database, allowing users to search for vulnerabilities by attack category. 

According to the researcher, the tool could be valuable in red teaming activities. For instance, the tester could seek for devices hosting malware and exploit vulnerabilities in that malware to gain elevated access. When the project was first announced, certain members of the cybersecurity community expressed concern that the data could be beneficial to malware makers, assisting them in fixing vulnerabilities, some of which may have been exploited for threat intelligence reasons without their knowledge. The ransomware vulnerabilities and the Adversary3 tool, on the other hand, illustrate that the project can also benefit the cybersecurity community.

Recently, Microsoft has patched pair of security vulnerabilities in its Azure Database for PostgreSQL Flexible Server which could have been exploited to execute malicious code. On Thursday, cyber security researchers from Wiz Research published an advisory on "ExtraReplica," wherein they described it as a "cross-account database vulnerability" in Azure's infrastructure. 

The first is a privilege escalation bug in a modification that Microsoft made to the PostgreSQL engine and the second bug leverages the privilege escalation enabled by the former to give attackers cross-account access. 

Microsoft Azure is a hybrid cloud service and accounts for hundreds of thousands of enterprise customers, it also provides various services to different enterprises including software as a service (SaaS), infrastructure as a service (IaaS), and platform as a service (PaaS). 

It supports various programming languages, frameworks, and tools including both Microsoft-specific and third-party software and systems, as well as housing the data for various other Microsoft tools is one of its key features. 

According to the report, security vulnerabilities in the software could be used to bypass Azure's tenant isolation, which prevents software-as-a-service (SaaS) systems users from accessing resources belonging to other tenants. 

Also, ExtraReplica's core attack vector is based on a flaw that gave full access to customer data across multiple databases in a region without authorization, researchers from cloud security vendor Wiz Research recently added. 

"An attacker could create a full copy of a target database in Azure PostgreSQL [Flexible Server], essentially exfiltrating all the information stored in the database…," 

 “…The vulnerabilities would have allowed attackers to bypass firewalls configured to protect the hosted databases unless an organization had configured it for private access only but this is not the default configuration," says Ami Luttwak, co-founder and CTO at Wiz. 

Following the attack, Microsoft said it has mitigated the security vulnerabilities in the second week of January 2022, less than 48 hours after Wiz had warned about the attack. However, the company said that its research showed no evidence that hackers has exploited the vulnerabilities to access customer data.

This week, Cisco released its April 2022 bundle of security advisories for Cisco Adaptive Security Appliance (ASA), Firepower Threat Defense (FTD), and Firepower Management Center (FMC). 

The semiannual bundled advisories include a total of 19 flaws in Cisco security products, with 11 of them being classified as "high severity." 

CVE-2022-20746 (CVSS score of 8.8) is the most serious of these, an FTD security vulnerability that occurs because TCP flows aren't appropriately handled and might be exploited remotely without authentication to generate a denial of service (DoS) condition. 

“An attacker could exploit this vulnerability by sending a crafted stream of TCP traffic through an affected device. A successful exploit could allow the attacker to cause the device to reload, resulting in a DoS condition,” Cisco explains in an advisory. 

With the introduction of FDT versions 6.6.5.2 and 7.1.0.1, the IT giant has addressed the problem. Fixes will also be included in FDT releases 6.4.0.15 and 7.0.2, which will be released next month. Several more DoS vulnerabilities, all rated "high severity," were fixed with the same FDT releases, including ones that affect ASA as well. They were addressed in ASA releases 9.12.4.38, 9.14.4, 9.15.1.21, 9.16.2.14, and 9.17.1.7. Other problems fixed by these software upgrades could result in privilege escalation or data manipulation when using an IPsec IKEv2 VPN channel.

Cisco also fixed an ASA-specific flaw that allowed an attacker to access sensitive information from process memory. Firepower Management Center (FMC) releases 6.6.5.2 and 7.1.0.1, as well as the future releases 6.4.0.15 and 7.0.2, resolve a remotely exploitable security protection bypass flaw, as per the tech giant. 

Cisco stated, “An attacker could exploit this vulnerability by uploading a maliciously crafted file to a device running affected software. A successful exploit could allow the attacker to store malicious files on the device, which they could access later to conduct additional attacks, including executing arbitrary code on the affected device with root privileges."

Fixes for eight medium-severity vulnerabilities in these security products are included in the company's semiannual bundled publishing of security advisories. Cisco is not aware of any attacks that take advantage of these flaws.

Microsoft uncovered vulnerabilities in Linux systems that could be used to grant attackers root access if they were chained together. 

The flaws, dubbed "Nimbuspwn," are detected in networkd-dispatcher, a dispatcher daemon for systemd-networkd connection status changes in Linux, and are labelled as CVE-2022-29799 and CVE-2022-29800. As part of a code review and dynamic analysis effort, Microsoft found the vulnerabilities while listening to signals on the System Bus. 

Microsoft’s Jonathan Bar Or explained, “Reviewing the code flow for networkd-dispatcher revealed multiple security concerns, including directory traversal, symlink race, and time-of-check-time-of-use race condition issues, which could be leveraged to elevate privileges and deploy malware or carry out other malicious activities.”

 

“The vulnerabilities can be chained together to gain root privileges on Linux systems, allowing attackers to deploy payloads, like a root backdoor, and perform other malicious actions via arbitrary root code execution.” 

He went on to state that ransomware attackers might use Nimbuspwn as a route for root access in order to have a significant impact on affected machines. Clayton Craft, the maintainer of the networkd-dispatcher, apparently worked promptly to remedy the flaws after responsibly revealing the bugs. 

Linux users who are affected are recommended to apply patches as soon as they become available. Although Nimbuspwn has the potential to affect a huge number of people, attackers would first need local access to the targeted systems in order to exploit the flaws. 

Mike Parkin, senior technical engineer at Vulcan Cyber argued, “Any vulnerability that potentially gives an attacker root-level access is problematic. Fortunately, as is common with many open-source projects, patches for this new vulnerability were quickly released.” 

“While susceptible configurations aren’t uncommon, exploiting these vulnerabilities appears to require a local account and there are multiple ways to mitigate them beyond the recommended patching. There is currently no indication that these vulnerabilities have been exploited in the wild.”

Three security flaws in Qualcomm and MediaTek audio decoders have been discovered, if left unpatched which might permit an adversary to remotely access media and audio chats from compromised mobile devices. According to Israeli cybersecurity firm Check Point, the flaws might be exploited to execute remote code execution (RCE) attacks by delivering a carefully prepared audio file. 

The researchers said in a report shared with The Hacker News, "The impact of an RCE vulnerability can range from malware execution to an attacker gaining control over a user's multimedia data, including streaming from a compromised machine's camera. In addition, an unprivileged Android app could use these vulnerabilities to escalate its privileges and gain access to media data and user conversations." 

The flaws, termed ALHACK, are based on an audio coding system that Apple created and made open-source in 2011. The Apple Lossless Audio Codec (ALAC) or Apple Lossless audio codec format is used to compress digital music in a lossless manner. Since then, other third-party suppliers have used Apple's reference audio codec implementation as the basis for their own audio decoders, including Qualcomm and MediaTek. While Apple has constantly patched and fixed security problems in their proprietary version of ALAC, the open-source version of the codec has not gotten a single update since it was first uploaded to GitHub on October 27, 2011. 

Check Point revealed three vulnerabilities in this ported ALAC code, two of which were found in MediaTek CPUs and one in Qualcomm chipsets. – 

• CVE-2021-0674 (CVSS score: 5.5, MediaTek) - A case of improper input validation in ALAC decoder leading to information disclosure without any user interaction 

• CVE-2021-0675 (CVSS score: 7.8, MediaTek) - A local privilege escalation flaw in the ALAC decoder stemming from out-of-bounds write 

• CVE-2021-30351 (CVSS score: 9.8, Qualcomm) - An out-of-bound memory access due to improper validation of a number of frames being passed during music playback 

The vulnerabilities allowed Check Point to "grab the phone's camera feed" in a proof-of-concept exploit, according to security researcher Slava Makkaveev, who discovered the issues alongside Netanel Ben Simon. All three vulnerabilities were addressed by the individual chipset manufacturers in December 2021, following responsible disclosure. 

"The vulnerabilities were easily exploitable. A threat actor could have sent a song (media file) and when played by a potential victim, it could have injected code in the privileged media service. The threat actor could have seen what the mobile phone user sees on their phone," Makkaveev explained.

In April 2022, Palo Alto Networks aims to patch the CVE-2022-0778 OpenSSL flaw in several of its firewall, VPN, and XDR devices. 

OpenSSL published fixes in mid-March to address a high-severity denial-of-service (DoS) vulnerability impacting the BN mod sqrt() function used in certificate parsing, which is tracked as CVE-2022-0778. Tavis Ormandy, a well-known Google Project Zero researcher, uncovered the issue. An attacker can exploit the flaw by creating a certificate with invalid explicit curve parameters. 

The advisory for this flaw read, “The BN_mod_sqrt() function, which computes a modular square root, contains a bug that can cause it to loop forever for non-prime moduli. Internally this function is used when parsing certificates that contain elliptic curve public keys in compressed form or explicit elliptic curve parameters with a base point encoded in compressed form.” 

“It is possible to trigger the infinite loop by crafting a certificate that has invalid explicit curve parameters.” 

The bug affects OpenSSL versions 1.0.2, 1.1.1, and 3.0, and the project's maintainers fixed it with the release of versions 1.0.2zd (for premium support customers), 1.1.1n, and 3.0.2. When parsing an invalid certificate, an attacker can cause the OpenSSL library to enter an infinite loop, resulting in a DoS condition, according to Palo Alto Networks. 

“All PAN-OS software updates for this issue are expected to be released in April 2022. The full fixed versions for PAN-OS hotfixes will be updated in this advisory as soon as they are available.” as per Palo Alto Network. 

During the week of April 18, the company is expected to provide security remedies for the above vulnerability. PAN-OS, GlobalProtect app, and Cortex XDR agent software, according to Palo Alto, have a faulty version of the OpenSSL library, whereas Prisma Cloud and Cortex XSOAR solutions are unaffected. 

“We intend to fix this issue in the following releases: PAN-OS 8.1.23, PAN-OS 9.0.16-hf, PAN-OS 9.1.13-hf, PAN-OS 10.0.10, PAN-OS 10.1.5-hf, PAN-OS 10.2.1, and all later PAN-OS versions. These updates are expected to be available during the week of April 18, 2022.” continues the advisory. 

Customers with Threat Prevention subscriptions can enable Threat IDs 92409 and 92411 to limit the risk of exploitation for this issue while waiting for PAN-OS security upgrades, according to the company.

According to figures from one cybersecurity firm, about one out of every six firms affected by the Spring4Shell zero-day vulnerability has already been targeted by threat actors. 

The exploitation attempts occurred within the first four days of the severe remote code execution (RCE) issue, CVE-2022-22965, and the associated attack code was publicly disclosed. 37,000 Spring4Shell attacks were discovered over the weekend alone, according to Check Point, which generated the statistics based on their telemetry data. Software vendors appear to be the most hit industry, accounting for 28% of the total, possibly due to their high vulnerability to supply chain threats. 

Based on their visibility, Check Point ranks Europe #1 in terms of the most targeted region, with 20%. This suggests that the malicious effort to exploit existing RCE possibilities against vulnerable systems is well underway, and threat actors seem to be turning to Spring4Shell while unpatched systems are still exposed. North America accounts for 11% of Check Point's detected Spring4Shell attacks, while other entities have confirmed active exploitation in the United States. 

Spring4Shell was one of four flaws posted to the US Cybersecurity & Infrastructure Security Agency's (CISA) inventory of vulnerabilities known to be used in actual attacks yesterday. The agency has uncovered evidence of attacks on VMware products, in which the software vendor published security upgrades and alerts. 

Microsoft also released guidelines for detecting and preventing Spring4Shell attacks, as well as a statement that they are already analyzing exploitation attempts. Spring MVC and Spring WebFlux apps operating on JDK 9+ are affected by CVE-2022-22965, hence all Java Spring installations should be considered potential attack vectors. Spring Framework versions 5.3.18 and 5.2.2, as well as Spring Boot 2.5.12, were published by the vendor to address the RCE issue. 

As a result, upgrading to these versions or later is strongly advised. System administrators should also be aware of the remote code execution vulnerabilities in the CVE-2022-22963 and CVE-2022-22947 remote code execution flaws in the Spring Cloud Function and Spring Cloud Gateway. These flaws already have proof-of-concept exploits that are publicly available.

Rockwell Automation's programmable logic controllers (PLCs) and engineering workstation software have two new security flaws that might be exploited by an intruder to introduce malicious code into affected systems and silently manipulate automation operations. 

In a way similar to Stuxnet and the Rogue7 assaults, the vulnerabilities have the ability to impair industrial operations and cause physical damage to factories. 

Claroty's Sharon Brizinov noted in a write-up published, "Programmable logic and predefined variables drive these [automation] processes, and changes to either will alter the normal operation of the PLC and the process it manages." 

The following is a list of two flaws – 

Successfully exploiting the flaws could enable an attacker to change user programmes and download malicious code to the controller, effectively changing the PLC's normal operation and allowing rogue commands to be sent to the industrial system's physical devices. 

Brizinov explained, "The end result of exploiting both vulnerabilities is the same: The engineer believes that benign code is running on the PLC; meanwhile, completely different and potentially malicious code is being executed on the PLC." 

Because of the severity of the weaknesses, the US Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning outlining mitigation actions that users of the affected hardware and software can take as part of a "comprehensive defence-in-depth strategy."