Search This Blog

Showing posts with label Vulnerabilities and Exploits.. Show all posts

JsonWebToken Library Security Flaw: Used in 20,000+ Projects

In the widely-used open-source project, JavaScript library JsonWebToken researchers from Palo Alto Networks unit 42 found a new high-severity vulnerability   CVE-2022-23529. 

Palo Alto Networks released a security advisory on Monday highlighting how the weakness could be used by an attacker to execute code remotely on a server that was verifying a maliciously constructed JSON web token (JWT) request. 

The JSON web token JavaScript module, designed and maintained by Okta's Auth0, enables users to decode, validate, and create JSON web tokens as a way of securely communicating information among two entities enabling authorization and authentication. The npm software registry receives more than 10 million downloads per week and is used in more than 22,000 projects.

Therefore, the capability of running malicious code on a server could violate confidentiality and integrity guarantees, enabling a bad actor to alter any files on the host and carry out any operation of its choice using a contaminated private key. However, Unit 42 cautions that to exploit it, malicious actors would need to first breach the secret management procedure with an app and a JsonWebToken server, dropping the severity level to 7.6/10.

Researchers discovered that after verifying a maliciously constructed JWS token, threat actors might use JsonWebToken to execute remote malware on servers. This is aided by a bug in JsonWebToken's verify() method, which checks a JWT and returns the decoded data. The token, the secretOrPublicKey, and options are the three inputs that this method accepts.

Artur Oleyarsh of Palo Alto Networks Unit 42 said, "An attacker will need to leverage a fault within the secret management mechanism to exploit the vulnerability mentioned in this post and manipulate the secretOrPublicKey value."

The security researcher claims that the Auth0 technical team released a patch for the vulnerability in December 2022. "We appreciate the Auth0 team's competent handling of the disclosure procedure and the provision of a patch for the reported vulnerability," said Oleyarsh.

In summary, the cybersecurity analyst stressed the importance of security awareness when utilizing open-source software. It is critical that downstream users proactively identify, mitigate, and patch vulnerabilities in such products as open-source software often appears as a lucrative first entry pathway for threat actors to stage supply chain attacks. The fact that hackers are now considerably faster at exploiting recently discovered flaws, substantially reducing the time between a patch release and exploit availability, simply makes matters difficult.

WhatsApp Allows Communication Amid Internet Outages

On January 5, WhatsApp revealed a new feature that enables users to connect via proxy servers so they may continue using the service even when the internet is restricted or disrupted by shutdowns.

Concept of Whatsapp proxy 

When selecting a proxy, users can connect to WhatsApp via servers run by individuals and groups devoted to promoting free speech throughout the world. According to WhatsApp, using a proxy connection preserves the app's privacy and security settings, and end-to-end encryption will continue to secure private conversations. As per the firm, neither the proxy servers, WhatsApp, nor Meta will be able to see the communications that are sent between them.

When it comes to assisting users when WhatsApp is prohibited in a country, the messaging service stated, "If WhatsApp is restricted in your nation, you can utilize a proxy to connect and communicate with loved ones. End-to-end encryption will still be used to protect private communications while using a proxy connection to WhatsApp."

In accordance with the new rules, internet service providers had to remove anything that law enforcement regarded to be illegal and cooperate with police investigations, which included locating the authors of malicious materials.WhatsApp countered this claim by saying that it will continue to secure users' private messages and would not compromise their security for any government.

According to Juras Jurnas of the proxy and online data collecting company Oxylabs, "For persons with government restrictions on internet access, such as was the situation with Iran, utilization of a proxy server can help people keep a connection to WhatsApp as well as the rest of the public, internet free."

After activists in response to the death of Mahsa Amini, 22, while in police detention, the Iranian government restricted access to Instagram and WhatsApp last year. The suspension of Article 370 of the Indian Constitution by the Indian Parliament resulted in a shutdown of the internet in the state of Jammu & Kashmir. This state-imposed lockdown was implemented as a precautionary measure. Only two districts, Ganderbal and Udampur, have 4G availability. After 552 days without internet or with slow internet, the former state was finally connected to 4G on February 6th, 2021.

The business stated it is working to ensure that internet shutdowns never occur and that individuals are not denied human rights or prevented from seeking immediate assistance as these scenarios arise in various locations throughout the world. 

Internet platforms had to comply with police investigations, including locating the authors of malicious information and destroying anything that authorities had determined to be illegal, according to the new legislation.WhatsApp countered that it would maintain the privacy of users' private messages and would not compromise its security for any government.

Twitter Substitute: Mastodon is it Secure?

Mastodon, a Twitter substitute, has gained popularity as the Musk era gets underway, however, is it more private and safe than Twitter?

Mastodon resembles a hybrid of Twitter and Discord. It is a microblogging network, like Twitter. It hosts hundreds of separate servers, unlike Twitter, and is decentralized.

Mastodon is self-funded and dependent on member donations and the administrator's goodwill. The servers are often run by volunteer moderators and focused on a single topic, such as politics or technology. Each has unique guidelines and a sign-up procedure. Users do not require special access to view posts and interact with others because users can join as many as they like and follow people across different sections.

People who switch from Twitter to Mastodon make the first error of thinking that it will be a resembling alternative. 

Mastodon Security

Forbes spoke to numerous specialists who addressed security issues with Mastodon's architecture and potential programming flaws in an article published this week. 

"Mastodon isn't the cure many people abandoning Twitter may think it is," cautioned Cybrary's senior director of threat intelligence, David Maynor.

For your Mastodon account, enable two-factor authentication. Mastodon's design may have flaws, according to Melissa Bischoping, director and endpoint security research specialist at Tanium. The website is divided up into 'instances,' or separately maintained sections. In addition to developing the rules for each 'instance,' administrators are also in charge of the site's infrastructure and software.

User verification is another function that falls under the general security category. Anybody can sign up at any of Mastodon's several distinct instances, independent servers managed by various admins because you are not registered and pretend to be you. 

Finally, numerous instances have been created solely for the goal of testing security and reporting flaws and vulnerabilities, allowing the ethical hacking and bug-hunting community to continue to participate and enhance the security of the platform as it becomes more widely used.

RCE Vulnerability patched in vm2 Sandbox

Researchers from Oxeye found a serious vm2 vulnerability (CVE-2022-36067) that has the highest CVSS score of 10.0. R&D executives, AppSec engineers, and security experts must make sure they rapidly repair the vm2 sandbox if they utilize it in their apps due to a new vulnerability known as SandBreak.

The most widely used Javascript sandbox library is vm2, which receives about 17.5 million downloads each month. It offers a widely used software testing framework that may synchronously execute untrusted code in a single process.

The Node.js functionality that allows vm2 maintainers to alter the call stack of failures in the software testing framework is the primary culprit in the vulnerability, which Oxeye's researchers have dubbed SandBreak.

According to senior security researcher Gal Goldshtein of Oxeye, "when examining the prior issues revealed to the vm2 maintainers, we observed an unusual technique: the bug reporter leveraged the error mechanism in Node.js to escape the sandbox."

Modern applications use sandboxes for a variety of functions, including inspecting attached files in email servers, adding an extra layer of protection in web browsers, and isolating running programs in some operating systems. Bypassing the vm2 sandbox environment, a hacker who takes advantage of this vulnerability would be able to execute shell commands on the computer hosting it.

The vm2 vulnerability can still have serious repercussions for apps that use vm2 without a fix due to the nature of the use cases for sandboxes. Given that this vulnerability does have the highest CVSS score and is quite well-known, its potential impact is both significant and extensive.

Nevertheless, an attacker might offer its alternative implementation of the prepareStackTrace technique and escape the sandbox because it did not cover all particular methods.

The researchers at Oxeye also were able to substitute their own implementation, which contained a unique prepareStackTrace function for the global Error object. When it was called, it would discover a CallSite object outside the sandbox, enabling the host to run any code.

Users are advised to upgrade as quickly as possible to the most recent version due to the vulnerability's serious severity and to reduce potential risks.

FDA Issues Cybersecurity Alert on Medtronic Insulin Pumps

The U.S. Food and Drug Administration issued a warning on Tuesday regarding the vulnerability of some insulin pump devices made by Medtronic. The flaw makes the devices vulnerable to cyberattacks while presenting a possibility for hackers to interfere with insulin delivery by gaining access to the device.

The FDA, a U.S. government organization, has issued an advisory regarding the MiniMed 600 Series Insulin Pump System from Medtronic, which includes the MiniMed 630G and MiniMed 670G devices.

The Department of Health and Human Services safeguards the public's health by ensuring the efficacy, security, and safety of pharmaceuticals for use in humans and animals, medical devices, and vaccinations. The agency is in charge of regulating tobacco products as well as the safety and security of our country's food supply, cosmetics, nutritional supplements, and devices that emit electronic radiation.

The FDA pointed out that many parts, including the insulin pump, constant glucose monitoring (CGM) transmitter, blood glucose meter, and CareLink USB device, connect wirelessly. A technical malfunction could make it possible for someone to break in and trigger the pump to administer the patient with either too much or too little insulin.

The insulin pumps are offered by Medtronic's diabetes division, which generated $2.41 billion in sales in 2021, or 8% of the business's overall revenue.

In the aftermath of the security incident, Medtronic cautioned users about the dangers and offered suggestions, such as advising them to permanently disable the 'Remote Bolus' function on the pump, refrain from disclosing the serial number of the device to unauthorized individuals, and avoid connecting or linking devices in public.

The business warned that patients should never accept remote connection requests and other remote activities unless patients or support persons initiated them and should always detach the USB device from their laptop while it is not being used to download pump data.

Although medical equipment is frequently connected to the internet, hospital networks, and other devices, the FDA warned that these same characteristics may pose cybersecurity threats.

According to the FDA advisory, "Medical devices, like other computer systems, might be subject to security breaches, possibly affecting the device's safety and effectiveness."

The MiniMed 508 and Paradigm insulin pumps have security flaws that Medtronic is unable to fully fix with software updates or patches. The FDA said that it was working with Medtronic to identify, discuss, and anticipate the negative consequences of this risk.

Hackers are Actively Targeting Linux-Based Devices

Ransomware attacks against Linux have accelerated as cybercriminals try to increase their options and take advantage of an operating system that is sometimes neglected when organizations think about security. 

According to Trend Micro, hackers prefer using ransomware-as-a-service (RaaS) techniques because they enable quicker deployment and higher rewards. Additionally, they increasingly focused their attacks on Linux-based computers and employed relatively new ransomware families in high-profile strikes. Operators of ransomware also used both cutting-edge and time-tested strategies to attack cloud environments.

Linux powers significant enterprise IT infrastructure, including servers, making it a target for ransomware gangs. This is especially true when cybersecurity teams may decide to concentrate on protecting Windows networks against cybercrime due to a believed lack of threat to Linux systems compared to Windows.

For instance, LockBit, one of the most widespread and effective ransomware operations in recent memory, now provides the choice of a Linux-based variant that is made to target Linux systems and has been used to carry out assaults in the field.

Hackers are regularly extending the scope of their exploits by focusing on Linux, one of the most potent operating systems utilized in cloud platforms and servers around the world, in addition to upping the ante by utilizing MaaS methods in their attacks.

The RaaS architecture makes it simpler and quicker for cyber criminals to deploy ransomware attacks than traditional ransomware models, even those with limited technical knowledge. According to SPN data, three ransomware families—the infamous LockBit, Conti, and BlackCat families—dominated the RaaS space in terms of detections. BlackCat is a family of ransomware that was developed in the Rust programming language at the end of 2021.

Attackers using ransomware are motivated by money and would jump at new possibilities if they believe they can increase their earnings; it would seem that encrypting Linux systems and demanding payment for the key to open servers and files are becoming more and more common.

According to researchers, as ransomware perpetrators strive to maximize their profits, this strategy will only grow in popularity.

It's not only ransomware entities that are focusing more on Linux, according to Trend Micro, but there has also been a 145% increase in Linux-based cryptocurrency-mining malware attacks, wherein online criminals covertly use the processing power of infected computers and servers to mine for cryptocurrency for their own gain.

Apple Offers iOS Update to Fix Vulnerabilities

Apple has patched a vulnerability that was potentially used by hackers in its iOS 12 upgrade for older iPhone and iPad models. The vulnerability was discovered by an anonymous researcher, who has received acknowledgment.

The flaw, identified as CVE-2022-32893 (CVSS score: 8.8), affects WebKit and is an out-of-bounds write problem that could result in arbitrary code execution when processing maliciously created web content, according to a document released by the firm on Wednesday.

A security vulnerability found in the platform affects users of Google Chrome, Mozilla Firefox, and Microsoft Edge as well because WebKit powers Safari and every other third-party browser accessible for iOS and iPadOS.

The security patch fixes a Safari vulnerability that might have allowed unauthorized access for users to parse maliciously created web content and execute arbitrary code. With enhanced bounds checking, the developers appear to have found a solution. Apple stated that they are already aware of a report that claims the problem may have been intentionally exploited.

Several older Apple devices, including the iPhone 5S, iPhone 6, iPhone 6 Plus, iPad Air, iPad Mini 2, iPad Mini 3, and iPod Touch, are compatible with the 275 MB update published to fix the vulnerability.

12.5.6, build 16H71, is the most recent version of the software. It appears to close the security flaw that the business recently fixed in the iOS 15.6.1 release, listed as CVE-2022-32893. 

After fixing two bugs in iOS 15.6.1, iPadOS 15.6.1, macOS 12.5.1, and Safari 15.6.1 as part of updates released on August 18, 2022, the iPhone manufacturer has released a new round of patches. 

The Cybersecurity and Infrastructure Security Agency (CISA), which discovered the significant bug and gave it a CVSS rating of 8.8, also identified it and published a warning about it last month.

Although specifics about the assaults' nature are unknown, Apple confirmed in a boilerplate statement that it was aware that this problem may have been actively exploited.

On September 7, Apple will also unveil the iPhone 14 series and iOS 16. Unfortunately, iOS 16 will not be made available to users of iPhone 8. Furthermore, older iOS device owners are urged to update as soon as possible to reduce security risks.

Kaspersky VPN Secure Connection Vulnerability Discovered

Kaspersky's VPN Secure Connection for Microsoft Windows has a local privilege-escalation (LPE) vulnerability that could allow an already-authenticated hacker to access administrative privileges and potentially seize total control of a victim's computer.

Researchers disagree over the bug's CVSS score, which is tracked as CVE-2022-27535. The bug has a high-severity CVSS score of 7.8 out of 10 as per a Synopsys alert published, but Kaspersky scores it as moderate with a 5.0 CVSS level.

In either case, it is present in the Support Tools section of the app and would enable root access to Server, the highest level possible in the Windows environment, allowing an authenticated hacker to delete any file at will from the system.

The Kaspersky team has fixed a flaw in the Kaspersky VPN Secure Connection that was exploited by an authorized hacker to trigger arbitrary file deletion on the host. It might result in device malfunction or the deletion of crucial system files necessary for proper system operation. 

An attacker needed to create a specific file and persuade customers to utilize the 'Delete all service data and reports' or 'Save report on your computer' product capabilities in order to carry out this attack.

Users should upgrade to version 21.6 or later to patch their systems because Kaspersky has solved the problem.

PrestaShop Sites Hit by Severe Security Flaw


Hackers are using a blend of known and undiscovered security flaws to insert malicious software into e-commerce websites running the PrestaShop platform, according to an urgent advisory from PrestaShop. There are currently 300,000 stores using PrestaShop, which is available in 60 different languages.

Operation objective:

Hackers exploit businesses that are utilizing out-of-date software or modules, susceptible third-party modules, or a vulnerability that has not yet been identified. The store must be vulnerable to SQL injection attacks for the attack to succeed. PrestaShop versions and later and versions and after running modules susceptible to SQL injection are also affected by the vulnerability.

The repeating method is stated in the PrestaShop security bulletin as follows:
  • A POST request is made by the hacker to a vulnerability endpoint to SQL injection.
  • The hacker sends a GET request to the homepage without any parameters after around a second.
  • This triggers the creation of a PHP file with the name blm.php at the root of the shop's directory.
  • The attacker now sends a GET request to the newly constructed file, blm.php, enabling them to carry out any command.
The hackers likely exploited this web shell to insert a scam payment form on the store's checkout page and steal payment card information from customers. To keep the site owner from learning that they had been compromised, the remote threat actors erased their trails after the attack.

Security measures 

Ensure that the site is updated to the most recent version, as well as all of its modules. Compromise site managers may discover entries in the web server's access logs for clues that they were compromised if the hackers weren't careful with the cleanup of evidence.

The addition of malicious software to files through file modifications and the activation of the MySQL Smarty cache storage, which is a component of the attack chain, are additional indications of compromise.

Because of the exploit's intricacy, there are various techniques to use it, and hackers might also try to cover their traces. To ensure that no file has been edited or malicious software has been installed, think about hiring a professional to conduct a thorough audit of the website.