IBM Cloud Pak for Security (CP4S) 1.10.0.0 through 1.10.11.0 and IBM QRadar Suite Software 1.10.12.0 through 1.10.16.0could allow an authenticated user to obtain sensitive version information that could aid in further attacks against the system.  IBM X-Force ID:  233665.

CVE-2022-36777: Security Bulletin: QRadar Suite Software includes components with multiple known vulnerabilities

By Deeba Ahmed
Patches for all affected versions of Apache ActiveMQ have been released, and clients are strongly advised to upgrade their systems.
This is a post from HackRead.com Read the original post: Kinsing Crypto Malware Targets Linux Systems via Apache ActiveMQ Flaw

Active since 2020, the resurgence of the Kinsing malware poses a significant threat to Linux-based systems, infiltrating servers and rapidly spreading across networks.

Cybersecurity researchers at Trend Micro have identified cybercriminals exploiting a critical vulnerability in Apache ActiveMQ (CVE-2023-46604) to infect Linux systems with the **Kinsing malware** (also known as h2miner). This vulnerability enables attackers to execute arbitrary code on affected systems, installing cryptocurrency miners and rootkits.

****What is Kinsing Malware?****

The Kinsing malware poses a significant threat to Linux-based systems, infiltrating servers and rapidly spreading across networks. It exploits vulnerabilities in web applications or misconfigured container environments to gain access, specifically targeting Linux systems. Its primary objectives include cryptocurrency mining, such as Bitcoin, and establishing persistence on the infected host.

Interestingly, the malware detects and eradicates competing cryptocurrency miners, targeting processes, active network connections, and crontabs that exploit vulnerabilities like **WebLogic** or **Log4Shell**. This strategic approach allows the malware to gain complete control of the system’s resources.

Furthermore, it ensures persistence by adding a cronjob to download and execute its malicious bootstrap script every minute, ensuring the latest malicious Kinsing binary is consistently available on the infected host.

“Kinsing doubles down on its persistence and compromise by loading its rootkit in /etc/ld.so.preload, which completes a full system compromise,” researchers noted.

Recently, attackers using Kinsing malware have utilized high-profile vulnerabilities like CVE-2023-4911 (**Looney Tunables**).

Image: Trend Micro

****About the Vulnerability****

Since early November 2023, Trend Micro researchers observed that CVE-2023-46604 is being exploited. It is a critical severity vulnerability **assigned** a CVSS score of 9.8. The vulnerability stems from OpenWire commands failing to validate throwable class type, thus enabling RCE.

“When the marshaller fails to validate the class type of a Throwable, it inadvertently allows the creation and execution of instances of any class. This opens the door to remote code execution (RCE) vulnerabilities, enabling attackers to execute arbitrary code on the affected server or application,” Trend Micro researchers explained in a **blog post**.

Apache ActiveMQ is a popular open-source message and integration platform written in Java. It implements message-oriented middleware (**MOM**) and facilitates communication between different applications. It offers different features, including OpenWire, STOMP, and Jakarta Messaging (JMS). OpenWire is a binary protocol designed for MOM and serves as the native wire format for ActiveMQ. It offers several benefits, such as bandwidth efficiency and support for various message types.

****How Does the Attack Work?****

The Kinsing malware exploits the CVE-2023-46604 vulnerability discovered in Apache ActiveMQ, which enables remote code execution (RCE). The vulnerability allows attackers to execute arbitrary code on the impacted system. After gaining access to the vulnerable server and executing the Kinsing binary, it becomes possible to install rootkits and cryptominers, steal sensitive data, disrupt operations, and install malware.

****Impacted versions****

Apache ActiveMQ versions 5.18.0 before 5.18.3, 5.17.0 before 5.17.6, and 5.16.0 before 5.16.5 are vulnerable to this attack. Apache ActiveMQ has **released** patches for all affected versions. Users are advised to update their ActiveMQ installations as soon as possible. In addition, keep OpenWire disabled if not required, restrict access to ActiveMQ management interfaces and isolate ActiveMQ deployments through network segmentation to stay protected.

Ken Dunham, Director of Cyber Threat at Foster City, Calif.-based **Qualys**, a disruptive cloud-based IT, security and compliance solutions provider, shared with Hackread.com that there’s a dire need for proper configuration of the cloud platform.

“The main takeaway I get here is around how the cloud is rarely configured properly and malware is exploiting that. We don’t want to allow malware like this to be proof of poor configurations and lack of security in our systems, especially around lateral movement tools, tactics and procedures (TTPs) used by the group.”

Dunham noted that Kinsing has been a significant threat **since 2020**.

“Kinsing has successfully preyed upon poorly authenticated and configured cloud Docker containers dating back to 2020, then performing lateral movement attempts leveraging brute force attacks,“ Dunham explained.

**Irfan Asrar**, Director, of Malware and Threat Research at Qualys, told Hackread.com that researchers have discovered a major gap in the cloud.

“This discovery highlights a major gap in the cloud not commonly defended against; most web apps/cloud infrastructure are not scanning for malware in their cloud infrastructure, mostly just attempting to screen web traffic, which allows the Kinsing malware to take advantage and gain persistency. I see this gap being taken advantage of in the future by other groups.”

****_RELATED ARTICLES_****

1.  **Fake Super Mario 3 Installers Drop Crypto Miner, Data Stealer**
2.  **Microsoft Azure Exploited to Create Undetectable Cryptominer**
3.  **Hackers actively exploiting 0-day in Ubiquitous Apache Log4j tool**
4.  **Golang malware infecting Windows, Linux servers with XMRig miner**
5.  **Nitrokod Crypto Miner Hiding in Fake Microsoft, Google Translate Apps**

Kinsing Crypto Malware Targets Linux Systems via Apache ActiveMQ Flaw

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in AazzTech WooCommerce Product Carousel Slider plugin <= 3.3.5 versions.

**Solution**

 No fix

No patched version is available. This plugin has been closed as of June 28, 2023 and is not available for download. This closure is permanent. Reason: Author Request.

Found this useful? Thank Abdi Pranata for reporting this vulnerability. Buy a coffee ☕

Abdi Pranata discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress WooCommerce Product Carousel Slider Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has not been known to be fixed yet.

**No other known vulnerabilities for this plugin**Report

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

CVE-2023-47755: WordPress WooCommerce Product Carousel Slider plugin <= 3.3.5 - Cross Site Scripting (XSS) vulnerability - Patchstack

Headwind MDM Web panel 5.22.1 is vulnerable to Incorrect Access Control due to Login Credential Leakage via Audit Entries.

Published CVE numbers:

*   https://www.cve.org/CVERecord?id=CVE-2023-47312
    
*   https://nvd.nist.gov/vuln/detail/CVE-2023-47312
    

Headwind MDM Web panel 5.22.1 is vulnerable to Incorrect Access Control due to Login Credential Leakage via Audit Entries.

The Audit plugin provides a detailed list of the web panel’s operations. When a configuration is updated, the set password is stored in an audit entry and returned without being masked. Due to the missing permission control, the audit plugin may not be accessible to lower-level users.

**Exploitation’s steps**

Authentication: Required (low-level user access is enough)

*   Due to the vulnerability of CVE-2023-47316, even low-level users can access the Functions tab and the menu item _Audit_ under this tab.​
    

Accessible Audit function

*   Users can retrieve all details belonging to the given log entry by clicking the search icon.
    

Password property contains a plaintext password to the given configuration

*   Affected API call: /rest/plugins/audit/private/log/search (POST)

CVE-2023-47312: CVE-2023-47312 – Headwind MDM Web panel 5.22.1 – Login Credential Leakage via Audit Entries - Boltonshield

Headwind MDM Web panel 5.22.1 is vulnerable to Incorrect Access Control. The Web panel allows users to gain access to potentially sensitive API calls such as listing users and their data, file management API calls and audit-related API calls.

Published CVE numbers:

*   https://www.cve.org/CVERecord?id=CVE-2023-47316
    
*   https://nvd.nist.gov/vuln/detail/CVE-2023-47316
    

Headwind MDM Web panel 5.22.1 is vulnerable to Incorrect Access Control. The Web panel allows users to gain access to potentially sensitive API calls such as listing users and their data, file management API calls and audit-related API calls.

**Exploitation’s steps**

Authentication: Required (A low-level user access is enough)

*   Login to the web panel with the low-level user
    
*   By modifying the cookie _user_ so that the _superadmin_ property is set to _True,_ the user interface will show sensitive functions such as user management, file upload, and audit-related functions. These functions are not supposed to be accessible to low-level users. It is important to note that mostly only API calls using GET method can be called this way with the permission of a low-level user. The only exception is the file add function (/rest/private/web-ui-files POST).
    

Available functions before modifying the user cookie

Available functions after changing the user cookie

​

Setting up an attacker proxy like Burp to intercept outgoing HTTP requests and modify them (if it is needed)

*   By uploading files, attackers may be able to exploit other vulnerabilities; By retrieving the audit function, attackers may learn sensitive information, including login credentials; By retrieving the users’ list, attackers may be able to get the authToken of other users and to get the password reset token (in case the password reset feature is enabled)
    
*   Important note: This vulnerability may aid attackers in exploiting other issues, such as CVE-2023-47315, by allowing them to learn the _authToken_ of other users.

CVE-2023-47316: CVE-2023-47316 – Headwind MDM Web panel 5.22.1 – Missing Permission Control - Boltonshield

Headwind MDM Web panel 5.22.1 is vulnerable to Cross Site Scripting (XSS) via Uncontrolled File Upload.

Published CVE numbers:

*   https://www.cve.org/CVERecord?id=CVE-2023-47314
    
*   https://nvd.nist.gov/vuln/detail/CVE-2023-47314
    

Headwind MDM Web panel 5.22.1 is vulnerable to cross-site scripting (XSS).

The file upload function allows APK and arbitrary files to be uploaded. By exploiting this issue, attackers may upload HTML files and share the download URL pointing to these files with the victims. As the file download function returns the file in inline mode, the victim’s browser will immediately render the content of the HTML file as a web page. As a result, the uploaded client-side code will be evaluated and executed in the victim’s browser, allowing attackers to perform common XSS attacks.

**Exploitation’s steps**

Authentication: Required (a low-level access is enough)

*   Due to the vulnerability CVE-2023-47316, even low-level users can access the tab _Files_
    
*   Uploading an HTML file with arbitrary content by using the add file function under the tab _Files_
    

Uploading an HTML file using the Add file function​

Uploading an HTML file

   

*   Intercepting/modifying the outgoing HTTP requests is not necessary
    
*   The uploaded file can be downloaded by using the following URL: https://{server-address}/files/{original-name-of-the-uploaded-file}
    

HTML file can be rendered

​

*   The above URL is accessible even for unauthenticated users

CVE-2023-47314: CVE-2023-47314 – Headwind MDM Web panel 5.22.1 – XSS via Uncontrolled File Upload - Boltonshield

Headwind MDM Web panel 5.22.1 is vulnerable to Directory Traversal.

Published CVE numbers:

*   https://www.cve.org/CVERecord?id=CVE-2023-47313
    
*   https://nvd.nist.gov/vuln/detail/CVE-2023-47313
    

Headwind MDM Web panel 5.22.1 is vulnerable to Directory Traversal. The application uses an API call to move the uploaded temporary file to the file directory during the file upload process. This API call receives two input parameters, such as path and localPath. The first one refers to the temporary file with an absolute path without validating it. Attackers may modify this API call by referring to arbitrary files. As a result, arbitrary files can be moved to the files directory and so they can be downloaded.

**Exploitation’s steps**

Authentication: Required (a low-level user access is enough)

*   due the vulnerability CVE-2023-47316 even low-level users can access the file-management function
    
*   setting up an attacker proxy like burp to intercept and to modify outgoing HTTP requests
    
*   Adding a file with an arbitrary filename and content and intercepting the outgoing HTTP requests
    
*   The first request just uploads the file in binary format. It is not needed to modify it.
    
*   The second request (/rest/private/web-ui-files/move POST) is the one to be modified as this one moves the uploaded file from the temporary location to the files directory located under the web root. Attackers can modify the _path_ parameter according to what they want to retrieve.
    

Moving the /etc/hosts file to the files directory

​​

Hosts file can be downloaded

   

​

CVE-2023-47313: CVE-2023-47313 – Headwind MDM Web panel 5.22.1 – File Reading via Uncontrolled File Operation - Boltonshield

Headwind MDM Web panel 5.22.1 is vulnerable to Incorrect Access Control due to a hard-coded JWT Secret.

Published CVE numbers:

*   https://www.cve.org/CVERecord?id=CVE-2023-47315
*   https://nvd.nist.gov/vuln/detail/CVE-2023-47315

Headwind MDM Web panel 5.22.1 is vulnerable to Incorrect Access Control due to a hard-coded JWT Secret.

The secret is hardcoded into the source code available to anyone on Git Hub. This secret is used to sign the application’s JWT token and verify the incoming user-supplied tokens.

Hardcoded JWT secret

Affected URL to the source code:

*   https://github.com/h-mdm/hmdm-server/blob/master/jwt/src/main/java/com/hmdm/security/jwt/TokenProvider.java
    

By exploiting this issue, attackers may craft their own JWT tokens on behalf of arbitrary users.

JWT token structure:

 {  
   "sub": "<username>",  
   "token": "<authToken>",  
   "exp": <when\_expired\_in\_unix\_timestamp\>  
 }

**Exploitation’s steps**

Authentication: Required (A low-level user access is enough to obtain the authToken of the targeted user)

*   Getting a sample JWT token by calling the API endpoint of the target web panel instance /rest/public/jwt/login (POST).
    
*   Modifying the JWT token by setting the _sub_ parameter to _admin_ and the parameter _token_ to the current _authToken_ of the admin user, then signing the JWT token with the hardcoded secret. Important note: due to an authorization issue affecting the web panel (CVE-2023-47316), the _authToken_ of other users can also be retrieved even by a low-level user by calling the /rest/private/users/all (GET) API endpoint.
    

Crafting a new JWT token

   

*   Putting the crafted JWT token into the Authorization header of the HTTP request targeting the victim’s H-MDM web panel:
    

Using the crafted JWT token

​

CVE-2023-47315: CVE-2023-47315 – Headwind MDM Web panel 5.22.1 – Hardcoded JWT Secret - Boltonshield

Improper neutralization of livestatus command delimiters in ajax_search in Checkmk <= 2.0.0p39, < 2.1.0p37, and < 2.2.0p15 allows arbitrary livestatus command execution for authorized users.

Prior to this Werk it was possible to inject arbitrary livestatus commands to the core via the WebUI.

We found this vulnerability internally.

**Affected Versions**: \* 2.2.0 \* 2.1.0 \* 2.0.0

**Vulnerability Management**: We have rated the issue with a CVSS Score of 7.6 (High) with the following CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H. We assigned CVE-2023-6156 and CVE-2023-6157 to these vulnerabilities.

**Changes**: This Werk strips the relevant parameters of newlines.

To the list of all Werks

CVE-2023-6157: Livestatus Injections

Adobe recently patched two use-after-free vulnerabilities in its Acrobat PDF reader that Talos discovered, both of which could lead to arbitrary code execution.

Wednesday, November 22, 2023 12:00

Cisco Talos’ Vulnerability Research team recently worked with Adobe and Microsoft to patch multiple vulnerabilities in the Acrobat and Excel software, respectively, that could lead to arbitrary code execution. 

Talos also disclosed six vulnerabilities in the Weston Embedded µC-HTTP HTTP server implementation, some of which could also lead to code execution. 

For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.  

**Adobe Acrobat Reader use-after-free vulnerabilities **

_Discovered by Jaewon Min and Aleksandar Nikolic of Cisco Talos._ 

Adobe recently patched two use-after-free vulnerabilities in its Acrobat PDF reader that Talos discovered, both of which could lead to arbitrary code execution. Acrobat is one of the most popular PDF readers currently available, especially in the U.S., and many browsers utilize an Acrobat plugin. This means an attacker could trick a user into opening a specially crafted, malicious file in the browser as a file or tricking them into opening it in the desktop application. 

a TALOS-2023-1794 (CVE-2023-44336) exists in the Thermometer JavaScript object in Acrobat Reader. An attacker who exploits this vulnerability could use specially crafted JavaScript code to cause a use-after-free vulnerability, which can lead to memory corruption and arbitrary code execution. 

TALOS-2023-1842 (CVE-2023-44372) works in the same way, but in this case, the vulnerability affects the page event processing in Acrobat Reader. 

**Arbitrary code execution vulnerability in Microsoft Excel **

_Discovered by Marcin “Icewall” Noga of Cisco Talos._ 

Talos discovered a vulnerability in Microsoft Office Professional Plus 2019 (specifically the spreadsheet creation software Excel) that could lead to arbitrary code execution. 

Microsoft patched this vulnerability, CVE-2023-36041 (TALOS-2023-1835), as part of its monthly security update earlier this month. 

This use-after-free vulnerability exists in the ElementType attribute parsing in Microsoft Office Professional Plus 2019 Excel and could allow an attacker to execute remote code on the targeted machine. An adversary would need to trick the targeted user into opening a specially crafted Excel spreadsheet to exploit this vulnerability. 

**6 vulnerabilities in open-source embedded operating system **

_Discovered by Kelly Patterson of Cisco Talos._ 

Cisco Talos recently discovered multiple vulnerabilities in Weston Embedded µC-HTTP, the open-source embedded HTTP server and client module for µC/TCP-IP. µC/TCP-IP is an embedded operating system first developed by Micrium, and is now maintained by Weston Embedded Solutions. 

TALOS-2023-1732 (CVE-2023-28391), TALOS-2023-1738 (CVE-2023-28379) and TALOS-2023-1746 (CVE-2023-31247) are memory corruption vulnerabilities that could lead to arbitrary code execution on the targeted device. An adversary could exploit these vulnerabilities by sending a specially crafted packet. There are various mitigation options for these issues, as outlined in Talos’ advisories, that can prevent the exploitation of these vulnerabilities. 

TALOS-2023-1726 (CVE-2023-25181) and TALOS-2023-1733 (CVE-2023-27882) both also lead to code execution, but in these cases, are caused by buffer overflows in the operating system triggered by a specially crafted packet. 

There is also TALOS-2023-1725 (CVE-2023-24585), an out-of-bounds write vulnerability that could lead to memory corruption. This vulnerability occurs when parsing the method of an HTTP request and could lead to heap corruption.

Tag

#web