• chevron_right

      Ivanti warns of critical vulnerability in its popular line of endpoint protection software

      news.movim.eu / ArsTechnica · Friday, 5 January - 22:33 · 1 minute

    Ivanti warns of critical vulnerability in its popular line of endpoint protection software

    Enlarge

    Software maker Ivanti is urging users of its end-point security product to patch a critical vulnerability that makes it possible for unauthenticated attackers to execute malicious code inside affected networks.

    The vulnerability, in a class known as a SQL injection , resides in all supported versions of the Ivanti Endpoint Manager . Also known as the Ivanti EPM, the software runs on a variety of platforms, including Windows, macOS, Linux, Chrome OS, and Internet of Things devices such as routers. SQL injection vulnerabilities stem from faulty code that interprets user input as database commands or, in more technical terms, from concatenating data with SQL code without quoting the data in accordance with the SQL syntax. CVE-2023-39366, as the Ivanti vulnerability is tracked, carries a severity rating of 9.6 out of a possible 10.

    “If exploited, an attacker with access to the internal network can leverage an unspecified SQL injection to execute arbitrary SQL queries and retrieve output without the need for authentication,” Ivanti officials wrote Friday in a post announcing the patch availability. “This can then allow the attacker control over machines running the EPM agent. When the core server is configured to use SQL express, this might lead to RCE on the core server.”

    Read 11 remaining paragraphs | Comments

    • chevron_right

      Millions still haven’t patched Terrapin SSH protocol vulnerability

      news.movim.eu / ArsTechnica · Wednesday, 3 January - 21:49 · 1 minute

    Millions still haven’t patched Terrapin SSH protocol vulnerability

    Enlarge (credit: Getty Images)

    Roughly 11 million Internet-exposed servers remain susceptible to a recently discovered vulnerability that allows attackers with a foothold inside affected networks. Once they're in, attackers compromise the integrity of SSH sessions that form the lynchpin for admins to securely connect to computers inside the cloud and other sensitive environments.

    Terrapin, as the vulnerability has been named, came to light two weeks ago in a research paper published by academic researchers. Tracked as CVE-2023-48795, the attack the researchers devised works when attackers have an adversary-in-the-middle attack (also abbreviated as AitM and known as man-in-the-middle or MitM), such as when they’re positioned on the same local network and can secretly intercept communications and assume the identity of both the recipient and the sender.

    In those instances, Terrapin allows attackers to alter or corrupt information transmitted in the SSH data stream during the handshake—the earliest connection stage, when the two parties negotiate the encryption parameters they will use to establish a secure connection. As such, Terrapin represents the first practical cryptographic attack targeting the integrity of the SSH protocol itself. It works by targeting BPP ( Binary Packet Protocol), which is designed to ensure AitMs can’t add or drop messages exchanged during the handshake. This prefix truncation attack works when implementations support either the "ChaCha20-Poly1305" or "CBC with Encrypt-then-MAC," cipher modes, which, at the time the paper was published, was found in 77 percent of SSH servers.

    Read 8 remaining paragraphs | Comments

    • chevron_right

      “This vulnerability is now under mass exploitation.” Citrix Bleed bug bites hard

      news.movim.eu / ArsTechnica · Monday, 30 October - 21:39

    “This vulnerability is now under mass exploitation.” Citrix Bleed bug bites hard

    Enlarge (credit: Getty Images)

    A vulnerability that allows attackers to bypass multifactor authentication and access enterprise networks using hardware sold by Citrix is under mass exploitation by ransomware hackers despite a patch being available for three weeks.

    Citrix Bleed, the common name for the vulnerability, carries a severity rating of 9.4 out of a possible 10, a relatively high designation for a mere information-disclosure bug. The reason: the information disclosed can include session tokens, which the hardware assigns to devices that have already successfully provided credentials, including those providing MFA. The vulnerability, tracked as CVE-2023-4966 and residing in Citrix’s NetScaler Application Delivery Controller and NetScaler Gateway, has been under active exploitation since August . Citrix issued a patch on October 10.

    Repeat: This is not a drill

    Attacks have only ramped up recently, prompting security researcher Kevin Beaumont on Saturday to declare : “This vulnerability is now under mass exploitation.” He went on to say, “From talking to multiple organizations, they are seeing widespread exploitation.”

    Read 7 remaining paragraphs | Comments

    • chevron_right

      With 0-days hitting Chrome, iOS, and dozens more this month, is no software safe?

      news.movim.eu / ArsTechnica · Wednesday, 13 September - 22:11

    The phrase Zero Day can be spotted on a monochrome computer screen clogged with ones and zeros.

    Enlarge (credit: Getty Images )

    End users, admins, and researchers better brace yourselves: The number of apps being patched for zero-day vulnerabilities has skyrocketed this month and is likely to get worse in the following weeks.

    People have worked overtime in recent weeks to patch a raft of vulnerabilities actively exploited in the wild, with offerings from Apple, Microsoft, Google, Mozilla, Adobe, and Cisco all being affected since the beginning of the month. The total number of zero-days in September so far is 10, compared with a total of 60 from January through August, according to security firm Mandiant. The company tracked 55 zero-days in 2022 and 81 in 2021.

    The number of zero-days tracked this month is considerably higher than the monthly average this year. A sampling of the affected companies and products includes iOS and macOS, Windows, Chrome, Firefox, Acrobat and Reader, the Atlas VPN, and Cisco’s Adaptive Security Appliance Software and its Firepower Threat Defense. The number of apps is likely to grow because a single vulnerability that allows hackers to execute malicious code when users open a booby-trapped image included in a message or web page is present in possibly hundreds of apps.

    Read 9 remaining paragraphs | Comments

    • chevron_right

      WinRAR 0-day that uses poisoned JPG and TXT files under exploit since April

      news.movim.eu / ArsTechnica · Wednesday, 23 August, 2023 - 19:34

    Photograph depicts a security scanner extracting virus from a string of binary code. Hand with the word "exploit"

    Enlarge (credit: Getty Images)

    A newly discovered zeroday in the widely used WinRAR file-compression program has been under exploit for four months by unknown attackers who are using it to install malware when targets open booby-trapped JPGs and other innocuous inside file archives.

    The vulnerability, residing in the way WinRAR processes the ZIP file format, has been under active exploit since April in securities trading forums, researchers from security firm Group IB reported Wednesday . The attackers have been using the vulnerability to remotely execute code that installs malware from families including DarkMe, GuLoader, and Remcos RAT.

    From there, the criminals withdraw money from broker accounts. The total amount of financial losses and total number of victims infected is unknown, although Group-IB said it has tracked at least 130 individuals known to have been compromised. WinRAR developers fixed the vulnerability, tracked as CVE-2023-38831, earlier this month.

    Read 10 remaining paragraphs | Comments

    • chevron_right

      “Downfall” bug affects years of Intel CPUs, can leak encryption keys and more

      news.movim.eu / ArsTechnica · Wednesday, 9 August, 2023 - 19:12

    An 8th-generation Intel Core desktop CPU, one of several CPU generations affected by the Downfall bug.

    Enlarge / An 8th-generation Intel Core desktop CPU, one of several CPU generations affected by the Downfall bug. (credit: Mark Walton)

    It's a big week for CPU security vulnerabilities. Yesterday, different security researchers published details on two different vulnerabilities, one affecting multiple generations of Intel processors and another affecting the newest AMD CPUs. " Downfall " and " Inception " (respectively) are different bugs, but both involve modern processors' extensive use of speculative execution (a la the original Meltdown and Spectre bugs ), both are described as being of "medium" severity, and both can be patched either with OS-level microcode updates or firmware updates with fixes incorporated.

    AMD and Intel have both already released OS-level microcode software updates to address both issues. Both companies have also said that they're not aware of any active in-the-wild exploits of either vulnerability. Consumer, workstation, and server CPUs are all affected, making patching particularly important for server administrators.

    It will be up to your PC, server, or motherboard manufacturer to release firmware updates with the fixes after Intel and AMD make them available.

    Read 13 remaining paragraphs | Comments

    • chevron_right

      Zyxel users still getting hacked by DDoS botnet emerge as public nuisance No. 1

      news.movim.eu / ArsTechnica · Friday, 21 July, 2023 - 18:51

    Cartoon image of a desktop computer under attack from viruses.

    Enlarge (credit: Aurich Lawson / Ars Technica )

    Organizations that have yet to patch a 9.8-severity vulnerability in network devices made by Zyxel have emerged as public nuisance No. 1 as a sizable number of them continue to be exploited and wrangled into botnets that wage DDoS attacks.

    Zyxel patched the flaw on April 25. Five weeks later, Shadowserver, an organization that monitors Internet threats in real time, warned that many Zyxel firewalls and VPN servers had been compromised in attacks that showed no signs of stopping. The Shadowserver assessment at the time was: “If you have a vulnerable device exposed, assume compromise .”

    On Wednesday—12 weeks since Zyxel delivered a patch and seven weeks since Shadowserver sounded the alarm—security firm Fortinet published research reporting a surge in exploit activity being carried out by multiple threat actors in recent weeks. As was the case with the active compromises Shadowserver reported, the attacks came overwhelmingly from variants based on Mirai, an open source application hackers use to identify and exploit common vulnerabilities in routers and other Internet of Things devices.

    Read 8 remaining paragraphs | Comments

    • chevron_right

      Exploited 0-days, an incomplete fix, and a botched disclosure: Infosec snafu reigns

      news.movim.eu / ArsTechnica · Tuesday, 18 July, 2023 - 20:22

    Photograph depicts a security scanner extracting virus from a string of binary code. Hand with the word "exploit"

    Enlarge (credit: Getty Images)

    Organizations big and small are once again scrambling to patch critical vulnerabilities that are already under active exploitation and cause the kind of breaches coveted by ransomware actors and nation-state spies.

    The exploited vulnerabilities—one in Adobe ColdFusion and the other in various Citrix NetScaler products—allow for the remote execution of malicious code. Citrix on Tuesday patched the vulnerabilities, but not before threat actors exploited them . The most critical vulnerability, tracked as CVE-2023-3519, lurks in Citrix’s NetScaler ADC and NetScaler Gateway products. It carries a severity rating of 9.8 out of a possible 10 because it allows hackers to execute code remotely with no authentication required.

    “This product line is a popular target for attackers of all skill levels, and we expect that exploitation will increase quickly,” researchers from Rapid7, the security firm that detected the attacks, warned Tuesday .

    Read 7 remaining paragraphs | Comments

    • chevron_right

      Critical Windows code-execution vulnerability went undetected until now

      news.movim.eu / ArsTechnica · Monday, 19 December, 2022 - 18:46

    Skull and crossbones in binary code

    Enlarge (credit: Getty Images )

    Researchers recently discovered a Windows code-execution vulnerability that has the potential to rival EternalBlue, the name of a different Windows security flaw used to detonate WannaCry, the ransomware that shut down computer networks across the world in 2017.

    Like EternalBlue, CVE-2022-37958, as the latest vulnerability is tracked, allows attackers to execute malicious code with no authentication required. Also, like EternalBlue, it’s wormable, meaning that a single exploit can trigger a chain reaction of self-replicating follow-on exploits on other vulnerable systems. The wormability of EternalBlue allowed WannaCry and several other attacks to spread across the world in a matter of minutes with no user interaction required.

    But unlike EternalBlue, which could be exploited when using only the SMB, or server message block, a protocol for file and printer sharing and similar network activities, this latest vulnerability is present in a much broader range of network protocols, giving attackers more flexibility than they had when exploiting the older vulnerability.

    Read 6 remaining paragraphs | Comments