USN-5370-1: Firefox vulnerabilities

Read Time:38 Second

Multiple security issues were discovered in Firefox. If a user were
tricked into opening a specially crafted website, an attacker could
potentially exploit these to cause a denial of service, execute script
unexpectedly, obtain sensitive information, conduct spoofing attacks,
or execute arbitrary code. (CVE-2022-1097, CVE-2022-24713, CVE-2022-28281,
CVE-2022-28282, CVE-2022-28284, CVE-2022-28285, CVE-2022-28286,
CVE-2022-28288, CVE-2022-28289)

A security issue was discovered with the sourceMapURL feature of devtools.
An attacker could potentially exploit this to include local files that
should have been inaccessible. (CVE-2022-28283)

It was discovered that selecting text caused Firefox to crash in some
circumstances. An attacker could potentially exploit this to cause a
denial of service. (CVE-2022-28287)

Read More

VMware Patches Multiple Vulnerabilities in Workspace ONE, Identity and Lifecycle Manager and vRealize (VMSA-2022-0011)

Read Time:3 Minute, 10 Second

VMware cautions organizations to patch or mitigate several serious vulnerabilities across multiple products.

Background

On April 6, VMware published an advisory (VMSA-2022-0011) addressing eight vulnerabilities across a number of VMware products:

CVE
Description
CVSSv3

CVE-2022-22954
Server-side Template Injection Remote Code Execution Vulnerability
9.8

CVE-2022-22955
OAuth2 ACS Authentication Bypass Vulnerability
9.8

CVE-2022-22956
OAuth2 ACS Authentication Bypass Vulnerability
9.8

CVE-2022-22957
JDBC Injection Remote Code Execution Vulnerability
9.1

CVE-2022-22958
JDBC Injection Remote Code Execution Vulnerability
9.1

CVE-2022-22959
Cross SIte Request Forgery Vulnerability
8.8

CVE-2022-22960
Local Privilege Escalation Vulnerability
7.8

CVE-2022-22961
Information Disclosure Vulnerability
5.3

Affected products include:

VMware Workspace ONE Access (Access)
VMware Identity Manager (vIDM)
VMware vRealize Automation (vRA)
VMware Cloud Foundation
vRealize Suite Lifecycle Manager

All eight vulnerabilities were disclosed to VMware by Steven Seeley, a security researcher with Qihoo 360 Vulnerability Research Institute.

Analysis

CVE-2022-22954 is a server-side template injection vulnerability in the VMware Workspace ONE Access and Identity Manager. This vulnerability was assigned a CVSSv3 score of 9.8. An unauthenticated attacker with network access could exploit this vulnerability by sending a specially crafted request to a vulnerable VMware Workspace ONE or Identity Manager. Successful exploitation could result in remote code execution by exploiting a server-side template injection flaw.

CVE-2022-22955 and CVE-2022-22956 are a pair of authentication bypass vulnerabilities in the OAuth 2.0 Access Control Services (ACS) framework within VMware Workspace ONE. Both of these vulnerabilities were assigned a CVSSv3 score of 9.8. An unauthenticated attacker could send specially crafted requests to vulnerable and exposed OAuth2.0 endpoints in VMware Workspace ONE in order to successfully authenticate to the Workspace ONE instance.

These three vulnerabilities are the only ones patched in this advisory that do not require authentication prior to exploitation. The remaining five do, and as such, have been assigned lower CVSSv3 scores.

Russian state-sponsored actors have targeted VMware Workspace ONE in the past

In December 2020, the National Security Agency revealed that Russian state-sponsored threat actors had exploitedCVE-2020-4006, a command injection flaw in the administrative configurator component across a number of VMware products including Workspace ONE Access, Identity Manager, Cloud Foundation and vRealize Suite Lifecycle Manager.

While the vulnerabilities in VMSA-2022-0011 were addressed as part of a coordinated disclosure, attackers do routinely target legacy vulnerabilities.

Proof of concept

At the time this blog post was published, no proof-of-concept exploits had been shared for any of the vulnerabilities.

Solution

VMware released patches for the vulnerabilities in the following affected products:

Product/Component
Affected Versions

VMware Workspace ONE Access Appliance
21.08.0.1, 21.08.0.0, 20.10.0.1, 20.10.0.0

VMware Identity Manager Appliance
3.3.3, 3.3.4, 3.3.5, 3.3.6

VMware vRealize Automation
7.6

VMware urges organizations to take immediate action

As part of an FAQ document for VMSA-2022-0011, VMware has stressed that these vulnerabilities “should be patched or mitigated immediately” and that the “ramifications” are “serious.” If patching these flaws is not feasible, VMware has also shared workaround instructions as a temporary solution, but states that patching is the only way to remove these flaws entirely

Identifying affected systems

A list of Tenable plugins to identify these vulnerabilities will appear here as they’re released.

Get more information

VMWare Advisory: VMSA-2022-0011
VMware VMSA-2022-0011 FAQ
Workaround Instructions for VMSA-2022-0011

Join Tenable’s Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 30-day trial of Tenable.io Vulnerability Management.

Read More

CrowdStrike and Mandiant form strategic partnership to protect organizations against cyber threats

Read Time:25 Second

Cybersecurity vendors CrowdStrike and Mandiant have announced a strategic partnership to help joint customers investigate, remediate and defend against increasingly sophisticated cybersecurity events. In the collaboration, Mandiant will use the CrowdStrike Falcon endpoint protection platform and subscription offerings for its incident response services and proactive consulting engagements, the firms said in a press release. Furthermore, the Mandiant Managed Defense offering intends to include support for customers leveraging the Falcon platform later this year.

To read this article in full, please click here

Read More

libbson-1.3.5-7.el7

Read Time:17 Second

FEDORA-EPEL-2022-14d598751d

Packages in this update:

libbson-1.3.5-7.el7

Update description:

This release prevents from a memory corruption when dealing with a too large (larger than a half of a address space) JSON documents. The prevention results in terminating the offended process. The same meassure which libbson triggers on a memory exhaustion.

Read More

US Disrupts Russian Botnet

Read Time:59 Second

The Justice Department announced the disruption of a Russian GRU-controlled botnet:

The Justice Department today announced a court-authorized operation, conducted in March 2022, to disrupt a two-tiered global botnet of thousands of infected network hardware devices under the control of a threat actor known to security researchers as Sandworm, which the U.S. government has previously attributed to the Main Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation (the GRU). The operation copied and removed malware from vulnerable internet-connected firewall devices that Sandworm used for command and control (C2) of the underlying botnet. Although the operation did not involve access to the Sandworm malware on the thousands of underlying victim devices worldwide, referred to as “bots,” the disabling of the C2 mechanism severed those bots from the Sandworm C2 devices’ control.

The botnet “targets network devices manufactured by WatchGuard Technologies Inc. (WatchGuard) and ASUSTek Computer Inc. (ASUS).” And note that only the command-and-control mechanism was disrupted. Those devices are still vulnerable.

The Justice Department made a point that they did this before the botnet was used for anything offensive.

Four more news articles. Slashdot post.

Read More