Tick APT Group Hacked East Asian DLP Software Firm

The attackers breached the DLP vendor’s internal update servers and used them to deliver malware within its network

Drupal core – Moderately critical – Access bypass – SA-CORE-2023-004

Project: Drupal core
Date: 
2023-March-15
Vulnerability: 
Access bypass
Affected versions: 
<7.95 || >=8.0.0 <9.4.12 || >=9.5.0 <9.5.5 || >=10.0.0 <10.0.5
Description: 

Drupal core provides a page that outputs the markup from phpinfo() to assist with diagnosing PHP configuration.

If an attacker were able to achieve an XSS exploit against a privileged user, they may be able to use the phpinfo page to access sensitive information (PHP configuration values and environment details) that could be used to escalate the attack.

This vulnerability is mitigated by the fact that a successful XSS exploit is required in order to exploit it.

Solution: 

Install the latest version:

If you are using Drupal 10.0, update to Drupal 10.0.5.
If you are using Drupal 9.5, update to Drupal 9.5.5.
If you are using Drupal 9.4, update to Drupal 9.4.12.
If you are using Drupal 7, update to Drupal 7.95.

All versions of Drupal 9 prior to 9.4.x are end-of-life and do not receive security coverage. Note that Drupal 8 has reached its end of life.

Reported By: 
Fixed By: 
Damien McKenna of the Drupal Security Team
Elar Lang
Lee Rowlands of the Drupal Security Team
Alex Bronstein of the Drupal Security Team
Joseph Zhao Provisional Member of the Drupal Security Team
Drew Webber of the Drupal Security Team
Jen Lampton Provisional Member of the Drupal Security Team
Nate Lampton
Greg Knaddison of the Drupal Security Team

Drupal core – Moderately critical – Information Disclosure – SA-CORE-2023-003

Project: Drupal core
Date: 
2023-March-15
Vulnerability: 
Information Disclosure
Affected versions: 
>=8.0.0 <9.4.12 || >=9.5.0 <9.5.5 || >=10.0.0 <10.0.5
Description: 

The language module provides a Language switcher block which can be placed to provide links to quickly switch between different languages.

The URL of unpublished translations may be disclosed. When used in conjunction with a module like Pathauto, this may reveal the title of unpublished content.

This advisory is not covered by Drupal Steward.

Solution: 

Install the latest version:

If you are using Drupal 10.0, update to Drupal 10.0.5.
If you are using Drupal 9.5, update to Drupal 9.5.5.
If you are using Drupal 9.4, update to Drupal 9.4.12.

All versions of Drupal 9 prior to 9.4.x are end-of-life and do not receive security coverage. Note that Drupal 8 has reached its end of life.

Drupal 7 core does not include the Language module and therefore is not affected. The contributed modules for translation do not have the same code for language-switching links, so they are not affected, either.

Reported By: 
Fixed By: 
Jan Kellermann
Lee Rowlands of the Drupal Security Team
Greg Knaddison of the Drupal Security Team
Benji Fisher of the Drupal Security Team
Jess of the Drupal Security Team
Sascha Grossenbacher
Neil Drumm of the Drupal Security Team
Dave Long of the Drupal Security Team

Drupal core – Moderately critical – Information Disclosure – SA-CORE-2023-002

Project: Drupal core
Date: 
2023-March-15
Vulnerability: 
Information Disclosure
Affected versions: 
>=8.0.0 <9.4.12 || >=9.5.0 <9.5.5 || >=10.0.0 <10.0.5
Description: 

The Media module does not properly check entity access in some circumstances. This may result in users seeing thumbnails of media items they do not have access to, including for private files.

This release was coordinated with SA-CONTRIB-2023-010.

This advisory is not covered by Drupal Steward.

Solution: 

Install the latest version:

If you are using Drupal 10.0, update to Drupal 10.0.5.
If you are using Drupal 9.5, update to Drupal 9.5.5.
If you are using Drupal 9.4, update to Drupal 9.4.12.

All versions of Drupal 9 prior to 9.4.x are end-of-life and do not receive security coverage. Note that Drupal 8 has reached its end of life.

Drupal 7 core does not include the Media Library module and therefore is not affected.

Reported By: 
Fixed By: 
Lee Rowlands of the Drupal Security Team
James Williams
Jess of the Drupal Security Team
Dave Long of the Drupal Security Team
Dan Flanagan
Jen Lampton Provisional Member of the Drupal Security Team
Joseph Zhao Provisional Member of the Drupal Security Team
Benji Fisher of the Drupal Security Team

USN-5957-1: LibreCAD vulnerabilities

Cody Sixteen discovered that LibreCAD incorrectly
handled memory when parsing DXF files. An attacker could
use this issue to cause LibreCAD to crash, leading to a
denial of service. This issue only affected
Ubuntu 16.04 ESM and Ubuntu 18.04 ESM. (CVE-2018-19105)

Lilith of Cisco Talos discovered that LibreCAD incorrectly
handled memory when parsing DWG files. An attacker could
use this issue to cause LibreCAD to crash, leading to a
denial of service, or possibly execute arbitrary code.
(CVE-2021-21898, CVE-2021-21899)

Lilith of Cisco Talos discovered that LibreCAD incorrectly
handled memory when parsing DRW files. An attacker could
use this issue to cause LibreCAD to crash, leading to a
denial of service, or possibly execute arbitrary code.
(CVE-2021-21900)

Albin Eldstål-Ahrens discovered that LibreCAD incorrectly
handled memory when parsing JWW files. An attacker could
use this issue to cause LibreCAD to crash, leading to a
denial of service, or possibly execute arbitrary code.
(CVE-2021-45341, CVE-2021-45342)

Albin Eldstål-Ahrens discovered that LibreCAD incorrectly
handled memory when parsing DXF files. An attacker could
use this issue to cause LibreCAD to crash, leading to a
denial of service. (CVE-2021-45343)

Microsoft Patch Tuesday, March 2023 Edition

Microsoft on Tuesday released updates to quash at least 74 security bugs in its Windows operating systems and software. Two of those flaws are already being actively attacked, including an especially severe weakness in Microsoft Outlook that can be exploited without any user interaction.

The Outlook vulnerability (CVE-2023-23397) affects all supported versions of Microsoft Outlook for Windows from 2013 to the newest. Microsoft said it has seen evidence that attackers are exploiting this flaw, which can be done without any user interaction by sending a booby-trapped email that triggers automatically when it is retrieved and processed by the Outlook client, before the message is even viewed in the Preview Pane.

While CVE-2023-23397 is labeled as an “Elevation of Privilege” vulnerability, that label doesn’t accurately reflect its severity, said Kevin Breen, director of cyber threat research at Immersive Labs.

The flaw makes Outlook connect to an attacker-controlled SMB server and authenticate with the victim’s Net-NTLMv2 response. That value is not the stored password hash used in a “Pass The Hash” attack, but it can be relayed to other services that accept NTLM authentication (an NTLM relay attack) or cracked offline to recover the user’s password.

“The vulnerability effectively lets the attacker authenticate as a trusted individual without having to know the person’s password,” Breen said. “This is on par with an attacker having a valid password with access to an organization’s systems.”

Security firm Rapid7 points out that this bug affects the Outlook desktop client (for example the version shipped with Microsoft 365 Apps for Enterprise), while Microsoft-hosted online services such as Outlook on the web in Microsoft 365 are not vulnerable.
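
The property the attacks abuse is the message’s reminder sound path (PidLidReminderFileParameter): when it points at a remote UNC or WebDAV location, Outlook fetches it and authenticates on the way. The triage routine below is an added example, not code from this article or from Microsoft; it assumes the property values have already been extracted from a mailbox or .msg files by some other tool, and the message list, the allow-listed host fileserver.corp.example and the 203.0.113.7 addresses are constructed for the demonstration.

```python
"""Triage Outlook items for CVE-2023-23397-style reminder properties (added example)."""
import ipaddress
from urllib.parse import urlsplit

# Hosts a reminder sound may legitimately be loaded from (assumed allow-list).
TRUSTED_HOSTS = {"fileserver.corp.example"}

# Constructed sample: subject plus the raw PidLidReminderFileParameter value
# (None when the property is absent, which is the normal case for mail).
SAMPLE_MESSAGES = [
    {"subject": "Team sync",          "reminder_file_parameter": None},
    {"subject": "Quarterly review",   "reminder_file_parameter": r"C:\Windows\Media\Alarm01.wav"},
    {"subject": "Invoice overdue",    "reminder_file_parameter": r"\\203.0.113.7\sounds\alert.wav"},
    {"subject": "Facilities notice",  "reminder_file_parameter": r"\\fileserver.corp.example\media\chime.wav"},
    {"subject": "Urgent: sign today", "reminder_file_parameter": r"\\203.0.113.7@80\dav\x.wav"},
    {"subject": "Newsletter",         "reminder_file_parameter": "file://203.0.113.7/share/ping.wav"},
]


def reminder_target_host(value):
    """Return the host Outlook would contact to fetch this reminder sound,
    or None when the path is local (drive letter, relative) or the property is unset."""
    if not value:
        return None
    v = value.strip()
    if v.startswith(("\\\\", "//")):
        # UNC path: \\host\share\file. WebDAV-style forms carry @SSL / @port
        # after the host (e.g. \\host@SSL@443\share), so cut those off as well.
        host = v.lstrip("\\/").replace("/", "\\").split("\\", 1)[0]
        return host.split("@", 1)[0].lower() or None
    if v.lower().startswith(("http://", "https://", "file://")):
        host = urlsplit(v).hostname
        return host.lower() if host else None
    return None


def is_ip_literal(host):
    """True for a bare IPv4/IPv6 address, the form seen in the in-the-wild lures."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def classify(value):
    """'local', 'trusted' or 'suspicious' for one PidLidReminderFileParameter value."""
    host = reminder_target_host(value)
    if host is None:
        return "local"
    if host in TRUSTED_HOSTS:
        return "trusted"
    return "suspicious"   # remote host outside the allow-list: Outlook would authenticate to it


def triage(messages):
    """Return [(subject, host, reason)] for every message that needs a closer look."""
    hits = []
    for m in messages:
        value = m.get("reminder_file_parameter")
        if classify(value) != "suspicious":
            continue
        host = reminder_target_host(value)
        reason = "ip-literal remote path" if is_ip_literal(host) else "untrusted remote host"
        hits.append((m["subject"], host, reason))
    return hits


if __name__ == "__main__":
    for subject, host, reason in triage(SAMPLE_MESSAGES):
        print(f"{subject!r}: reminder sound fetched from {host} ({reason})")
```

A hit means the item would have made Outlook authenticate to that host; treat the host as an indicator and the recipient’s credentials as exposed until the patch is confirmed installed and any relay or offline-cracking attempt has been ruled out.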

The other zero-day flaw being actively exploited in the wild — CVE-2023-24880 — is a “Security Feature Bypass” in Windows SmartScreen, part of Microsoft’s slate of endpoint protection tools.

Patch management vendor Action1 notes that the exploit for this bug is low in complexity and requires no special privileges. But it does require some user interaction, and can’t be used to gain access to private information or privileges. However, the flaw can allow other malicious code to run without being detected by SmartScreen reputation checks.

Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative, said CVE-2023-24880 allows attackers to create files that would bypass Mark of the Web (MOTW) defenses.

“Protective measures like SmartScreen and Protected View in Microsoft Office rely on MOTW, so bypassing these makes it easier for threat actors to spread malware via crafted documents and other infected files that would otherwise be stopped by SmartScreen,” Childs said.
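
The mark itself is small: on NTFS it is an INI-style alternate data stream named Zone.Identifier, and SmartScreen and Office Protected View only act when its ZoneId says the file came from the Internet or Restricted zone. The parser below is an added example (not code from the article, Microsoft or Trend Micro) that shows what those tools are reading; the sample stream and the example.test URLs are constructed, and read_zone_identifier() only works on Windows because the stream does not exist on other filesystems.

```python
"""Inspect the Mark of the Web (Zone.Identifier stream) of a file (added example)."""

ZONE_NAMES = {
    0: "Local Machine", 1: "Local Intranet", 2: "Trusted Sites",
    3: "Internet", 4: "Restricted Sites",
}

# Constructed: the stream a browser writes alongside a download from the Internet zone.
SAMPLE_STREAM = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://downloads.example.test/\r\n"
    "HostUrl=https://downloads.example.test/report.docx\r\n"
)


def parse_zone_identifier(text):
    """Parse the [ZoneTransfer] section; returns {'zone': int or None, 'fields': {...}}."""
    fields, section = {}, None
    for raw in (text or "").splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section == "ZoneTransfer" and "=" in line:
            key, val = line.split("=", 1)
            fields[key.strip()] = val.strip()
    zone = int(fields["ZoneId"]) if fields.get("ZoneId", "").isdigit() else None
    return {"zone": zone, "fields": fields}


def smartscreen_would_evaluate(text):
    """SmartScreen and Protected View act on Internet (3) and Restricted (4) zones only.
    A missing stream or a lower zone means the file is treated as local and opens
    without a reputation check, which is exactly what a MOTW bypass buys an attacker."""
    zone = parse_zone_identifier(text)["zone"]
    return zone is not None and zone >= 3


def read_zone_identifier(path):
    """Read the stream from an NTFS file (Windows only); None when no mark is present."""
    try:
        with open(f"{path}:Zone.Identifier", encoding="utf-8", errors="replace") as f:
            return f.read()
    except OSError:
        return None


if __name__ == "__main__":
    info = parse_zone_identifier(SAMPLE_STREAM)
    print(ZONE_NAMES.get(info["zone"], "unknown"), info["fields"].get("HostUrl"))
    print("SmartScreen would evaluate:", smartscreen_would_evaluate(SAMPLE_STREAM))
```

During an investigation, run read_zone_identifier() over the files in a user’s Downloads folder: a document that arrived from the Internet but carries no stream, or a ZoneId below 3, was never put in front of SmartScreen or Protected View at all.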

Seven other vulnerabilities Microsoft patched this week earned its most-dire “critical” severity label, meaning the updates address security holes that could be exploited to give the attacker full, remote control over a Windows host with little or no interaction from the user.

Also this week, Adobe released eight patches addressing a whopping 105 security holes across a variety of products, including Adobe Photoshop, ColdFusion, Experience Manager, Dimension, Commerce, Magento, Substance 3D Stager, Cloud Desktop Application, and Illustrator.

For a more granular rundown on the updates released today, see the SANS Internet Storm Center roundup. If today’s updates cause any stability or usability issues in Windows, AskWoody.com will likely have the lowdown on that.

Please consider backing up your data and/or imaging your system before applying any updates. And feel free to sound off in the comments if you experience any problems as a result of these patches.

USN-5956-1: PHPMailer vulnerabilities

Dawid Golunski discovered that PHPMailer was not properly escaping user
input data used as arguments to functions executed by the system shell. An
attacker could possibly use this issue to execute arbitrary code. This
issue only affected Ubuntu 16.04 ESM. (CVE-2016-10033, CVE-2016-10045)

It was discovered that PHPMailer was not properly escaping characters
in certain fields of the code_generator.php example code. An attacker
could possibly use this issue to conduct cross-site scripting (XSS)
attacks. This issue was only fixed in Ubuntu 16.04 ESM and Ubuntu 18.04
ESM. (CVE-2017-11503)

Yongxiang Li discovered that PHPMailer was not properly converting
relative paths provided as user input when adding attachments to messages,
which could lead to relative image URLs being treated as absolute local
file paths and added as attachments. An attacker could possibly use this
issue to access unauthorized resources and expose sensitive information.
This issue only affected Ubuntu 16.04 ESM. (CVE-2017-5223)

Sehun Oh discovered that PHPMailer was not properly processing untrusted
non-local file attachments, which could lead to an object injection. An
attacker could possibly use this issue to execute arbitrary code. This
issue only affected Ubuntu 16.04 ESM. (CVE-2018-19296)

Elar Lang discovered that PHPMailer was not properly escaping file
attachment names, which could lead to a misinterpretation of file types
by entities processing the message. An attacker could possibly use this
issue to bypass attachment filters. This issue was only fixed in Ubuntu
16.04 ESM and Ubuntu 20.04 ESM. (CVE-2020-13625)

It was discovered that PHPMailer was not properly handling callables in
its validateAddress function, which could result in untrusted code being
called should the global namespace contain a function called ‘php’. An
attacker could possibly use this issue to execute arbitrary code. This
issue was only fixed in Ubuntu 20.04 ESM and Ubuntu 22.04 ESM.
(CVE-2021-3603)
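
The first item above (CVE-2016-10033) and the phar-style attachment issue (CVE-2018-19296) are both input-validation failures at a trust boundary, and the shell one is worth seeing end to end. The Python below is an added example, not PHPMailer’s code and not part of the Ubuntu advisory: php_escapeshellcmd() is a rendering of the escaping PHP’s mail() applies to the extra sendmail parameters before running them through /bin/sh, and is_shell_safe() and is_permitted_path() are allow-list checks written in the spirit of PHPMailer’s later fixes rather than copies of them. The payload address is the published exploit shape; the file paths in it are constructed.

```python
"""Argument injection through a syntactically valid e-mail address (added example)."""
import re
import shlex

SENDMAIL = "/usr/sbin/sendmail"

# Characters PHP's escapeshellcmd() prefixes with a backslash.
_SHELL_META = set('&#;`|*?~<>^()[]{}$\\\n\xff')


def php_escapeshellcmd(s):
    """escapeshellcmd() escapes metacharacters but leaves a quote untouched when a
    matching quote of the same kind follows later in the string. That pairing rule,
    together with the doubling of backslashes, is what the payload below abuses."""
    out, pending = [], None          # pending: quote character waiting for its partner
    for i, c in enumerate(s):
        if c in ('"', "'"):
            if pending is None and c in s[i + 1:]:
                pending = c
            elif pending == c:
                pending = None
            else:
                out.append("\\")
            out.append(c)
        elif c in _SHELL_META:
            out.append("\\" + c)
        else:
            out.append(c)
    return "".join(out)


def vulnerable_sendmail_argv(sender):
    """Pre-fix data flow: the library formatted '-f<sender>', PHP's mail() escaped it with
    escapeshellcmd() and appended it to the sendmail command run via /bin/sh. Returns the
    argv the shell hands to sendmail (shlex models the shell's word splitting)."""
    extra = php_escapeshellcmd("-f" + sender)
    return shlex.split(f"{SENDMAIL} -t -i {extra}")


def is_shell_safe(s):
    """Allow only alphanumerics and @ _ - . in any value that reaches a command line."""
    return re.fullmatch(r"[A-Za-z0-9@_.-]+", s) is not None


def hardened_sendmail_argv(sender):
    """Post-fix shape: reject anything off the allow-list and build argv directly, so no
    shell ever parses the sender (pass the list to subprocess.run without shell=True)."""
    if not is_shell_safe(sender):
        raise ValueError(f"envelope sender rejected: {sender!r}")
    return [SENDMAIL, "-t", "-i", "-f" + sender]


def is_permitted_path(path):
    """Refuse attachment paths that carry a URL scheme: a phar:// path reaching
    file-system checks such as is_file() is the CVE-2018-19296 object-injection route."""
    return re.match(r"^[a-z][a-z0-9+.-]*://", path, re.IGNORECASE) is None


# Constructed payload: RFC 5321 permits a quoted local part, so an address validator
# accepts it, yet it smuggles sendmail options. -X makes sendmail write a verbose log of
# the whole transaction, message body included, to a path the attacker chooses.
PAYLOAD = '"attacker\\" -oQ/tmp/ -X/var/www/cache/phpcode.php  some"@email.com'

if __name__ == "__main__":
    print("vulnerable argv:", vulnerable_sendmail_argv(PAYLOAD))
    print("payload passes is_shell_safe:", is_shell_safe(PAYLOAD))
    print("hardened argv:  ", hardened_sendmail_argv("user@example.com"))
```

Walking the payload through php_escapeshellcmd() shows the trick: the first two double quotes are a pair and stay unescaped, the backslash before the second one is doubled and so no longer escapes it, and the shell therefore sees -oQ and -X as separate arguments. The allow-list is deliberately stricter than RFC 5321; quoted local parts are legal but have no business on a command line.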

Dell beefs up security portfolio with new threat detection and recovery tools

Dell Technologies has added a slew of in-house as well as partnered capabilities to its security portfolio in a bid to strengthen its offerings in areas including threat detection, security management, and incident response.

“Through ongoing innovation and a powerful ecosystem of partners, we’re committed to helping organizations protect against threats, withstand and recover from attacks and provide confidence that their environments are secure,” said Matt Baker, senior vice president, corporate strategy at Dell Technologies.

The added capabilities include a tiered upgrade to Dell’s managed detection and response (MDR) platform, partnered threat management with CrowdStrike’s Falcon, component verification for Dell’s commercial PCs, and an incident recovery solution.
