CISA Adds CVE-2020-5741 and CVE-2021-39144 to the Known Exploited Vulnerabilities Catalog


FortiGuard Labs is aware that the Cybersecurity & Infrastructure Security Agency (CISA) added CVE-2020-5741 (Plex Media Server remote code execution vulnerability) and CVE-2021-39144 (XStream remote code execution vulnerability) to its Known Exploited Vulnerabilities (KEV) catalog on March 10, 2023. The catalog lists vulnerabilities that are being actively exploited in the wild and requires federal agencies to apply patches by the due date.

Why is this Significant?

This is significant because both CVE-2020-5741 and CVE-2021-39144 were added to the KEV catalog on the basis of observed in-the-wild exploitation. Patches for both vulnerabilities should be applied as soon as possible.

What is CVE-2020-5741?

CVE-2020-5741 is a remote code execution (RCE) vulnerability in Plex Media Server version 1.19.2 and prior, caused by deserialization of untrusted data. Successful exploitation allows a remote, authenticated attacker to execute arbitrary Python code in the context of the application. Note that exploitation requires valid Plex credentials, so compromised or weak administrator accounts are the realistic entry point.

What is CVE-2021-39144?

CVE-2021-39144 is an insecure deserialization vulnerability in XStream, an open-source Java serialization library, in version 1.4.17 and prior. The library is bundled in VMware products including NSX Manager, which is how the issue reaches the KEV catalog. The vulnerability is due to insufficient restriction of the types XStream will instantiate from user-supplied input. A remote attacker could exploit this to execute arbitrary code in the context of the application by submitting a crafted XML document.

Have the Vendors Released a Patch for CVE-2020-5741 and CVE-2021-39144?

Yes. Patches for CVE-2020-5741 and CVE-2021-39144 are available. For CVE-2021-39144, upgrading the embedded product (for example NSX Manager) is required; the library cannot be patched independently inside a vendor appliance.

What is the Status of Protection?

FortiGuard Labs has the following IPS protection in place for CVE-2020-5741 and CVE-2021-39144:

Plex.Media.Server.Dict.File.Remote.Code.Execution (CVE-2020-5741)
VMWare.NSX.Manager.XStream.CVE-2021-39144.Deserialization (CVE-2021-39144)


CVE-2021-45423


A buffer overflow vulnerability exists in Pev 0.81 via the pe_exports function in exports.c. The array offsets_to_Names is dynamically allocated on the stack using exp->NumberOfFunctions as its size. However, the loop uses exp->NumberOfNames to iterate over it and set its elements, indexed by each name's ordinal. The loop code therefore assumes that exp->NumberOfFunctions is greater than the ordinal at each iteration, an assumption a crafted PE file can violate since both counts and the ordinals are read from the file. This can lead to arbitrary code execution.
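The bug pattern described above, as an added example that is not pev's code: a constructed export-table struct, the unchecked loop in the shape the advisory describes, and a bounded version that rejects crafted counts and ordinals. The type and function names (export_table_t, pe_exports_unsafe, pe_exports_safe, check_table, MAX_ENTRIES) and the sample tables are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for the IMAGE_EXPORT_DIRECTORY fields that matter here. A real
 * parser resolves AddressOfNames / AddressOfNameOrdinals through RVAs; this
 * example embeds the already-resolved arrays (constructed input, not a real PE). */
#define MAX_ENTRIES 8
typedef struct {
    uint32_t NumberOfFunctions;       /* size of the export address table: the valid ordinal range */
    uint32_t NumberOfNames;           /* number of named exports */
    uint16_t ordinals[MAX_ENTRIES];   /* AddressOfNameOrdinals: one (unbiased) ordinal per name */
    uint32_t name_rvas[MAX_ENTRIES];  /* AddressOfNames: one RVA per name */
} export_table_t;

/* The pattern the advisory describes (illustrative, NOT pev's code): the
 * scratch array is sized by NumberOfFunctions but indexed by ordinals taken
 * from a NumberOfNames-long loop, with no check that ordinal < NumberOfFunctions.
 * A crafted file makes this write past the end of a stack array (and, because
 * the VLA size is attacker-chosen, can also exhaust the stack). Never call
 * this with untrusted input; it exists only to contrast with the safe form. */
void pe_exports_unsafe(const export_table_t *exp)
{
    uint32_t offsets_to_Names[exp->NumberOfFunctions];  /* attacker-sized VLA */
    for (uint32_t i = 0; i < exp->NumberOfNames; i++) {
        uint16_t ordinal = exp->ordinals[i];
        offsets_to_Names[ordinal] = exp->name_rvas[i];  /* OOB when ordinal >= NumberOfFunctions */
    }
    printf("unsafe: wrote %u entries\n", exp->NumberOfNames);
}

/* Hardened form: bound every file-controlled count before it sizes a buffer
 * or drives a loop, and validate each ordinal against the function count.
 * Returns the number of names mapped, or -1 if the table is malformed. */
int pe_exports_safe(const export_table_t *exp, uint32_t *offsets_to_Names, size_t cap)
{
    if (exp->NumberOfFunctions == 0 || exp->NumberOfFunctions > cap)
        return -1;                                /* never size a buffer from an unchecked count */
    if (exp->NumberOfNames > MAX_ENTRIES)
        return -1;                                /* more names than the table can carry */
    for (size_t i = 0; i < exp->NumberOfFunctions; i++)
        offsets_to_Names[i] = 0;
    for (uint32_t i = 0; i < exp->NumberOfNames; i++) {
        uint16_t ordinal = exp->ordinals[i];
        if (ordinal >= exp->NumberOfFunctions)
            return -1;                            /* the check the unsafe loop lacks */
        offsets_to_Names[ordinal] = exp->name_rvas[i];
    }
    return (int)exp->NumberOfNames;
}

/* Convenience wrapper with its own bounded scratch buffer. */
int check_table(const export_table_t *exp)
{
    uint32_t scratch[MAX_ENTRIES];
    return pe_exports_safe(exp, scratch, MAX_ENTRIES);
}

/* Constructed sample tables (not taken from any real binary). */
const export_table_t benign_table = {
    .NumberOfFunctions = 3, .NumberOfNames = 2,
    .ordinals = {0, 2}, .name_rvas = {0x1000, 0x1010},
};
/* Crafted: two functions but four names, and ordinal 7 points past the array. */
const export_table_t crafted_table = {
    .NumberOfFunctions = 2, .NumberOfNames = 4,
    .ordinals = {0, 1, 7, 1}, .name_rvas = {0x1000, 0x1010, 0x1020, 0x1030},
};
/* Crafted: NumberOfNames larger than the table can hold at all. */
const export_table_t oversized_table = {
    .NumberOfFunctions = 4, .NumberOfNames = 1000,
};

int main(void)
{
    printf("benign:    %d\n", check_table(&benign_table));      /* 2 */
    printf("crafted:   %d\n", check_table(&crafted_table));     /* -1 */
    printf("oversized: %d\n", check_table(&oversized_table));   /* -1 */
    return 0;
}
```

The point of the safe version is that three separate values from the file (NumberOfFunctions, NumberOfNames and each ordinal) each need their own bound: capping only the loop count would still let a single large ordinal write out of bounds, and checking only ordinals would still let NumberOfFunctions size an arbitrarily large stack allocation.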


Dark Pink APT group linked to new KamiKakaBot attacks in Southeast Asia


The recently identified Dark Pink advanced persistent threat (APT) group is likely behind a fresh set of KamiKakaBot malware attacks on ASEAN governments and military entities, according to Netherlands-based cybersecurity company EclecticIQ.

The attacks, which took place in February 2023, were "almost identical" to those reported by Russia-based cybersecurity firm Group-IB on January 11, 2023, EclecticIQ said. Multiple overlapping techniques used in the campaigns helped EclecticIQ analysts attribute the recent attacks as likely to be the work of the Dark Pink APT group.

