Category Archives: Advisories

USN-5333-1: Apache HTTP Server vulnerabilities

Read Time:49 Second

Chamal De Silva discovered that the Apache HTTP Server mod_lua module
incorrectly handled certain crafted request bodies. A remote attacker could
possibly use this issue to cause the server to crash, resulting in a denial
of service. (CVE-2022-22719)

James Kettle discovered that the Apache HTTP Server incorrectly closed
inbound connection when certain errors are encountered. A remote attacker
could possibly use this issue to perform an HTTP Request Smuggling attack.
(CVE-2022-22720)

It was discovered that the Apache HTTP Server incorrectly handled large
LimitXMLRequestBody settings on certain platforms. In certain
configurations, a remote attacker could use this issue to cause the server
to crash, resulting in a denial of service, or possibly execute arbitrary
code. (CVE-2022-22721)

Ronald Crane discovered that the Apache HTTP Server mod_sed module
incorrectly handled memory. A remote attacker could use this issue to cause
the server to crash, resulting in a denial of service, or possibly execute
arbitrary code. (CVE-2022-23943)

Read More

USN-5332-1: Bind vulnerabilities

Read Time:23 Second

Xiang Li, Baojun Liu, Chaoyi Lu, and Changgen Zou discovered that Bind
incorrectly handled certain bogus NS records when using forwarders. A
remote attacker could possibly use this issue to manipulate cache results.
(CVE-2021-25220)

It was discovered that Bind incorrectly handled certain crafted TCP
streams. A remote attacker could possibly use this issue to cause Bind to
consume resources, leading to a denial of service. This issue only affected
Ubuntu 21.10. (CVE-2022-0396)

Read More

Joint CyberSecurity Advisory Alert on Russian State-Sponsored Cyber Actors Gain Network Access by Exploiting Default Multifactor Authentication Protocols and “PrintNightmare” Vulnerability (AA22-074A)

Read Time:3 Minute, 54 Second

FortiGuard Labs is aware of a recent report issued by the U.S. Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) that Russian state-sponsored cyber actors have gained network access to a non-governmental organization (NGO) through exploitation of default Multi-Factor Authentication (MFA) protocols and the “PrintNightmare” vulnerability (CVE-2021-34527). The attack resulted in data exfiltration from cloud and email accounts of the target organization.Why is this Significant?This is significant because the advisory describes how a target organization was compromised by Russian state-sponsored cyber actors. The advisory also provides mitigations.How did the Attack Occur?The advisory provides the following attack sequence:”Russian state-sponsored cyber actors gained initial access to the victim organization via compromised credentials and enrolling a new device in the organization’s Duo MFA. The actors gained the credentials via brute-force password guessing attack, allowing them access to a victim account with a simple, predictable password. The victim account had been un-enrolled from Duo due to a long period of inactivity but was not disabled in the Active Directory. As Duo’s default configuration settings allow for the re-enrollment of a new device for dormant accounts, the actors were able to enroll a new device for this account, complete the authentication requirements, and obtain access to the victim network.Using the compromised account, Russian state-sponsored cyber actors performed privilege escalation via exploitation of the “PrintNightmare” vulnerability (CVE-2021-34527) to obtain administrator privileges. The actors also modified a domain controller file, c:windowssystem32driversetc hosts, redirecting Duo MFA calls to localhost instead of the Duo server. This change prevented the MFA service from contacting its server to validate MFA login-this effectively disabled MFA for active domain accounts because the default policy of Duo for Windows is to “Fail open” if the MFA server is unreachable. Note: “fail open” can happen to any MFA implementation and is not exclusive to Duo.After effectively disabling MFA, Russian state-sponsored cyber actors were able to successfully authenticate to the victim’s virtual private network (VPN) as non-administrator users and make Remote Desktop Protocol (RDP) connections to Windows domain controllers. The actors ran commands to obtain credentials for additional domain accounts; then using the method described in the previous paragraph, changed the MFA configuration file and bypassed MFA for these newly compromised accounts. The actors leveraged mostly internal Windows utilities already present within the victim network to perform this activity. Using these compromised accounts without MFA enforced, Russian state-sponsored cyber actors were able to move laterally to the victim’s cloud storage and email accounts and access desired content.”What is the “PrintNightmare” vulnerability (CVE-2021-34527)?The “PrintNightmare” vulnerability” was a critical vulnerability affecting Microsoft Windows Print Spooler. Microsoft released an out-of-bound advisory for the vulnerability on July 6th, 2021.Has Microsoft Released a Patch for the “PrintNightmare” vulnerability (CVE-2021-34527)?Yes, Microsoft released an out-of-bound patch for the “PrintNightmare” vulnerability in July, 2021.Due to its severity, Microsoft made the patches available for unsupported OS such as Windows 7 and Windows Server 2012.Successful exploitation of the vulnerability allows an attack to run arbitrary code with SYSTEM privileges.FortiGuard Labs released an Outbreak Alert and Threat Signal for PrintNightmare. See the Appendix for a link to “Fortinet Outbreak Alert: Microsoft PrintNightmare” and “#PrintNightmare Zero Day Remote Code Execution Vulnerability”.What is the Status of Coverage?FortiGuard Labs has IPS coverage in place for the “PrintNightmare” vulnerability (CVE-2021-34527):MS.Windows.Print.Spooler.AddPrinterDriver.Privilege.EscalationAll known network IOC’s are blocked by the FortiGuard WebFiltering client.Any Other Suggested Mitigation?The advisory recommends the following mitigations:Enforce MFA for all users, without exception. Before implementing, organizations should review configuration policies to protect against “fail open” and re-enrollment scenarios.Implement time-out and lock-out features in response to repeated failed login attempts.Ensure inactive accounts are disabled uniformly across the Active Directory, MFA systems etc.Update software, including operating systems, applications, and firmware on IT network assets in a timely manner. Prioritize patching known exploited vulnerabilities, especially critical and high vulnerabilities that allow for remote code execution or denial-of-service on internet-facing equipment.Require all accounts with password logins (e.g., service account, admin accounts, and domain admin accounts) to have strong, unique passwords. Passwords should not be reused across multiple accounts or stored on the system where an adversary may have access.Continuously monitor network logs for suspicious activity and unauthorized or unusual login attempts.Implement security alerting policies for all changes to security-enabled accounts/groups, and alert on suspicious process creation events (ntdsutil, rar, regedit, etc.).

Read More

Drupal core – Moderately critical – Third-party libraries – SA-CORE-2022-005

Read Time:1 Minute, 50 Second
Project: 
Date: 
2022-March-16
Vulnerability: 
Third-party libraries
CVE IDs: 
CVE-2022-24728
CVE-2022-24729
Description: 

The Drupal project uses the CKEditor library for WYSIWYG editing. CKEditor has released a security update that impacts Drupal.

Vulnerabilities are possible if Drupal is configured to allow use of the CKEditor library for WYSIWYG editing. An attacker that can create or edit content (even without access to CKEditor themselves) may be able to exploit one or more Cross-Site Scripting (XSS) vulnerabilities to target users with access to the WYSIWYG CKEditor, including site admins with privileged access.

For more information, see CKEditor’s security advisories:

CVE-2022-24728: HTML processing vulnerability allowing to execute JavaScript code
CVE-2022-24729: Regular expression Denial of Service in dialog plugin

This advisory is not covered by Drupal Steward.

Solution: 

Install the latest version:

If you are using Drupal 9.3, update to Drupal 9.3.8.
If you are using Drupal 9.2, update to Drupal 9.2.15.

All versions of Drupal 9 prior to 9.2.x are end-of-life and do not receive security coverage. Note that Drupal 8 has reached its end of life.

Instructions for Drupal 7 and contributed modules

Drupal 7 core is not affected, although Drupal 7, 8, and 9 site owners should review their site following the protocol for managing external libraries and plugins previously suggested by the Drupal Security Team, as contributed projects may use additional CKEditor plugins not packaged in Drupal core.

Users of the Webform module should ensure Webform’s version of CKEditor 4 is also up-to-date after updating Drupal core and libraries for any affected contributed modules. If it is not, Webform users can try the following steps to update it:

If using Composer, run drush webform:libraries:composer > DRUPAL_ROOT/composer.libraries.json and run composer update
If using Drush without Composer, run drush webform:libraries:update.

Learn more about updating Webform libraries.

Reported By: 
Fixed By: 
Jess of the Drupal Security Team
Wim Leers
Lee Rowlands of the Drupal Security Team

Read More

CVE-2021-20299

Read Time:11 Second

A flaw was found in OpenEXR’s Multipart input file functionality. A crafted multi-part input file with no actual parts can trigger a NULL pointer dereference. The highest threat from this vulnerability is to system availability.

Read More

CVE-2021-23158

Read Time:12 Second

A flaw was found in htmldoc in v1.9.12. Double-free in function pspdf_export(),in ps-pdf.cxx may result in a write-what-where condition, allowing an attacker to execute arbitrary code and denial of service.

Read More