| title | date | draft | logo |
|---|---|---|---|
Jan 30, 2023 |
2023-01-30 00:00:00 +0545 |
false |
images/infosec/default.png |
{{< toc >}}
A cyber threat actor believed to be linked to China has been found to have exploited a recently patched vulnerability in Fortinet FortiOS SSL-VPN, known as CVE-2022-42475, in attacks against a European government entity and an African managed service provider (MSP). Google-owned Mandiant gathered evidence showing the exploitation occurred as early as October 2022, nearly two months before fixes were released. The attacks used a sophisticated backdoor called BOLDMOVE, which is a Linux variant specifically designed to run on Fortinet's FortiGate firewalls. The malware, written in C, can read data from a file format that's proprietary to Fortinet. The malware is also capable of carrying out a system survey, receiving commands from a command-and-control (C2) server and relay traffic via the infected host. Mandiant noted that the exploitation of zero-day vulnerabilities in networking devices and the installation of custom implants is consistent with previous Chinese exploitation of networking devices.
Fortinet FortiOS SSL-VPN
https://www.securityweek.com/chinese-hackers-exploited-fortinet-vpn-vulnerability-zero-day
Keep Software up to date. Conduct Regular Security Assessments Monitor network security
CVE-2022-42475
Two security weaknesses in Samsung's Galaxy Store app for Android have been discovered, which might be abused by a local attacker to install arbitrary programs or redirect prospective victims to fake web landing sites. The vulnerabilities, identified as CVE-2023-21433 and CVE-2023-21434, were found by NCC Group in November and December 2022 and reported to the South Korean chaebol. Samsung classed the issues as moderately dangerous and fixed them in version 4.5.49.8, which was published earlier this month. CVE-2023-21433, the first of the two vulnerabilities, may allow a previously installed rogue Android app on a Samsung smartphone to install any program accessible on the Galaxy Store. Samsung classified it as an instance of poor access control that has now been fixed with sufficient permissions to prevent unwanted access. It's worth noting that the issue only affects Samsung handsets running Android 12 and earlier, not those running the most recent version (Android 13). The update comes as Samsung rolled out security updates for the month of January 2023 to remediate several flaws, some of which could be exploited to modify carrier network parameters, control BLE advertising without permission, and achieve arbitrary code execution.
Samsung’s devices
https://thehackernews.com/2023/01/samsung-galaxy-store-app-found.html
Update the app to the latest version as soon as possible.
CVE-2023-21433 CVE-2023021434
The IoT Security Foundation (IoTSF) released a report that shows that only 27.1% of IoT vendors have a vulnerability disclosure policy, which is a concern as it is a best practice for connected product security and there is a potential for penalties for non-compliance with the UK's new Product Security and Telecoms Infrastructure regulations. The study also found that vendors from Asia tend to have better vulnerability disclosure programs compared to European suppliers. The study was based on a review of 332 companies that sell consumer focused IoT products and covered a range of products from tablets and routers to smart home lighting controls. Lawmakers are pushing for regulations to improve the security of IoT products, and the study also found an increase in the use of 'security.txt' files and a decline in PGP key usage for secure submissions, as well as an increase in the use of third-party 'proxy services' to host and maintain policies.
IoT
IoT vendors should establish vulnerability disclosure programs, have a dedicated point of contact for security researchers, have a clear process for addressing reported vulnerabilities and be transparent with customers about the status of vulnerabilities and steps taken to address them.
The latest BIND updates patch multiple remotely exploitable vulnerabilities that could lead to denial-of-service (DoS)
The IoT Security Foundation (IoTSF) has released a report that states that only 27.1% of IoT vendors have a vulnerability disclosure policy. This is a concern as it is a best practice for connected product security and there is potential for penalties for non-compliance with the UK's new Product Security and Telecoms Infrastructure regulations. The study also found that vendors from Asia tend to have better vulnerability disclosure programs compared to European suppliers. The study was conducted by reviewing 332 companies that sell consumer focused IoT products, which covered a range of products from tablets and routers to smart home lighting controls. The report also highlights that there is an increase in the use of 'security.txt' files and a decline in PGP key usage for secure submissions, as well as an increase in the use of third-party 'proxy services' to host and maintain policies.
BIND
https://securityaffairs.com/141465/security/isc-fixed-bind-flaws.html
Upgrade to the latest versions of BIND (9.16.37, 9.18.11, and 9.19.9) as soon as possible. Limit the number of clients that are permitted to make dynamic zone changes. Configure the stale-answer-client-timeout option to a positive integer. Monitor logs for any suspicious activity. Restrict access to DNS servers to trusted hosts only.
CVE-2022-3094 CVE-2022-3736 CVE-2022-3924
VMware addressed multiple vulnerabilities, tracked as CVE-2022-31706, CVE-2022-31704, CVE-2022-31710, and CVE-2022-31711, in its vRealize Log Insight appliance. VRealize Log Insight is a log collection and analytics virtual appliance that enables administrators to collect, view, manage and analyze syslog data. Log Insight provides real-time monitoring of application logs, network traces, configuration files, messages and performance data.The most severe flaws impacting the product are a Directory Traversal Vulnerability tracked as CVE-2022-31706 (CVSS score 9.8), and a broken access control vulnerability tracked as CVE-2022-31704 (CVSS score 9.8).An unauthenticated, attacker can exploit one of the two flaws to inject files into the operating system of an impacted appliance which can result in remote code execution. CVE-2022-31710 – Deserialization Vulnerability (CVSS score 7.5) that can be exploited by a remote attacker to trigger the deserialization of untrusted data which could result in a denial of service.CVE-2022-31711 – Information Disclosure Vulnerability (CVSS score 7.5) which can be exploited by a remote attacker to collect sensitive session and application information without authentication.
VMware vRealize
https://securityaffairs.com/141298/security/vmware-vrealize-log-insight-rce.html
Patch or update provided by VMware as soon as possible
CVE-2023-21433 CVE-2023021434