| title | date | draft | logo |
|---|---|---|---|
Apr 10, 2023 |
2023-04-10 00:00:00 +0545 |
false |
images/infosec/default.png |
{{< toc >}}
On Friday, Apple released security updates for several of its products, including iOS, iPadOS, macOS, and Safari, to address two zero-day vulnerabilities that are currently being exploited by attackers. The first vulnerability (CVE-2023-28205) involves a "use after free" issue in WebKit that could allow attackers to execute arbitrary code by sending specifically crafted web content. The second vulnerability (CVE-2023-28206) is an "out-of-bounds write" issue in IOSurfaceAccelerator that could enable an app to execute arbitrary code with kernel privileges. Apple has improved memory management and input validation to address the two issues respectively. The tech giant acknowledges that the vulnerabilities "may have been actively exploited" and has withheld further details to prevent more attackers from exploiting them. The updates are available for various Apple devices, including iPhone 8 and later, iPad Pro, Macs running macOS Big Sur, Monterey, and Ventura. These updates mark the third zero-day fix by Apple since the start of the year. Google's Threat Analysis Group (TAG) and Amnesty International's Security Lab discovered and reported the two vulnerabilities. The recent disclosure by Google TAG reveals that commercial spyware vendors are exploiting zero-day vulnerabilities in Android and iOS to infect mobile devices with surveillance malware.
IOS, iPadOS, macOS, and Safari web browser
https://support.apple.com/en-us/HT213720
• Use Multi-Layered Security • Keep Software and Devices Up-to-Date
CVE-2023-28205 CVE-2023-28206 CVE-2023-23529 (previously addressed by Apple in February 2023)
On April 6, 2023, researchers from KAIST WSP Lab in South Korea discovered a critical flaw in the vm2 JavaScript sandbox module that could be exploited to execute arbitrary shellcode and break out of security boundaries. The flaw affects all versions of the module, including version 3.9.14 and prior. After being notified of the vulnerability, vm2 released version 3.9.15 to address the issue. The vulnerability, identified as CVE-2023-29017, has a CVSS score of 9.8 and is caused by the module's inability to handle errors that occur in asynchronous functions. The vm2 module is a popular library that is widely used to run untrusted code in a secure environment on Node.js. It has almost four million weekly downloads and is utilized in 721 packages. KAIST security researcher Seongil Wi has created two proof-of-concept (PoC) exploits that circumvent the sandbox protections and allow the creation of an empty file named "flag" on the host. It is important for users of the vm2 module to update to the latest version as soon as possible to avoid potential attacks. This is the second critical vulnerability that has been discovered in the vm2 module in recent months. In 2022, vm2 addressed another critical bug (CVE-2022-36067, CVSS score: 10) that could be used to perform arbitrary operations on the underlying machine.
Vm2 nodejs
• Update vm2 module to latest version (3.9.15) to patch the critical flaw (CVE-2023-29017). • Practice secure coding and conduct regular security audits to minimize risks of vulnerabilities in applications and dependencies.
CVE-2023-29017
The recent discovery of a severe vulnerability in the Elementor Pro plugin has caused alarm for many WordPress website owners. The vulnerability, described as a broken access control issue, can be exploited on websites with the WooCommerce plugin installed, allowing attackers to change any WordPress setting. However, the attacker needs to be authenticated as a low-privileged user, such as a subscriber or customer, to exploit the bug.Security firm Patchstack has warned that this vulnerability can be used to enable the registration page of a website and set the default user role to administrator. Attackers can then create a new user account that has administrator privileges, allowing them to redirect the site to a malicious domain or inject malicious code such as a plugin with a backdoor.Patchstack has observed malicious attacks targeting this vulnerability originating from multiple IP addresses, with attackers injecting malicious .zip and .php files. The vulnerability has a CVSS score of 8.8, indicating that it is a high-severity issue. However, it currently has no CVE identifier.The Elementor Pro vulnerability was addressed with the release of version 3.11.7, which improved code security enforcement in WooCommerce components. Elementor Pro users are advised to update to a patched version of the plugin as soon as possible.With over 5 million active installations, the Elementor plugin is a popular drag-and-drop website builder that allows users to create websites without having to write code. The paid version of the plugin, Elementor Pro, provides additional features and tools for site building.
Elementor Pro WordPress plugin
• Update the plugin
CVE-2022-29455
A new malware called CryptoClippy is targeting Portuguese users in a malvertising campaign using SEO poisoning to lure victims searching for "WhatsApp web" to rogue domains hosting the malware. CryptoClippy is a clipper malware that substitutes cryptocurrency addresses in the victim's clipboard with a wallet address controlled by the threat actor. The malware has earned its operators about $983, with victims found in manufacturing, IT services, and real estate industries. The malware uses regular expressions to identify what type of cryptocurrency the address pertains to. Threat actors associated with the GootLoader malware also use the same approach to deliver malware. A traffic direction system is used to check the user's preferred browser language to determine suitable targets. The malware is capable of harvesting data from web browsers, cryptocurrency wallets, and a variety of apps such as AnyDesk, FileZilla, KeePass, Steam, and Telegram.
Web browsers and Cryptocurrency Wallets
https://thehackernews.com/2023/04/cryptoclippynew-clipper-malware.html
• Update antivirus software regularly • Use reliable ad blockers or browser extensions. • Be cautious when clicking on links or downloading attachments from unknown sources.
The US Cybersecurity and Infrastructure Security Agency (CISA) has issued eight advisories warning of critical vulnerabilities in industrial control systems (ICS) products from Hitachi Energy, mySCADA Technologies, Industrial Control Links, and Nexx. One of the most serious vulnerabilities, CVE-2022-3682, affects Hitachi Energy's MicroSCADA System Data Manager SDM600, which could allow a remote attacker to take control of the product. The other critical vulnerabilities relate to command injection bugs in mySCADA myPRO, and a security bug in Industrial Control Links ScadaFlex II SCADA Controllers. Additionally, there are five unpatched vulnerabilities in garage door controllers, smart plugs, and smart alarms sold by Nexx. CISA advises users to update their systems to the latest versions and to minimize network exposure to reduce potential risks.
Hitachi, my SCADA, ICL and Nexx Products
https://thehackernews.com/2023/04/cisa-warns-of-critical-ics-flaws-in.html
• Updating affected products to the latest versions, minimizing network exposure, isolating control system networks.