Category: Security

First Malware Targeting AWS Lambda Serverless Platform Discovered

A first-of-its-kind malware targeting Amazon Web Services’ (AWS) Lambda serverless computing platform has been discovered in the wild.

Dubbed “Denonia” after the name of the domain it communicates with, “the malware uses newer address resolution techniques for command and control traffic to evade typical detection measures and virtual network access controls,” Cado Labs researcher Matt Muir said.

The artifact analyzed by the cybersecurity company was uploaded to the VirusTotal database on February 25, 2022, sporting the name “python” and packaged as a 64-bit ELF executable.

However, the filename is a misnomer, as Denonia is programmed in Go and harbors a customized variant of the XMRig cryptocurrency mining software. That said, the mode of initial access is unknown, although it’s suspected it may have involved the compromise of AWS Access and Secret Keys.

Another notable feature of the malware is its use of DNS over HTTPS (DoH) for communicating with its command-and-control server (“gw.denonia[.]xyz”) by concealing the traffic within encrypted DNS queries.

In a statement shared with The Hacker News, Amazon stressed that “Lambda is secure by default, and AWS continues to operate as designed,” and that users violating its acceptable use policy (AUP) will be prohibited from using its services.

While Denonia has been clearly designed to target AWS Lambda since it checks for Lambda environment variables prior to its execution, Cado Labs also found that it can be run outside of it in a standard Linux server environment.

“The software described by the researcher does not exploit any weakness in Lambda or any other AWS service,” the company said. “Since the software relies entirely on fraudulently obtained account credentials, it is a distortion of facts to even refer to it as malware because it lacks the ability to gain unauthorized access to any system by itself.”

However, “python” isn’t the only sample of Denonia unearthed so far, what with Cado Labs finding a second sample (named “bc50541af8fe6239f0faa7c57a44d119.virus“) that was uploaded to VirusTotal on January 3, 2022.

“Although this first sample is fairly innocuous in that it only runs crypto-mining software, it demonstrates how attackers are using advanced cloud-specific knowledge to exploit complex cloud infrastructure, and is indicative of potential future, more nefarious attacks,” Muir said.

Source :
https://thehackernews.com/2022/04/first-malware-targeting-aws-lambda.html

World Backup Day: Because Real Life Can Have Save Points Too

March 31 is World Backup Day. Get 1-up on theft, device failure and data loss by creating and checking backups — both for your organization and for yourself. 

You’ve been playing for hours. You’ve faced two tough enemies in a row, and all signs indicate you’re about to take your remaining 12 hit points straight into a boss fight.

Up ahead a glowing stone beckons like a glimmering oasis.

“Would you like to save your progress?” a popup asks as you approach.

Um. YES!

But as obvious a choice as that seems, when the same opportunity presents itself in real life, a shocking number of people don’t take advantage of it.

What Do You Have to Lose?

The digital revolution has brought about unprecedented efficiency and convenience, ridding us of the need for bulky filing cabinets, media storage, photo albums, rolodexes and more. But every time we outsource the storage of our data to the cloud, we become a little more reliant on digital devices that are anything but infallible.

According to WorldBackupDay.com, more than 60 million computers worldwide will fail this year, and more than 200,000 smartphones—113 every minute—will be lost or stolen. But while the devices themselves are replaceable, their contents often aren’t. Imagine what could be at stake: All the photos you’ve taken of your children over the past two years. Every message you ever sent your spouse, all the way back to the very beginning. The last voicemail you ever got from your grandmother. All could disappear in an instant, even when associated with cloud accounts, as experienced below.

But the loss isn’t always just sentimental. Sometimes it’s professional too, as journalist Matt Honan found out in 2012. Honan used an iCloud account for his data, but had no backups — and when hackers gained access to the account, they remotely wiped his phone, tablet and computer. They also took over and deleted his Google account. “In the space of one hour,” Honan told Wired, “my entire digital life was destroyed.”

Good Backups Are Good Business

Businesses have fallen victim to devastating data loss, as well. In 1998, Pixar lost 90% of its film “Toy Story 2,” then in progress, due to the combination of a faulty command and insufficient backups.

And when social media/bookmarking site Ma.gnolia.com experienced a database failure resulting in the loss of all user data, it ultimately shuttered the company. “I made a huge mistake in how I set up my [backup] system,” founder Larry Halff said of the incident. 

The Cultural Cost of Insufficient Backups

While World Backup Day’s primary goal is to encourage people to create and check their backups, it also aims to spark discussion of an enormous task: how to preserve our increasingly digital heritage and cultural works for future generations.

Due to insufficient archiving and backup practices, many cultural properties have already disappeared. For example, an entire season of the children’s TV show “Zodiac Island” was lost forever when a former employee at the show’s internet service provider deleted over 300GB of video files, resulting in a lawsuit over the ISP’s lack of backups.

And decades before, a similar fate befell the now-iconic sci-fi series “Dr. Who.” The Film Library of Britain and BBC Enterprises each believed the other party was responsible for archiving the material. As a result, the BBC destroyed its own copies at will, resulting in the master videotapes of the series’ first 253 episodes being recorded over or destroyed. Despite the existence of secondary recordings and showrunners obtaining copies from as far away as Nigeria, 97 episodes are still unaccounted for and presumed lost for good.

How to Ensure Your Digital Future Today

With so much at stake, you’d think almost everyone would back up their data at least occasionally. This isn’t the case, however. According to WorldBackupDay.com, only about 1 in 4 people are backing up their data regularly, and an astounding 21% have never made a backup.

This phenomenon is also seen at the corporate level. While 45% of companies have reported downtime from hardware failure and 28% reported a data loss event in the past 12 months, FEMA reports that 1 in 5 companies don’t have a disaster recovery/business continuity plan (and thus don’t typically have current backups.) With 20% of SMBs facing catastrophic data loss every five years, being left unprepared is much less an “if” than a “when.”

The difference in outcome for these businesses is stark. Ninety-three of businesses that experienced data loss and more than ten days of downtime filed for bankruptcy within a year. But 96% of businesses that had a disaster recovery plan fully recovered operations.

While a good backup plan will require ongoing attention, today is a great day to start — and even one backup is a tremendous improvement over no backups at all. The World Backup Day website is full of information on online backup services, external hard drive backup, computer backup, smartphone backup, creating a NAS backup, and other methods of preserving your data.

If you’re like many IT professionals and already understand the importance of backups, today’s a perfect day to test your backups out and make sure they’re still fully operational. It’s also a good opportunity to share the importance of backups with bosses, colleagues and friends.

After all, if you’re an individual, you won’t get an “extra life” to go back and relive all the memories you might lose if your device fails. And if you’re a small- or medium-sized business owner and lose all your data, having backups might be the difference between “Continue” and “Game Over.” On World Backup Day and every day, the choice is up to you.

To learn more about backups, visit WorldBackupDay.com.

Source :
https://blog.sonicwall.com/en-us/2022/03/world-backup-day-because-real-life-can-have-save-points-too/

Hackers can crash Cisco Secure Email gateways using malicious emails

Cisco has addressed a high severity vulnerability that could allow remote attackers to crash Cisco Secure Email appliances using maliciously crafted email messages.

The security flaw (tracked as CVE-2022-20653) was found in DNS-based Authentication of Named Entities (DANE), a Cisco AsyncOS Software component used by Cisco Secure Email to check emails for spam, phishing, malware, and other threats.

This bug is due to an insufficient error handling issue in DNS name resolution found and reported to Cisco by Rijksoverheid Dienst ICT Uitvoering (DICTU) security researchers.

“An attacker could exploit this vulnerability by sending specially formatted email messages that are processed by an affected device,” Cisco explained.

“A successful exploit could allow the attacker to cause the device to become unreachable from management interfaces or to process additional email messages for a period of time until the device recovers, resulting in a DoS [Denial-of-Service] condition.”

To make things even worse, continued attacks can cause the targeted devices to become completely unavailable, which results in a persistent DoS condition.

The company’s Product Security Incident Response Team (PSIRT) said that it found no evidence of malicious exploitation in the wild before the security advisory was published on Wednesday.

Vulnerable component not enabled by default

While the security vulnerability can be exploited remotely by unauthenticated attackers, Cisco says the vulnerable DANE email verification component is not enabled by default.

Admins can check if DANE is configured by going to the Mail Policies > Destination Controls > Add Destination web UI page and confirming whether the DANE Support option is toggled on.

Cisco has also confirmed that CVE-2022-20653 does not impact Web Security Appliance (WSA) and Secure Email and Web Manager or devices without the DANE feature enabled.

The company also provided a workaround requiring customers to configure bounce messages from Cisco ESA instead of from downstream dependent mail servers to block exploitation attempts.

Earlier this month, Cisco patched several maximum severity flaws with proof-of-concept exploit code available that would enable threat actors to take control of Small Business RV Series routers without authentication.

Source :
https://www.bleepingcomputer.com/news/security/hackers-can-crash-cisco-secure-email-gateways-using-malicious-emails/

OpenSSL cert parsing bug causes infinite denial of service loop

OpenSSL has released a security update to address a vulnerability in the library that, if exploited, activates an infinite loop function and leads to denial of service conditions.

Denial of service attacks may not be the most disastrous security problem. However, it can still cause significant business interruption, long-term financial repercussions, and brand reputation degradation for those affected.

That is especially the case for software like OpenSSL, a ubiquitous secure communication library used by many large online platforms. Therefore, any vulnerability that affects the library can significantly impact a large number of users.

Certificates causing DoS

In this case, the high-severity OpenSLL problem lies in a bug on the BN_mod_sqrt() function, that if served a maliciously crafted certificate to parse, it will enter an infinite loop.

The certificate has to contain elliptic curve public keys in compressed form or elliptic curve parameters with a base point encoded in compressed form to trigger the flaw.

“Since certificate parsing happens prior to verification of the certificate signature, any process that parses an externally supplied certificate may thus be subject to a denial of service attack,” describes OpenSSL’s security notice.

“The infinite loop can also be reached when parsing crafted private keys as they can contain explicit elliptic curve parameters.” 

Unfortunately, the problem impacts quite a few deployment scenarios, such as: 

  • TLS clients consuming server certificates
  • TLS servers consuming client certificates
  • Hosting providers taking certificates or private keys from customers
  • Certificate authorities parsing certification requests from subscribers
  • Anything else which parses ASN.1 elliptic curve parameters

The vulnerability is tracked as CVE-2022-0778, and affects OpenSSL versions 1.0.2 to 1.0.2zc, 1.1.1 to 1.1.1n, and 3.0 to 3.0.1. 

Google’s security researcher Tavis Ormandy discovered the certificate parsing vulnerability and reported his findings to the OpenSSL team on February 24, 2022.https://platform.twitter.com/embed/Tweet.html?creatorScreenName=BleepinComputer&dnt=false&embedId=twitter-widget-0&features=eyJ0ZndfZXhwZXJpbWVudHNfY29va2llX2V4cGlyYXRpb24iOnsiYnVja2V0IjoxMjA5NjAwLCJ2ZXJzaW9uIjpudWxsfSwidGZ3X3NrZWxldG9uX2xvYWRpbmdfMTMzOTgiOnsiYnVja2V0IjoiY3RhIiwidmVyc2lvbiI6bnVsbH0sInRmd19zcGFjZV9jYXJkIjp7ImJ1Y2tldCI6Im9mZiIsInZlcnNpb24iOm51bGx9fQ%3D%3D&frame=false&hideCard=false&hideThread=false&id=1503771787733069826&lang=en&origin=https%3A%2F%2Fwww.bleepingcomputer.com%2Fnews%2Fsecurity%2Fopenssl-cert-parsing-bug-causes-infinite-denial-of-service-loop%2F&sessionId=311e29408eba4153b418ae523e23f843cf490dd1&siteScreenName=BleepinComputer&theme=light&widgetsVersion=f9f80a909a60b%3A1648751432723&width=550px

The fixed versions released yesterday are 1.1.1n and 3.0.2, while only premium users of 1.0.2 will be offered a fix through 1.0.2zd.

Because version 1.0.2 does not parse the public key during the parsing of the certificate, the infinite loop is slightly more complicated to trigger than the other versions, but it’s still doable.

OpenSSL 1.0.2 has reached EOL and is not actively supported, so non-premium users are advised to upgrade to a new release branch as soon as possible.

Already exploited by threat actors?

Although OpenSSL has not said that the bug is already used by threat actors, Italy’s national cybersecurity agency, CSIRT, has marked it as actively exploited in the wild.

Bleeping Computer has contacted the OpenSSL team to request a clarification on this point, and they told us they are not aware of any active exploitation at this time.

Even if the message is mixed on that front, the low complexity of exploitation and the published information will allow threat actors to test and play quickly with the vulnerability in the future.

An OpenSSL spokesperson shared the following statement with Bleeping Computer:

The flaw is not too difficult to exploit, but the impact is limited to DoS. The most common scenario where exploitation of this flaw would be a problem would be for a TLS client accessing a malicious server that serves up a problematic certificate. TLS servers may be affected if they are using client authentication (which is a less common configuration) and a malicious client attempts to connect to it. It is difficult to guess to what extent this will translate to active exploitation.

Because most users obtain OpenSSL from a third party, there’s no centralized authority to count upgrade stats, so it’s impossible to estimate how many vulnerable deployments are out there.

Source :
https://www.bleepingcomputer.com/news/security/openssl-cert-parsing-bug-causes-infinite-denial-of-service-loop/

Critical SonicWall firewall patch not released for all devices

Security hardware manufacturer SonicWall has fixed a critical vulnerability in the SonicOS security operating system that allows denial of service (DoS) attacks and could lead to remote code execution (RCE).

The security flaw is a stack-based buffer overflow weakness with a 9.4 CVSS severity score and impacting multiple SonicWall firewalls.

Tracked as CVE-2022-22274, the bug affects TZ Series entry-level desktop form factor next-generation firewalls (NGFW) for small- and medium-sized businesses (SMBs), Network Security Virtual (NSv series) firewalls designed to secure the cloud, and Network Security services platform (NSsp) high-end firewalls.

Exploitable remotely without authentication

Unauthenticated attackers can exploit the flaw remotely, via HTTP requests, in low complexity attacks that don’t require user interaction “to cause Denial of Service (DoS) or potentially results in code execution in the firewall.”

The SonicWall Product Security Incident Response Team (PSIRT) says there are no reports of public proof-of-concept (PoC) exploits, and it found no evidence of exploitation in attacks.

The company has released patches for all impacted SonicOS versions and firewalls and urged customers to update all affected products.

“SonicWall strongly urges organizations using impacted SonicWall firewalls listed below to follow the provided guidance,” the company said in a security advisory published on Friday.

ProductImpacted PlatformsImpacted VersionFixed Version
SonicWall FireWallsTZ270, TZ270W, TZ370, TZ370W, TZ470, TZ470W, TZ570, TZ570W, TZ570P, TZ670, NSa 2700, NSa 3700, NSa 4700, NSa 5700, NSa 6700, NSsp 10700, NSsp 11700, NSsp 13700, Nsv 270, NSv 470, NSv 8707.0.1-5050 and earlier7.0.1-5051 and higher
SonicWall NSsp FirewallNSsp 157007.0.1-R579 and earlierMid-April (Hotfix build 7.0.1-5030-HF-R844)
SonicWall NSv FirewallsNSv 10, NSv 25, NSv 50, Nsv 100, NSv 200, Nsv, 300, NSv 400, NSv 800, NSv 16006.5.4.4-44v-21-1452 and earlier6.5.4.4-44v-21-1519 and higher

NSsp 15700 firewall gets hotfix, full patch in April

The only affected firewall still waiting for a patch against CVE-2022-22274 is the NSsp 15700 enterprise-class high-speed firewall.

While a hotfix is already available for those reaching out to the support team, SonicWall estimates that a full patch to block potential attacks targeting this firewall will be released in roughly two weeks.

“For NSsp 15700, continue with the temporary mitigation to avoid exploitation or reach out to the SonicWall support team who can provide you with a hotfix firmware (7.0.1-5030-HF-R844),” the company explained.

“SonicWall expects an official firmware version with necessary patches for NSsp15700 to be available in mid-April 2022.”

Temporary workaround available

SonicWall also provides a temporary workaround to remove the exploitation vector on systems that cannot be immediately patched.

As the security vendor explained, admins are required to only allow access to the SonicOS management interface to trusted sources.

“Until the [..] patches can be applied, SonicWall PSIRT strongly recommends that administrators limit SonicOS management access to trusted sources (and/or disable management access from untrusted internet sources) by modifying the existing SonicOS Management access rules (SSH/HTTPS/HTTP Management),” SonicWall added.

The updated access rules will ensure that the impacted devices “only allow management access from trusted source IP addresses.”

The company’s support website also provides customers with more information on how to restrict admin access and tips on when to allow access to the firewalls’ web management interface.

“SonicWall has proactively communicated mitigation guidance to any impacted organizations,” the security vendor told BleepingComputer. 

Source :
https://www.bleepingcomputer.com/news/security/critical-sonicwall-firewall-patch-not-released-for-all-devices/

Sophos warns critical firewall bug is being actively exploited

British-based cybersecurity vendor Sophos warned that a recently patched Sophos Firewall bug allowing remote code execution (RCE) is now actively exploited in attacks.

The security flaw is tracked as CVE-2022-1040, and it received a critical severity rating with a 9.8/10 CVSS base score. 

It enables remote attackers to bypass authentication via the firewall’s User Portal or Webadmin interface and execute arbitrary code.

The vulnerability was discovered and reported by an anonymous researcher who found that it impacts Sophos Firewall v18.5 MR3 (18.5.3) and older.

“Sophos has observed this vulnerability being used to target a small set of specific organizations primarily in the South Asia region,” the company said in an update to the original security advisory.

“We have informed each of these organizations directly. Sophos will provide further details as we continue to investigate.”

Hotfixes and workarounds

To address the critical bug, Sophos released hotfixes that should be automatically deployed to all vulnerable devices since the ‘Allow automatic installation of hotfixes’ feature is enabled by default.

However, hotfixes released for end-of-life versions of Sophos Firewall must manually upgrade to patch the security hole and defend against the ongoing attacks.

For these customers and those who have disabled automatic updates, there’s also a workaround requiring them to secure the User Portal and Webadmin interfaces by restricting external access.

“Customers can protect themselves from external attackers by ensuring their User Portal and Webadmin are not exposed to WAN,” Sophos added.

“Disable WAN access to the User Portal and Webadmin by following device access best practices and instead use VPN and/or Sophos Central for remote access and management.”

In the wild exploitation of Sophos Firewall bugs

Sophos provides detailed information on enabling the automatic hotfix installation feature and checking if the hotfix was successfully deployed.

After toggling on automatic hotfix installation, Sophos Firewall will check for new hotfixes every thirty minutes and after restarts.

Patching your Sophos Firewall instances is critically important especially since they have been previously exploited in the wild, with threat actors abusing an XG Firewall SQL injection zero-day starting with early 2020.

Asnarök trojan malware was also used to exploit the same zero-day to try and steal firewall credentials from vulnerable XG Firewall instances.

The zero-day was also exploited in attacks attempting to push Ragnarok ransomware payloads onto Windows enterprise networks.

Source :
https://www.bleepingcomputer.com/news/apple/sophos-warns-critical-firewall-bug-is-being-actively-exploited/

Trend Micro fixes actively exploited remote code execution bug

Japanese cybersecurity software firm Trend Micro has patched a high severity security flaw in the Apex Central product management console that can let attackers execute arbitrary code remotely.

Apex Central is a web-based management console that helps system admins manage Trend Micro products and services (including antivirus and content security products and services) throughout the network.

They can also use it to deploy components (e.g., antivirus pattern files, scan engines, and antispam rules) via manual or pre-scheduled updates.

The vulnerability (CVE-2022-26871) is a high severity arbitrary file upload weakness in the file handling module that unauthenticated attackers can abuse for remote code execution.

On Thursday, Trend Micro said it observed attempts to exploit the vulnerability in the wild as part of an ongoing attack.

“Trend Micro has observed an active attempt of exploitation against this vulnerability in-the-wild (ITW) in a very limited number of instances, and we have been in contact with these customers already,” the company said.

CISA orders federal agencies to patch

The Japanese antivirus vendor also urged customers of affected products (on-premise and as a Service) to update to the latest released version as soon as possible.

“Please note that the SaaS version has already been deployed on the backend and no further action is required from SaaS customers on this issue,” the company added for SaaS customers.

When asked how many customers were targeted in these attacks and if any of their networks were breached following these exploitation attempts, Trend Micro spokesperson Funda Cizgenakad told BleepingComputer that the company is “not able to comment on customers” since “this is confidential.”

On Thursday, following Trend Micro’s disclosure, the Cybersecurity and Infrastructure Security Agency (CISA) ordered federal civilian agencies to patch the actively exploited Apex Central bug within the next three weeks, until April 21, 2022.

The cybersecurity agency also urged private and public sector organizations in the US to prioritize patching this actively exploited bug to decrease their networks’ exposure to ongoing attacks.

CISA added the Trend Micro flaw to its Known Exploited Vulnerabilities Catalog, a list of security bugs exploited in the wild, with seven others, including a critical Sophos firewall bug.

Source :
https://www.bleepingcomputer.com/news/security/trend-micro-fixes-actively-exploited-remote-code-execution-bug/

Apple Issues Patches for 2 Actively Exploited Zero-Days in iPhone, iPad and Mac Devices

Apple on Thursday rolled out emergency patches to address two zero-day flaws in its mobile and desktop operating systems that it said may have been exploited in the wild.

The shortcomings have been fixed as part of updates to iOS and iPadOS 15.4.1, macOS Monterey 12.3.1, tvOS 15.4.1, and watchOS 8.5.1. Both the vulnerabilities have been reported to Apple anonymously.

Tracked as CVE-2022-22675, the issue has been described as an out-of-bounds write vulnerability in an audio and video decoding component called AppleAVD that could allow an application to execute arbitrary code with kernel privileges.

Apple said the defect was resolved with improved bounds checking, adding it’s aware that “this issue may have been actively exploited.”

The latest version of macOS Monterey, besides fixing CVE-2022-22675, also includes remediation for CVE-2022-22674, an out-of-bounds read issue in the Intel Graphics Driver module that could enable a malicious actor to read kernel memory.

The bug was “addressed with improved input validation,” the iPhone maker noted, once again stating there’s evidence of active exploitation, while withholding additional details to prevent further abuse.

The latest updates bring the total number of actively exploited zero-days patched by Apple to four since the start of year, not to mention a publicly disclosed flaw in the IndexedDB API (CVE-2022-22594), which could be weaponized by a malicious website to track users’ online activity and identities in the web browser.

  • CVE-2022-22587 (IOMobileFrameBuffer) – A malicious application may be able to execute arbitrary code with kernel privileges
  • CVE-2022-22620 (WebKit) – Processing maliciously crafted web content may lead to arbitrary code execution

In light of active exploitation of the flaws, Apple iPhone, iPad, and Mac users are highly recommended to upgrade to the latest versions of the software as soon as possible to mitigate potential threats.

The iOS and iPad updates are available to iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation).

Source :
https://thehackernews.com/2022/03/apple-issues-patches-for-2-actively.html

Zyxel Releases Patches for Critical Bug Affecting Business Firewall and VPN Devices

Networking equipment maker Zyxel has pushed security updates for a critical vulnerability affecting some of its business firewall and VPN products that could enable an attacker to take control of the devices.

“An authentication bypass vulnerability caused by the lack of a proper access control mechanism has been found in the CGI program of some firewall versions,” the company said in an advisory published this week. “The flaw could allow an attacker to bypass the authentication and obtain administrative access to the device.”

The flaw has been assigned the identifier CVE-2022-0342 and is rated 9.8 out of 10 for severity. Credited with reporting the bug are Alessandro Sgreccia from Tecnical Service Srl and Roberto Garcia H and Victor Garcia R from Innotec Security.

The following Zyxel products are impacted –

  • USG/ZyWALL running firmware versions ZLD V4.20 through ZLD V4.70 (fixed in ZLD V4.71)
  • USG FLEX running firmware versions ZLD V4.50 through ZLD V5.20 (fixed in ZLD V5.21 Patch 1)
  • ATP running firmware versions ZLD V4.32 through ZLD V5.20 (fixed in ZLD V5.21 Patch 1)
  • VPN running firmware versions ZLD V4.30 through ZLD V5.20 (fixed in ZLD V5.21)
  • NSG running firmware versions V1.20 through V1.33 Patch 4 (Hotfix V1.33p4_WK11 available now, with standard patch V1.33 Patch 5 expected in May 2022)

While there is no evidence that the vulnerability has been exploited in the wild, it’s recommended that users install the firmware updates to prevent any potential threats.

CISA warns about actively exploited Sophos and Trend Micro flaws

The disclosure comes as both Sophos and SonicWall released patches this week to their firewall appliances to resolve critical flaws (CVE-2022-1040 and CVE-2022-22274) that could allow a remote attacker to execute arbitrary code on affected systems.

The critical Sophos firewall vulnerability, which has been observed exploited in active attacks against select organizations in South Asia, has since been added by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to its Known Exploited Vulnerabilities Catalog.

Also added to the list is a high-severity arbitrary file upload vulnerability in Trend Micro’s Apex Central product that could allow an unauthenticated remote attacker to upload an arbitrary file, resulting in code execution (CVE-2022-26871, CVSS score: 8.6).

“Trend Micro has observed an active attempt of exploitation against this vulnerability in-the-wild (ITW) in a very limited number of instances, and we have been in contact with these customers already,” the company said. “All customers are strongly encouraged to update to the latest version as soon as possible.”

Source :
https://thehackernews.com/2022/03/zyxel-releases-patches-for-critical-bug.html

QNAP Warns of OpenSSL Infinite Loop Vulnerability Affecting NAS Devices

Taiwanese company QNAP this week revealed that a selected number of its network-attached storage (NAS) appliances are affected by a recently-disclosed bug in the open-source OpenSSL cryptographic library.

“An infinite loop vulnerability in OpenSSL has been reported to affect certain QNAP NAS,” the company said in an advisory published on March 29, 2022. “If exploited, the vulnerability allows attackers to conduct denial-of-service attacks.”

Tracked as CVE-2022-0778 (CVSS score: 7.5), the issue relates to a bug that arises when parsing security certificates to trigger a denial-of-service condition and remotely crash unpatched devices.

QNAP, which is currently investigating its line-up, said it affects the following operating system versions –

  • QTS 5.0.x and later
  • QTS 4.5.4 and later
  • QTS 4.3.6 and later
  • QTS 4.3.4 and later
  • QTS 4.3.3 and later
  • QTS 4.2.6 and later
  • QuTS hero h5.0.x and later
  • QuTS hero h4.5.4 and later, and
  • QuTScloud c5.0.x

To date, there is no evidence that the vulnerability has been exploited in the wild. Although Italy’s Computer Security Incident Response Team (CSIRT) released an advisory to the contrary on March 16, the agency clarified to The Hacker News that it has “updated the alert with an errata corrige.”

The advisory comes a week after QNAP released security updates for QuTS hero (version h5.0.0.1949 build 20220215 and later) to address the “Dirty Pipe” local privilege escalation flaw impacting its devices. Patches for QTS and QuTScloud operating systems are expected to be released soon.

Source :
https://thehackernews.com/2022/03/qnap-warns-of-openssl-infinite-loop.html

Exit mobile version