home.social

#cve2023 — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #cve2023, aggregated by home.social.

  1. "Critical RCE Flaw Uncovered in SolarWinds Access Rights Manager 🚨 #CVE2023-40057"

    A newly discovered deserialization vulnerability in SolarWinds Access Rights Manager (versions up to 2023.2.2) poses a severe risk, enabling remote code execution. Classified as very critical with a CVSS score of 8.9, this flaw (CVE-2023-40057) could allow authenticated users to execute arbitrary code remotely. Despite its high impact on confidentiality, integrity, and availability, no exploit is currently available. The vulnerability underscores the importance of validating deserialized data to prevent unauthorized access. No mitigation measures have been identified yet, emphasizing the need for heightened vigilance and potential product alternatives.

    Stay informed: CVE-2023-40057 Details

    Tags: #CyberSecurity #Vulnerability #SolarWinds #RemoteCodeExecution #RCE #Deserialization #CVE2023-40057 #InfoSec 🛡️💡🔒

  2. "🚨 CVE-2023-28807 - Domain Fronting Evasion in ZIA 🚨"

    An evasion technique identified as CVE-2023-28807 allows attackers to bypass Zscaler Internet Access (ZIA)'s domain fronting detection by exploiting a mismatch between Connect Host and Server Name Indication (SNI) in Client Hello messages. The vulnerability exploits how ZIA handles the SNI field during the TLS handshake process. The SNI is intended to indicate which host the client wants to connect to within a shared hosting environment, allowing the server to present the correct certificate for that host. However, due to this vulnerability, an attacker can manipulate the SNI in such a way that the security mechanisms fail to correctly identify and filter malicious traffic, enabling the attacker to hide malicious activities within what appears to be legitimate traffic.
    This vulnerability was discovered and addressed by Zscaler. Users are urged to upgrade to version 6.2r.290 to mitigate this risk. 🛡️💻

    Source: Zscaler & VulDB

    Tags: #Cybersecurity #CVE2023 #DomainFronting #Zscaler #NetworkSecurity #EvasionTechniques #MITREATTACK MITRE - T1587.003 🔒

  3. "#GitLabSecurityAlert - Multiple Critical Vulnerabilities Patched in GitLab 🚨"

    📰 GitLab has released critical updates (16.7.2, 16.6.4, 16.5.6) addressing several security vulnerabilities, including a critical account takeover flaw and a Slack/Mattermost integration exploit. Users are urged to update immediately.

    1️⃣ The most severe, CVE-2023-7028, allowed password reset emails to be sent to unverified addresses (CVSS 10.0).
    2️⃣ CVE-2023-5356 permitted unauthorized execution of slash commands in Slack/Mattermost integrations (CVSS 9.6).
    3️⃣ CVE-2023-4812 involved bypassing CODEOWNERS approval in merge requests (CVSS 7.6).
    4️⃣ CVE-2023-6955, a medium severity issue, related to improper access control in GitLab Remote Development (CVSS 6.6).
    5️⃣ The least critical, CVE-2023-2030, allowed alteration of metadata in signed commits (CVSS 3.5).

    Kudos to the security researchers (@asterion04, @yvvdwf, @ali_shehab, @lotsofloops on HackerOne) and GitLab's @j.seto for identifying these issues. Stay secure, folks!

    Source: GitLab Release Notes
    Author: Greg Myers

    Tags: #Cybersecurity #Vulnerability #GitLab #CVE2023 #PatchUpdate #InfoSec #HackerOne #DevSecOps 🛡️💻🔧

  4. "🚨 NGINX Ingress Vulnerabilities Exposed! 🚨"

    Three new vulnerabilities have been identified in the NGINX ingress controller for Kubernetes. These vulnerabilities, tagged as CVE-2023-5043, CVE-2023-5044, and CVE-2022-4886, could potentially allow attackers to steal secret credentials from the cluster. 🕵️‍♂️🔓

    • CVE-2023-5043 & CVE-2023-5044: These vulnerabilities can be exploited by attackers who can control the Ingress object's configuration. By using the annotation fields “configuration-snippet” or “permanent-redirect”, attackers can inject arbitrary code into the ingress controller process, gaining access to the service account token of the ingress controller. This token has a ClusterRole, enabling reading of all Kubernetes secrets in the cluster. 😱

    • CVE-2022-4886: This vulnerability lies in the way the “path” field is used in the Ingress routing definitions. A flaw in the validation of the inner path can lead to exposure of the service account token, which is used for authentication against the API server. 🚫

    Mitigation steps include updating NGINX to version 1.19 and enabling the “--enable-annotation-validation” command line configuration. 🛡️

    These vulnerabilities underscore the importance of securing ingress controllers, given their high privilege scope and potential exposure to external traffic.

    Source: ARMO Blog by Ben Hirschberg, CTO & Co-founder.

    Tags: #NGINX #Kubernetes #Vulnerability #CyberSecurity #IngressController #CVE2023 #CVE2022
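As an added example (not ARMO's or ingress-nginx's code), an audit over Ingress objects that flags the two annotations the post names and any path value outside a conservative character allowlist, so the risky configuration is caught in review or CI before it reaches a cluster. The allowlist, the sample objects and the function names are assumptions of the example; it complements rather than replaces the --enable-annotation-validation mitigation.

```python
import re

# Annotation names from the advisory (CVE-2023-5043 / CVE-2023-5044) under the
# ingress-nginx annotation prefix.
RISKY_ANNOTATIONS = {
    "nginx.ingress.kubernetes.io/configuration-snippet",
    "nginx.ingress.kubernetes.io/permanent-redirect",
}
# Conservative allowlist for spec.rules[].http.paths[].path; this is an assumption
# of the example, not the controller's own validation rule.
SAFE_PATH = re.compile(r"^/[A-Za-z0-9._~/-]*$")

def _ref(manifest):
    """namespace/name label used in findings."""
    meta = manifest.get("metadata", {})
    return f"{meta.get('namespace', 'default')}/{meta.get('name', '<unnamed>')}"

def audit_ingress(manifest):
    """Return findings for one Ingress object; an empty list means nothing was flagged."""
    findings = []
    ref = _ref(manifest)
    for key, value in (manifest.get("metadata", {}).get("annotations") or {}).items():
        if key in RISKY_ANNOTATIONS:
            findings.append(f"{ref}: annotation {key} set to {value!r}")
    for rule in manifest.get("spec", {}).get("rules", []):
        for entry in rule.get("http", {}).get("paths", []):
            path = entry.get("path", "/")
            if not SAFE_PATH.match(path):
                findings.append(f"{ref}: path {path!r} has characters outside the allowlist")
    return findings

def audit_all(manifests):
    """Audit a list of objects; only Ingress kinds are examined, only flagged ones are reported."""
    report = {}
    for m in manifests:
        if m.get("kind") != "Ingress":
            continue
        found = audit_ingress(m)
        if found:
            report[_ref(m)] = found
    return report

# Constructed sample objects (not real cluster data).
SAMPLE_CLEAN = {
    "kind": "Ingress",
    "metadata": {"name": "web", "namespace": "shop",
                 "annotations": {"kubernetes.io/ingress.class": "nginx"}},
    "spec": {"rules": [{"host": "shop.example.test",
                        "http": {"paths": [{"path": "/", "pathType": "Prefix"}]}}]},
}
SAMPLE_FLAGGED = {
    "kind": "Ingress",
    "metadata": {"name": "admin", "namespace": "shop",
                 "annotations": {"nginx.ingress.kubernetes.io/configuration-snippet":
                                 "more_set_headers 'X-Frame-Options: DENY';"}},
    "spec": {"rules": [{"http": {"paths": [{"path": "/admin;debug",
                                            "pathType": "ImplementationSpecific"}]}}]},
}

if __name__ == "__main__":
    for ref, found in audit_all([SAMPLE_CLEAN, SAMPLE_FLAGGED]).items():
        print(ref, *found, sep="\n  ")
```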

  5. "🚨 #CitrixBleed Exploit Unleashed! Hackers Hijack NetScaler Accounts 🚨"

    A new proof-of-concept (PoC) exploit for the 'Citrix Bleed' vulnerability (CVE-2023-4966) has emerged, enabling attackers to snatch authentication session cookies from susceptible Citrix NetScaler ADC and NetScaler Gateway appliances. This critical-severity flaw, which Citrix addressed on October 10, was exploited as a zero-day in limited attacks since late August 2023. Assetnote researchers have now shared an in-depth analysis of the exploitation method and even released a PoC exploit on GitHub. The vulnerability stems from an unauthenticated buffer-related issue, which, when exploited, can lead to buffer over-reads. By leveraging this flaw, attackers can retrieve session cookies, granting them unrestricted access to vulnerable devices. Given the public availability of this exploit, there's an anticipated surge in attacks targeting Citrix NetScaler devices. System admins are strongly urged to apply patches immediately.

    Source: BleepingComputer

    Tags: #Cybersecurity #Citrix #NetScaler #CVE2023 #Exploit #PoC #Assetnote #Vulnerability #InfoSec

    Author: Bill Toulas

  6. 🚨 #Cybersecurity Alert: DreamBus Botnet is back and exploiting a new vulnerability in RocketMQ servers (CVE-2023-33246) for remote code execution. Juniper Threat Labs reports multiple attacks installing the DreamBus malware.

    Key Points:

    Vulnerability Disclosure:

    • In May 2023, a vulnerability (CVE-2023-33246) was disclosed that affects RocketMQ servers and allows for remote code execution.

    Exploitation by DreamBus Botnet:

    • Juniper Threat Labs detected multiple attacks exploiting this vulnerability to install the DreamBus bot, a malware strain last seen in 2021.

    Attack Timeline:

    • Attacks began in early June and peaked in mid-June.
    • Attackers targeted the default port for RocketMQ (10911) and at least seven other ports.

    Reconnaissance and Malicious Activities:

    • Initial attacks used an open-source tool called 'interactsh' for reconnaissance.
    • From June 19th, attackers began using a malicious bash script named "reketed" to download and execute payloads.
    • Two methods were used for payload retrieval: TOR proxy service and a specific IP address.

    Technical Details:

    • The 'reketed' bash script downloads the DreamBus main module from a TOR hidden service.
    • Both 'reketed' and the DreamBus main module had zero detections on VirusTotal at the time of analysis.
    • The DreamBus main module is an ELF Linux binary packed with UPX, making static detection challenging.

    Malware Capabilities:

    • The malware can perform various functions like downloading other modules and sending notifications to the server.
    • It can send requests to different paths on the TOR onion service for various actions like pinging the server, downloading and executing the main module, installing a Monero miner, and executing bash scripts.

    Implications:

    • The attacks add complexity to potential forensic investigations and pose a significant threat to RocketMQ servers.

    The article provides a comprehensive look into the DreamBus botnet's resurgence, its exploitation of the RocketMQ vulnerability, and the technical intricacies involved in the attacks.

    Indicators of Compromise (IoCs) for DreamBus Botnet:


    Source: blogs.juniper.net/en-us/threat

    #InfoSec #DreamBus #RocketMQ #CVE2023-33246 #reketed 🛡️
