One of the most popular WordPress backup plugins, UpdraftPlus, has released a set of updates, x.22.3, which contain a potentially significant fix for CVE-2022-23303. This vulnerability exposes existing backups to any logged in WordPress user. This bug was found by the guys at Jetpack, who have a nice description about it. This is a combination of instances of a common problem: endpoints lacking proper authentication. The heartbeat function allows any user to access it and returns the last saved nonce.
A cryptographic nonce is a value that is not exactly a cryptographic secret, but is only used once. In some cases, this is used to mitigate replay attacks or is used as an initialization vector. In the case of UpdraftPlus, the nonce functions as a unique identifier for individual backups. Data leakage can be combined with another weak validation in the
maybe_download_backup_from_email() function, to allow a backup to be downloaded. As WordPress backups will contain sensitive information, that’s the whole point. There are no known instances of this attack in the wild, but as always, update now to stay ahead of the game.
It wouldn’t be surprising to find that many of us use the Termux app on Android. It’s almost as good as installing a real Linux distribution for command line tools, and even running some graphical Linux applications. What you might not know is that the version on the Google Play Store is very outdated, due to an Android security policy change in Android 10. It was just annoying, but now it’s c It’s a real problem, because a series of vulnerabilities have been announced in the Termux application. The two most serious problems require the
Termux:Widget add-ons, respectively. Tasker didn’t have a permission set to allow execution via intents, so any other app could trigger a command. On top of that, there was a trivial directory traversal attack, so this command could reference any binary that Termux could access.
The Widget issue is similar, but this app had at least one authentication token that was checked on incoming intents. The problem is that with a valid token, any command can be executed. In addition to this, the third vulnerability was a file permission issue, where any application could read Termux files, including issued tokens. There is another issue to consider, when considering the severity of this bug, and that is rooted phones. If you run a
su binary and you have granted root permissions to Termux, the above vulnerabilities are suddenly much more severe.
Magento and Adobe Commerce
There is a really nasty vulnerability in the Magento project, and by extension, Adobe Commerce. CVE-2022-24086 was announced on February 13 as an RCE accessible without authentication. Worse, it appears to be quite simple to exploit, although an accurate PoC has yet to be made public. Adobe patched the vulnerability, and within days researchers bypassed their patch, resulting in the release of CVE-2022-24087. Sansec researchers have seen attacks in the wild before. Fix now and examine any Magento installation very closely for potential malware.
A new patch has been released for Magento 2, to mitigate pre-authenticated remote code execution. If you patched with the first patch, THAT IS NOT SUFFICIENT to be sure.
Please update again! https://t.co/vtYj9Ic6ds@ptswarm (as you had a PoC too!)#magento
— Blaklis (@Blaklis_) February 17, 2022
More Qualsys findings
Qualsys has found another set of vulnerabilities, this time in
snap-confine. The most important is CVE-2021-44731, a race condition that can cause elevation of privilege, which works in most default configurations.
snap-confine is another setuid binary, which can be run by unprivileged users, but automatically gets root privileges to run. The problem stems from the instant mounting of its own temporary directory on the system
/tmp location, but not properly checking symlinks.
By making a change to the
/tmp directory when mounted, arbitrary folder locations are accessible from the snap-in, but with modified access controls inherited from the snap-in. One impressive technique they demonstrated during the attack is to put
snap-confine in a debug mode and then in one step running the program. It’s definitely a way to guarantee your achievement wins the race.
Thunderbird, Strlen and Single Byte overflows
Mozilla Thunderbird has an unusual vulnerability, fixed in version 91.6.1. CVE-2022-0566 is tracked internally as bug 1753094 and so far has a maximum impact of a one-byte buffer overflow. Turning this into an achievement would be quite difficult, but we’ve seen stranger things. If anything, I would expect this to be chained with another bug to get something more interesting, but so far it seems no one has nailed this. As always, update ASAP!
The Red Cross targeted
The International Committee of the Red Cross released an announcement that one of their systems was hacked in November. The attackers used CVE-2021-40539, an authentication bypass in the Zoho Active Directory infrastructure. A database of over 500,000 contacts was exposed and likely exfiltrated. What is particularly interesting here is that it appears to be a highly targeted attack and no ransomware was deployed. What exactly prompted the attack is unclear at this stage, but the ICRC stresses that it was likely carried out by an APT.
While a pfSense RCE sounds like a nightmare scenario, it’s not quite time to hit the panic button. This vulnerability requires access to the web interface as an authenticated user. The flaw is the improper sanitization of user input, which is then executed through the
sed order. This can be turned into an exploit by writing arbitrary data to the filesystem and using it to add a webshell. The issue has been fixed in pfSense CE 2.6.0 and pfSense Plus 22.01.