Week 27, July 3-9, 2023

Week 27, July 3-9, 2023. Cybersecurity Weekly Updates.

This week in the world of cybersecurity:

Around 330,000 FortiGate firewalls are reported to be still unpatched against CVE-2023-27997, a critical pre-authentication remote code execution flaw in FortiOS SSL-VPN, which leaves them exposed to anyone who can reach the VPN portal. On a related front, RedEnergy, a new "Stealer-as-a-Ransomware" threat, is actively targeting the Energy and Telecom sectors with considerable success; it first exfiltrates data and then encrypts systems and demands a ransom, so a single intrusion becomes both a breach and an outage. Furthermore, yet another critical vulnerability in MOVEit Transfer has been disclosed: an unauthenticated SQL injection tracked as CVE-2023-36934. Taken together, these stories show how urgent it is to keep up with patches for internet-facing systems; the potential impact of each of these flaws is severe.
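The practical question behind the FortiGate figure is whether a given FortiOS build is on or above the release that fixes CVE-2023-27997. The script below is an added example, not code from the newsletter or from Fortinet: it parses FortiOS version strings and classifies an inventory per release branch. The fixed-version table is this editor's reading of Fortinet's advisory FG-IR-23-097 and should be confirmed against the vendor's current advisory before anyone acts on it; the hostnames and build strings are constructed.

```python
# Added example (not from the newsletter or from Fortinet): triage FortiOS
# version strings against the releases that fix CVE-2023-27997.  The
# fixed-version table is this editor's reading of Fortinet advisory
# FG-IR-23-097 and should be confirmed against the vendor before use.
import re

# Assumed minimum fixed build per FortiOS branch (from FG-IR-23-097).
FIXED_IN = {
    (6, 0): (6, 0, 17),
    (6, 2): (6, 2, 15),
    (6, 4): (6, 4, 13),
    (7, 0): (7, 0, 12),
    (7, 2): (7, 2, 5),
    (7, 4): (7, 4, 0),
}

_VER_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """'v7.0.11,build9999' -> (7, 0, 11); None if the string is not a version."""
    m = _VER_RE.match(text.strip())
    return tuple(int(x) for x in m.groups()) if m else None


def assess(version_text, sslvpn_enabled=True):
    """Classify one device as patched / vulnerable / vulnerable-no-fix /
    not-exposed / unknown.  The flaw sits in SSL-VPN, so a device with
    SSL-VPN disabled is not reachable through it but still needs the update."""
    ver = parse_version(version_text)
    if ver is None:
        return "unknown"
    branch = ver[:2]
    if branch in FIXED_IN:
        status = "patched" if ver >= FIXED_IN[branch] else "vulnerable"
    elif branch < (6, 0):
        status = "vulnerable-no-fix"   # out-of-support branch, no fix listed
    else:
        status = "unknown"             # branch not covered by the table
    if status.startswith("vulnerable") and not sslvpn_enabled:
        return "not-exposed"
    return status


def triage(inventory):
    """inventory: iterable of (hostname, version_text, sslvpn_enabled)
    -> dict mapping status to the hostnames in that state."""
    report = {}
    for host, version_text, sslvpn in inventory:
        report.setdefault(assess(version_text, sslvpn), []).append(host)
    return report


if __name__ == "__main__":
    # Constructed sample inventory (hostnames and build strings are made up).
    sample = [
        ("fw-hq-1", "v7.0.11,build9999", True),
        ("fw-hq-2", "v7.0.12,build9999", True),
        ("fw-branch", "v6.4.12,build9999", False),
        ("fw-legacy", "v5.6.14,build9999", True),
    ]
    for status, hosts in sorted(triage(sample).items()):
        print(f"{status:18} {', '.join(hosts)}")
```

A device that lands in "not-exposed" is still unpatched; the status only records that the vulnerable SSL-VPN service is switched off, which is a mitigation, not a fix.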

 


Common Vulnerabilities and Exposures (CVEs)

This section highlights some CVEs whose CVSS scores fall in the critical range.

CVE-2023-34240
Cloudexplorer-lite is an open source cloud software stack. Versions prior to 1.2.0 did not enforce a password policy, so users could set weak passwords that are easily guessed and an easy target for brute-force attacks, which can lead to account takeover and compromise of the whole system. This has been fixed in version 1.2.0, and users are advised to upgrade. There are no known workarounds for this vulnerability.
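For readers wondering what "enforcing strong passwords" means in practice, the following is an added example of a server-side policy check of the kind a product needs before it stores a new password. It is not CloudExplorer Lite's code and the thresholds, the deny list and the function names are assumptions for illustration, not the values the project adopted in 1.2.0.

```python
# Added example (not CloudExplorer Lite's code): a server-side password
# policy of the kind whose absence before 1.2.0 is the CVE.  Thresholds and
# the deny list are assumptions for illustration, not the project's values.
import re

MIN_LENGTH = 12
# Constructed stand-in for a real breached-password list.
COMMON_PASSWORDS = {
    "password", "passw0rd", "123456", "12345678", "123456789", "qwerty",
    "admin", "admin123", "letmein", "welcome", "cloudexplorer",
}
_CLASSES = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")


def _has_run(s, length=4):
    """True if s contains `length` consecutive characters that ascend by one
    code point (abcd, 1234) or are all identical (aaaa)."""
    s = s.lower()
    for i in range(len(s) - length + 1):
        chunk = s[i:i + length]
        diffs = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if diffs == {1} or diffs == {0}:
            return True
    return False


def password_problems(password, username=""):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if sum(bool(re.search(p, password)) for p in _CLASSES) < 3:
        problems.append("needs at least 3 of: lowercase, uppercase, digit, symbol")
    low = password.lower()
    # Strip trailing digits/symbols so 'Password1!' is still caught as 'password'.
    base = re.sub(r"[^a-z]+$", "", low)
    if low in COMMON_PASSWORDS or base in COMMON_PASSWORDS:
        problems.append("in common-password list")
    if len(username) >= 3 and username.lower() in low:
        problems.append("contains the username")
    if _has_run(password):
        problems.append("contains a run of sequential or repeated characters")
    return problems


def is_strong(password, username=""):
    return not password_problems(password, username)
```

The check has to run on the server: a client-side meter can be bypassed by anyone sending the request directly, which is exactly the brute-force position the advisory describes.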

CVE-2023-3249
The Web3 – Crypto wallet Login & NFT token gating plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.6.0. This is due to incorrect authentication checking in the ‘hidden_form_data’ function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they know the username.
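The page does not show the plugin's code, so the following is an added illustration of the bug class only: a login handler that takes the identity from a form field instead of deriving it from a verified proof, which is what "log in as any user if you know the username" amounts to. A per-user HMAC over a server-issued nonce stands in for a wallet signature; the user table and keys are constructed.

```python
# Added illustration of the bug class behind CVE-2023-3249 (the plugin's
# own code is not on this page): a login handler that takes the identity
# from a form field instead of from a verified proof.  A per-user HMAC over
# a server-issued nonce stands in for a wallet signature.
import hashlib
import hmac
import secrets

# Constructed user table: the secret is what only that user's "wallet" holds.
USERS = {"alice": b"alice-wallet-key", "admin": b"admin-wallet-key"}
_pending_nonces = {}


def issue_nonce(username):
    """Server step 1: hand the client a fresh, single-use challenge."""
    nonce = secrets.token_hex(16)
    _pending_nonces[username] = nonce
    return nonce


def client_sign(key, nonce):
    """What a legitimate client does with its own key (stand-in for a wallet signature)."""
    return hmac.new(key, nonce.encode(), hashlib.sha256).hexdigest()


def vulnerable_login(form):
    """Only checks that the named user exists; whoever submits the form gets
    that user's session.  Knowing the string 'admin' is enough."""
    username = form.get("username")
    return username if username in USERS else None


def fixed_login(form):
    """Binds the identity to a proof: the signature must verify under the
    named user's key over the nonce this server issued for that user."""
    username = form.get("username")
    signature = form.get("signature", "")
    nonce = _pending_nonces.pop(username, None)   # single use; consumed on every attempt
    if username not in USERS or nonce is None:
        return None
    expected = hmac.new(USERS[username], nonce.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signature):
        return None
    return username
```

Two details carry the fix: the nonce is consumed even when verification fails, so a captured signature cannot be replayed, and the comparison is constant-time.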

CVE-2022-4059
The Cryptocurrency Widgets Pack WordPress plugin before 2.0 does not sanitise or escape a parameter before using it in a SQL statement that is reached through an AJAX action available to unauthenticated users, leading to an unauthenticated SQL injection.
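To make the class of bug concrete, here is an added example (not the plugin's code) of a lookup handler that drops a request parameter straight into a query, next to the parameterised version, run against a small SQLite table constructed inline. The two payloads show the two things an anonymous caller gets from such a handler: a bypassed filter and data from another column.

```python
# Added example of the injection class in CVE-2022-4059 (not the plugin's
# code): a request parameter concatenated into SQL by a handler that needs
# no login.  Uses an in-memory SQLite table constructed here.
import sqlite3


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE coins (id INTEGER PRIMARY KEY, symbol TEXT, api_key TEXT)")
    con.executemany("INSERT INTO coins VALUES (?, ?, ?)",
                    [(1, "BTC", "key-1111"), (2, "ETH", "key-2222")])
    return con


def vulnerable_lookup(con, coin_id):
    """Anonymous AJAX-style handler: `coin_id` lands in the query text as-is."""
    sql = f"SELECT symbol FROM coins WHERE id = '{coin_id}'"
    return [row[0] for row in con.execute(sql)]


def safe_lookup(con, coin_id):
    """Same query with a bound parameter; the value can never become SQL."""
    return [row[0] for row in
            con.execute("SELECT symbol FROM coins WHERE id = ?", (coin_id,))]


# Payloads an unauthenticated caller could send as the parameter.
BYPASS_PAYLOAD = "1' OR '1'='1"                       # every row instead of one
EXFIL_PAYLOAD = "' UNION SELECT api_key FROM coins --"  # a column the handler never meant to return
```

In a WordPress plugin the equivalent of the bound parameter is `$wpdb->prepare()`; the other half of the fix is remembering that an action registered under `wp_ajax_nopriv_` is reachable by anyone on the internet, so it must be written as if every input is hostile.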

CVE-2022-45141
Vulnerable Samba Active Directory DCs issue rc4-hmac encrypted tickets even when the target server supports stronger encryption types (e.g. aes256-cts-hmac-sha1-96). Since Microsoft disclosed the Windows Kerberos RC4-HMAC Elevation of Privilege Vulnerability on Nov 8 2022, and per RFC 8429, rc4-hmac is assumed to be weak, so a DC that downgrades tickets to it undermines the protection that the AES-capable service keys were supposed to provide.
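The observable symptom of this bug is a service ticket whose ticket encryption type is rc4-hmac for a service that has AES keys. The parser below is an added example, not part of the newsletter or of Samba: it reads MIT Kerberos `klist -e` output (where rc4-hmac is printed as arcfour-hmac) and lists the service principals whose tickets were issued under RC4. The ticket-cache listing is constructed.

```python
# Added example (not from the newsletter or from Samba): parse MIT `klist -e`
# output and flag tickets whose ticket enctype is rc4-hmac, which is what a
# DC affected by CVE-2022-45141 hands out for an AES-capable service.
import re

RC4_NAMES = {"arcfour-hmac", "arcfour-hmac-md5", "rc4-hmac", "rc4-hmac-md5"}

# Constructed `klist -e` output: one krbtgt ticket and two service tickets,
# one of which came back encrypted with RC4.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: alice@EXAMPLE.COM

Valid starting       Expires              Service principal
07/05/2023 09:00:00  07/05/2023 19:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\tEtype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
07/05/2023 09:00:05  07/05/2023 19:00:00  cifs/files.example.com@EXAMPLE.COM
\tEtype (skey, tkt): aes256-cts-hmac-sha1-96, arcfour-hmac
07/05/2023 09:00:09  07/05/2023 19:00:00  HTTP/web.example.com@EXAMPLE.COM
\tEtype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
"""

# A ticket line: two "date time" pairs followed by the service principal.
_TICKET_RE = re.compile(r"^\S+ \S+\s+\S+ \S+\s+(?P<spn>\S+)$")
# The -e detail line: session-key enctype, then ticket enctype.
_ETYPE_RE = re.compile(r"Etype \(skey, tkt\): (?P<skey>[\w-]+), (?P<tkt>[\w-]+)")


def parse_klist(text):
    """Return a list of {'spn', 'skey', 'tkt'} dicts, one per ticket."""
    tickets, current = [], None
    for line in text.splitlines():
        m = _TICKET_RE.match(line)
        if m and "/" in m.group("spn") and "@" in m.group("spn"):
            current = {"spn": m.group("spn"), "skey": None, "tkt": None}
            tickets.append(current)
            continue
        m = _ETYPE_RE.search(line)
        if m and current is not None:
            current.update(skey=m.group("skey"), tkt=m.group("tkt"))
    return tickets


def rc4_tickets(text):
    """Service principals whose ticket (not session key) enctype is RC4."""
    return [t["spn"] for t in parse_klist(text)
            if (t["tkt"] or "").lower() in RC4_NAMES]


if __name__ == "__main__":
    for spn in rc4_tickets(SAMPLE_KLIST):
        print("RC4 ticket issued for", spn)
```

The check deliberately looks at the ticket enctype rather than the session-key enctype: the ticket is what the DC encrypted under the service's key, so that field is where the downgrade shows. The parser only understands MIT's format; Windows `klist` prints enctypes differently (for example "RSADSI RC4-HMAC(NT)") and would need its own pattern.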

 


Recent Tools and Techniques

These are some of the recent tools and techniques in the cyber-security sphere that have captured my attention.

Ghidralligator – A Multi-Architecture Pcode Emulator for Embedded Fuzzing

Ghidralligator is a C++ multi-architecture pcode emulator built on Ghidra's libsla library and designed for fuzzing with AFL++. It specialises in emulating exotic architectures so that arbitrary code snippets can be fuzzed, and it can support virtually any architecture for which a Sleigh specification file exists. It sits between full-featured emulators that need substantial setup and "black-box" emulators with limited extensibility, and it is primarily used for vulnerability research in closed-source binaries, notably embedded-device applications and firmware running on unusual architectures. As the successor to afl_ghidra_emu, it runs significantly faster and adds heap memory-corruption detection (an ASAN-like mode) that can catch a broad range of memory-safety bugs. It is built and tested against the Ghidra 10.1.5 decompiler sources and may not be fully compatible with other versions.

Pyrrha – A Tool for Firmware Cartography and Visualization

Pyrrha is a filesystem cartography tool aimed at visualisation and correlation, currently focused on mapping the relationships between the executable files in a firmware image. It uses the open-source code explorer Sourcetrail as its front end, so the resulting map can be browsed and searched much like a code base. Although its present functionality is limited to executable-file relationships, Pyrrha is designed to eventually map and visualise other kinds of relationships as well; its immediate value is in giving an understandable picture of how the binaries in a large firmware image depend on one another before you start reversing any single one of them.

TakeMyRDP – A Keystroke Logger for RDP-related Processes

TakeMyRDP installs a low-level keyboard hook (the Windows WH_KEYBOARD_LL hook type, registered with SetWindowsHookEx) and records keystrokes only while an RDP-related process such as ‘mstsc.exe’ or ‘CredentialUIBroker.exe’ has keyboard focus, that is, while a user is typing into a Remote Desktop client or its credential prompt. In practice this makes it a post-exploitation credential-harvesting tool: the keystrokes it captures are the passwords for the remote hosts the victim connects to. Because it is an ordinary user-mode hook it needs no driver, so defenders should watch for unexpected processes installing low-level keyboard hooks and, more generally, treat any RDP credentials typed on a workstation that may be compromised as exposed.

 


That’s a wrap on this week’s edition of the Cyber-Security Update. Remember, the cyber-security landscape is ever-changing, and staying informed is your primary defense. Hopefully, the insights and information shared today will assist in navigating this complex domain and in strengthening defenses against potential threats. Stay vigilant, stay informed, and look forward to more insights into the world of cyber-security in next week’s edition.

To stay in sync with the weekly cyber-security roundups, remember to subscribe to the newsletter and follow on social media platforms. If there are any questions or specific topics you’d like to see covered, don’t hesitate to get in touch.

 
