| title | date | draft | logo |
|---|---|---|---|
Feb 05, 2023 |
2023-02-05 00:00:00 +0545 |
false |
images/infosec/default.png |
{{< toc >}}
Two new supply chain security weaknesses have been discovered in AMI MegaRAC Baseboard Management Controller (BMC) software, over two months after three security faults in the same product were discovered. The flaws, dubbed BMC&C, might serve as a launching pad for cyber assaults, allowing threat actors to get remote code execution and illegal device access with superuser privileges. The two new faults at issue are as follows: CVE-2022-26872 (CVSS score: 8.3) - Password reset interception via API CVE-2022-40258 and (CVSS score: 5.3) - Weak password hashes for Redfish and API. MegaRAC, in particular, has been discovered to employ the MD5 hashing technique with a global salt for older devices, and SHA-512 with per user salts for later appliances, possibly allowing a threat actor to crack the passwords. CVE-2022-26872, on the other hand, uses a social engineering attack to trick a user into starting a password reset and setting a password of the adversary's choosing.CVE-2022-26872 and CVE-2022-40258 join three additional December vulnerabilities: CVE-2022-40259 (CVSS score: 9.8), CVE-2022-40242 (CVSS score: 9.8), and CVE-2022-2827 (CVSS score: 7.5).It's worth noting that the flaws can only be exploited if the BMCs are accessible to the internet or if the threat actor has already achieved initial access to a data center or administrative network via other means. The BMC&C blast radius is presently unknown, however Eclypsium stated that it is working with AMI and other stakeholders to assess the breadth of impacted goods and services. Updates have been published by Gigabyte, Hewlett Packard Enterprise, Intel, and Lenovo to fix security flaws in their devices. NVIDIA plans to provide a patch in May 2023.
AMI MegaRAC BMC Software
https://thehackernews.com/2023/02/additional-supply-chain-vulnerabilities.html
Update the app to the latest version for products listed as supply chain as soon as possible.
CVE-2022-26872 CVE-2022-40258
A high-severity vulnerability in F5 BIG-IP, tracked as CVE-2023-22374, can be exploited to cause a DoS condition and potentially lead to arbitrary code execution. A format string vulnerability exists in iControl SOAP that allows an authenticated attacker to crash the iControl SOAP CGI process or, potentially execute arbitrary code. In appliance mode BIG-IP, a successful exploit of this vulnerability can allow the attacker to cross a security boundary. (CVE-2023-22374). At this time, there is no available patch to address this vulnerability, however, F5 announced that it is working on an engineering hotfix that is available for supported versions of the BIG-IP system. This vulnerability can be exploitable only by an authenticated user. The vulnerability has been rated with a CVSS score of 7.5 for standard mode deployments and 8.5 in appliance mode.
F5 BIG-IP 17.0.0 F5 BIG-IP 16.1.2.2 – 16.1.3 F5 BIG-IP 15.1.5.1 – 15.1.8 F5 BIG-IP 14.1.4.6 – 14.1.5 F5 BIG-IP 13.1.5
https://securityaffairs.com/141728/security/f5-big-ip-bug.html
Restrict access to the management port to only trusted individuals.
CVE-2023-22374
VMware ESXi hypervisors have become the focus of a new set of attacks aimed at deploying ransomware on systems that have been compromised. The Computer Emergency Response Team of France stated in a recent advisory that the attacks seem to exploit the CVE-2021-21974 vulnerability, which has had a patch available since February 23, 2021. VMware also issued an alert describing the issue as an OpenSLP heap-overflow vulnerability that could result in the execution of arbitrary code. If a malicious actor gains access to port 427 within the same network segment as ESXi, they may be able to trigger the heap-overflow issue in the OpenSLP service and execute code remotely, according to VMware. The cloud services provider OVHcloud reported that the attacks are being detected globally with a focus on Europe, and it is believed that the intrusions are linked to a new Rust-based ransomware strain called Nevada, which appeared in December 2022. Other ransomware families, such as BlackCat, Hive, Luna, Nokoyawa, RansomExx, and Agenda, have also recently adopted Rust. According to Resecurity, the group behind the Nevada Ransomware is inviting both Russian- and English-speaking affiliates to work with a large number of Initial Access Brokers in the dark web. Additionally, the group is also buying compromised access and has a dedicated team for post-exploitation and network intrusions into targeted systems.
Hypervisor, System, VMware
https://thehackernews.com/2023/02/new-wave-of-ransomware-attacks.html
Users are recommended to upgrade to the latest version of ESXi to mitigate potential threats as well as restrict access to the OpenSLP service to trusted IP addresses.
CVE-2021-21974
Tracked as CVE-2023-20076, the high-severity command injection vulnerability impacts all Cisco devices running IOS XE Software with the 10x feature enabled. The vulnerability is the result of Interface settings in DHCP Client ID not being correctly sanitized leading to command injection. The malicious package deployed by an attacker through deploy and activation of an application in the Cisco 10x application hosting environment will run until the device is factory reset or deleted. Furthermore, the vulnerability is capable of bypassing mitigations to prevent persistence across reboots and system resets. In addition to this high-severity vulnerability, the researchers identified a security check bypass during tar archive extraction which allows an attacker to write on the underlying host operating system as root.
CISCO
Customers are advised to update their CISCO products as soon as possible.
CVE-2023-20076
Researchers have warned about a rise in exploitation attempts using a now-patched vulnerability in Realtek Jungle SDK since August 2022. The ongoing campaign has recorded 134 million attempts, with 97% happening in the past 4 months, mostly originating from the US, followed by Vietnam, Russia, and other countries. The vulnerability, known as CVE-2021-35394, allows for buffer overflows and arbitrary command injection that can take over affected devices. The issue affects various devices from different companies and has resulted in the distribution of three types of payloads, including malware-downloading scripts, binary payload-executing commands, and denial-of-service causing commands. The exploitation has also delivered known botnets like Mirai and new ones like RedGoBot. Updating software in a timely manner is crucial to avoid potential threats. Supply chain vulnerabilities can be difficult for users to identify and resolve
Realtek Jungle SDK
https://thehackernews.com/2023/01/realtek-vulnerability-under-attack-134.html
Keep software up to date. Use strong passwords and secure authentication methods. Regularly monitor network activity and look for suspicious behavior. Keep anti-virus and anti-malware software up to date.
CVE-2022-42475