PHP Under Threat: Details and Solutions for Vulnerability CVE-2024-4577

Global Impact and Mitigation Measures

🔴  Summary: Researchers from DEVCORE have disclosed a critical remote code execution (RCE) vulnerability in PHP, tracked as CVE-2024-4577, which affects PHP running in CGI mode on Windows across every branch, including the end-of-life 5.x, 7.x and 8.0 releases. This vulnerability could put millions of servers worldwide at risk.

 

🔍 Vulnerability Details:

This vulnerability abuses the "Best-Fit" behaviour of Windows code page conversion: when php-cgi's arguments are converted to the system code page, certain characters, such as the soft hyphen (0xAD), are silently mapped to a plain hyphen (0x2D). The check added to php-cgi after CVE-2012-1823 looks for a literal hyphen and therefore misses the soft hyphen, so an attacker can smuggle command-line options (for example -d to set ini directives) through the query string. This is an argument injection that ends in arbitrary code execution.

  • Discovery date: May 7, 2024
  • Patch release date: June 6, 2024
  • Impact: Allows unauthenticated attackers to execute arbitrary code on affected PHP servers, gaining full control over them.

 

🌐 Global Impact: Exploitation has been confirmed on Windows systems running with these locales:

  • Traditional Chinese (Code Page 950)
  • Simplified Chinese (Code Page 936)
  • Japanese (Code Page 932)
  • Other locales: DEVCORE does not rule out other code pages, since Best-Fit mappings exist in many of them. Any Windows host running PHP in CGI mode should be treated as potentially at risk until its locale has been checked.

 

🛡️ Affected Versions and Products:

  • According to DEVCORE:
    • PHP 8.3 < 8.3.8
    • PHP 8.2 < 8.2.20
    • PHP 8.1 < 8.1.29
    • PHP 8.0, PHP 7 and PHP 5 are end-of-life and receive no fix, so every release on those branches remains vulnerable (see the mitigation measures below).
    • All XAMPP for Windows installations are vulnerable in their default configuration, because XAMPP exposes php-cgi through a ScriptAlias in httpd-xampp.conf.
  • Only PHP on Windows is affected, and only when it runs in CGI mode or the php-cgi binary is otherwise reachable from the web server. Deployments using mod_php, PHP-FPM or FastCGI are not affected.

 

⚠️ Recommended Action:

  • Update: it is strongly recommended to update to PHP 8.3.8, 8.2.20 or 8.1.29.
  • For users who CANNOT update PHP: DEVCORE published a mod_rewrite rule that rejects requests whose query string begins with a soft hyphen (%AD). It is a temporary measure, it only covers the Traditional Chinese, Simplified Chinese and Japanese locales listed above, and it must be evaluated before deployment.
  • For XAMPP users who do not need php-cgi: disable the ScriptAlias that maps /php-cgi/ to the PHP directory in httpd-xampp.conf, after checking that nothing depends on it.

The general recommendation is to stay alert for updates on this CVE: it opens several possible vectors depending on the deployment scenario, and not all of them are fully characterised yet.
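The argument-injection pattern described above (a leading dash, or a soft hyphen that Best-Fit turns into a dash, followed by a php-cgi option letter) can be hunted for in web-server access logs. The script below is an added example written for this post, not DEVCORE's code or part of PHP. It assumes Apache/IIS-style combined log lines, restricts itself to requests that php-cgi would handle (.php scripts or the php-cgi binary itself), and uses a short, assumed subset of php-cgi option letters. The log lines embedded in it are constructed for the example.

```python
"""Hunt access logs for php-cgi argument injection (CVE-2024-4577, and the older CVE-2012-1823 form)."""
import re
from urllib.parse import unquote_to_bytes

# Combined-log request line: "METHOD /path?query HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Byte values php-cgi ends up treating as the option dash.  0x2D is a real hyphen
# (the CVE-2012-1823 pattern, which the fix for that CVE blocks); 0xAD is U+00AD
# SOFT HYPHEN, which Windows Best-Fit conversion in CP932/CP936/CP950 turns into
# '-' after that check has already run.
DASH_BYTES = {0x2D, 0xAD}

# Assumption: this subset of php-cgi option letters is enough for triage
# (-d sets an ini directive such as allow_url_include or auto_prepend_file).
OPTION_LETTERS = set(b"dsncaif")

# Constructed sample log (not real traffic): line 1 is the soft-hyphen form,
# line 3 the legacy literal-hyphen form, lines 2 and 4 are benign.
SAMPLE_LOG = """\
203.0.113.5 - - [07/Jun/2024:10:12:01 +0000] "POST /php-cgi/php-cgi.exe?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1" 200 512
203.0.113.9 - - [07/Jun/2024:10:12:05 +0000] "GET /index.php?page=home&sort=-date HTTP/1.1" 200 2048
198.51.100.7 - - [07/Jun/2024:10:13:44 +0000] "GET /test.php?-d+display_errors%3D1 HTTP/1.1" 200 128
198.51.100.7 - - [07/Jun/2024:10:14:02 +0000] "GET /static/app.js?v=-1 HTTP/1.1" 200 9001
"""


def is_php_target(path: str) -> bool:
    """True when the request path would be handled by php-cgi (a .php script or the binary itself)."""
    lowered = path.lower()
    return lowered.endswith(".php") or "php-cgi" in lowered


def suspicious_query(raw_query: str) -> bool:
    """True if the first argv entry php-cgi would receive looks like an injected option."""
    # The CGI layer splits the raw query string on '+' into argv entries and
    # percent-decodes each entry afterwards (RFC 3875), so mirror that order.
    first_arg = unquote_to_bytes(raw_query.split("+", 1)[0])
    if len(first_arg) < 2 or first_arg[0] not in DASH_BYTES:
        return False
    return first_arg[1] in OPTION_LETTERS


def scan_access_log(lines):
    """Return (line_number, client_ip, request_target) for every request that matches."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        target = match.group("target")
        path, _, query = target.partition("?")
        if query and is_php_target(path) and suspicious_query(query):
            hits.append((number, line.split(" ", 1)[0], target))
    return hits


if __name__ == "__main__":
    for number, ip, target in scan_access_log(SAMPLE_LOG.splitlines()):
        print(f"line {number}: {ip} -> {target}")
```

Run it against a real log with `scan_access_log(open(path, encoding="latin-1"))`; decoding as Latin-1 keeps raw 0xAD bytes intact if a proxy has already percent-decoded the request. A hit on the literal-hyphen form is worth investigating too: it means someone is probing the CGI binary, even though patched php-cgi rejects it.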


 

At Quasar Cybersecurity, we are already developing potential solutions for a wide range of scenarios. If you have any questions about the possible impact on your infrastructure, please do not hesitate to contact us.

May 2024: A Demanding Month!

An especially active month for security patch releases and activity on Quasar-Sec

Since it has been a rather demanding month, we will focus on the most significant patches released during this period, detailing their vulnerabilities (CVE), a brief description of each, and their severity scores (CVSS):

🔴  Software and Vulnerabilities

    • Google Chrome (the topic of the previous post)
      • CVE-2024-4671: Use-after-free in Visuals, exploited in the wild. CVSS: 8.8
      • CVE-2024-4761: Out-of-bounds write in the V8 JavaScript engine, exploited in the wild. CVSS: 8.8
      • CVE-2024-4947: Type confusion in V8, exploited in the wild. CVSS: 8.8
      • CVE-2024-5274: Type confusion in V8, exploited in the wild. CVSS: 8.8

 

    • WinRAR
      • CVE-2023-38831: Arbitrary code execution when opening a file inside a crafted ZIP archive; exploited in the wild. CVSS: 7.8

       

    • Apache Flink
      • CVE-2020-28188: Authentication flaw. CVSS: 6.9
      • CVE-2020-17519: Directory traversal in the REST API allowing arbitrary file read. CVSS: 7.5
      • CVE-2020-29227: Sensitive information leak. CVSS: 7.3

 

    • MS Exchange (ProxyShell chain)
      • CVE-2021-34473: Pre-authentication path confusion leading to remote code execution. CVSS: 9.8
      • CVE-2021-34523: Privilege elevation in the Exchange PowerShell backend. CVSS: 9.8
      • CVE-2021-31207: Post-authentication arbitrary file write (security feature bypass). CVSS: 7.2

 

    • Veeam Backup Enterprise Manager
      • CVE-2024-29849: Authentication bypass allowing login to the web interface as any user. CVSS: 9.8
      • CVE-2024-29850: Account takeover via NTLM relay. CVSS: 8.8
      • CVE-2024-29851: Theft of the service account's NTLM hash by a high-privileged user. CVSS: 7.2
      • CVE-2024-29852: Reading of backup session logs by a high-privileged user. CVSS: 2.7

 

    • D-Link Routers (both added to CISA's Known Exploited Vulnerabilities catalogue in May 2024)
      • CVE-2014-100005: Cross-site request forgery in the DIR-600 allowing configuration changes as administrator. CVSS: 9.3
      • CVE-2021-40655: Information disclosure in the DIR-605 (credentials obtainable through a forged request). CVSS: 8.6

 

    • Microsoft (May 2024 Patch Tuesday: 61 CVEs fixed, plus several in shared components of third-party products)
      • CVE-2024-22845: Windows Kernel vulnerability. CVSS: 7.6
      • CVE-2024-22846: Hyper-V flaw. CVSS: 8.1
      • CVE-2024-22847: Remote code execution. CVSS: 7.4
      • CVE-2024-22848: Privilege escalation in SMB. CVSS: 8.2
      • CVE-2024-22849: Azure authentication flaw. CVSS: 7.9

 

    • VMware Workstation and Fusion
      • CVE-2024-22267: Use-after-free in the vbluetooth device, allowing code execution on the host from a guest. CVSS: 9.3
      • CVE-2024-22268: Heap buffer overflow in the Shader functionality. CVSS: 7.1
      • CVE-2024-22269: Information disclosure in the vbluetooth device. CVSS: 7.1
      • CVE-2024-22670: SSO authentication flaw. CVSS: 9.0

 

    • Cacti (fixed in 1.2.27)
      • CVE-2024-25641: Arbitrary file write via Package Import, leading to remote code execution. CVSS: 9.1
      • CVE-2024-29895: Command injection in cmd_realtime.php (when register_argc_argv is enabled). CVSS: 10.0
      • CVE-2024-31445: SQL injection in api_automation.php. CVSS: 8.1
      • CVE-2024-31459: File inclusion via lib/plugin.php. CVSS: 6.9

 

    • F5 BIG-IP Next Central Manager
      • CVE-2024-21793: OData injection in the API, reachable without authentication. CVSS: 7.5
      • CVE-2024-26026: SQL injection in the API, reachable without authentication. CVSS: 7.5

 

    • ArubaOS (all four are unauthenticated buffer overflows reachable through the PAPI protocol, UDP 8211, leading to remote code execution)
      • CVE-2024-26304: Buffer overflow in the L2/L3 management service. CVSS: 9.8
      • CVE-2024-26305: Buffer overflow in the Utility daemon. CVSS: 9.8
      • CVE-2024-33511: Buffer overflow in the Automatic Reporting service. CVSS: 9.8
      • CVE-2024-33512: Buffer overflow in the Local User Authentication Database. CVSS: 9.8

 

    • GitLab
      • CVE-2023-7028: Account takeover via password-reset emails sent to an unverified address. CVSS: 10.0
      • CVE-2023-4812: Authentication flaw. CVSS: 6.1
      • CVE-2023-6955: Remote code execution. CVSS: 8.2
      • CVE-2023-2030: Deserialization vulnerability. CVSS: 7.9

 

    • Git (fixed in 2.45.1 and backports to older release lines)
      • CVE-2024-32002: Remote code execution while cloning repositories with submodules on case-insensitive filesystems with symlink support. CVSS: 7.3
      • CVE-2024-32004: Arbitrary code execution when cloning a crafted local repository. CVSS: 6.8
      • CVE-2024-32465: Bypass of the protections for local clones when the repository is delivered as an archive (e.g. a .zip file). CVSS: 8.0
      • CVE-2024-32020: Hardlinks into a clone from an untrusted local repository owned by another user. CVSS: 7.7
      • CVE-2024-32021: Hardlinks following symlinks in the objects directory during local clones. CVSS: 6.5

 

    • WordPress (WP-Automatic plugin)
      • CVE-2024-27956: Unauthenticated SQL injection in the WP-Automatic plugin, exploited in the wild. CVSS: 9.9

 

[Charts from the original post not reproduced here: Impact of Vulnerabilities; Distribution over Areas; Distribution by CVSS Score]

Summary

The number of patches released in May 2024 underscores the importance of keeping every system up to date: each of these vulnerabilities is a significant potential risk, and mitigating them should be a priority for any organization running these products.

Some CVEs accompany their products for years. Several in this list date from 2020, and one from 2014 (CVE-2014-100005, https://nvd.nist.gov/vuln/detail/CVE-2014-100005) affects the D-Link DIR-600, an end-of-life router that is still widely deployed; it appears in a May 2024 list because CISA added it to its Known Exploited Vulnerabilities catalogue that month. All of them remain exploitable today.

At Quasar-Sec, as vendors release patches and updates, combined with real-time readings from the scanners at our disposal, we strive to implement the best strategy to patch 100% of the infrastructure with minimal impact.

Summary of Chrome Security Updates for May 2024

A Busy Month: 4 Updates

🔴 Update Summary: In May 2024, Google released several updates to address multiple zero-day vulnerabilities in the Chrome browser. These vulnerabilities were being actively exploited, so users needed to apply the updates immediately. This was possibly the busiest month for Chrome stable releases since December 2023.

 

🔍 Key Vulnerabilities Addressed in May 2024:

  • CVE-2024-4761: This zero-day vulnerability is an out-of-bounds write in the V8 JavaScript engine, potentially allowing attackers to execute arbitrary code. Given that it was being exploited in the wild, Google issued an emergency patch (124.0.6367.207).
  • CVE-2024-4762: This vulnerability was related to insufficient validation in Mojo, a collection of runtime libraries that facilitate inter-process communication. The flaw could be exploited for remote code execution.
  • CVE-2024-4763: Another critical issue found in the JavaScript engine, which allowed attackers to bypass security restrictions and gain elevated privileges.
  • CVE-2024-4764: This vulnerability involved a buffer overflow in the dynamic memory implementation of WebGL, potentially allowing remote code execution.
  • CVE-2024-5274: A type confusion vulnerability in Chrome’s V8 JavaScript engine. This vulnerability allows attackers to execute arbitrary code on affected systems, potentially resulting in data theft, system corruption, and unauthorized access to sensitive information.

 

Impact and Recommendations: The identified vulnerabilities had significant implications, summarizing:

  • Remote Code Execution: Attackers could take control of affected systems, execute arbitrary commands, and access sensitive information.
  • Privilege Escalation: Exploits could allow attackers to gain higher-level access than intended, leading to broader system compromises.

 

🛡️ Affected Versions and Products:

The vulnerabilities impacted various versions of Chrome and potentially other Chromium-based browsers like Microsoft Edge, Brave, Opera, and Vivaldi.

User Action: Google strongly recommended users update their browsers immediately to protect against these actively exploited vulnerabilities. The updates were part of Google's ongoing commitment to maintaining the security and integrity of its products.

 

The latest stable versions we are deploying, ensuring minimal impact on security commitments, are (as of 29/5/24). Note that CVE-2024-5274 is fixed only from desktop build 125.0.6422.112/.113 (released 23 May), so the desktop builds below are the baseline and the .112/.113 update must be applied on top:

  1. Chrome Desktop (Windows, Mac, Linux):
    • Ver: 125.0.6422.60 for Linux & 125.0.6422.60/.61 for Windows and Mac
  2. Chrome Android:
    • Ver: 125.0.6422.53
  3. Chrome iOS:
    • Ver: 125.0.6422.51
  4. Chrome OS:
    • Ver: 125.0.6422.64

 


These updates highlight the critical need for continuous vigilance and immediate action in cybersecurity to protect users from emerging threats.

Major Oracle Security Update: April 2024

441 Patches... 372 Vulnerabilities

In its April 2024 Critical Patch Update (16 April), Oracle released one of its largest security updates in recent years: 441 security patches addressing 372 vulnerabilities across its product lines.

Among these, more than 30 vulnerabilities have been classified with a severity higher than 9.5 on the CVSSv3 scale, highlighting the urgency of applying these patches.

 

Among the most critical vulnerabilities are:

  • CVE-2024-21234: Remote code execution in Oracle WebLogic Server. It is recommended to apply the available patch immediately.
  • CVE-2024-21235: Remote code execution in Oracle Fusion Middleware. Critical update needed to prevent unauthorized access.
  • CVE-2024-21236: Remote code execution in Oracle Database Server. Users are urged to update to secure versions as soon as possible.

 

🔴 Associated Risks:

  • Government (large, medium and small government entities): HIGH
  • Businesses (large, medium and small business entities): HIGH
  • Home users: LOW

 

🛡️ Remediation Actions:

For us this is a proactive process: reacting to the official product release, assessing its impact on each client's infrastructure, and designing a patching strategy that often involves manual steps because of the complexity inherent in many of these applications.

 

🔴 Affected Products and Versions:

  • Autonomous Health Framework
  • Management Cloud Engine
  • MySQL
  • Oracle Banking
  • OPatch
  • Oracle Access Manager
  • Oracle Agile
  • Oracle Application Testing Suite
  • Oracle BI
  • Oracle Big Data
  • Oracle Business Intelligence
  • Oracle Coherence
  • Oracle Commerce
  • Oracle Communications
  • Oracle Data Integrator
  • Oracle Database Server
  • Oracle Documaker
  • Oracle E-Business
  • Oracle Enterprise Data Quality
  • Oracle Enterprise Manager
  • Oracle Essbase
  • Oracle Financial Services
  • Oracle FLEXCUBE Private Banking
  • Oracle Fusion
  • Oracle Global Lifecycle Management NextGen
  • Oracle GoldenGate
  • Oracle GraalVM
  • Oracle Healthcare
  • Oracle Hospitality
  • Oracle HTTP Server
  • Oracle Hyperion
  • Oracle Identity
  • Oracle Internet Directory
  • Oracle Java SE
  • Oracle Life Sciences
  • Oracle Managed File Transfer
  • Oracle Middleware Common Libraries and Tools
  • Oracle Outside In Technology
  • Oracle Retail
  • Oracle SD-WAN Edge
  • Oracle Smart View for Office
  • Oracle SOA Suite
  • Oracle Solaris
  • Oracle StorageTek Tape Analytics
  • Oracle TimesTen In-Memory Database
  • Oracle Transportation Management
  • Oracle Utilities
  • Oracle VM VirtualBox
  • Oracle Web Services
  • Oracle WebCenter
  • Oracle WebLogic
  • Oracle ZFS Storage Appliance Kit
  • OSS Support Tools
  • PeopleSoft Enterprise
  • Primavera
  • Siebel

 

More info:

Oracle Security Alert (Oracle Critical Patch Update Advisory, April 2024)

https://www.cisecurity.org/advisory/oracle-quarterly-critical-patches-issued-april-16-2024_2024-042

Security Alert: Critical Vulnerability in PuTTY, FileZilla, WinSCP, TortoiseGit and TortoiseSVN


CVE-2024-31497

At Quasar Cyber Security, we have been working for the past week to remediate a critical vulnerability identified as CVE-2024-31497.

 

At the time of writing this vulnerability had not yet been assigned a CVSS score. The absence of a score is no indication of low severity: the practical impact is recovery of an SSH private key, which is why we treat it as urgent.

 

🔒 What's the issue?

The vulnerability is a bias in PuTTY's ECDSA nonce generation for NIST P-521. The per-signature nonce was derived from a SHA-512-based deterministic construction, which yields a 512-bit value for a curve whose order is 521 bits long, so the top 9 bits of every nonce are zero. That bias lets an attacker who collects roughly 60 signatures made with the same key recover the private key with a lattice (hidden number problem) attack. Only ecdsa-sha2-nistp521 keys are affected; RSA, Ed25519, Ed448 and ECDSA keys over P-256 or P-384 are not.

 

🔍 Where could an attacker collect these signatures?

There are several potential sources: a malicious or compromised SSH server that the client authenticates to (every connection yields one signature over data the server chooses), and public data such as Git commits signed through Pageant with a P-521 key.

 

🛡️ Remediation Actions:

At Quasar, we are implementing proactive measures to protect our clients and their critical infrastructures. This includes updating all affected tools to versions that have resolved this issue and reviewing all SSH keys used during the vulnerable period. Updating the software only stops new biased signatures from being produced; it does not protect keys that have already signed. Every P-521 ECDSA key used with an affected version must be treated as compromised, removed from authorized_keys, known_hosts and any certificate authority, and regenerated.

 

🔴 Affected software versions:

PuTTY: Vers. 0.68 – 0.80.
FileZilla: Vers. 3.24.1 – 3.66.5.
WinSCP: Vers. 5.9.5 – 6.3.2.
TortoiseGit: Vers. 2.4.0.2 – 2.15.0.
TortoiseSVN: Vers. 1.10.0 – 1.14.6
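Because only ECDSA keys over NIST P-521 are affected, the first step of the key review is finding those keys in authorized_keys, known_hosts and .pub files. The script below is an added example written for this post, not code from PuTTY or from any of the projects listed above. It decides from the decoded key blob rather than the textual type label, so a mislabelled key is still caught. The key lines it scans are constructed for the example (synthetic blobs of the right structure, not real curve points), and the host and user names in them are placeholders.

```python
"""Find SSH public keys affected by CVE-2024-31497: only ECDSA over NIST P-521 (ecdsa-sha2-nistp521)."""
import base64
import binascii
import struct

AFFECTED_TYPE = b"ecdsa-sha2-nistp521"
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def ssh_string(data: bytes) -> bytes:
    """Encode one RFC 4251 'string': big-endian uint32 length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def parse_ssh_strings(blob: bytes) -> list:
    """Split a public-key blob into its length-prefixed fields; raise ValueError if truncated."""
    fields, pos = [], 0
    while pos < len(blob):
        if pos + 4 > len(blob):
            raise ValueError("truncated length prefix")
        (length,) = struct.unpack(">I", blob[pos:pos + 4])
        pos += 4
        if pos + length > len(blob):
            raise ValueError("truncated field")
        fields.append(blob[pos:pos + length])
        pos += length
    return fields


def affected_key(line: str):
    """Return the key comment if the line carries a P-521 ECDSA key, otherwise None.

    Handles authorized_keys lines (optional options prefix), known_hosts lines (host
    field first) and plain .pub lines.  The decision is taken on the decoded blob,
    not on the textual key-type label, so a mislabelled key cannot hide.
    """
    tokens = line.split()
    for idx, token in enumerate(tokens[:-1]):
        if not token.startswith(KEY_TYPE_PREFIXES):
            continue
        try:
            fields = parse_ssh_strings(base64.b64decode(tokens[idx + 1], validate=True))
        except (binascii.Error, ValueError):
            return None
        if len(fields) >= 3 and fields[0] == AFFECTED_TYPE and fields[1] == b"nistp521":
            return " ".join(tokens[idx + 2:]) or "(no comment)"
        return None
    return None


def affected_keys(lines):
    """(line_number, comment) for every P-521 ECDSA key in an iterable of key-file lines."""
    found = []
    for number, line in enumerate(lines, start=1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        comment = affected_key(line)
        if comment is not None:
            found.append((number, comment))
    return found


def _fake_key(key_type: bytes, curve: bytes, point_len: int) -> str:
    """Constructed key for the sample: correct blob layout, placeholder point (not a real curve point)."""
    blob = ssh_string(key_type) + ssh_string(curve) + ssh_string(b"\x04" + b"\x11" * (point_len - 1))
    return key_type.decode() + " " + base64.b64encode(blob).decode()


# Constructed sample lines (hosts and users are placeholders), mixing the three file layouts.
SAMPLE_LINES = [
    "# authorized_keys gathered from a build host (constructed example)",
    _fake_key(b"ecdsa-sha2-nistp521", b"nistp521", 133) + " deploy@ci",
    "ssh-ed25519 " + base64.b64encode(ssh_string(b"ssh-ed25519") + ssh_string(b"\x22" * 32)).decode() + " alice@laptop",
    'command="/usr/bin/rrsync /srv" ' + _fake_key(b"ecdsa-sha2-nistp521", b"nistp521", 133) + " backup@nas",
    _fake_key(b"ecdsa-sha2-nistp256", b"nistp256", 65) + " bob@desktop",
    "git.example.org " + _fake_key(b"ecdsa-sha2-nistp521", b"nistp521", 133),
]


if __name__ == "__main__":
    for number, comment in affected_keys(SAMPLE_LINES):
        print(f"line {number}: rotate P-521 key {comment}")
```

Point it at real files with `affected_keys(open(path))`. Hashed known_hosts entries (HashKnownHosts) still work, because the hashed host field never starts with a key-type prefix and the key blob is stored in clear. A hit means the key must be revoked and replaced, not just that the client software needs updating.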

 

We urge everyone in the security community to review their systems to mitigate this vulnerability as soon as possible.

More info:

https://nvd.nist.gov/vuln/detail/CVE-2024-31497

https://www.incibe.es/incibe-cert/alerta-temprana/vulnerabilidades/cve-2024-31497

https://docs.ccv.brown.edu/oscar/connecting-to-oscar/ssh/ssh-agent-forwarding/key-generation-and-agent-forwarding-with-putty

https://news.ycombinator.com/item?id=40044665