One of the most popular WordPress backup plugins, UpdraftPlus, has released a set of updates, x.22.3, that contain a potentially important fix for CVE-2022-23303. This vulnerability exposes existing backups to any logged-in WordPress user. This bug was found by the guys at Jetpack, who have a nice write-up on it. It’s a combination of instances of a common problem — endpoints that lacked proper authentication. The heartbeat function allows any user to access it, and it returns the latest backup nonce.
A cryptographic nonce is a value that’s not exactly a cryptographic secret, but is only used once. In some cases, this is to mitigate replay attacks, or is used as an initialization vector. In the case of UpdraftPlus, the nonce works as a unique identifier for individual backups. The data leak can be combined with another weak validation in the maybe_download_backup_from_email() function, to allow downloading of a backup. As WordPress backups will contain sensitive information, this is quite the problem. There are no known in-the-wild instances of this attack being used, but as always, update now to stay ahead of the game.
Termux
It wouldn’t be surprising to find that many of us use the Termux app on Android. It’s almost as good as installing a real Linux distro for the command line tools, and even running some graphical Linux apps. What you may not know is that the version on the Google Play Store is far out of date, because of a change to Android security policy in Android 10. That was simply annoying, but now it’s a real problem, as a series of vulnerabilities has been announced in the Termux app. The two most serious problems require the Termux:Tasker and Termux:Widget add-ons, respectively. Tasker didn’t have a defined permission for allowing execution via intents, so any other app could trigger a command. On top of this, there was a trivial directory traversal attack, so that command could reference any binary Termux could access.
The Widget problem is similar, but this app at least had an auth token that was checked on incoming intents. The problem there is that with a valid token, any command could be run. On top of that, the third vulnerability was a file permission issue, where any app could read Termux files, including the issued tokens. There’s one more issue to consider, when contemplating the severity of this bug, and that is rooted phones. If you’re running an su binary, and you’ve given Termux root permissions, then the above vulnerabilities are suddenly much more serious.
Magento and Adobe Commerce
There’s a really nasty vulnerability in the Magento project, and by extension, Adobe Commerce. CVE-2022-24086 was announced February 13, as an RCE accessible without authentication. Worse, it appears to be pretty simple to exploit, though a precise PoC hasn’t been made public yet. Adobe patched the vulnerability, and within a few days, researchers had bypassed their fix, leading to CVE-2022-24087 being issued. Researchers at Sansec have seen attacks in the wild already. Patch now, and give any Magento install a very close look for potential malware.
A new patch has been published for Magento 2, to mitigate the pre-authenticated remote code execution. If you patched with the first patch, THIS IS NOT SUFFICIENT to be safe. Please update again! https://t.co/vtYj9Ic6ds @ptswarm (as you had a PoC too!) #magento
— Blaklis (@Blaklis_) February 17, 2022
More Qualys Finds
Qualys has found another round of vulnerabilities, this time in snap-confine. The most important one is CVE-2021-44731, a race condition that can lead to privilege escalation, which happens to work in most default configurations. snap-confine is another setuid binary, which can be executed by unprivileged users, but automatically gains root privileges in order to run. The problem stems from snap mounting its own temporary directory on the system’s /tmp location, but not properly checking for symlinks.
By making a change to the /tmp directory as it is being mounted, arbitrary folder locations can be accessed from within the snap, but with modified access controls inherited from the snap. One impressive technique they demonstrated in the attack is putting snap-confine into a debug mode, and then single-stepping the program’s execution. That’s certainly one way to guarantee your exploit wins the race.
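The check-then-use pattern behind this class of bug, as an added example that is not snap-confine’s code: prepare_dir_racy() verifies a /tmp path with lstat() and then acts on the path again, while prepare_dir_safe() opens the directory once with O_NOFOLLOW and does the check and the change through that descriptor. The hook argument stands in for "another process runs here", and demo_swap() builds its own constructed scenario under /tmp; all three names are assumptions for this illustration.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>
typedef void (*hook_fn)(void *ctx);   /* stands in for "another process runs here" */
/* Racy: lstat() rejects a symlink at check time, but chmod() resolves the same
 * path a second time, so a symlink planted in between redirects the operation. */
int prepare_dir_racy(const char *path, uid_t want_uid, hook_fn between, void *ctx) {
    struct stat st;
    if (lstat(path, &st) < 0 || !S_ISDIR(st.st_mode) || st.st_uid != want_uid)
        return -1;                          /* not a directory we own: refuse */
    if (between) between(ctx);              /* the time-of-check/time-of-use window */
    return chmod(path, 0700);               /* follows whatever the path points at now */
}
/* Safe: open the directory without following symlinks, then check and act via
 * the descriptor, so the object checked is the object modified. */
int prepare_dir_safe(const char *path, uid_t want_uid, hook_fn between, void *ctx) {
    struct stat st;
    int fd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;                  /* ELOOP if the path is already a symlink */
    if (fstat(fd, &st) < 0 || st.st_uid != want_uid) { close(fd); return -1; }
    if (between) between(ctx);              /* same window, now harmless */
    int rc = fchmod(fd, 0700);              /* acts on the opened inode, not the path */
    close(fd); return rc;
}
/* Constructed scenario: inside the window, swap directory "victim" for a symlink to "other". */
static void swap_hook(void *ctx) {
    const char **p = ctx;                   /* p[0] = victim, p[1] = other, p[2] = aside */
    (void)rename(p[0], p[2]);
    (void)symlink(p[1], p[0]);
}
/* Returns 1 if "other" ended up with mode 0700, i.e. the chmod was redirected. */
int demo_swap(int (*fn)(const char *, uid_t, hook_fn, void *)) {
    char base[] = "/tmp/toctou-demo-XXXXXX", victim[64], other[64], aside[64];
    struct stat st;
    if (!mkdtemp(base)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", base);
    snprintf(other, sizeof other, "%s/other", base);
    snprintf(aside, sizeof aside, "%s/aside", base);
    (void)mkdir(victim, 0755); (void)mkdir(other, 0755); (void)chmod(other, 0755);
    const char *ctx[3] = { victim, other, aside };
    fn(victim, getuid(), swap_hook, ctx);
    int redirected = stat(other, &st) == 0 && (st.st_mode & 07777) == 0700;
    unlink(victim); rmdir(aside); rmdir(other); rmdir(base);
    return redirected;
}
```

The racy variant still "checks for symlinks", which is the point: a path-based check cannot protect a path-based use.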
Thunderbird, Strlen, and Single Byte Overflows
Mozilla Thunderbird has an unusual vulnerability, fixed in the 91.6.1 release. CVE-2022-0566 is tracked internally as bug 1753094, and so far has a maximum impact of a one byte buffer overflow. Turning this into an exploit would be quite difficult, but we’ve seen stranger things. If anything, I would expect this to be chained with another bug to achieve something more interesting, but so far it seems that no-one has managed this. As always, update sooner than later!
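The sizing mistake behind many one-byte overflows, as an added example that is not Thunderbird’s code and not a reconstruction of bug 1753094: a buffer allocated with strlen() receives a strcpy()-style copy, and the terminating NUL lands one byte past the end. The byte_after_* and dup_bounded functions are constructed for this illustration; a control byte placed directly after the allocation makes the overflow observable without corrupting heap metadata.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <string.h>

/* Allocates strlen(src) bytes (or strlen(src)+1 when count_the_nul is set) and
 * copies src the way strcpy() does, NUL included. Returns the value of the
 * control byte that sits right after the allocation: 0xAA means untouched. */
static int byte_after_copy(const char *src, int count_the_nul) {
    size_t len = strlen(src);
    size_t alloc = count_the_nul ? len + 1 : len;   /* len alone is the bug */
    unsigned char *block = malloc(alloc + 1);       /* +1 for our control byte */
    if (!block) return -1;
    block[alloc] = 0xAA;                            /* directly after the "buffer" */
    memcpy(block, src, len + 1);                    /* strcpy() semantics: len bytes + NUL */
    int after = block[alloc];
    free(block);
    return after;
}

/* Buggy sizing: the NUL overwrites the byte after the allocation, so the
 * control byte reads 0x00. Note the overflow writes a zero, not attacker data. */
int byte_after_buggy_copy(const char *src) { return byte_after_copy(src, 0); }

/* Correct sizing: strlen() + 1 leaves room for the NUL; nothing spills. */
int byte_after_fixed_copy(const char *src) { return byte_after_copy(src, 1); }

/* Hardened duplicate: bound the input length up front and size the allocation
 * from the length that includes the terminator. Fails closed on oversize input. */
char *dup_bounded(const char *src, size_t max_len) {
    size_t len = strnlen(src, max_len + 1);
    if (len > max_len) return NULL;
    char *out = malloc(len + 1);
    if (out) memcpy(out, src, len + 1);
    return out;
}
```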
Red Cross Targeted
The International Committee of the Red Cross has published an announcement that one of their systems was breached back in November. Attackers used CVE-2021-40539, an authentication bypass in the Zoho Active Directory infrastructure. A database of over 500,000 contacts was exposed, and likely exfiltrated. What’s particularly interesting here is that it seemed to have been a very targeted attack, and there was no ransomware deployed. What exactly motivated the attack is unclear at this point, but the ICRC points out that this was likely carried out by an APT.
PfSense RCE
While a pfSense RCE sounds like a nightmare scenario, it’s not quite time to hit the panic button. This vulnerability requires access to the web interface as an authenticated user. The flaw is improper sanitization of user input, which is then run through the sed command. One way this can be turned into an exploit is through writing arbitrary data to the filesystem, and using this to add a webshell. The problem has been fixed in pfSense CE 2.6.0 and pfSense Plus 22.01.
“the ICRC points out that this was likely carried out by an APT.” Advanced Passenger Train? What does this stand for in this context?
Advanced Persistent Threat.
Advanced persistent threat?
https://en.wikipedia.org/wiki/Advanced_persistent_threat
Advanced Persistent Threat
“pre-authenticated remote code execution”
So that’s how you talk around an unauthenticated RCE. It’s not that you can do it when you’re not logged in, just that you can *before* you log in. I’m so sick of constant image management. Just call it what it is.
Never trust snapd package manager, that ‘needs’ to run in the background.
Does this Termux vulnerability affect the new version that’s not in the Google app store?