This Week In Security: Updraft, Termux, And Magento

One of the most popular WordPress backup plugins, UpdraftPlus, has released a set of updates, x.22.3, that contain a potentially important fix for CVE-2022-23303. This vulnerability exposes existing backups to any logged-in WordPress user. This bug was found by the guys at Jetpack, who have a nice write-up on it. It’s a combination of instances of a common problem: endpoints that lacked proper authentication. The heartbeat function can be accessed by any user, and it returns the latest backup nonce.

A cryptographic nonce is a value that’s not exactly a cryptographic secret, but is only used once. In some cases, this is to mitigate replay attacks, or is used as an initialization vector. In the case of UpdraftPlus, the nonce works as a unique identifier for individual backups. The data leak can be combined with another weak validation in the maybe_download_backup_from_email() function, to allow downloading of a backup. As WordPress backups will contain sensitive information, this is quite the problem. There are no known in-the-wild instances of this attack being used, but as always, update now to stay ahead of the game.

Termux

It wouldn’t be surprising to find that many of us use the Termux app on Android. It’s almost as good as installing a real Linux distro for the command line tools, and even running some graphical Linux apps. What you may not know is that the version on the Google Play Store is far out of date, because of a change to Android security policy in Android 10. That was simply annoying, but now it’s a real problem, as a series of vulnerabilities have been announced in the Termux app. The two most serious problems require the Termux:Tasker and Termux:Widget add-ons, respectively. Tasker didn’t have a defined permission for allowing execution via intents, so any other app could trigger a command. On top of this, there was a trivial directory traversal attack, so that command could reference any binary Termux could access.

The Widget problem is similar, but this app at least had an auth token that was checked on incoming intents. The problem there is that with a valid token, any command could be run. On top of that, the third vulnerability was a file permission issue, where any app could read Termux files, including the issued tokens. There’s one more issue to consider, when contemplating the severity of this bug, and that is rooted phones. If you’re running an su binary, and you’ve given Termux root permissions, then the above vulnerabilities are suddenly much more serious.

Magento and Adobe Commerce

There’s a really nasty vulnerability in the Magento project, and by extension, Adobe Commerce. CVE-2022-24086 was announced February 13, as an RCE accessible without authentication. Worse, it appears to be pretty simple to exploit, though a precise PoC hasn’t been made public yet. Adobe patched the vulnerability, and within a few days, researchers had bypassed their fix, leading to CVE-2022-24087 being issued. Researchers at Sansec have seen attacks in the wild already. Patch now, and give any Magento install a very close look for potential malware.

More Qualys Finds

Qualys has found another round of vulnerabilities, this time in snap-confine. The most important one is CVE-2021-44731, a race condition that can lead to privilege escalation, which happens to work in most default configurations. snap-confine is another setuid binary, which can be executed by unprivileged users, but automatically gains root privileges in order to run. The problem stems from snap mounting its own temporary directory on the system’s /tmp location, but not properly checking for symlinks.

By making a change to the /tmp directory as it is being mounted, arbitrary folder locations can be accessed from within the snap, but with modified access controls inherited from the snap. One impressive technique they demonstrated in the attack is putting snap-confine into a debug mode, and then single-stepping the program’s execution. That’s certainly one way to guarantee your exploit wins the race.
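The general check-then-use pattern behind this class of symlink race, shown next to a descriptor-based alternative, as an added example that is not snap-confine's code or its fix. All function names, the `window` callback (a deterministic stand-in for the race window) and the temporary paths are constructed for illustration.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>
static char elsewhere[256];  /* constructed: target of the swapped-in symlink */
static void swap_for_symlink(const char *path) {  /* constructed stand-in for the swap */
    if (rmdir(path) != 0 || symlink(elsewhere, path) != 0) perror("swap");
}

/* Racy: validates the *name* with lstat(), then resolves the name again. */
int open_dir_racy(const char *path, void (*window)(const char *)) {
    struct stat st;
    if (lstat(path, &st) != 0 || !S_ISDIR(st.st_mode)) return -1;
    if (window) window(path);   /* whatever runs between check and use */
    return open(path, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
}

/* Hardened: one open that refuses a final-component symlink; checks use the fd. */
int open_dir_checked(const char *path, uid_t owner, void (*window)(const char *)) {
    struct stat st;
    if (window) window(path);
    int fd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (fd >= 0 && (fstat(fd, &st) != 0 || st.st_uid != owner ||
                    (st.st_mode & (S_IWGRP | S_IWOTH)))) { close(fd); fd = -1; }
    return fd;
}

/* Flags: 1 = racy open redirected, 2 = checked open refused, 4 = plain dir accepted. */
int demo(void) {
    char base[] = "/tmp/toctou-XXXXXX", work[256];
    struct stat a, b;
    int result = 0;
    if (!mkdtemp(base)) return -1;
    snprintf(elsewhere, sizeof elsewhere, "%s/elsewhere", base);
    snprintf(work, sizeof work, "%s/work", base);
    if (mkdir(elsewhere, 0700) != 0 || mkdir(work, 0700) != 0) return -1;
    int fd = open_dir_racy(work, swap_for_symlink);
    if (fd >= 0 && fstat(fd, &a) == 0 && stat(elsewhere, &b) == 0 &&
        a.st_dev == b.st_dev && a.st_ino == b.st_ino) result |= 1;
    if (fd >= 0) close(fd);
    if (unlink(work) != 0 || mkdir(work, 0700) != 0) return -1;
    if (open_dir_checked(work, getuid(), swap_for_symlink) < 0) result |= 2;
    if ((fd = open_dir_checked(elsewhere, getuid(), NULL)) >= 0) { result |= 4; close(fd); }
    unlink(work); rmdir(elsewhere); rmdir(base);
    return result;
}
int main(void) { printf("demo() = %d\n", demo()); return 0; }
```

O_NOFOLLOW only covers the last path component, so code that walks untrusted parent directories still has to open each level relative to the previous descriptor.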

Thunderbird, Strlen, and Single Byte Overflows

Mozilla Thunderbird has an unusual vulnerability, fixed in the 91.6.1 release. CVE-2022-0566 is tracked internally as bug 1753094, and so far has a maximum impact of a one-byte buffer overflow. Turning this into an exploit would be quite difficult, but we’ve seen stranger things. If anything, I would expect this to be chained with another bug to achieve something more interesting, but so far it seems that no one has managed this. As always, update sooner rather than later!

Red Cross Targeted

The International Committee of the Red Cross has published an announcement that one of their systems was breached back in November. Attackers used CVE-2021-40539, an authentication bypass in the Zoho Active Directory infrastructure. A database of over 500,000 contacts was exposed, and likely exfiltrated. What’s particularly interesting here is that it seemed to have been a very targeted attack, and there was no ransomware deployed. What exactly motivated the attack is unclear at this point, but the ICRC points out that this was likely carried out by an APT.

PfSense RCE

While a pfSense RCE sounds like a nightmare scenario, it’s not quite time to hit the panic button. This vulnerability requires access to the web interface as an authenticated user. The flaw is improper sanitization of user input, which is then run through the sed command. One way this can be turned into an exploit is through writing arbitrary data to the filesystem, and using this to add a webshell. The problem has been fixed in pfSense CE 2.6.0 and pfSense Plus 22.01.

7 thoughts on “This Week In Security: Updraft, Termux, And Magento”

  1. “pre-authenticated remote code execution”

    So that’s how you talk around an unauthenticated RCE. It’s not that you can do it when you’re not logged in, just that you can *before* you log in. I’m so sick of constant image management. Just call it what it is.
