The impending holidays don’t mean a break from cybersecurity threats. This week’s news includes open-source software vulnerabilities, endangered data, and continued attacks from state-sponsored Russian threat groups. Google’s Dataproc security issues could be exploited not just through the analytics engine but through Google Compute Engine, too. And WordPress sites are vulnerable to code injection through plugin Backup Migration. Before your IT and security teams log off for the holidays, make sure to check for any outstanding updates or patches.
December 11, 2023
Sonar Finds Three Vulnerabilities in Open-Source Firewall pfSense
Type of vulnerability: Cross-site scripting and command injection.
The problem: Code analysis software SonarCloud found three vulnerabilities in open-source firewall software pfSense — two cross-site scripting (XSS) issues and a command injection vulnerability. NIST has cataloged the three vulnerabilities as CVE-2023-42325, CVE-2023-42327, and CVE-2023-42326. Used in conjunction, these vulnerabilities allow a threat actor to remotely execute arbitrary code on a pfSense server.
pfSense CE 2.7.0 and below and pfSense Plus 23.05.1 and below are susceptible to the vulnerabilities. While the vulnerabilities were discovered this summer, Sonar didn’t release its report until last week.
The fix: Sonar provides recommendations for patching the vulnerabilities, including patch commits from open-source networking vendor Netgate. Versions 2.7.1 and 23.09 of pfSense have also fixed this vulnerability.
December 12, 2023
Dataproc Vulnerabilities Endanger Data Processing Environments
Type of vulnerability: Unauthenticated access to Dataproc clusters.
The problem: Google’s data processing and analytics engine Dataproc has insufficient security controls on two open firewall ports. If a threat actor has the Dataproc IP address, they can access it without authenticating themselves. Orca Security’s research group released an article covering this vulnerability. When a threat actor gains access to an instance of Dataproc, they could view sensitive data being processed or stored.
The Orca team said that at the time of writing this article, Google hadn’t fixed the flaw, only identifying it as an Abuse Risk. Google offers information about the dangers of open firewall rules, but not the possibility that a threat actor could access Dataproc through Google Compute Engine, which Orca pointed out.
The fix: Orca Security scans Dataproc clusters and notifies Orca customers when an instance of Dataproc is misconfigured. Orca also offers remediation recommendations and code to fix the issue. This only applies to Orca customers; at this point, Google hasn’t offered an overall solution.
December 13, 2023
Russian Groups Continue to Exploit JetBrains TeamCity Servers
Type of attack: Authentication bypass resulting in server access.
The problem: The National Security Agency (NSA) released a press announcement last week concerning active exploits of a JetBrains TeamCity server exploit. According to the NSA, threat actor groups like APT29 and CozyBear, which make up the Russian Foreign Intelligence Service (SVR), have been exploiting the known vulnerability since September 2023. Among the victims so far are businesses in the medical and financial industries.
Threat actors use the vulnerability known as CVE-2023-42793 to access the TeamCity servers and take further action, including escalating their privileges. The goal for these threat actors is long-term access to the servers.
The National Security Agency (NSA), Federal Bureau of Investigation (FBI), and other organizations developed a detailed bulletin, a Cybersecurity Advisory (CSA) designed to help teams respond.
The fix: The bulletin from the CSA provides multiple suggestions for mitigation. Navigate to the Mitigations section for specific recommendations, including patching per JetBrains’ already-released fix and enabling antivirus and endpoint monitoring products.
WordPress Plugin Backup Migration Sees Code Injection Vulnerability
Type of attack: PHP code injection and remote code execution.
The problem: Backup Migration, a WordPress plugin installed on tens of thousands of websites, has a vulnerability allowing remote code execution. The vulnerability, CVE-2023-6553, affects every version of Backup Migration until version 1.3.6. A threat actor can use the /includes/backup-heart.php file to inject PHP code and bypass user interaction to execute code remotely on the affected website.
The team for Wordfence, a WordPress security plugin, discovered this bug and reported it to BackupBliss, the developers.
The fix: After receiving the report from Wordfence, the developers of Backup Migration released a patch earlier in December for the vulnerability, included in version 1.3.8. Experts recommend that WordPress admins update Backup Migration to the latest version so their sites aren’t compromised. Multiple WordPress sites aren’t updated and are still vulnerable, though. Check your site’s version of Backup Migration if you have the plugin installed.
December 15, 2023
Apache Struts Vulnerability Requires Upgrades to New Software Versions
Type of vulnerability: Parameter manipulation allowing path traversal and potential remote code execution.
The problem: The Apache Software Foundation announced a software flaw in Apache Struts 2, an open-source framework for developing Java applications. The vulnerability allows threat actors to manipulate parameters and enable path traversal, according to NIST. This could allow them to upload malicious files and execute remote code. Versions affected include Struts 2.0.0 – Struts 2.3.37 (end of life), Struts 2.5.0 – Struts 2.5.32, and Struts 6.0.0 – Struts 6.3.0.
The fix: NIST suggests upgrading Apache Struts to versions 2.5.33 or 6.3.0.2 or greater to fix this issue.
Next, read about the stages of the vulnerability management lifecycle, which include assessing, prioritizing, and reassessing weaknesses in your IT environment.
