Breaches & Vulnerabilities in this week's Cyber News!
1. Vendor disputes seriousness of firewall plugin RCE flaw
IHTeam security researchers discovered a critical flaw in a plugin for the pfSense firewall system. The affected pfBlockerNG plugin is not installed by default, and the issue was in any event fixed by a software upgrade released in June. According to IHTeam, the underlying issue created an unauthenticated remote code execution (RCE) as root risk on affected installations. pfSense is a FreeBSD-based firewall/router software distribution. The network firewall technology is open source and can be deployed on bare metal or as a virtual appliance. pfBlockerNG is a pfSense plugin component that allows whole IP ranges to be allow- or deny-listed. According to the researchers, it is frequently used to prevent entire countries from communicating with networks that use pfSense. They highlight several factors that make the problem worth special attention. According to IHTeam, the developers continue to ship, and let users install, both the 2.x and the 3.x (the -development) branches. "The misunderstanding could be easily remedied if they simply removed the 2.x branch from the list of accessible plugins," the researchers stated. IHTeam discovered the vulnerability in pfBlockerNG during an independent security review of what turned out to be a vulnerable version of the software. (Source).
2. WordPress warning: 140k BackupBuddy installations on alert over file-read exploitation.
WordPress websites that use BackupBuddy have been encouraged to update the plugin in the wake of reports of active exploitation of a high-severity arbitrary file download/read vulnerability. BackupBuddy is a WordPress backup tool with approximately 140,000 active installs. Wordfence, a WordPress security business, has disclosed that its firewall has blocked over 4.9 million exploit attempts connected to the bug. Because of an insecure implementation of the mechanism used to download locally stored files, unauthenticated attackers could download any file kept on the server. According to a Wordfence blog, "more specifically, the plugin registers an `admin_init` hook for the function intended to download local backup files, and the function itself did not have any capability checks or nonce validation. This means that the function could be called by unauthenticated users via any administrative page, including those that can be accessed without authentication (admin-post.php). Because the backup path is not checked, an arbitrary file could be supplied and then downloaded." iThemes, for its part, stated: "WordPress as a whole has become a much more secure platform as a result of suppliers, users, and security researchers working together to make security easier for everyone, and iThemes is glad to be a part of it." (Source).
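The three missing controls Wordfence names (capability check, nonce validation, and a path check on the requested backup) map directly onto code. The following is an added illustration written for this roundup; it is not BackupBuddy's, iThemes' or Wordfence's code. It shows a WordPress `admin_init` download handler in the shape the advisory describes next to a hardened version. The hook callback names, the `example_backup` query parameter, the `example_download_backup` nonce action and the backup directory under `WP_CONTENT_DIR` are all assumptions made for the example; `add_action`, `current_user_can`, `check_admin_referer`, `wp_unslash` and `wp_die` are standard WordPress functions.

```php
<?php
/*
 * Constructed example, not plugin code. Contrasts an unprotected
 * admin_init file-download handler with a hardened one.
 */

// --- Vulnerable shape (shown for contrast only; deliberately NOT hooked) ---
function example_download_backup_insecure() {
    if ( empty( $_GET['example_backup'] ) ) {
        return;
    }
    // No capability check, no nonce, no path restriction. admin_init also
    // fires on admin-post.php for unauthenticated visitors, so anyone could
    // request any file the web server user can read.
    $file = $_GET['example_backup'];
    header( 'Content-Type: application/octet-stream' );
    readfile( $file );
    exit;
}

// --- Hardened shape ---
define( 'EXAMPLE_BACKUP_DIR', WP_CONTENT_DIR . '/uploads/example-backups' ); // assumed location

add_action( 'admin_init', 'example_download_backup_secure' );
function example_download_backup_secure() {
    if ( empty( $_GET['example_backup'] ) ) {
        return;
    }

    // 1. Capability check: only users who may manage the site.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // 2. Nonce check: the download link must have been produced by
    //    wp_nonce_url( $url, 'example_download_backup' ) on an admin page.
    //    check_admin_referer() dies with a 403 if the _wpnonce value is bad.
    check_admin_referer( 'example_download_backup' );

    // 3. Path restriction: accept a bare file name and confirm the resolved
    //    path is inside the backup directory before serving it.
    $path = example_resolve_backup_path( wp_unslash( $_GET['example_backup'] ) );
    if ( null === $path ) {
        wp_die( 'Invalid backup file.', '', array( 'response' => 400 ) );
    }

    header( 'Content-Type: application/octet-stream' );
    header( 'Content-Disposition: attachment; filename="' . basename( $path ) . '"' );
    readfile( $path );
    exit;
}

/**
 * Returns the absolute path of a backup file, or null when the request
 * names a directory component, points outside the backup directory
 * (including via a symlink), or does not exist.
 */
function example_resolve_backup_path( $requested ) {
    $name = basename( $requested );              // strips any directory part
    if ( '' === $name || $name !== $requested ) { // "../x" or "/etc/passwd" rejected
        return null;
    }
    $base = realpath( EXAMPLE_BACKUP_DIR );
    $real = realpath( EXAMPLE_BACKUP_DIR . '/' . $name );
    if ( false === $base || false === $real ) {
        return null;
    }
    // Prefix check on the canonicalised path, so symlinks cannot escape.
    if ( 0 !== strpos( $real, $base . DIRECTORY_SEPARATOR ) ) {
        return null;
    }
    return $real;
}
```

The order of the checks matters for detection as well as prevention: with the capability check first, unauthenticated probes of the handler end in a 403 before any file name is parsed, which gives a clean signal in the access log, whereas the unprotected version answers every request with file contents.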
3. SEBI rejigs panel on cyber security, expands to six members team.
The Securities and Exchange Board of India (Sebi) has restructured its high-level panel on cyber security, which suggests measures to safeguard the capital markets from such attacks. The committee, which now has six members, will be chaired by Navin Kumar Singh, DG of the National Critical Information Infrastructure Protection Centre (NCIIPC). The high-powered steering committee has been charged with overseeing and providing overall guidance on cyber security initiatives for Sebi as well as the entire capital market. It will also advise Sebi on developing and maintaining cyber security and cyber resilience requirements that are aligned with global best practices and industry standards and suited to the needs of the Indian capital market structure. Furthermore, the panel will suggest strategies to strengthen cyber resilience, as well as related business continuity and disaster recovery processes, in the Indian securities industry. The committee will investigate key cyber-attack incidents in domestic and worldwide financial markets, and identify weaknesses in the existing cyber security and cyber resilience framework. (Source).
4. Cisco won't fix authentication bypass zero-day in EOL (end-of-life) routers.
According to Cisco, a new authentication bypass problem affecting several small business VPN routers will not be fixed, since the equipment has reached end-of-life (EOL). The zero-day vulnerability (CVE-2022-20923) is caused by a defective password validation routine, which an attacker could use to connect to the VPN on susceptible devices with "crafted credentials" if the IPSec VPN Server feature is enabled. Customers who are still using the RV110W, RV130, RV130W, and RV215W routers affected by this flaw are encouraged to migrate to newer models that still receive security updates. An end-of-sale notification on Cisco's website gives the last day these RV Series routers were available for order. "Cisco has not and will not provide software upgrades to address the vulnerability outlined in this advisory," the company said. This is not the first such decision: in August 2021, the firm stated that it would not offer security fixes for a major vulnerability (CVE-2021-34730) in these RV Series routers that allowed unauthenticated attackers to remotely execute arbitrary code as the root user, again advising customers to upgrade to newer models. (Source).
5. Microsoft warns of ransomware attacks by Phosphorus hacker group.
Microsoft's threat intelligence branch determined that a subgroup of the Iranian threat actor known as Phosphorus is carrying out ransomware attacks for personal gain as a "kind of moonlighting." The tech giant, which tracks the activity cluster as DEV-0270 (aka Nemesis Kitten), stated that it is run by a company known by the public aliases Secnerd and Lifeweb, citing infrastructure overlaps between the group and the two organizations. "DEV-0270 is known for early adoption of newly published vulnerabilities and uses exploits for high-severity vulnerabilities to get access to devices," Microsoft stated. DEV-0270 is known to scan the internet for servers and devices vulnerable to weaknesses in Microsoft Exchange Server, Fortinet FortiGate SSL-VPN, and Apache Log4j to gain initial access, which is then followed by network reconnaissance and credential theft. Persistence is established using a scheduled task that maintains access to the compromised network. DEV-0270 then gains system-level privileges, allowing it to carry out post-exploitation operations such as disabling Microsoft Defender Antivirus to avoid detection, lateral movement, and file encryption. Users are advised to prioritize patching of internet-facing Exchange servers to mitigate risk, restrict network appliances like Fortinet SSL-VPN devices from making arbitrary connections to the internet, enforce strong passwords, and maintain regular data backups. (Source).
6. HP fixes a severe bug in the pre-installed support assistant tool.
HP published a security advisory informing customers of a newly identified vulnerability in HP Support Assistant, a software application included with all HP laptops and desktop PCs. HP Support Assistant can be used to diagnose problems, run hardware diagnostic tests, look up technical specifications, and check for BIOS and driver upgrades on HP devices. The weakness, identified and reported to HP by Secure D researchers, is tracked as CVE-2022-38395 and carries a "high" severity score of 8.2 because it allows attackers to escalate their privileges on susceptible computers. In practice, attackers who have already established a foothold on a system through low-privileged malware or a RAT can exploit CVE-2022-38395 to gain higher privileges. Even so, all HP users are advised to update Support Assistant as soon as possible, given the vast number of devices that have it installed and the low complexity of exploitation. Customers on version 9.x are advised to update to the current version of Support Assistant via the Microsoft Store. This is not the first time HP's pre-installed self-help tools have posed security risks to customers, nor is it the first time Support Assistant in particular has done so. Given that history, if you don't need or use your computer vendor's bundled tools, uninstalling them removes the associated risk entirely. (Source).
Visit us for any software-related solutions at TechBag Digital Pvt. Ltd.
All our solutions and services are delivered in SaaS mode.
Free expert advice is available for all the solutions, including before you choose to subscribe.
(TechBag is a digital distribution platform for software that enables better decision-making for users while navigating through different software, and enabling vendors to reach a wider audience.)