Memory Security Weekly Report No. 153
Anxinsec Technology
AI-Empowered Cybersecurity Solution and Service Provider for Governments and Enterprises
1. Atlas VPN zero-day vulnerability leaks users' real IP address (9.5)
An Atlas VPN zero-day vulnerability affecting the Linux client leaks a user's real IP address when the user simply visits a website hosting the exploit. Atlas VPN is a cost-effective VPN product built on WireGuard that supports all major operating systems.
Detailed Information
In a proof-of-concept exploit shared on Reddit, a researcher describes how the Linux client of Atlas VPN (specifically the latest version, 1.0.3) exposes an API endpoint that listens on localhost (127.0.0.1) on port 8076. This API backs the command-line interface (CLI) and performs various actions, such as disconnecting a VPN session via the https://127.0.0.1:8076/connection/stop URL. However, the API performs no authentication at all, so anything that can reach it can issue commands to the client, including a website the user happens to be visiting.
A Reddit user named 'Educational-Map-8145' published a PoC exploit on Reddit that abuses the Atlas VPN Linux API to reveal a user's real IP address. The PoC creates a hidden form that JavaScript submits automatically to the https://127.0.0.1:8076/connection/stop API endpoint. When this endpoint is accessed, it terminates any active Atlas VPN session that was hiding the user's IP address. Once the VPN connection is down, the PoC contacts api.ipify.org to log the visitor's actual IP address.
This is a severe privacy breach for any VPN user: it exposes their actual IP address and approximate physical location, allows them to be tracked, and nullifies one of the core reasons for using a VPN provider. The researcher tested and confirmed the exploit, creating a video to demonstrate that it can be leveraged to reveal an IP address. He further explained that the PoC gets past the CORS (Cross-Origin Resource Sharing) protections of web browsers because the requests are sent to the Atlas VPN API as plain form submissions rather than cross-origin fetch calls. Using a form submission to "bypass" CORS does not let the website read the response, but the request still reaches the API, and its side effect (tearing down the VPN session) is all the attack needs. Atlas VPN eventually responded to the issue four days after the disclosure, apologizing to the reporter and promising to release a fix for its Linux client as soon as possible.
https://www.bleepingcomputer.com/news/security/atlas-vpn-zero-day-vulnerability-leaks-users-real-ip-address/
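The root cause above is a loopback control API that trusts every request it receives. The following Python function is an added example (not Atlas VPN's code) of the request policy such a daemon should enforce: pin the Host header to the loopback address so DNS rebinding cannot reach it, refuse anything that carries browser-origin markers (a form submission from a website always arrives with Origin/Referer and, in current browsers, Sec-Fetch-Site: cross-site), and require a shared secret that only the local CLI holds. The port 8076 comes from the report; the bearer-token scheme, the attacker origin and the two sample requests are constructed for illustration.

```python
"""Added example (not Atlas VPN's code): request validation for a localhost
control API so that a web page cannot drive it.

The report describes an API on 127.0.0.1:8076 that accepted unauthenticated
requests, including HTML form submissions from arbitrary websites.  The checks
below are what a loopback control service should apply; the header names are
standard HTTP/Fetch headers, while the token scheme and sample requests are
assumptions made for this example.
"""
import hmac
import secrets
from typing import Dict, Tuple

LOOPBACK_HOSTS = {"127.0.0.1:8076", "localhost:8076", "[::1]:8076"}

# Minted when the client daemon starts and handed to the CLI out of band
# (e.g. a mode-0600 file).  A web page has no way to read it.  Constructed here.
API_TOKEN = secrets.token_urlsafe(32)


def validate_local_request(headers: Dict[str, str], token: str = API_TOKEN) -> Tuple[bool, str]:
    """Return (allowed, reason) for one request, given its headers as received."""
    h = {k.lower(): v for k, v in headers.items()}

    # 1. Host pinning: defeats DNS rebinding, where an attacker-controlled
    #    name resolves to 127.0.0.1 and the browser sends that name as Host.
    if h.get("host") not in LOOPBACK_HOSTS:
        return False, "unexpected Host header"

    # 2. Browser-origin markers.  A form submission from a website carries
    #    Origin/Referer and Sec-Fetch-Site: cross-site; a local CLI sends
    #    none of these, so their presence alone is grounds to refuse.
    if "origin" in h or "referer" in h:
        return False, "browser-originated request (Origin/Referer present)"
    if h.get("sec-fetch-site", "none") != "none":
        return False, "cross-site fetch metadata: " + h["sec-fetch-site"]

    # 3. Shared-secret authentication, compared in constant time.
    scheme, _, presented = h.get("authorization", "").partition(" ")
    if scheme != "Bearer" or not hmac.compare_digest(presented, token):
        return False, "missing or invalid bearer token"

    return True, "ok"


# Constructed request headers --------------------------------------------

# Roughly what the PoC's hidden, auto-submitted form looks like on the wire.
CROSS_SITE_FORM_POST = {
    "Host": "127.0.0.1:8076",
    "Origin": "https://attacker.example",            # placeholder origin
    "Referer": "https://attacker.example/page.html",
    "Sec-Fetch-Site": "cross-site",
    "Sec-Fetch-Mode": "navigate",
    "Content-Type": "application/x-www-form-urlencoded",
}

# A DNS-rebinding attempt: attacker's hostname resolving to 127.0.0.1.
REBOUND_HOST_POST = {
    "Host": "vpn.attacker.example:8076",
    "Authorization": "Bearer not-the-real-token",
}

# The vendor's own CLI talking to the daemon with the shared token.
LEGIT_CLI_CALL = {
    "Host": "127.0.0.1:8076",
    "Authorization": "Bearer " + API_TOKEN,
    "Content-Type": "application/json",
}

if __name__ == "__main__":
    for name, hdrs in [("form POST from a website", CROSS_SITE_FORM_POST),
                       ("DNS-rebinding attempt", REBOUND_HOST_POST),
                       ("local CLI call", LEGIT_CLI_CALL)]:
        allowed, why = validate_local_request(hdrs)
        print(name + ": " + ("ALLOW" if allowed else "DENY") + " (" + why + ")")
```

The order of the checks matters less than their combination: the token alone stops the form-based PoC, and the Host and origin checks stop the classes of request that a browser can generate even if a token ever leaks into page-visible state.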
2. CISA warns of critical Apache RocketMQ bug exploited in attacks (9.7)
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added to its Known Exploited Vulnerabilities (KEV) catalog a critical-severity issue tracked as CVE-2023-33246 that affects Apache's RocketMQ distributed messaging and streaming platform.
Detailed Information
Multiple threat actors are likely exploiting the vulnerability right now to install various payloads on affected systems (RocketMQ versions 5.1.0 and below). Exploitation requires no authentication and has been observed in the wild since at least June, when operators of the DreamBus botnet used it to deploy a Monero cryptocurrency miner. CISA is directing federal agencies to patch CVE-2023-33246 on their Apache RocketMQ installations by September 27. If updating to a safe version or otherwise mitigating the risk is not possible, CISA recommends discontinuing use of the product.
The cybersecurity agency notes that an attacker can exploit the issue "by using the update configuration function to execute commands as the system users that RocketMQ is running." The U.S. National Institute of Standards and Technology (NIST) adds that the same result can be achieved by forging RocketMQ protocol content. The issue is exploitable in practice because multiple RocketMQ components, including NameServer, Broker, and Controller, are exposed on the public internet, making them a target for attackers. Researchers note that most of the exposed systems were concentrated in one country, which could mean that many of them are honeypots set up by researchers.
While scanning potentially vulnerable systems, the researcher also discovered "a variety of malicious payloads," which suggests that multiple threat actors are exploiting the vulnerability. Although they display suspicious behavior, some of the executables [1, 2, 3, 4] dropped after exploiting RocketMQ are currently not detected as malicious by antivirus engines on the VirusTotal scanning platform. The samples' dubious conduct on a system includes deleting themselves, running commands to modify permissions, enumerating processes, dumping credentials, reading SSH private keys and the "known_hosts" file, encoding and encrypting data, and reading the bash history.
https://www.bleepingcomputer.com/news/security/cisa-warns-of-critical-apache-rocketmq-bug-exploited-in-attacks/
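Because the report says the dropped samples evade antivirus engines, host telemetry is the more reliable place to catch this activity. The Python pass below is an added example (not from the article, CISA or the RocketMQ project) that runs over process and file events and flags exactly the behaviors the report attributes to the payloads, but only when the acting process descends from a RocketMQ JVM, which is what makes "shell spawned, then credential files read" meaningful for this bug. The event schema, the sample events and the /tmp path are constructed; the RocketMQ main-class names are those the upstream project uses to launch the broker and NameServer, and should be adjusted to match how brokers are started in your estate.

```python
"""Added example (not from the article, CISA or the RocketMQ project): a small
detection pass that flags the post-exploitation behaviour the report attributes
to the dropped samples, scoped to processes descended from a RocketMQ JVM.

Event schema, sample events and scratch paths are constructed for this example.
ROCKETMQ_MAIN_CLASSES are the upstream launcher classes; adjust as needed.
"""
import re
from typing import Dict, List, Tuple

ROCKETMQ_MAIN_CLASSES = ("org.apache.rocketmq.broker.BrokerStartup",
                         "org.apache.rocketmq.namesrv.NamesrvStartup")
SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash", "/usr/bin/sh", "/usr/bin/bash"}
SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
# SSH private keys, known_hosts and bash history, as listed in the report.
SENSITIVE_FILE = re.compile(r"/\.ssh/(id_[a-z0-9]+|known_hosts)$|/\.bash_history$")

Event = Dict[str, str]
Finding = Tuple[str, int, str]  # (rule, pid, detail)


def _is_rocketmq_jvm(ev: Event) -> bool:
    return ev["type"] == "proc" and any(c in ev.get("cmdline", "") for c in ROCKETMQ_MAIN_CLASSES)


def find_suspicious_rocketmq_activity(events: List[Event]) -> List[Finding]:
    """Return findings for events whose process descends from a RocketMQ JVM."""
    procs = {int(e["pid"]): e for e in events if e["type"] == "proc"}
    jvm_pids = {pid for pid, e in procs.items() if _is_rocketmq_jvm(e)}

    def descends_from_rocketmq(pid: int) -> bool:
        seen = set()
        while pid in procs and pid not in seen:       # walk the parent chain
            seen.add(pid)
            pid = int(procs[pid]["ppid"])
            if pid in jvm_pids:
                return True
        return False

    findings: List[Finding] = []
    for ev in events:
        pid = int(ev["pid"])
        if not descends_from_rocketmq(pid):
            continue  # the same actions by an admin's shell are out of scope here
        if ev["type"] == "proc":
            exe = ev["exe"]
            if exe in SHELLS:
                findings.append(("broker_spawned_shell", pid, ev["cmdline"]))
            elif exe.startswith(SCRATCH_DIRS):
                findings.append(("exec_from_scratch_dir", pid, exe))
            elif exe.endswith("/chmod"):
                findings.append(("permission_change", pid, ev["cmdline"]))
        elif ev["type"] == "file":
            path, op = ev["path"], ev["op"]
            if op == "read" and SENSITIVE_FILE.search(path):
                findings.append(("credential_file_read", pid, path))
            elif op == "unlink" and path == procs[pid]["exe"]:
                findings.append(("self_delete", pid, path))   # sample removing itself
    return findings


# Constructed sample telemetry: a broker JVM spawning a shell that runs a
# dropped file, which then behaves as the report describes, plus two benign
# events (an admin reading their own history, the broker writing its log).
SAMPLE_EVENTS: List[Event] = [
    {"type": "proc", "pid": "100", "ppid": "1", "exe": "/usr/bin/java",
     "cmdline": "java -cp /opt/rocketmq/lib/* org.apache.rocketmq.broker.BrokerStartup -c broker.conf"},
    {"type": "proc", "pid": "101", "ppid": "100", "exe": "/bin/sh", "cmdline": "sh -c /tmp/dropped_sample"},
    {"type": "proc", "pid": "102", "ppid": "101", "exe": "/tmp/dropped_sample", "cmdline": "/tmp/dropped_sample"},
    {"type": "file", "pid": "102", "op": "read", "path": "/home/rocketmq/.ssh/id_rsa"},
    {"type": "file", "pid": "102", "op": "read", "path": "/home/rocketmq/.ssh/known_hosts"},
    {"type": "file", "pid": "102", "op": "read", "path": "/home/rocketmq/.bash_history"},
    {"type": "proc", "pid": "103", "ppid": "102", "exe": "/bin/chmod", "cmdline": "chmod 755 /tmp/dropped_sample"},
    {"type": "file", "pid": "102", "op": "unlink", "path": "/tmp/dropped_sample"},
    {"type": "proc", "pid": "300", "ppid": "1", "exe": "/bin/bash", "cmdline": "bash"},
    {"type": "file", "pid": "300", "op": "read", "path": "/home/admin/.bash_history"},
    {"type": "file", "pid": "100", "op": "write", "path": "/opt/rocketmq/store/commitlog/00000000"},
]

if __name__ == "__main__":
    for rule, pid, detail in find_suspicious_rocketmq_activity(SAMPLE_EVENTS):
        print(rule + "\tpid=" + str(pid) + "\t" + detail)
```

Scoping by process ancestry is what keeps the rule quiet on a busy host: a user reading their own bash history or chmod-ing a script is routine, whereas the same action performed by a child of the broker JVM has no legitimate explanation under normal RocketMQ operation.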
Anxinsec Technology - Marketing Manager