Facebook has disclosed a vulnerability in the FreeType font rendering library, affecting all versions up to 2.13.0. This can lead to arbitrary code execution and is seen exploited in the wild.

FreeType 2 is a widely used open-source library that enables text rendering and manipulation. It is integrated into millions of (embedded) systems and applications, including Linux, Android, game engines, Browsers. GUI frameworks, and online platforms.

Although a non vulnerable version (FreeType 2.13.0 and up) was released on 2023-02-09, it is expected that many vulnerable versions are still in use due to its widespread use of this library.

https://www.bleepingcomputer.com/news/security/facebook-discloses-freetype-2-flaw-exploited-in-attacks/

#Netflix Europe offices raided in tax fraud probe

• Netflix's offices in France and the Netherlands were raided due to a tax fraud laundering investigation, according to a French judicial source.
• The French PNF opened the investigation in November 2022, focusing on international companies.Authorities suspect Netflix of "covering up serious tax fraud and off-the-books work," as stated by the PNF.

https://www.bbc.com/news/articles/cwy1vze09wwo

Cool Read: We Spent $20 to Achieve RCE and Accidentally Became the Admins of .MOBI

In this article, researchers bought an expired domain for $20 that was once used by the .MOBI WHOIS server, gaining control over its infrastructure. By setting up their own WHOIS server on the domain, they intercepted millions of queries, including those from government, military, and cybersecurity organizations.

The researchers also discovered a significant vulnerability in the TLS/SSL certificate issuance process. Some Certificate Authorities (CAs) used WHOIS data to verify domain ownership by checking the administrative email addresses listed. Since the researchers controlled the .MOBI WHOIS server, they were able to provide their own email address as the "official" contact. This let them spoof domain ownership, allowing them to receive verification emails and potentially issue fraudulent certificates for major domains.

Critical Kibana Vulnerability - Arbitrary Code Execution via YAML Deserialization

Date: September 5, 2024

CVE: CVE-2024-37285

Vulnerability Type: Deserialization of Untrusted Data

CWE: [[CWE-502]]

Sources: Elastic Security Advisory

Synopsis

CVE-2024-37285 impacts Kibana versions 8.10.0 to 8.15.0, where a deserialization flaw allows remote code execution if an attacker injects malicious YAML payloads. This vulnerability requires that an attacker has elevated Elasticsearch and Kibana privileges.

Issue Summary

The vulnerability arises from improper YAML deserialization within Kibana. A malicious actor can craft a YAML payload and execute arbitrary code, provided they have specific Elasticsearch index and Kibana privileges. This issue affects Kibana from versions 8.10.0 through 8.15.0 and is critical due to its ease of exploitation and the potential for widespread impact.

Technical Key Findings

Attackers exploit this flaw by submitting a specially crafted YAML document that Kibana deserializes without proper validation. Once the malicious code is parsed, it can run on the server with elevated privileges, enabling arbitrary code execution.

The attacker must have the following Elasticsearch indices permissions;

• write access to system indices .kibana_ingest*
  
• The allow_restricted_indices flag needs to be set to true

The attacker must also have ANY of the following Kibana privileges;

• Under Fleet the All privilege is granted
• Under Integration the Read or All privilege is granted
• Access to the fleet-setup privilege is gained through the Fleet Server’s service account token## Vulnerable Products
• Kibana versions 8.10.0 to 8.15.0.

Impact Assessment

Successful exploitation could allow an attacker to execute arbitrary commands, leading to a complete system compromise. This could affect confidentiality, integrity, and availability, making it a high-risk issue for organizations relying on Kibana for data visualization and exploration.

Patches or Workaround

Upgrading to Kibana version 8.15.1 resolves this vulnerability. Additionally, limiting access to Elasticsearch indices and restricting Kibana privileges reduces exposure.

Tags

#CVE-2024-37285 #Kibana #ArbitraryCodeExecution #YAML #Deserialization #ElasticStack #CyberSecurity

GitLab Releases Critical Updates to Address XSS Vulnerability

Date: July 25, 2024
CVE: CVE-2024-5067
Vulnerability Type: Cross-Site Scripting (XSS)
CWE: [[CWE-79]], [[CWE-352]], [[CWE-264]]
Sources: GitLab Critical Patch Release, Security Online Info, CERT-EU

Synopsis

GitLab has released critical updates for its Community Edition (CE) and Enterprise Edition (EE) to address multiple vulnerabilities, including a high-severity cross-site scripting (XSS) flaw.

Issue Summary

On May 24, GitLab released new versions of GitLab Community Edition (CE) and Enterprise Edition (EE) with crucial bug and security fixes. These updates address a significant vulnerability, CVE-2024-4835, with a CVSS score of 8.0, which allows attackers to take over accounts via an XSS flaw. Exploiting this through the VS code editor (Web IDE), an attacker can create a malicious page to steal sensitive user information. User interaction is required, This does increase the attack complexity. All versions of GitLab CE and EE up to 16.10.6, versions 16.11 up to 16.11.3, and versions 17.0 up to 17.0.1 are affected. Patches are released by GitLab: 17.2.1, 17.1.3, 17.0.5

Technical Key Findings

The XSS vulnerability (CVE-2024-5067) is exploited through the Maven Dependency Proxy, where attackers can inject malicious scripts that run in the user's session. This flaw has a CVSS score of 7.7, indicating high severity.

Vulnerable Products

• GitLab CE/EE versions from 16.6 up to 17.2.1
• Specific vulnerabilities affect versions 17.1 prior to 17.1.3 and 17.2 prior to 17.2.1

Impact Assessment

Exploitation of this vulnerability can lead to arbitrary code execution, potentially compromising user accounts and leaking sensitive information.

Patches or Workarounds

GitLab has released patches in versions 17.2.1, 17.1.3, and 17.0.5. It is strongly recommended that all installations be upgraded to these versions immediately to mitigate the risk.

Tags

#GitLab #CVE-2024-5067 #XSS #SecurityUpdate #Vulnerability #Patch #Cybersecurity

New ICS Malware 'FrostyGoop' Targeting Critical Infrastructure

Date: July 23, 2024

CVE: N/A

Vulnerability Type: Exploitation of Modbus TCP communication

CWE: [[CWE-668]], [[CWE-20]], [[CWE-74]]

Sources: The Hacker News, Yahoo News, Dragos

Synopsis

FrostyGoop is a newly identified malware designed to target Industrial Control Systems (ICS) by exploiting Modbus TCP communication protocols. This malware caused significant disruption to critical infrastructure in Lviv, Ukraine, earlier this year.

Issue Summary

In January 2024, FrostyGoop malware targeted an energy company in Lviv, resulting in a 48-hour loss of heating services to over 600 apartment buildings. This malware interacts directly with ICS devices using Modbus TCP over port 502, making it a serious threat to critical infrastructure.

Technical Key Findings

FrostyGoop, written in Golang, can read and write to ICS device registers and uses JSON-formatted configuration files to target specific IP addresses and Modbus commands. Initial access was likely gained through a vulnerability in Mikrotik routers.

Vulnerable Products

ENCO controllers with TCP port 502 exposed and ICS devices using Modbus TCP are particularly vulnerable to this malware.

Impact Assessment

The malware's ability to manipulate ICS devices can lead to significant operational disruptions, inaccurate system measurements, and potential safety hazards, affecting public safety and industrial operations.

Patches or Workarounds

Currently, there are no specific patches available for FrostyGoop.

#FrostyGoop #ICS #ModbusTCP #CriticalInfrastructure #CyberAttack #EnergySector #Ukraine #Dragos #IndustrialControlSystems #Golang #MikrotikVulnerability