HTG Threat Report

Threat Report 7/3/24

Written by Evan Kennedy | Jul 25, 2024 1:43:26 PM
A Vulnerability in OpenSSH Could Allow for Remote Code Execution

A vulnerability has been discovered in OpenSSH, which could allow for remote code execution. OpenSSH is a suite of secure networking utilities based on the SSH protocol and is crucial for secure communication over unsecured networks. It is widely used in enterprise environments for remote server management, secure file transfers, and various DevOps practices. Successful exploitation of this vulnerability could allow for remote code execution in the context of the administrator account. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.  


Affected Systems:

  • OpenSSH versions earlier than 4.4p1 (unless patched for CVE-2006-5051 and CVE-2008-4109)
  • OpenSSH versions 8.5p1 up to, but not including, 9.8p1

Risk

  • Large and medium business entities: High
  • Small business entities: Medium

 

Remediation Recommendations

  • Ensure all hosts using OpenSSH have the latest version(s) installed.
  • Enact the Principle of Least Privilege (limit higher-level privileges to only the users that need them).

References

 
Multiple Vulnerabilities in Google Chrome Could Allow for Arbitrary Code Execution

Multiple vulnerabilities have been discovered in Google Chrome, the most severe of which could allow for arbitrary code execution. Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the logged-on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

 

Affected Systems:

  • Chrome prior to 126.0.6478.126/127 for Windows and Mac
  • Chrome prior to 126.0.6478.126 for Linux

Risk

  • Large and medium business entities: High
  • Small business entities: Medium

 

Remediation Recommendations

  • Ensure all devices using Google Chrome have the latest version(s) installed.
  • Enact the Principle of Least Privilege (limit higher-level privileges to only the users that need them).

References

 
Multiple Vulnerabilities in Progress MOVEit Products Could Allow for Authentication Bypass

Multiple vulnerabilities have been discovered in MOVEit products, which could allow for authentication bypass. 

  • MOVEit Gateway acts as a proxy between inbound connections from the public network and your internal trusted network. 
  • MOVEit Transfer is a secure managed file transfer application. 

Successful exploitation of these vulnerabilities could allow for an attacker to bypass authentication. An attacker could then view, change, or delete data; or create new accounts with full user rights. 

 

Affected Systems:

  • MOVEit Gateway versions prior to 2024.0.1
  • MOVEit Transfer versions prior to 2024.0.2, 2023.1.6, and 2023.0.11

Risk

  • Large and medium business entities: High
  • Small business entities: Medium

Remediation Recommendations

  • Ensure all devices utilizing the above software have the latest version installed.
  • Enact the Principle of Least Privilege (limit higher-level privileges to only the users that need them).
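The OpenSSH, Chrome and MOVEit advisories above all reduce to the same remediation step: compare the installed build against the fixed build. The following Python script is an added example, not part of HTG's report or any vendor tooling; it turns the three affected-version statements above into a check that runs over a constructed software inventory. The hostnames, SSH banners and inventory layout are assumptions; the fixed-version numbers are the ones quoted in this report. One caveat worth keeping in mind: Linux distributions frequently backport security fixes without changing the OpenSSH version in the banner, so a banner-based hit is a lead to confirm against the distribution's package changelog, not a final verdict.

```python
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Turn '9.8p1', '126.0.6478.126' or '2024.0.1' into a comparable tuple.

    OpenSSH's portable suffix 'pN' becomes a trailing component, so
    (9, 8, 1) for 9.8p1 sorts above (9, 8) for a bare 9.8.
    """
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:p(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = tuple(int(x) for x in m.group(1).split("."))
    if m.group(2) is not None:
        parts += (int(m.group(2)),)
    return parts


# --- OpenSSH: earlier than 4.4p1, or 8.5p1 up to but not including 9.8p1 ---
OPENSSH_LEGACY_FIX = parse_version("4.4p1")
OPENSSH_RANGE = (parse_version("8.5p1"), parse_version("9.8p1"))
BANNER_RE = re.compile(r"^SSH-\d\.\d+-OpenSSH_(\d+\.\d+(?:p\d+)?)")


def openssh_version_from_banner(banner: str) -> Optional[str]:
    """Extract '9.6p1' from a server banner such as
    'SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13'; None for non-OpenSSH banners."""
    m = BANNER_RE.match(banner.strip())
    return m.group(1) if m else None


def openssh_affected(version: str) -> bool:
    v = parse_version(version)
    if v < OPENSSH_LEGACY_FIX:
        # Pre-4.4p1 builds are affected unless CVE-2006-5051 / CVE-2008-4109
        # were backported; the version string cannot tell us, so flag them.
        return True
    lo, hi = OPENSSH_RANGE
    return lo <= v < hi


# --- Chrome: prior to 126.0.6478.126 (Windows/Mac also shipped .127) ---
CHROME_FIX = parse_version("126.0.6478.126")


def chrome_affected(version: str) -> bool:
    # .126 and .127 are both at or above the fix, so one comparison covers all platforms.
    return parse_version(version) < CHROME_FIX


# --- MOVEit: fixes were issued per release branch ---
MOVEIT_FIXES: Dict[str, List[Version]] = {
    "gateway": [parse_version("2024.0.1")],
    "transfer": [parse_version(v) for v in ("2024.0.2", "2023.1.6", "2023.0.11")],
}


def moveit_affected(product: str, version: str) -> bool:
    v = parse_version(version)
    fixes = MOVEIT_FIXES[product.lower()]
    for fix in fixes:
        if v[:2] == fix[:2]:  # same release branch: fixed at that branch's patch level
            return v < fix
    # No fixed build on this branch. Older branches are "prior to" every fix and
    # so count as affected; branches newer than all fixes are assumed clean.
    return v < min(fixes)


# Constructed inventory (hostnames, banners and versions are made up for the example).
CONSTRUCTED_INVENTORY = [
    {"host": "bastion-01", "product": "openssh", "banner": "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13"},
    {"host": "build-07", "product": "openssh", "banner": "SSH-2.0-OpenSSH_9.8p1"},
    {"host": "ws-112", "product": "chrome", "version": "126.0.6478.61"},
    {"host": "ws-113", "product": "chrome", "version": "126.0.6478.127"},
    {"host": "mft-01", "product": "moveit-transfer", "version": "2023.1.5"},
    {"host": "mft-gw", "product": "moveit-gateway", "version": "2024.0.1"},
]


def find_affected(inventory) -> List[Tuple[str, str, str]]:
    """Return (host, product, version) for every record inside an affected range."""
    findings = []
    for item in inventory:
        product = item["product"]
        if product == "openssh":
            ver = openssh_version_from_banner(item["banner"])
            hit = ver is not None and openssh_affected(ver)
        elif product == "chrome":
            ver = item["version"]
            hit = chrome_affected(ver)
        elif product.startswith("moveit-"):
            ver = item["version"]
            hit = moveit_affected(product.split("-", 1)[1], ver)
        else:
            continue  # product not covered by this report
        if hit:
            findings.append((item["host"], product, ver))
    return findings


if __name__ == "__main__":
    for host, product, ver in find_affected(CONSTRUCTED_INVENTORY):
        print(f"{host}: {product} {ver} is in an affected range; confirm and patch")
```

Run against the constructed inventory, the script flags bastion-01 (9.6p1 sits inside the 8.5p1 to 9.8p1 window, though on Ubuntu the backport caveat applies), ws-112 (Chrome below the fixed build) and mft-01 (Transfer 2023.1.x below 2023.1.6), and leaves the three patched hosts alone. The branch-aware MOVEit check is the part most worth copying: a naive "is it below 2024.0.2" test would wrongly flag a fully patched 2023.1.6 install.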

References


 
Microsoft Provides Updates on Midnight Blizzard Email Hack

 

Microsoft is notifying additional customers whose email correspondence with Microsoft was accessed by the Russian threat actor Midnight Blizzard, Engadget reports. Microsoft stated, "This week we are continuing notifications to customers who corresponded with Microsoft corporate email accounts that were exfiltrated by the Midnight Blizzard threat actor, and we are providing the customers the email correspondence that was accessed by this actor. This is increased detail for customers who have already been notified and also includes new notifications."


 
CocoaPods Vulnerabilities Affected Millions of iOS and macOS Apps

Researchers at EVA Information Security discovered a set of vulnerabilities affecting the open-source dependency manager CocoaPods that could allow a threat actor "to claim ownership over thousands of unclaimed pods and insert malicious code into many of the most popular iOS and MacOS applications." The vulnerabilities have since been patched.

EVA explains, "A 2014 migration process left thousands of orphaned packages (where the original owner is unknown), many of which are still widely used in other libraries. Using a public API and an email address that was available in the CocoaPods source code, an attacker could claim ownership over any of these packages, which would then allow the attacker to replace the original source code with their own malicious code." Additionally, "An insecure email verification workflow could be exploited to run arbitrary code on the CocoaPods ‘Trunk’ server (manages the distribution and metadata of Podspecs), which would allow an attacker to manipulate or replace the packages being downloaded." Finally, "A separate vulnerability would allow an attacker to infiltrate the CocoaPods ‘Trunk’ server and perform a near-unlimited range of exploits."