This week’s vulnerability news includes a GitHub credential-access issue, a new Chrome fix, and malware hidden inside pirated macOS applications hosted on Chinese websites. Citrix and Ivanti are seeing more problems, too, as new vulnerabilities have cropped up in NetScaler and Endpoint Manager Mobile.
Make sure your security teams regularly check vendors’ software and hardware updates for new patches, and keep a particular eye on networking equipment. If you rely on GitHub’s commit signing key or hardcoded any of its secret-encryption public keys, fetch the rotated keys.
January 16, 2024
Open-Source UEFI Implementation Sees 9 Vulnerabilities
Type of vulnerability: Weaknesses in the network boot (PXE) code of an open-source UEFI implementation.
The problem: EDK II, the open-source reference implementation of the Unified Extensible Firmware Interface (UEFI) specification, contains nine vulnerabilities in its network stack. Together they are known as PixieFAIL, and unauthenticated attackers can trigger them while a machine is network booting. Typically the attacker would sit on the local network, but in some configurations the attack could come from a remote location, according to researchers at Quarkslab.
Such an attack could lead to remote code execution, denial of service, and network session hijacking. Quarkslab’s write-up details how the Preboot Execution Environment (PXE) is affected by PixieFAIL. Because PXE boot is most common on data-center-class servers, the vulnerabilities are largely a concern for cloud environments and data center infrastructure.
The fix: Researchers haven’t published many mitigations for PixieFAIL yet. Disabling PXE boot is one option, but if your environment already depends on it for provisioning, weigh the consequences before turning it off. Since EDK II fixes reach production machines through vendor firmware, also watch for firmware updates from your hardware vendor.
GitHub Rotates Credentials to Solve Credential Access Issue
Type of vulnerability: Credential access vulnerability.
The problem: Last week, GitHub published a notice about a vulnerability reported through its bug bounty program and fixed on December 26. If exploited, it could have exposed credentials inside a production container. GitHub said it found no evidence that the vulnerability had been discovered or exploited by anyone else.
Out of caution, GitHub rotated the potentially affected credentials, which included some encryption keys and the GitHub commit signing key. The vulnerability also exists in GitHub Enterprise Server (GHES), but there it can only be exploited by an authenticated user with an organization owner role who is logged into an account on the GHES instance.
GitHub has already completed the credential rotation.
The fix: Download the new public commit signing key from GitHub. To encrypt GitHub Actions, GitHub Codespaces, and Dependabot secrets, fetch the new public keys from the API each time rather than relying on a cached copy. Users who hardcoded the old public keys will now receive an error when they try to send a secret to GitHub.
More Citrix NetScaler Problems Emerge
Type of attack: Remote code execution and denial of service.
The problem: Citrix has announced two vulnerabilities in its NetScaler ADC and NetScaler Gateway appliances, both of which it has seen exploited in the wild. We covered vulnerabilities in these two products in October, but these CVEs are new. CVE-2023-6548 is a remote code execution vulnerability that requires an authenticated user, and CVE-2023-6549 is a denial-of-service vulnerability.
To exploit CVE-2023-6548, an attacker must have access to the NSIP, CLIP, or SNIP with management interface access. To exploit CVE-2023-6549, the appliance must be configured as a gateway (for example, a VPN virtual server) or as an AAA virtual server.
The fix: Citrix recommends upgrading to one of the following versions:
- NetScaler ADC and NetScaler Gateway 14.1-12.35 and later releases
- NetScaler ADC and NetScaler Gateway 13.1-51.15 and later releases of 13.1
- NetScaler ADC and NetScaler Gateway 13.0-92.21 and later releases of 13.0
- NetScaler ADC 13.1-FIPS 13.1-37.176 and later releases of 13.1-FIPS
- NetScaler ADC 12.1-FIPS 12.1-55.302 and later releases of 12.1-FIPS
- NetScaler ADC 12.1-NDcPP 12.1-55.302 and later releases of 12.1-NDcPP
Citrix also recommends not exposing the NetScaler ADC management interface to the internet.
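Checking a fleet of appliances against that list by eye is error-prone, because each branch has its own fixed build and the FIPS and NDcPP branches have different numbers from the standard ones. The following is an added example (not Citrix’s tooling) that parses the version banner from `show version` and compares it with the fixed builds listed above. It assumes the banner has the usual form `NetScaler NS13.1: Build 49.15.nc, Date: ...`; because that banner does not say whether a box runs the FIPS or NDcPP branch, the caller passes that as a separate argument. The sample banners are constructed for illustration.

```python
import re
from typing import Optional, Tuple

# First fixed build per branch, copied from the Citrix advisory quoted above.
# Branches not listed here (e.g. plain 12.1) have no fixed build in that table.
FIXED_BUILDS = {
    "14.1": (12, 35),
    "13.1": (51, 15),
    "13.0": (92, 21),
    "13.1-FIPS": (37, 176),
    "12.1-FIPS": (55, 302),
    "12.1-NDcPP": (55, 302),
}

# Assumed banner format: "NetScaler NS13.1: Build 49.15.nc, Date: ..."
_SHOW_VERSION_RE = re.compile(r"NS(\d+\.\d+):\s*Build\s+(\d+)\.(\d+)")


def parse_show_version(banner: str, variant: str = "") -> Tuple[str, Tuple[int, int]]:
    """Return (branch, (major_build, minor_build)) from a `show version` banner.

    `variant` is "" for standard builds, or "FIPS" / "NDcPP" for those
    hardened branches, since the banner alone does not reveal which one runs.
    """
    m = _SHOW_VERSION_RE.search(banner)
    if not m:
        raise ValueError(f"unrecognised version banner: {banner!r}")
    branch = m.group(1)
    if variant:
        branch = f"{branch}-{variant}"
    return branch, (int(m.group(2)), int(m.group(3)))


def is_patched(branch: str, build: Tuple[int, int]) -> Optional[bool]:
    """True if build >= fixed build, False if below it, None if the branch is not in the table."""
    fixed = FIXED_BUILDS.get(branch)
    if fixed is None:
        return None
    return build >= fixed  # tuple comparison: (51, 15) > (49, 15), (12, 35) > (8, 50)


def assess(banner: str, variant: str = "") -> Tuple[str, Tuple[int, int], str]:
    """Parse a banner and produce a human-readable verdict."""
    branch, build = parse_show_version(banner, variant)
    status = is_patched(branch, build)
    if status is None:
        verdict = "no fixed build listed for this branch; check the advisory (branch may be end of life)"
    elif status:
        verdict = "at or above the fixed build"
    else:
        fixed = FIXED_BUILDS[branch]
        verdict = f"VULNERABLE: upgrade to {branch}-{fixed[0]}.{fixed[1]} or later"
    return branch, build, verdict


if __name__ == "__main__":
    # Constructed sample banners; run against real `show version` output in practice.
    samples = [
        ("NetScaler NS13.1: Build 49.15.nc, Date: Dec 1 2023, 10:00:00", ""),
        ("NetScaler NS13.1: Build 51.15.nc, Date: Jan 10 2024, 10:00:00", ""),
        ("NetScaler NS13.1: Build 37.176.nc, Date: Jan 10 2024, 10:00:00", "FIPS"),
        ("NetScaler NS12.1: Build 65.25.nc, Date: Nov 1 2023, 10:00:00", ""),
    ]
    for banner, variant in samples:
        branch, build, verdict = assess(banner, variant)
        print(f"{branch:<11} {build[0]}.{build[1]:<6} {verdict}")
```

Feed it the first line of `show version` from each appliance (or the `NSVERSION` string your inventory already collects). The tuple comparison matters: a string compare would rank `9.x` above `12.x`, which is exactly the kind of mistake that leaves a box unpatched.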
Google Fixes Chrome Vulnerability
Type of vulnerability: Out-of-bounds write, out-of-bounds memory access, and type confusion.
The problem: The Chrome Stable channel for desktop has been updated to fix four vulnerabilities, including an out-of-bounds write, a type confusion, and an out-of-bounds memory access in V8, Chrome’s JavaScript engine. As usual, Google is restricting access to the bug details until a majority of users have received the update. Google also thanked the external researchers who reported the bugs.
The fix: Google has pushed the following updates and recommends users upgrade to them:
- 120.0.6099.234 for Mac
- 120.0.6099.224 for Linux
- 120.0.6099.224/225 for Windows
January 18, 2024
Another Ivanti Vulnerability Rears Its Head
Type of attack: Authentication bypass.
The problem: Ivanti Endpoint Manager Mobile (EPMM) and MobileIron Core are susceptible to an authentication bypass vulnerability, and there’s evidence it has been exploited in the wild. EPMM versions 11.10, 11.9 and 11.8 and MobileIron Core version 11.7 are affected.
Ivanti first noted this vulnerability on its community forum in August 2023, but the Cybersecurity and Infrastructure Security Agency (CISA) only just added it to its Known Exploited Vulnerabilities catalog.
Ivanti received a mention in last week’s recap, too, for its Connect Secure VPN and Policy Secure zero-days.
The fix: Ivanti recommends updating EPMM to the most recent version. Ivanti has fixed the issue in MobileIron Core 11.3; older versions are already out of support and will not be patched.
Jamf Discovers Malware from Pirated Applications
Type of vulnerability: Hidden malicious executables bundled into pirated applications.
The problem: Jamf Threat Labs discovered pirated macOS apps, hosted on Chinese websites, that carry hidden malware. Inside them Jamf found an executable named .fseventsd; because the name begins with a period, the file does not show up in a normal directory listing. VirusTotal, the online file- and URL-scanning service, hadn’t flagged it as malicious when Jamf checked. According to Jamf, once the binary runs it downloads additional payloads to the victim’s device and executes them in the background.
By pivoting on the package in which the binary was found, Jamf identified the pirated applications that carry the malware. The malware rewrites its command-line arguments so that it blends in with the normal processes of the host operating system.
Jamf also noted some similarities between this malware and the ZuRu strain of malware, which also affects macOS.
The fix: Jamf’s report provides a list of indicators of compromise for the pirated applications. Users should avoid websites that host pirated applications and use security products that block such tools.
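Indicator lists go stale as soon as the malware is rebuilt, so it helps to also hunt for the technique itself: a dot-prefixed file that is actually a Mach-O executable sitting inside an app bundle. The following is an added example (not Jamf’s code) that walks a directory tree and flags hidden files whose first four bytes are a Mach-O or fat-binary magic number. The legitimate .fseventsd on macOS is a directory at a volume root, so a regular file with that name inside an .app bundle is exactly the mimicry described above. The sample bundle is constructed inside a temporary directory so the script runs anywhere; point `find_hidden_machos` at `/Applications` on a real Mac.

```python
import os
import stat
import tempfile
from pathlib import Path
from typing import List

# Mach-O magic numbers in both byte orders: thin 32-bit, thin 64-bit, fat/universal.
# Note: FAT_MAGIC (CAFEBABE) is also the Java .class magic, so treat hits on
# .class files as a known false positive.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",  # MH_MAGIC / MH_CIGAM
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",  # MH_MAGIC_64 / MH_CIGAM_64
    b"\xca\xfe\xba\xbe", b"\xbe\xba\xfe\xca",  # FAT_MAGIC / FAT_CIGAM
}


def is_macho(path: Path) -> bool:
    """True if the file starts with a Mach-O or fat-binary magic number."""
    try:
        with path.open("rb") as f:
            return f.read(4) in MACHO_MAGICS
    except OSError:
        return False


def find_hidden_machos(root: Path) -> List[str]:
    """Return bundle-relative paths of dot-prefixed regular files that are Mach-O binaries."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if not name.startswith("."):
                continue  # only hidden files are interesting here
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue  # skip links and anything that is not a plain file
            if is_macho(p):
                hits.append(p.relative_to(root).as_posix())
    return sorted(hits)


def build_sample_tree(root: Path) -> None:
    """Constructed sample: a fake app bundle with one hidden Mach-O plus benign dotfiles."""
    macos_dir = root / "Example.app" / "Contents" / "MacOS"
    macos_dir.mkdir(parents=True)
    # Visible main binary: Mach-O, but not hidden, so it must not be flagged.
    (macos_dir / "Example").write_bytes(b"\xcf\xfa\xed\xfe" + b"\0" * 28)
    # Hidden Mach-O named after the FSEvents log directory: this is the hit.
    hidden = macos_dir / ".fseventsd"
    hidden.write_bytes(b"\xcf\xfa\xed\xfe" + b"\0" * 28)
    hidden.chmod(hidden.stat().st_mode | stat.S_IXUSR)
    # Benign Finder metadata: hidden, but not an executable.
    (root / "Example.app" / ".DS_Store").write_bytes(b"\x00\x00\x00\x01Bud1")
    # The real .fseventsd is a directory; directories are never flagged.
    (root / ".fseventsd").mkdir()


def demo() -> List[str]:
    """Build the constructed sample in a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return find_hidden_machos(root)


if __name__ == "__main__":
    for hit in demo():
        print("hidden Mach-O:", hit)
```

On a real system, follow up on each hit with `codesign -dv` and `file` to see whether the binary is signed and what it links against; the scan only tells you that something executable is trying not to be seen.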