New Critical Security Flaws Expose Exim Mail Servers to Remote Attacks

Sep 30, 2023 | THN | Email Security / Hacking News

Multiple security vulnerabilities have been disclosed in the Exim mail transfer agent that, if successfully exploited, could result in information disclosure and remote code execution.

The list of flaws, which were reported anonymously way back in June 2022, is as follows –

  • CVE-2023-42114 (CVSS score: 3.7) – Exim NTLM Challenge Out-Of-Bounds Read Information Disclosure Vulnerability
  • CVE-2023-42115 (CVSS score: 9.8) – Exim AUTH Out-Of-Bounds Write Remote Code Execution Vulnerability
  • CVE-2023-42116 (CVSS score: 8.1) – Exim SMTP Challenge Stack-based Buffer Overflow Remote Code Execution Vulnerability
  • CVE-2023-42117 (CVSS score: 8.1) – Exim Improper Neutralization of Special Elements Remote Code Execution Vulnerability
  • CVE-2023-42118 (CVSS score: 7.5) – Exim libspf2 Integer Underflow Remote Code Execution Vulnerability
  • CVE-2023-42119 (CVSS score: 3.1) – Exim dnsdb Out-Of-Bounds Read Information Disclosure Vulnerability

The most severe of the vulnerabilities is CVE-2023-42115, which allows remote, unauthenticated attackers to execute arbitrary code on affected installations of Exim.

“The specific flaw exists within the SMTP service, which listens on TCP port 25 by default,” the Zero Day Initiative said in an alert published this week.

“The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of a buffer. An attacker can leverage this vulnerability to execute code in the context of the service account.”

Exim maintainers, in a message shared on the Open Source Security mailing list oss-security, said fixes for CVE-2023-42114, CVE-2023-42115, and CVE-2023-42116 are “available in a protected repository and are ready to be applied by the distribution maintainers.”

“The remaining issues are debatable or miss information we need to fix them,” the maintainers added, noting that they had asked ZDI for more specifics about the issues and “didn’t get answers we were able to work with” until May 2023. The Exim team further said they are awaiting detailed specifics on the other three shortcomings.

However, the ZDI pushed back against claims about “sloppy handling” and “neither team pinging the other for 10 months,” stating it reached out several times to the developers.

“After our disclosure timeline was exceeded by many months, we notified the maintainer of our intent to publicly disclose these bugs, at which time we were told, ‘you do what you do,’” it said.

“If these bugs have been appropriately addressed, we will update our advisories with a link to the security advisory, code check-in, or other public documentation closing the issue.”

In the absence of patches, the ZDI recommends restricting interaction with the application as the only “salient” mitigation strategy.

This is not the first time security flaws have been uncovered in the widely used mail transfer agent. In May 2021, Qualys disclosed a set of 21 vulnerabilities collectively tracked as 21Nails that enable unauthenticated attackers to achieve complete remote code execution and gain root privileges.

Previously in May 2020, the U.S. government reported that hackers affiliated with Sandworm, a state-sponsored group from Russia, had been exploiting a critical Exim vulnerability (CVE-2019-10149, CVSS score: 9.8) to penetrate sensitive networks.

The development also comes hot on the heels of a new study by researchers from the University of California San Diego that discovered a novel technique called forwarding-based spoofing, which takes advantage of weaknesses in email forwarding to send messages impersonating legitimate entities, thereby compromising message integrity.

“The original protocol used to check the authenticity of an email implicitly assumes that each organization operates its own mailing infrastructure, with specific IP addresses not used by other domains,” the research found.

“But today, many organizations outsource their email infrastructure to Gmail and Outlook. As a result, thousands of domains have delegated the right to send email on their behalf to the same third party. While these third-party providers validate that their users only send email on behalf of domains that they operate, this protection can be bypassed by email forwarding.”


Progress Software Releases Urgent Hotfixes for Multiple Security Flaws in WS_FTP Server

Sep 29, 2023 | THN | Server Security / Vulnerability

Progress Software has released hotfixes for a critical security vulnerability, alongside seven other flaws, in the WS_FTP Server Ad hoc Transfer Module and in the WS_FTP Server manager interface.

Tracked as CVE-2023-40044, the flaw has a CVSS score of 10.0, indicating maximum severity. All versions of the software are impacted by the flaw.

“In WS_FTP Server versions prior to 8.7.4 and 8.8.2, a pre-authenticated attacker could leverage a .NET deserialization vulnerability in the Ad Hoc Transfer module to execute remote commands on the underlying WS_FTP Server operating system,” the company said in an advisory.

Assetnote security researchers Shubham Shah and Sean Yeoh have been credited with discovering and reporting the vulnerability.

The list of remaining flaws, impacting WS_FTP Server versions prior to 8.8.2, is as follows –

  • CVE-2023-42657 (CVSS score: 9.9) – A directory traversal vulnerability that could be exploited to perform file operations.
  • CVE-2023-40045 (CVSS score: 8.3) – A reflected cross-site scripting (XSS) vulnerability in the WS_FTP Server’s Ad Hoc Transfer module that could be exploited to execute arbitrary JavaScript within the context of the victim’s browser.
  • CVE-2023-40047 (CVSS score: 8.3) – A stored cross-site scripting (XSS) vulnerability in the WS_FTP Server’s Management module that could be exploited by an attacker with admin privileges to import an SSL certificate with malicious attributes containing XSS payloads, which could then be triggered in the victim’s browser.
  • CVE-2023-40046 (CVSS score: 8.2) – An SQL injection vulnerability in the WS_FTP Server manager interface that could be exploited to infer information stored in the database and execute SQL statements that alter or delete its contents.
  • CVE-2023-40048 (CVSS score: 6.8) – A cross-site request forgery (CSRF) vulnerability in the WS_FTP Server Manager interface.
  • CVE-2022-27665 (CVSS score: 6.1) – A reflected cross-site scripting (XSS) vulnerability in Progress Ipswitch WS_FTP Server 8.6.0 that can lead to execution of malicious code and commands on the client.
  • CVE-2023-40049 (CVSS score: 5.3) – An authentication bypass vulnerability that allows users to enumerate files under the ‘WebServiceHost’ directory listing.

With security flaws in Progress Software products becoming an attractive target for ransomware groups like Cl0p, it’s essential that users move quickly to apply the latest patches to contain potential threats.

The company, in the meanwhile, is still grappling with the fallout from the mass hack targeting its MOVEit Transfer secure file transfer platform since May 2023. More than 2,100 organizations and over 62 million individuals are estimated to have been impacted, according to Emsisoft.


Google Releases Patch for Actively Exploited Zero-Day Vulnerability

Sep 28, 2023 | THN | Zero Day / Vulnerability

Google on Wednesday rolled out fixes to address a new actively exploited zero-day in the Chrome browser.

Tracked as CVE-2023-5217, the high-severity vulnerability has been described as a heap-based buffer overflow in the VP8 compression format in libvpx, a free software video codec library from Google and the Alliance for Open Media (AOMedia).

Exploitation of such buffer overflow flaws can result in program crashes or execution of arbitrary code, impacting its availability and integrity.

Clément Lecigne of Google’s Threat Analysis Group (TAG) has been credited with discovering and reporting the flaw on September 25, 2023, with fellow researcher Maddie Stone noting on X (formerly Twitter) that it has been abused by a commercial spyware vendor to target high-risk individuals.

No additional details have been disclosed by the tech giant other than to acknowledge that it’s “aware that an exploit for CVE-2023-5217 exists in the wild.”

The latest discovery brings to five the number of zero-day vulnerabilities in Google Chrome for which patches have been released this year –

The development comes as Google assigned a new CVE identifier, CVE-2023-5129, to the critical flaw in the libwebp image library – originally tracked as CVE-2023-4863 – that has come under active exploitation in the wild, considering its broad attack surface.

Users are recommended to upgrade to Chrome version 117.0.5938.132 for Windows, macOS, and Linux to mitigate potential threats. Users of Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi are also advised to apply the fixes as and when they become available.


Critical libwebp Vulnerability Under Active Exploitation

Sep 27, 2023 | THN | Zero Day / Vulnerability

Google has assigned a new CVE identifier for a critical security flaw in the libwebp image library for rendering images in the WebP format that has come under active exploitation in the wild.

Tracked as CVE-2023-5129, the issue has been given the maximum severity score of 10.0 on the CVSS rating system. It has been described as an issue rooted in the Huffman coding algorithm:

With a specially crafted WebP lossless file, libwebp may write data out of bounds to the heap. The ReadHuffmanCodes() function allocates the HuffmanCode buffer with a size that comes from an array of precomputed sizes: kTableSize. The color_cache_bits value defines which size to use. The kTableSize array only takes into account sizes for 8-bit first-level table lookups but not second-level table lookups. libwebp allows codes that are up to 15-bit (MAX_ALLOWED_CODE_LENGTH). When BuildHuffmanTable() attempts to fill the second-level tables it may write data out-of-bounds. The OOB write to the undersized array happens in ReplicateValue.
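As an added illustration of the sizing mistake the advisory describes, the following Python models a two-level Huffman lookup table: it computes how many entries a decoder with an 8-bit root table actually needs for a given set of code lengths and compares that with an allocation that only covers the first level. This is model code written for this note, not libwebp's ReadHuffmanCodes() or BuildHuffmanTable(); the names ROOT_BITS, FIRST_LEVEL_ONLY and the functions are assumptions of the example.

```python
"""Sizing model for a two-level Huffman lookup table (illustration only).

Codes up to ROOT_BITS long resolve in one root table of 2**ROOT_BITS entries;
every longer code spills into a second-level table hung off the root slot for
its first ROOT_BITS bits. A buffer sized for the root table alone is therefore
too small as soon as any code is longer than ROOT_BITS. Not libwebp's code."""
from collections import defaultdict

ROOT_BITS = 8
MAX_CODE_LENGTH = 15                 # MAX_ALLOWED_CODE_LENGTH in the advisory
FIRST_LEVEL_ONLY = 1 << ROOT_BITS    # entries a root-only allocation provides


def canonical_codes(code_lengths):
    """Assign canonical codes (RFC 1951 rules); reject over-subscribed lengths."""
    max_len = max(code_lengths)
    bl_count = [0] * (max_len + 1)
    for length in code_lengths:
        if length:
            bl_count[length] += 1
    if sum(n << (max_len - l) for l, n in enumerate(bl_count) if l) > (1 << max_len):
        raise ValueError("over-subscribed code lengths")
    next_code, code = [0] * (max_len + 1), 0
    for bits in range(1, max_len + 1):
        code = (code + bl_count[bits - 1]) << 1
        next_code[bits] = code
    codes = {}
    for sym, length in enumerate(code_lengths):
        if length:
            codes[sym] = (next_code[length], length)
            next_code[length] += 1
    return codes


def table_entries_needed(code_lengths, root_bits=ROOT_BITS):
    """Root table plus one sub-table per root prefix that carries longer codes."""
    if max(code_lengths) > MAX_CODE_LENGTH:
        raise ValueError("code length exceeds MAX_CODE_LENGTH")
    longest = defaultdict(int)       # root prefix -> longest code under it
    for code, length in canonical_codes(code_lengths).values():
        if length > root_bits:
            prefix = code >> (length - root_bits)   # first root_bits bits
            longest[prefix] = max(longest[prefix], length)
    second_level = sum(1 << (l - root_bits) for l in longest.values())
    return (1 << root_bits) + second_level


def allocation_is_undersized(code_lengths, allocated=FIRST_LEVEL_ONLY):
    """True when filling the second-level tables would write past the buffer."""
    return table_entries_needed(code_lengths) > allocated
```

The safe pattern is the one table_entries_needed() models: derive the buffer size from the code lengths actually present (or from a bound that includes second-level tables), never from a root-level-only constant.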

The development comes after Apple, Google, and Mozilla released fixes to contain a bug – tracked separately as CVE-2023-41064 and CVE-2023-4863 – that could cause arbitrary code execution when processing a specially crafted image. Both flaws are suspected to address the same underlying problem in the library.

According to the Citizen Lab, CVE-2023-41064 is said to have been chained with CVE-2023-41061 as part of a zero-click iMessage exploit chain named BLASTPASS to deploy a mercenary spyware known as Pegasus. Additional technical details are currently unknown.

But the decision to “wrongly scope” CVE-2023-4863 as a vulnerability in Google Chrome belied the fact that it also affects virtually every other application that relies on the libwebp library to process WebP images, indicating it had a broader impact than previously thought.

An analysis from Rezilion last week revealed a laundry list of widely used applications, code libraries, frameworks, and operating systems that are vulnerable to CVE-2023-4863.

“This package stands out for its efficiency, outperforming JPEG and PNG in terms of size and speed,” the company said. “Consequently, a multitude of software, applications, and packages have adopted this library, or even adopted packages of which libwebp is a dependency.”

“The sheer prevalence of libwebp extends the attack surface significantly, raising serious concerns for both users and organizations.”

The disclosure arrives as Google expanded fixes for CVE-2023-4863 to include the Stable channel for ChromeOS and ChromeOS Flex with the release of version 15572.50.0 (browser version 117.0.5938.115).

It also follows new details published by Google Project Zero regarding the in-the-wild exploitation of CVE-2023-0266 and CVE-2023-26083 in December 2022 by commercial spyware vendors to target Samsung Android devices in the U.A.E. and obtain arbitrary kernel read/write access.

The flaws are believed to have been put to use alongside three other flaws – CVE-2022-4262, CVE-2022-3038, CVE-2022-22706 – by a customer or partner of a Spanish spyware company known as Variston IT.

“It is also particularly noteworthy that this attacker created an exploit chain using multiple bugs from kernel GPU drivers,” security researcher Seth Jenkins said. “These third-party Android drivers have varying degrees of code quality and regularity of maintenance, and this represents a notable opportunity for attackers.”


Critical JetBrains TeamCity Flaw Could Expose Source Code and Build Pipelines to Attackers

Sep 26, 2023 | THN | Vulnerability / Source Code

A critical security vulnerability in the JetBrains TeamCity continuous integration and continuous deployment (CI/CD) software could be exploited by unauthenticated attackers to achieve remote code execution on affected systems.

The flaw, tracked as CVE-2023-42793, carries a CVSS score of 9.8 and has been addressed in TeamCity version 2023.05.4 following responsible disclosure on September 6, 2023.

“Attackers could leverage this access to steal source code, service secrets, and private keys, take control over attached build agents, and poison build artifacts,” Sonar security researcher Stefan Schiller said in a report last week.

Successful exploitation of the bug could also permit threat actors to access the build pipelines and inject arbitrary code, leading to an integrity breach and supply chain compromises.

Additional details of the bug have been withheld due to the fact that it’s trivial to exploit, with Sonar noting that it’s likely to be exploited in the wild by threat actors.

JetBrains, in an independent advisory, has recommended that users upgrade as soon as possible. It has also released a security patch plugin for TeamCity versions 8.0 and above to specifically address the flaw.

The disclosure comes as two high-severity flaws have been disclosed in the Atos Unify OpenScape products that allow a low-privileged attacker to execute arbitrary operating system commands as the root user (CVE-2023-36618) and an unauthenticated attacker to access and execute various configuration scripts (CVE-2023-36619).

The flaws were patched by Atos in July 2023.

Over the past few weeks, Sonar has also published details about critical cross-site scripting (XSS) vulnerabilities affecting encrypted email solutions, including Proton Mail, Skiff, and Tutanota, that could have been weaponized to steal emails and impersonate victims.
