Welcome to Security Sunday – Week 2. our weekly summary from the world of cybersecurity (08. 01. – 14. 01. 2024).

We’re collecting notable incident and vulnerability reports from the past week.

More than 150,000 WordPress websites at risk

Last month, Wordfence security researchers discovered two vulnerabilities in the POST SMTP Mailer plugin.

The first, tracked as CVE-2023-6875, is a critical authorization bypass vulnerability that arises in the REST API. The problem affects all versions of the plugin up to 2.8.7.

The second vulnerability is a cross-site scripting (XSS) issue identified as CVE-2023-7027. The vulnerability affects POST SMPT up to version 2.8.7 and allows attackers to insert arbitrary scripts into web pages.

Based on statistics from wordpress.org, there are roughly 150,000 sites using a vulnerable version of the plugin below 2.8.

Wordfence has contacted the manufacturer of Plugin 8. a 19. December 2023. The correction was issued on 1. January 2024 and administrators are advised to upgrade to version 2.8.8.

Juniper warns of critical RCE vulnerability in its firewalls and switches

Juniper Networks has released security updates that fix a critical remote code execution (RCE) vulnerability in SRX Series firewalls and EX Series switches.

This critical security vulnerability, which is found in the J-Web configuration interfaces and is tracked as CVE-2024-21591, can be exploited by unauthenticated attackers to gain root privileges or denial-of-service (DoS) attacks.

“This issue is caused by the use of an insecure feature that allows an attacker to overwrite arbitrary memory,” the company explained in a security alert published Wednesday.

According to Shadowserver, more than 8,000 Juniper devices have J-Web interfaces available from the Internet.

Administrators are advised to apply security updates immediately or upgrade JunOS to the latest version. If updating is not possible, it is recommended to at least disable the J-Web interface to remove the attack vector.

GitLab releases patch for critical vulnerabilities

GitLab has released security updates that address two critical vulnerabilities, including one that can be exploited to take over accounts without user interaction.

The bug, identified as CVE-2023-7028, was assigned a maximum severity level of 10.0 in the CVSS.

The DevSecOps platform said the vulnerability was the result of a flaw in the email authentication process that allowed users to reset their passwords via a secondary email address.

GitLab says it has fixed the issue in GitLab 16.5.6, 16.6.4, and 16.7.2, and has also pushed the fix back to 16.1.6, 16.2.9, 16.3.7, and 16.4.5.

Users who have two-factor authentication enabled are not susceptible to account takeover because their second authentication factor is required to log in. – said GitLab.

As part of the latest update, GitLab also fixed another critical bug (CVE-2023-5356, CVSS score: 9.6) that allows a user to exploit the Slack/Mattermost integration to run slash commands as another user.

Critical Microsoft SharePoint vulnerability is now being actively exploited

CISA warns that attackers are now exploiting a critical privilege escalation vulnerability in Microsoft SharePoint that can be combined with another critical vulnerability to remotely execute code.

The vulnerability, tracked as CVE-2023-29357, allows remote attackers to gain administrative privileges on unpatched servers by bypassing authentication using spoofed JWT authentication tokens.

“An attacker who successfully exploits this vulnerability can gain administrator privileges. The attacker does not need any privileges, nor does the user need to perform any action,” Microsoft explains.

Attackers can also execute arbitrary code on compromised SharePoint servers via command injection if they combine this vulnerability with RCE vulnerability CVE-2023-24955.

Cryptominers attack misconfigured Apache Hadoop

Cybersecurity researchers have identified a new attack that exploits misconfigurations in Apache Hadoop and Flink applications to deploy cryptominers in target environments.

“What makes this attack particularly interesting is that the attacker uses packers and rootkits to hide the malware. The malware then deletes the contents of specific directories and modifies the system configuration to evade detection.” said security researchers.

The attack vector targeting the Hadoop system exploits a misconfiguration of the YARN ResourceManager, which is responsible for cluster resource monitoring and application scheduling. Specifically, this flaw can be exploited by an unauthenticated attacker to execute arbitrary code using an HTTP request.

Attacks targeting Apache Flink similarly target a misconfiguration that allows a remote attacker to achieve code execution without any authentication.

The payload running is a packaged binary that acts as a downloader to obtain two rootkits and a binary for mining the Monero cryptocurrency. To achieve persistence, a cron is created that runs the downloader.

As mitigation, organizations are advised to deploy agent-based security solutions that detect cryptominers and rootkits.

Bitwarden adds passkey support

Popular open-source password manager Bitwarden has announced that all users can now log into their web vaults using a passkey instead of the standard username/password pair.

Passkeys are a more secure alternative to the passwords most people set and are resistant to phishing. In the case of Bitwarden, they allow users to decrypt their vault without having to enter a master password, email address or two-factor authentication (2FA).

Interested in cyber security? Check out the next episodes of our weekly magazine Security Sunday.