Login
Get Access
Demo

blog

Security Vulnerability of the Week 27/06/22

Vuln Weekly 27_june Square

Security Vulnerability of the Week 27/06/22

Previous Issues of vulnerability Weekly

Weekly review of vulnerabilities: This week we deep dive into PiPy leaking AWS credentials, illumina healthcare vulnerability, Sharepoint RCE, QNAP PHP Vuln

Appsec

Several PyPi Libraries leaking AWS credentials

Several Libraries leaking AWS credentials

Recently one library was caught typosquatting and stealing credentials (you can read the full article here

This time researchers from Sonatype have discovered several libraries disclosing vulnerabilities.

The following libraries have been discovered stealing credentials: 

  • loglib-modules
  • pyg-modules
  • pygrata
  • pygrata-utils
  • hkg-sol-utils

Sonatype analysts J. Cardona and C. Fernandez figured that the packages ‘loglib-modules’ and ‘pygrata-utils’ were created for data exfiltration, snatching AWS credentials, network interface information, and environment variables.

Code snippet pertaining to the data-stealing functionality

Code snippet pertaining to the data-stealing functionality (Sonatype)

The stolen data is stored in TXT files and uploaded to a PyGrata[.]com domain. However, the endpoint isn’t properly secured, so the analysts could peek into what the threat actors had stolen.

Securing Python going forward

Since the PiPy packages are legitimate and not typosquatting was not taken down immediately. 

Is important as part of supply chain management to review libraries and code and apply a supply chain management gate or review of all the libraries. 

Even better would be to monitor for malicious behaviour in those libraries 

Also, some indicators of malicious behaviour would be a repository without information

Since these malicious packages aren’t using typosquatting tricks, they’re not randomly targeting developers who mistyped a character but users looking for specific tools for their projects.

Suspicious package with no descriptionSuspicious package with no project description (Sonatype)

ILLUMINA 

Illumina is a provider of healthcare and data processing data. After a recent assessment by pentest Ltd several vulnerabilities have been identified and already fixed. 

The vulnerabilities affect the desktop version of the software and due to the sensitivity of the data processed (healthcare data), the vulnerabilities have been deemed critical. 

For product update: https://support.illumina.com/sequencing/sequencing_software/local-run-manager.html 

  • CVSS v3 10.0
  • ATTENTION: Exploitable remotely/low attack complexity
  • Vendor: Illumina
  • Equipment: Local Run Manager (LRM)
  • Vulnerabilities: Path Traversal, Unrestricted Upload of File with Dangerous Type, Improper Access Control, Cleartext Transmission of Sensitive Information

Product affected

​​The following devices and instruments using LRM software are affected:

Illumina In Vitro Diagnostic (IVD) devices:

  • NextSeq 550Dx: LRM Versions 1.3 to 3.1
  • MiSeq Dx: LRM Versions 1.3 to 3.1

Researcher Use Only (ROU) instruments:

  • NextSeq 500 Instrument: LRM Versions 1.3 to 3.1
  • NextSeq 550 Instrument: LRM Versions 1.3 to 3.1
  • MiSeq Instrument: LRM Versions 1.3 to 3.1
  • iSeq 100 Instrument: LRM Versions 1.3 to 3.1
  • MiniSeq Instrument: LRM Versions 1.3 to 3.1

Remediation available: The Illumina software team has developed a software patch to protect against remote exploitation of this vulnerability. In addition to this patch, we are working to provide a permanent software fix for current and future instruments and will notify customers directly when it is available

For the full disclosure: https://www.illumina.com/content/dam/illumina/gcs/assembled-assets/marketing-literature/lrm-securitynnouncement-m-gl-00810/lrm-securitynnouncement-m-gl-00810.pdf 

Several vulnerabilities have been found in this vendor

3.2 VULNERABILITY OVERVIEW

3.2.1    EXECUTION WITH UNNECESSARY PRIVILEGES CWE-250

LRM utilizes elevated privileges. An unauthenticated malicious actor can upload and execute code remotely at the operating system level, which can allow an attacker to change settings, configurations, software, or access sensitive data on the affected product. An attacker could also exploit this vulnerability to access APIs not intended for general use and interact through the network.

CVE-2022-1517 has been assigned to this vulnerability. A CVSS v3 base score of 10.0 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).

3.2.2    IMPROPER LIMITATION OF A PATHNAME TO A RESTRICTED DIRECTORY (‘PATH TRAVERSAL’) CWE-22

LRM contains a directory traversal vulnerability that can allow a malicious actor to upload outside the intended directory structure.

CVE-2022-1518 has been assigned to this vulnerability. A CVSS v3 base score of 10.0 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).

3.2.3    UNRESTRICTED UPLOAD OF FILE WITH DANGEROUS TYPE CWE-434

LRM does not restrict the types of files that can be uploaded to the affected product. A malicious actor can upload any file type, including executable code that allows for a remote code exploit.

CVE-2022-1519 has been assigned to this vulnerability. A CVSS v3 base score of 10.0 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).

3.2.4    IMPROPER ACCESS CONTROL CWE-284

LRM does not implement authentication or authorization by default. A malicious actor can inject, replay, modify, and/or intercept sensitive data.

CVE-2022-1521 has been assigned to this vulnerability. A CVSS v3 base score of 9.1 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N).

3.2.5    CLEARTEXT TRANSMISSION OF SENSITIVE INFORMATION CWE-319

LRM version 2.4 and lower does not implement TLS encryption. A malicious actor can MITM attack sensitive data in-transit, including credentials.

CVE-2022-1524 has been assigned to this vulnerability. A CVSS v3 base score of 7.4 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N).

INFRA/Network

Microsoft Sharepoint 

On 2022 may 03 security researchers discovered a vulnerability tracked as CVE-2022-30157  and disclosed on 14 June 2022. 

After a patch was disclosed on the 21st of June 25 the final version of the patch was released by Microsoft. CVSS severity is currently set at ​​8.8

CVSS SCORE8.8, (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Microsoft SharePoint Server. Authentication is required to exploit this vulnerability.

A specific flaw exists within the processing of charts. Tampering with client-side data can trigger the deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the SharePoint web server process.

For full details on this new zero-day: https://www.zerodayinitiative.com/advisories/ZDI-22-871/ 

There is no current exploit available in the wild for this vulnerability

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-30157

Product Affected: & Security Update available:

QNAP

Take Immediate Actions to Secure QNAP NAS | QNAP

Credit QNAP

The Taiwanese maker of network-attached storage (NAS) devices QNAP, has released a statement on the 22 June 2022 about a new vulnerability affecting the PHP part of the NAS affected by Remote Code Execution

“A vulnerability has been reported to affect PHP versions 7.1.x below 7.1.33, 7.2.x below 7.2.24, and 7.3.x below 7.3.11 with improper nginx config,” the hardware vendor said in an advisory. “If exploited, the vulnerability allows attackers to gain remote code execution.”

QNAP is still in the news with another vulnerability. Recently several vulnerabilities have been identified and weaponized (for full details read https://phoenix.security/security-vulnerability-of-the-week-02-04-22/ )

The vulnerability, tracked as CVE-2019-11043, is rated 9.8 out of 10 for severity on the CVSS vulnerability scoring system. That said, it’s required that Nginx and php-fpm are running in appliances using the following QNAP operating system versions –

  • QTS 5.0.x and later
  • QTS 4.5.x and later
  • QuTS hero h5.0.x and later
  • QuTS hero h4.5.x and later
  • QuTScloud c5.0.x and later

The alert came swiftly as QNAP revealed that it’s “thoroughly investigating” yet another wave of ransomware attacks targeting QNAP NAS DeadBolt 

For full details: https://www.qnap.com/en/securitydvisory/qsa-22-20 

Previous Issues of vulnerability Weekly

Picture of Francesco Cipollone

Francesco Cipollone

Francesco is an internationally renowned public speaker, with multiple interviews in high-profile publications (eg. Forbes), and an author of numerous books and articles, who utilises his platform to evangelize the importance of Cloud security and cutting-edge technologies on a global scale.
26th June 2022
Francesco is an internationally renowned public speaker, with multiple interviews in high-profile publications (eg. Forbes), and an author of numerous books and articles, who utilises his platform to evangelize the importance of Cloud security and cutting-edge technologies on a global scale.

Discuss this blog with our community on Slack

Join our AppSec Phoenix community on Slack to discuss this blog and other news with our professional security team

Join Slack community
Linkedin-in Youtube Facebook-f Twitter Instagram

From our Blog

palo alto CVE-2024-3400, exploit, aspm, injection
  • 14th April 2024

Critical Exploit CVE-2024-3400 Vulnerability Leveraging UVM, CTEM and ASPM to Remediate in this Palo Alto Exploit

Discover and fix CVE-2024-3094 vulnerability affecting Linux distributions liblzma, part of the xz package, Fedora, openSUSE, Debian, and Kali. Get the latest updates, fixes, and security recommendations to safeguard your system against unauthorized access through compromised XZ Utils. Protect and discover the affected system with ASPM, Application security Posture management
Francesco Cipollone
HTTP/2 vulnerability, Continuation Flood attack, Rapid Reset DDoS, cybersecurity threats, Apache HTTP Server CVE-2024-27316, Envoy CVE-2024-27919, Node.js security patch, AMPHP CVE-2024-2653, Apache Tomcat CVE-2024-24549, Golang CVE-2023-45288, Nghttp2 CVE-2024-28182, Tempesta FW CVE-2024-2758, vulnerability mitigation strategies, protocol security enhancements
  • 7th April 2024

The Rising Threat of HTTP/2 Vulnerabilities: From Rapid Reset to Continuation Flood CVE-2024-27316, CVE-2024-24549

Discover and fix CVE-2024-3094 vulnerability affecting Linux distributions liblzma, part of the xz package, Fedora, openSUSE, Debian, and Kali. Get the latest updates, fixes, and security recommendations to safeguard your system against unauthorized access through compromised XZ Utils. Protect and discover the affected system with ASPM, Application security Posture management
Francesco Cipollone
CVE-2024-3094, Linux Security, xz-utils, libzlma, Vulnerability, Cybersecurity Alert, Malicious Code Injection, Software Backdoor, OpenSSH Security, Tarball Compromise, Application Security Management (ASPM), Software Bill of Materials (SBOM), Vulnerability Management, Linux Distributions, Fedora Security, Debian Security, SUSE Security, Kali Linux Update, Cyber Threat Intelligence, Secure Coding Practices, Software Supply Chain Security, Cybersecurity Best Practices
  • 30th March 2024

Navigating the Waters of Vulnerability CVE-2024-3094 A Comprehensive Guide for Linux and Application Security

Discover and fix CVE-2024-3094 vulnerability affecting Linux distributions liblzma, part of the xz package, Fedora, openSUSE, Debian, and Kali. Get the latest updates, fixes, and security recommendations to safeguard your system against unauthorized access through compromised XZ Utils. Protect and discover the affected system with ASPM, Application security Posture management
Francesco Cipollone
Mitre EPSS CVSS CVE Vulnerability vulnerability management CTEM
  • 4th March 2024

Mitre and EPSS, can we cross the chasm in vulnerability management

Explore the interplay between the MITRE ATT&CK framework and EPSS for effective vulnerability management. Learn how these tools help predict and prioritize cyber threats, with deep dives into the most and least exploited techniques. Stay ahead in cybersecurity with Phoenix’s advanced analysis.
Francesco Cipollone

Derek Fisher

Linkedin

Head of product security at a global fintech

Derek Fisher – Head of product security at a global fintech. Speaker, instructor, and author in application security.

Derek is an award winning author of a children’s book series in cybersecurity as well as the author of “The Application Security Handbook.” He is a university instructor at Temple University where he teaches software development security to undergraduate and graduate students. He is a speaker on topics in the cybersecurity space and has led teams, large and small, at organizations in the healthcare and financial industries. He has built and matured information security teams as well as implemented organizational information security strategies to reduce the organizations risk.

Derek got his start in the hardware engineering space where he learned about designing circuits and building assemblies for commercial and military applications. He later pursued a computer science degree in order to advance a career in software development. This is where Derek was introduced to cybersecurity and soon caught the bug. He found a mentor to help him grow in cybersecurity and then pursued a graduate degree in the subject.

Since then Derek has worked in the product security space as an architect and leader. He has led teams to deliver more secure software in organizations from multiple industries. His focus has been to raise the security awareness of the engineering organization while maintaining a practice of secure code development, delivery, and operations.

In his role, Jeevan handles a range of tasks, from architecting security solutions to collaborating with Engineering Leadership to address security vulnerabilities at scale and embed security into the fabric of the organization.

Jeevan Singh

Linkedin

Founder of Manicode Security

Jeevan Singh is the Director of Security Engineering at Rippling, with a background spanning various Engineering and Security leadership roles over the course of his career. He’s dedicated to the integration of security practices into software development, working to create a security-aware culture within organizations and imparting security best practices to the team.
In his role, Jeevan handles a range of tasks, from architecting security solutions to collaborating with Engineering Leadership to address security vulnerabilities at scale and embed security into the fabric of the organization.

James Berthoty

Linkedin

Founder of Latio Tech

James Berthoty has over ten years of experience across product and security domains. He founded Latio Tech to help companies find the right security tools for their needs without vendor bias.

Christophe Parisel

Linkedin

Senior Cloud Security Architect

Senior Cloud Security Architect

Chris Romeo

Linkedin

Co-Founder
Security Journey

Chris Romeo is a leading voice and thinker in application security, threat modeling, and security champions and the CEO of Devici and General Partner at Kerr Ventures. Chris hosts the award-winning “Application Security Podcast,” “The Security Table,” and “The Threat Modeling Podcast” and is a highly rated industry speaker and trainer, featured at the RSA Conference, the AppSec Village @ DefCon, OWASP Global AppSec, ISC2 Security Congress, InfoSec World and All Day DevOps. Chris founded Security Journey, a security education company, leading to an exit in 2022. Chris was the Chief Security Advocate at Cisco, spreading security knowledge through education and champion programs. Chris has twenty-six years of security experience, holding positions across the gamut, including application security, security engineering, incident response, and various Executive roles. Chris holds the CISSP and CSSLP certifications.

Jim Manico

Linkedin

Founder of Manicode Security

Jim Manico is the founder of Manicode Security, where he trains software developers on secure coding and security engineering. Jim is also the founder of Brakeman Security, Inc. and an investor/advisor for Signal Sciences. He is the author of Iron-Clad Java: Building Secure Web Applications (McGraw-Hill), a frequent speaker on secure software practices, and a member of the JavaOne Rockstar speaker community. Jim is also a volunteer for and former board member of the OWASP foundation.

Join our Mailing list!

Get all the latest news, exclusive deals, and feature updates.