Appsec Phoenix

AppSec Phoenix Wide

Security Vulnerability of the Week 27/06/22


Date Posted: 26th June 2022

Security Vulnerability of the Week 27/06/22

Previous Issues of vulnerability Weekly



Weekly review of vulnerabilities: This week we deep dive into PiPy leaking AWS credentials, illumina healthcare vulnerability, Sharepoint RCE, QNAP PHP Vuln


Appsec

Several PyPi Libraries leaking AWS credentials

Several Libraries leaking AWS credentials

Recently one library was caught typosquatting and stealing credentials (you can read the full article here

This time researchers from Sonatype have discovered several libraries disclosing vulnerabilities.

The following libraries have been discovered stealing credentials: 

  • loglib-modules
  • pyg-modules
  • pygrata
  • pygrata-utils
  • hkg-sol-utils

Sonatype analysts J. Cardona and C. Fernandez figured that the packages ‘loglib-modules’ and ‘pygrata-utils’ were created for data exfiltration, snatching AWS credentials, network interface information, and environment variables.

Code snippet pertaining to the data-stealing functionality

Code snippet pertaining to the data-stealing functionality (Sonatype)

The stolen data is stored in TXT files and uploaded to a PyGrata[.]com domain. However, the endpoint isn’t properly secured, so the analysts could peek into what the threat actors had stolen.

Securing Python going forward

Since the PiPy packages are legitimate and not typosquatting was not taken down immediately. 

Is important as part of supply chain management to review libraries and code and apply a supply chain management gate or review of all the libraries. 

Even better would be to monitor for malicious behaviour in those libraries 

Also, some indicators of malicious behaviour would be a repository without information

Since these malicious packages aren’t using typosquatting tricks, they’re not randomly targeting developers who mistyped a character but users looking for specific tools for their projects.

Suspicious package with no descriptionSuspicious package with no project description (Sonatype)

ILLUMINA 

Illumina is a provider of healthcare and data processing data. After a recent assessment by pentest Ltd several vulnerabilities have been identified and already fixed. 

The vulnerabilities affect the desktop version of the software and due to the sensitivity of the data processed (healthcare data), the vulnerabilities have been deemed critical. 

For product update: https://support.illumina.com/sequencing/sequencing_software/local-run-manager.html 

  • CVSS v3 10.0
  • ATTENTION: Exploitable remotely/low attack complexity
  • Vendor: Illumina
  • Equipment: Local Run Manager (LRM)
  • Vulnerabilities: Path Traversal, Unrestricted Upload of File with Dangerous Type, Improper Access Control, Cleartext Transmission of Sensitive Information

Product affected

​​The following devices and instruments using LRM software are affected:

Illumina In Vitro Diagnostic (IVD) devices:

  • NextSeq 550Dx: LRM Versions 1.3 to 3.1
  • MiSeq Dx: LRM Versions 1.3 to 3.1

Researcher Use Only (ROU) instruments:

  • NextSeq 500 Instrument: LRM Versions 1.3 to 3.1
  • NextSeq 550 Instrument: LRM Versions 1.3 to 3.1
  • MiSeq Instrument: LRM Versions 1.3 to 3.1
  • iSeq 100 Instrument: LRM Versions 1.3 to 3.1
  • MiniSeq Instrument: LRM Versions 1.3 to 3.1

Remediation available: The Illumina software team has developed a software patch to protect against remote exploitation of this vulnerability. In addition to this patch, we are working to provide a permanent software fix for current and future instruments and will notify customers directly when it is available

For the full disclosure: https://www.illumina.com/content/dam/illumina/gcs/assembled-assets/marketing-literature/lrm-security-announcement-m-gl-00810/lrm-security-announcement-m-gl-00810.pdf 

Several vulnerabilities have been found in this vendor

3.2 VULNERABILITY OVERVIEW

3.2.1    EXECUTION WITH UNNECESSARY PRIVILEGES CWE-250

LRM utilizes elevated privileges. An unauthenticated malicious actor can upload and execute code remotely at the operating system level, which can allow an attacker to change settings, configurations, software, or access sensitive data on the affected product. An attacker could also exploit this vulnerability to access APIs not intended for general use and interact through the network.

CVE-2022-1517 has been assigned to this vulnerability. A CVSS v3 base score of 10.0 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).

3.2.2    IMPROPER LIMITATION OF A PATHNAME TO A RESTRICTED DIRECTORY (‘PATH TRAVERSAL’) CWE-22

LRM contains a directory traversal vulnerability that can allow a malicious actor to upload outside the intended directory structure.

CVE-2022-1518 has been assigned to this vulnerability. A CVSS v3 base score of 10.0 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).

3.2.3    UNRESTRICTED UPLOAD OF FILE WITH DANGEROUS TYPE CWE-434

LRM does not restrict the types of files that can be uploaded to the affected product. A malicious actor can upload any file type, including executable code that allows for a remote code exploit.

CVE-2022-1519 has been assigned to this vulnerability. A CVSS v3 base score of 10.0 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).

3.2.4    IMPROPER ACCESS CONTROL CWE-284

LRM does not implement authentication or authorization by default. A malicious actor can inject, replay, modify, and/or intercept sensitive data.

CVE-2022-1521 has been assigned to this vulnerability. A CVSS v3 base score of 9.1 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N).

3.2.5    CLEARTEXT TRANSMISSION OF SENSITIVE INFORMATION CWE-319

LRM version 2.4 and lower does not implement TLS encryption. A malicious actor can MITM attack sensitive data in-transit, including credentials.

CVE-2022-1524 has been assigned to this vulnerability. A CVSS v3 base score of 7.4 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N).


INFRA/Network

Microsoft Sharepoint 

On 2022 may 03 security researchers discovered a vulnerability tracked as CVE-2022-30157  and disclosed on 14 June 2022. 

After a patch was disclosed on the 21st of June 25 the final version of the patch was released by Microsoft. CVSS severity is currently set at ​​8.8

CVSS SCORE8.8, (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Microsoft SharePoint Server. Authentication is required to exploit this vulnerability.

A specific flaw exists within the processing of charts. Tampering with client-side data can trigger the deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the SharePoint web server process.

For full details on this new zero-day: https://www.zerodayinitiative.com/advisories/ZDI-22-871/ 

There is no current exploit available in the wild for this vulnerability

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-30157

Product Affected: & Security Update available:

QNAP

Take Immediate Actions to Secure QNAP NAS | QNAP

Credit QNAP

The Taiwanese maker of network-attached storage (NAS) devices QNAP, has released a statement on the 22 June 2022 about a new vulnerability affecting the PHP part of the NAS affected by Remote Code Execution

“A vulnerability has been reported to affect PHP versions 7.1.x below 7.1.33, 7.2.x below 7.2.24, and 7.3.x below 7.3.11 with improper nginx config,” the hardware vendor said in an advisory. “If exploited, the vulnerability allows attackers to gain remote code execution.”

QNAP is still in the news with another vulnerability. Recently several vulnerabilities have been identified and weaponized (for full details read https://appsecphoenix.com/security-vulnerability-of-the-week-02-04-22/ )

The vulnerability, tracked as CVE-2019-11043, is rated 9.8 out of 10 for severity on the CVSS vulnerability scoring system. That said, it’s required that Nginx and php-fpm are running in appliances using the following QNAP operating system versions –

  • QTS 5.0.x and later
  • QTS 4.5.x and later
  • QuTS hero h5.0.x and later
  • QuTS hero h4.5.x and later
  • QuTScloud c5.0.x and later

The alert came swiftly as QNAP revealed that it’s “thoroughly investigating” yet another wave of ransomware attacks targeting QNAP NAS DeadBolt 

For full details: https://www.qnap.com/en/security-advisory/qsa-22-20 

Previous Issues of vulnerability Weekly


Share this article

[ssba]

Categories

x Logo: ShieldPRO
This Site Is Protected By
ShieldPRO