19 Jul 2024

Week in review

Greetings,

The winds picked up in the sunny state this week, bringing a noticeable drop in temperatures and allowing us to truly feel the winter chill. Perhaps we can also blame the winds for Queensland's disappointing loss to New South Wales in the men's State of Origin. The Blues secured one of their greatest victories, defeating Queensland 14-4 at Suncorp Stadium, breaking a 19-year inability to win a decider there. Although it was a sad loss for the Maroons, we applaud the Blues for a good game and a great win. Until next time, Blues!

This week, our analyst team distributed critical MSINS to affected members, alerting them to the Exim vulnerability (CVSS 9.1). Successful exploitation of this security defect could allow attackers to deliver executable attachments to inboxes, potentially leading to code execution and system compromise if the user opens the attachment.

All organisations that had their Google Domains service migrated to Squarespace recently are advised to enable two-factor authentication on their Squarespace account, as it is not enabled by default. A number of cryptocurrency-related businesses appear to have been caught up in DNS hijacking attacks as a result of the way Squarespace migrated the service. Most of the noteworthy cases have been resolved; however, hundreds of domains are still alleged to be at risk of similar DNS hijacking, so it may not be over yet.

It is crucial for organisations to adopt multi-factor authentication (MFA) to protect their data and maintain trust with customers and partners. By effectively implementing MFA, organisations can better defend against cyber threats and ensure the security of sensitive information. While MFA does not offer complete protection against all threats, it remains an essential component in reducing cyber security risks and safeguarding sensitive data.


Atlassian Patches High-Severity Vulnerabilities in Bamboo, Confluence, Jira
Date: 2024-07-17
Author: Security Week

[Please also see AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2024.4634/]
Software vendor Atlassian on Tuesday released security-themed updates to fix several high-severity vulnerabilities in its Bamboo, Confluence and Jira products.
The Australian firm called urgent attention to the Bamboo Data Center and Server updates that resolve two high-severity bugs, including one affecting the UriComponentsBuilder dependency that could allow an unauthenticated attacker to perform a server-side request forgery (SSRF) attack.

Critical Exim Flaw Allows Attackers to Deliver Malicious Executables to Mailboxes
Date: 2024-07-12
Author: Security Week

[AUSCERT has identified the impacted members (where possible) and contacted them via email]
A critical vulnerability in over 1.5 million internet-accessible Exim mail transfer agent (MTA) installations potentially allows attackers to deliver malicious executables to user mailboxes, Censys warns.
The issue, tracked as CVE-2024-39929 (CVSS score of 9.1) and impacting RFC 2231 header parsing, results in filenames being incorrectly parsed, which could allow remote attackers to bypass the filename extension-blocking protection mechanisms.
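The bypass class described above comes down to which filename a filter inspects: the raw header text, or the name that remains after RFC 2231 continuation sections are reassembled and decoded. The following added example (not code from AUSCERT, Exim or Censys) shows the difference with a constructed message whose attachment name is split across `filename*0*` and `filename*1*` sections; the blocklist and sample headers are assumptions for illustration.

```python
"""Compare a raw-header filename check with one that decodes RFC 2231 first.

Added example for illustration; BLOCKED_EXTENSIONS and SAMPLE_MESSAGE are
constructed values, not taken from any advisory.
"""
import os
import re
from email import message_from_string
from typing import Optional

# Constructed blocklist of extensions a mail filter might refuse to deliver.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".js", ".vbs"}

# Constructed sample: the filename is carried in two RFC 2231 continuation
# sections and the dot is percent-encoded, so the literal text ".exe"
# never appears anywhere in the raw header.
SAMPLE_MESSAGE = (
    "From: sender@example.invalid\r\n"
    "To: user@example.invalid\r\n"
    "Subject: report\r\n"
    "Content-Type: application/octet-stream\r\n"
    "Content-Disposition: attachment; filename*0*=UTF-8''report; "
    "filename*1*=%2Eexe\r\n"
    "\r\n"
    "MZ...\r\n"
)


def naive_filename(raw_message: str) -> Optional[str]:
    """Weak check: only recognises a plain filename=... parameter, so
    RFC 2231 continuation sections (filename*0*, ...) are never seen."""
    m = re.search(r'\bfilename="?([^";\r\n]+)"?', raw_message, re.IGNORECASE)
    return m.group(1) if m else None


def effective_filename(raw_message: str) -> Optional[str]:
    """Correct check: let the email parser reassemble and decode the
    RFC 2231 sections, then inspect the resulting name."""
    msg = message_from_string(raw_message)
    return msg.get_filename()


def extension_blocked(filename: Optional[str]) -> bool:
    """True when the decoded filename's extension is on the blocklist."""
    if not filename:
        return False
    return os.path.splitext(filename.lower())[1] in BLOCKED_EXTENSIONS


if __name__ == "__main__":
    for label, fn in (("naive", naive_filename), ("decoded", effective_filename)):
        name = fn(SAMPLE_MESSAGE)
        print(f"{label:8s} filename={name!r} blocked={extension_blocked(name)}")
```

The naive check reports no filename at all and lets the attachment through, while the decoded check yields `report.exe` and blocks it; the practical lesson is to apply extension policy to the fully decoded name, not to the raw header text.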

Organizations Warned of Exploited GeoServer Vulnerability
Date: 2024-07-16
Author: Security Week

[AUSCERT contacted the potentially vulnerable members (where possible) on 04 July 2024]
The US cybersecurity agency CISA is urging federal agencies to patch a critical-severity vulnerability in GeoServer as soon as possible, warning of evidence of active exploitation.
The bug, tracked as CVE-2024-36401 (CVSS score of 9.8), is described as the unsafe evaluation of property names as XPath expressions, which could allow unauthenticated attackers to execute code remotely, through crafted input against a default GeoServer installation.

Critical Apache HTTP Server Vulnerabilities Expose Millions of Websites
Date: 2024-07-18
Author: Cyber Security News

[Please also see AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2024.4720/]
The Apache Software Foundation has disclosed several critical vulnerabilities in the Apache HTTP Server, which could potentially expose millions of websites to cyber-attacks.
These vulnerabilities, identified by their Common Vulnerabilities and Exposures (CVE) numbers, affect various versions of the Apache HTTP Server and could lead to severe consequences such as source code disclosure, server-side request forgery (SSRF), and denial of service (DoS).

Infoseccers claim Squarespace migration linked to DNS hijackings at Web3 firms
Date: 2024-07-15
Author: The Register

Security researchers are claiming a spate of DNS hijackings at web3 businesses is linked to Squarespace's acquisition of Google Domains last year.
The theory is that cybercriminals may have picked up on a flaw in the method Squarespace used to migrate Google Domains customer data over to its servers, allowing them to guess the email addresses associated with admin accounts and register the account for themselves.

Hackers use PoC exploits in attacks 22 minutes after release
Date: 2024-07-13
Author: Bleeping Computer

Threat actors are quick to weaponize available proof-of-concept (PoC) exploits in actual attacks, sometimes as quickly as 22 minutes after exploits are made publicly available.
That is according to Cloudflare's Application Security report for 2024, which covers activity between May 2023 and March 2024 and highlights emerging threat trends.
Cloudflare, which currently processes an average of 57 million HTTP requests per second, continues to see heightened scanning activity for disclosed CVEs, followed by command injections and attempts to weaponize available PoCs.


ESB-2024.4635 – Google Chrome: CVSS (Max): None

The latest Chrome 126 update addresses several critical issues, including an inappropriate implementation flaw and a type confusion in V8, as well as use-after-free vulnerabilities in Screen Capture, Media Stream, Audio, and Navigation. Additionally, it fixes a race condition in DevTools and an out-of-bounds memory access in V8.

ASB-2024.0134.2 – Oracle MySQL: CVSS (Max): 9.8

Oracle's latest quarterly Critical Patch Update addresses 386 security vulnerabilities, with 37 patches specifically for Oracle MySQL. Among these, 11 vulnerabilities can be exploited remotely without authentication. Notably, CVE-2023-37920 in MySQL Cluster is rated critical with a CVSS score of 9.8 and is exploitable by remote attackers over the network with low complexity.

ESB-2024.4645 – Cisco Smart Software Manager On-Prem (SSM On-Prem): CVSS (Max): 10.0

Cisco has issued patches for a critical security flaw affecting Smart Software Manager On-Prem (Cisco SSM On-Prem). This vulnerability, identified as CVE-2024-20419 and rated with a maximum CVSS score of 10.0, could allow a remote, unauthenticated attacker to alter the passwords of any users, including administrative accounts.

ESB-2024.4631 – Rockwell Automation Pavilion 8: CVSS (Max): 8.8

A vulnerability in Rockwell Automation Pavilion 8 permits a remote attacker to gain elevated privileges on the system. This security flaw arises from incorrect permission assignments on critical resources, enabling a remote user to access sensitive data and create new user accounts.

ESB-2024.4633 – Mozilla Thunderbird: CVSS (Max): 9.8

The Mozilla Foundation has issued patches for vulnerabilities in Thunderbird 128. While these flaws generally cannot be exploited through email within Thunderbird due to disabled scripting when reading mail, they pose potential risks in browser or browser-like environments.


Stay safe, stay patched and have a good weekend!

The AUSCERT team