Week in review - 2 Sep 2022


It’s already September, which seems to have arrived quicker than many of us expected. The AusCERT team has already commenced planning for next year’s conference which, as we’ve experienced, will be upon us in no time.

But let’s not get ahead of ourselves; this year’s conference is still fresh in the minds of many thanks to the fantastic array of speakers and activities.

If you missed a presentation due to a clash or would like to revisit a standout speaker, head over to our YouTube channel and peruse the AusCERT2022 playlist!

One aspect of this year’s conference that was of special importance was the number of female presenters. Yesterday, September 1st, was International Women In Cyber Day, an initiative aimed at promoting and supporting the advancement of women in cybersecurity.

Whilst the day has passed, each opportunity to create a more diverse and inclusive workforce should be encouraged. If you’d like to learn more about how you can get involved, visit the Women In Cyber Day website.

If you’re new to the world of cyber, or you have a curious mind and would like to learn more about information security principles, the next round of AusCERT’s Intro to Cyber for IT Professionals training is taking place in late October.

Facilitated by our Principal Analyst and a guest industry trainer, our two half-day courses are aimed at engaging attendees with interactive content and a focus on delivering effective training outcomes. You can view the full list of our 2022 training schedule HERE.

Critical hole in Atlassian Bitbucket allows any miscreant to hijack servers
Date: 2022-08-29
Author: The Register

A critical command-injection vulnerability in multiple API endpoints of Atlassian Bitbucket Server and Data Center could allow an unauthorized attacker to remotely execute malware, and view, change, and even delete data stored in repositories.
Atlassian has fixed the security holes, which are present in versions 7.0.0 to 8.3.0 of the software, inclusive. Luckily there are no known exploits in the wild.

WordPress 6.0.2 Patches Vulnerability That Could Impact Millions of Legacy Sites
Date: 2022-08-31
Author: Security Week

The WordPress team this week announced the release of version 6.0.2 of the content management system (CMS), with patches for three security bugs, including a high-severity SQL injection vulnerability.
Identified in the WordPress Link functionality, previously known as ‘Bookmarks’, the issue only impacts older installations, as the capability is disabled by default on new installations.
However, the functionality might still be enabled on millions of legacy WordPress sites even if they are running newer versions of the CMS, the Wordfence team at WordPress security company Defiant says.

Log4Shell legacy? Patching times plummet for most critical vulnerabilities – report
Date: 2022-08-30
Author: The Daily Swig

The rush to patch systems affected by the landmark Log4Shell vulnerability has coincided with a wider improvement in patching rates for the most critical flaws, a report has found.
The remote code execution (RCE) flaw in Apache Log4j (CVE-2021-44228), the near-ubiquitous open source Java logging utility, sent organizations across the ecosystem scrambling to fix applications or patch systems after it emerged in December 2021.

Okta Says Customer Data Compromised in Twilio Hack
Date: 2022-08-29
Author: Security Week

Identity and access management provider Okta said last week that customer mobile phone numbers and SMS messages containing one-time passwords (OTPs) were compromised during the recent Twilio cyberattack.
In early August, enterprise communications firm Twilio announced that it was hacked after an employee fell victim to a phishing attack and provided their login credentials to a sophisticated threat actor.
The incident resulted in attackers accessing information related to 163 Twilio customers, with secure communications firm Signal and Okta already confirming being impacted by the incident.

Apple backports fix for actively exploited iOS zero-day to older iPhones
Date: 2022-08-31
Author: Bleeping Computer

Apple has released new security updates to backport patches released earlier this month to older iPhones and iPads addressing a remotely exploitable WebKit zero-day that allows attackers to execute arbitrary code on unpatched devices.
This zero-day vulnerability is the same one Apple patched for macOS Monterey and iPhone/iPad devices on August 17, and for Safari on August 18.
The flaw is tracked as CVE-2022-3289 and is an out-of-bounds write vulnerability in WebKit, the web browser engine used by Safari and other apps to access the web.

Details Disclosed for OPC UA Vulnerabilities Exploited at ICS Hacking Competition
Date: 2022-08-29
Author: Security Week

Software development and security solutions provider JFrog has disclosed the details of several vulnerabilities affecting the OPC UA protocol, including flaws exploited by its employees at a hacking competition earlier this year.
OPC UA (Open Platform Communications United Architecture) is a machine-to-machine communication protocol that is used by many industrial solutions providers to ensure interoperability between various types of industrial control systems (ICS).
JFrog’s researchers discovered several vulnerabilities in OPC UA and disclosed some of them at the Pwn2Own Miami 2022 competition in April, where participants earned a total of $400,000 for hacking ICS.

Google Fixes 24 Vulnerabilities With New Chrome Update
Date: 2022-09-01
Author: Dark Reading

Google’s first stable channel version of Chrome 105 for Windows, Mac, and Linux, released this week, contained fixes for 24 vulnerabilities in previous versions of the software, including one “critical” flaw and eight that the company rated as being of “high” severity.
A plurality — nine — of the security issues that Google addressed with Chrome 105 were so-called use-after-free vulnerabilities, or flaws that allow attackers to use previously freed memory spaces to execute malicious code, corrupt data, and take other malicious actions. Four of the patched vulnerabilities were heap buffer-overflows in various Chrome components, including WebUI and Screen Capture.

Ubuntu Linux 18.04 systemd security patch breaks DNS in Microsoft Azure
Date: 2022-08-30
Author: The Register

Microsoft Azure customers running Canonical’s Ubuntu 18.04 (aka Bionic Beaver) in the cloud have seen their applications fail after a flawed security update to systemd broke DNS queries.
The situation is as odd as it sounds: if you’re running Ubuntu 18.04 in an Azure virtual machine, and you installed the systemd 237-3ubuntu10.54 security update, you’ve probably found yourself unable to use DNS within the VM, which causes applications and other software relying on domain-name look-ups to stop working properly.

ESB-2022.4225 – Linux kernel (AWS): CVSS (Max): 9.8

Ubuntu reports that the security issues detected in the Linux kernel for Amazon Web Services (AWS) can be fixed by applying the latest updates.

ESB-2022.4243 – zlib: CVSS (Max): 9.8

A heap-based buffer overflow vulnerability in the inflate operation in zlib has been reported which, if exploited, could result in denial of service or execution of arbitrary code. Debian recommends upgrading the zlib packages.

ESB-2022.4273 – Moodle: CVSS (Max): 8.8

Moodle reports that they have upgraded their Mustache template library to the latest version which includes a fix for a security issue.

ESB-2022.4294.2 – UPDATED ALERT GitLab Community Edition (CE) and Enterprise Edition (EE): CVSS (Max): 9.9

GitLab has released its monthly security release for August for GitLab Community Edition (CE) and Enterprise Edition (EE), which contains important security fixes. GitLab strongly recommends that all GitLab installations be upgraded to one of the recommended versions immediately.

ESB-2022.4288 – Hitachi Energy MSM Product: CVSS (Max): 9.8*

Hitachi Energy reports multiple vulnerabilities related to open-source software in MSM version 2.2 and earlier, and has released mitigation information, including security practices and firewall configurations, to help protect process control networks from outside attacks.

Stay safe, stay patched and have a good weekend!

The AusCERT team