PoC Exploit Released for macOS Root Access Vulnerability
A security vulnerability, identified as CVE-2024-27822, has been discovered in macOS. This vulnerability allows unauthorized root access and has raised serious concerns among cybersecurity experts and macOS users alike.
The release of a Proof-of-Concept (PoC) exploit code has intensified the urgency to address this critical issue.
CVE-2024-27822 is a newly identified security flaw in macOS that permits attackers to gain root access without proper authorization.
Root access grants the highest level of control over a system, allowing the execution of any command and access to all files. This level of access can lead to severe consequences, including data theft, system manipulation, and the installation of malicious software.
According to a detailed report by Khronokernel, the vulnerability stems from a flaw in the macOS kernel, which fails to validate certain user inputs properly.
Security researcher Mykola Grymalyuk has identified a critical vulnerability, CVE-2024-27822, which affects Apple’s Installer.app and the PackageKit.framework.
This vulnerability is rooted in how installation scripts embedded in PKGs (package files) are executed as root within the current user’s environment. Specifically, scripts with the #!/bin/zsh shebang load the user’s .zshenv file while running with root permissions.
The core issue lies in the potential to insert a malicious payload into the .zshenv file. When a user installs a ZSH-based PKG, the installation script runs with root privileges and loads the .zshenv file, thereby executing any embedded malicious code as root. This poses a significant security risk, particularly when users manually install PKGs.
The primary attack vector involves a logic bomb-based payload that can remain dormant within the .zshenv file. This payload activates when the user installs a ZSH-based PKG, executing with root privileges and granting the attacker root access. This vulnerability is especially dangerous in environments where users frequently install PKGs from various sources.
Mykola Grymalyuk has provided a proof of concept to demonstrate the exploitation of CVE-2024-27822. The process is straightforward and underscores the severity of the vulnerability:
Inject a malicious payload into the .zshenv file.
Install a PKG with the #!/bin/zsh shebang (e.g., Generic-ZSH.pkg).
Observe the execution of the payload with root privileges upon PKG installation.
This proof of concept highlights the ease with which this vulnerability can be exploited, emphasizing the need for immediate attention and remediation.
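As an added defensive check, not code from the article or from the researcher's PoC, the following POSIX shell script audits a .pkg that has been expanded with pkgutil --expand for preinstall/postinstall scripts carrying a zsh shebang (the kind that, on affected macOS versions, run as root while sourcing the invoking user's ~/.zshenv), and reports whether ~/.zshenv contains anything active. The script names and directory layout it assumes are those of the standard flat package format.

```shell
#!/bin/sh
# Added example, not from the article or the researcher's PoC: a pre-install
# audit for a macOS .pkg expanded with "pkgutil --expand pkg.pkg outdir".
# On affected macOS versions an installer script with a zsh shebang runs as
# root yet sources the invoking user's ~/.zshenv, so a defender wants to know
# (a) whether a package ships such scripts and (b) whether ~/.zshenv carries
# anything active. Script names and layout follow the standard pkg format.

# Return 0 when the first line of file $1 is a zsh shebang, 1 otherwise.
has_zsh_shebang() {
  head -n 1 "$1" 2>/dev/null |
    grep -Eq '^#![[:space:]]*(/usr)?/bin/(env[[:space:]]+)?zsh([[:space:]]|$)'
}

# List (on stderr) every preinstall/postinstall script under expanded-package
# directory $1 whose shebang is zsh, and print the count on stdout.
count_zsh_scripts() {
  dir=$1
  n=0
  old_ifs=$IFS
  IFS='
'
  for f in $(find "$dir" -type f \( -name preinstall -o -name postinstall \)); do
    if has_zsh_shebang "$f"; then
      echo "zsh installer script (runs as root, sources ~/.zshenv): $f" >&2
      n=$((n + 1))
    fi
  done
  IFS=$old_ifs
  echo "$n"
}

# Classify a .zshenv path: absent, empty (blank/comment lines only) or active.
zshenv_status() {
  if [ ! -e "$1" ]; then
    echo absent
  elif grep -Eq '^[[:space:]]*[^#[:space:]]' "$1"; then
    echo active
  else
    echo empty
  fi
}

# Stand-alone use: audit the expanded package given as $1 and the user's .zshenv.
if [ -n "$1" ]; then
  echo "zsh installer scripts found: $(count_zsh_scripts "$1")"
  echo "~/.zshenv status: $(zshenv_status "$HOME/.zshenv")"
fi
```

A non-zero count does not mean the package is malicious; it means the package's scripts would source ~/.zshenv as root on an unpatched system, so that file deserves a look before installing.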
This oversight can be exploited to escalate privileges from a standard user to the root level. The vulnerability affects multiple versions of macOS, making it a widespread concern.
PoC Exploit Code Released
The PoC exploit code for CVE-2024-27822 has been released publicly. It demonstrates how the vulnerability can be exploited to gain root access to a macOS system.
The availability of this code in the public domain significantly increases the risk of exploitation, as it provides a blueprint for attackers to follow.
The PoC exploit code was developed by a security researcher who discovered the vulnerability. While releasing the PoC code aims to raise awareness and prompt a swift response from Apple, it also poses a risk by potentially enabling malicious actors to exploit the vulnerability before a patch is available.
The cybersecurity community has reacted swiftly to the news of the PoC exploit release. Experts are urging macOS users to take immediate precautions to mitigate the risk of exploitation.
Resolved versions:
macOS 14.5 Beta 2 (23F5059e) and newer
macOS 13.6.7 (22G720) and newer
macOS 12.7.5 (21H1222) and newer
Affected versions:
macOS 14.5 Beta 1 (23F5049f) and older
macOS 13.6.6 (22G630) and older
macOS 12.7.4 (21H1123) and older
Any version of macOS 11 or older
Recommended actions include:
Update Software: Ensure that all software, including macOS, is up to date with the latest security patches. Apple is expected to release a patch soon to address CVE-2024-27822.
Limit User Privileges: Restrict user accounts to the minimum necessary privileges. Avoid using accounts with root or administrative access for daily tasks.
Monitor Systems: Implement robust monitoring solutions to detect any unusual activity that may indicate an attempted exploitation of the vulnerability.
Backup Data: Regularly back up important data to mitigate the impact of a potential security breach.
Apple’s Response
As of the time of writing, Apple has acknowledged the vulnerability and is actively working on a patch. In a statement, Apple emphasized its commitment to user security and assured that a fix would be released as soon as possible.
Users are advised to stay tuned for updates and apply the patch immediately once it becomes available.
The release of the PoC exploit code for CVE-2024-27822 has highlighted a critical security vulnerability in macOS, underscoring the importance of timely updates and vigilant security practices.
The post PoC Exploit Released for macOS Root Access Vulnerability appeared first on Cyber Security News.
iCloud keychain (noun)
A cloud-based sensitive information management system that allows users access across multiple devices.
The CyberWire
Urgent Security Alert! Upstream Supply Chain Attack Leads to SSH Compromise
A critical security breach has been identified in the xz compression utility’s liblzma library, leading to a significant compromise of SSH server security across various Linux distributions.
The xz format is ubiquitous across Linux distributions, serving as a general-purpose tool for compressing and decompressing large files.
The backdoor, which was first detected in Debian sid installations, has been traced back to the upstream xz repository, affecting versions 5.6.0 and 5.6.1 of the xz package.
Security expert Andres Freund initially observed unusual system behavior, such as excessive CPU usage during SSH logins and Valgrind errors, which led to the discovery of the backdoor.
The compromised code was found solely in the distributed tarballs, not in the upstream source, indicating a deliberate and targeted attack on the supply chain.
Red Hat has issued an urgent security alert for Fedora 41 and Fedora Rawhide users, advising immediate cessation of use until the xz version can be downgraded.
The affected versions, xz-libs-5.6.0-1.fc40.x86_64.rpm and xz-libs-5.6.0-2.fc40.x86_64.rpm, were present in Fedora Linux 40 beta, but the actual malware exploit has not been detected in the stable release.
Fedora Rawhide, the development distribution for future Fedora builds, is also impacted and will be reverted to the safe xz-5.4.x versions.
Within the Red Hat community ecosystem, Fedora 40 and Fedora Rawhide are the only known affected distributions.
However, the injections have successfully built in xz 5.6.x versions for Debian unstable (Sid), and other distributions may also be at risk. Red Hat has assigned the issue CVE-2024-3094 and is actively working on patches to secure affected systems.
Alex Matrosov recently tweeted about the vulnerabilities in existing solutions that are missing transitive statically linked dependencies and cannot detect such attacks.
CVE-2024-3094 (10 Critical) <– Supply Chain backdoor
This particular case with lzma shows exactly the weak spots of the existing solutions, which are missing transitive statically linked dependencies and are completely blind to such attacks.
Lzma is a very common component… https://t.co/IJNoO2w6lM pic.twitter.com/uV75nQbuDA
— Alex Matrosov (@matrosov) March 29, 2024
The backdoor discovered in the upstream xz/liblzma library leads to SSH compromise by introducing malicious code that can be used by any software linked against the compromised liblzma library.
This includes OpenSSH, which uses the library for compression during SSH sessions. The backdoor was ingeniously inserted into the xz/liblzma library in a way that allowed it to escape detection during routine security audits, making it a particularly stealthy threat.
The vulnerability arises when the compromised version of xz/liblzma is used to compress or decompress files, which is a common operation in SSH communications.
The backdoor can be triggered during this process, providing attackers with a way to execute arbitrary code on the server.
This could potentially allow unauthorized access to the server, the execution of commands, or even the escalation of privileges to gain complete control over the system.
The backdoor was introduced in versions 5.6.0 and 5.6.1 of the xz tools and libraries, and it affects various Linux distributions. It was discovered by Microsoft developer Andres Freund, who noticed unusual symptoms such as excessive CPU usage during SSH logins and Valgrind errors on Debian sid installations.
Upon investigation, he found that the backdoor was not in the Debian package but in the upstream package itself.
Recently, a tweet from vx-underground stated that the xz backdoor was first discovered by a Microsoft software engineer who observed a suspicious 500ms lag.
The xz backdoor was initially caught by a software engineer at Microsoft. He noticed 500ms lag and thought something was suspicious.
This is the Silver Back Gorilla of nerds. The internet final boss. pic.twitter.com/6IyJQ2tpMm
— vx-underground (@vxunderground) March 30, 2024
The backdoor was only present in the distributed tarballs and not in the upstream source code repository, indicating a targeted attack on the supply chain.
The malicious code was hidden through a series of complex obfuscations, where the liblzma build process extracts a pre-built object file from a disguised test file in the source code.
This results in a modified liblzma library that, when used by software like OpenSSH, compromises the security and integrity of SSH servers.
The backdoor’s functionality appears to be limited to glibc-based systems, and fortunately, the compromised xz versions have not been widely integrated by Linux distributions, mostly appearing in pre-release versions.
The injected code causes logins via SSH to become significantly slower, and during a pubkey login, the exploit code is invoked, redirecting RSA_public_decrypt to the backdoor code.
A detection script has been developed to detect the backdoor, and system administrators are encouraged to run it on their systems. The script checks for the presence of the backdoor by examining the liblzma library used by sshd.
If the backdoor code is found, the system is likely vulnerable and should be updated immediately.
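The following POSIX shell script is an added triage example, not the detection script the article refers to: it resolves which liblzma shared object the sshd binary links against and flags the releases the advisory names as backdoored, 5.6.0 and 5.6.1. It assumes a Linux host with ldd and readlink -f, a default sshd path of /usr/sbin/sshd, and the common convention that the real liblzma file is named after its version.

```shell
#!/bin/sh
# Added example, not the detection script the article refers to: a version-based
# triage check for CVE-2024-3094. It resolves which liblzma shared object the
# sshd binary loads (the library the backdoor lives in) and flags the releases
# the advisory names as backdoored, 5.6.0 and 5.6.1. A version match is a
# triage signal only; a non-match is not proof that a system is clean.
# Assumes Linux with ldd and readlink -f; the default sshd path is /usr/sbin/sshd.

# Print the first x.y.z version found in string $1 (nothing if none).
first_version() {
  printf '%s\n' "$1" | grep -Eo '[0-9]+\.[0-9]+\.[0-9]+' | head -n 1
}

# Return 0 when $1 (a version, a library path, or "xz --version" output)
# names one of the backdoored releases, 1 otherwise.
xz_version_affected() {
  case "$(first_version "$1")" in
    5.6.0|5.6.1) return 0 ;;
    *) return 1 ;;
  esac
}

# Print the path of the liblzma object that binary $1 resolves at load time,
# or nothing if it is not linked against liblzma (or does not exist).
sshd_liblzma_path() {
  ldd "$1" 2>/dev/null | grep -F 'liblzma' |
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) { print $i; exit } }'
}

# Print "not-linked", "affected <path>" or "ok <path>" for sshd binary $1.
# Distributions usually name the real file after its version
# (e.g. liblzma.so.5.6.1), so the resolved path carries the version; the
# installed xz tool's own version string is checked as a second signal.
check_sshd() {
  lib=$(sshd_liblzma_path "$1")
  [ -n "$lib" ] || { echo "not-linked"; return 0; }
  real=$(readlink -f "$lib")
  if xz_version_affected "$real" || xz_version_affected "$(xz --version 2>/dev/null)"; then
    echo "affected $real"
  else
    echo "ok $real"
  fi
}

# Stand-alone use: check the sshd given as $1, or the default location.
check_sshd "${1:-/usr/sbin/sshd}"
```

An "affected" result should be followed by the downgrade the advisory describes and by a review of the host; an "ok" or "not-linked" result only means this one signal did not fire.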
Red Hat has reported an urgent security alert for users of Fedora Linux 40 and Fedora Rawhide.
The alert pertains to critical security vulnerabilities identified in these systems and requires immediate attention.
Immediate Mitigation Steps
Fedora Linux 40 builds have not been confirmed compromised; however, caution dictates that users should downgrade to the xz-5.4.x builds as a preventative measure.
An update facilitating this reversion has been published and is accessible through the standard update system.
Users can expedite the update process by following the instructions provided at the Fedora update portal: FEDORA-2024-d02c7bb266.
If you are operating a system within the affected distributions, it is imperative to halt usage immediately and downgrade your xz libraries to a secure version.
Users are encouraged to monitor official channels for the latest advisories.
The post Urgent Security Alert! Upstream Supply Chain Attack Leads to SSH Compromise appeared first on Cyber Security News.