Outlook is down again, with users facing a frustrating 503 error message when accessing their accounts.
The all in one place for non-profit security aid.
Outlook is down again, with users facing a frustrating 503 error message when accessing their accounts.
Heap-based Buffer Overflow Flaw in cURL Library Using SOCKS5 Proxy
Previously, the maintainers of the popular curl command line tool posted a pre-announcement regarding two vulnerabilities that affected both the curl tool and the libcurl library.
However, the details of these vulnerabilities were not disclosed and were mentioned to be disclosed on October 11, 2023.
As per the post, the high-severity vulnerability under the CVE-2023-38545 was publicly disclosed by Curl. This vulnerability affects libcurl library from version 7.69.0 to 8.3.0.
Nevertheless, to exploit this vulnerability, an application must be configured to use SOCKS5 proxy modes and should attempt to resolve a hostname with inapplicable length.
Document
FREE Demo
Implementing AI-Powered Email security solutions “Trustifi” can secure your business from today’s most dangerous email threats, such as Email Tracking, Blocking, Modifying, Phishing, Account Take Over, Business Email Compromise, Malware & Ransomware
This heap-based buffer overflow vulnerability exists when an application using a vulnerable version of curl or libcurl makes HTTP requests where a threat actor has enough privileges to set the “http_proxy” environment variable. The severity of this vulnerability is being analyzed.
There are prerequisites for an attacker before executing this attack. This includes
The application must request socks5h.
The application’s negotiation buffer is approximately smaller than 65k.
The SOCKS server’s “hello” reply has a delay.
Proof-of-concept of exploitation (Source: Grey Noise)
libcurl accepts hostnames up to 65535 bytes. However, if the machine’s hostname is longer than the target buffer, the memcpy() function overwrites the buffer into the heap.
The URL parser has to accept the hostname, which limits the set of available byte sequences that can be copied.
“An overflow is only possible in applications that do not set CURLOPT_BUFFERSIZE or set it smaller than 65541.
Since the curl tool sets CURLOPT_BUFFERSIZE to 100kB by default, it is not vulnerable unless rate limiting was set by the user to a rate smaller than 65541 bytes/second.” reads the advisory by curl.
This particular vulnerability was reported to curl by a security researcher from Hackerone.
According to curl, libcurl 7.69.0 to and including 8.3.0 are affected by this vulnerability. libcurl earlier than 7.69.0 has been confirmed to be not affected by this vulnerability.
Curl has instructed users not to use CURLPROXY_SOCKS5_HOSTNAME proxies with curl and not to set a proxy environment variable to socks5h://.
A complete report about this vulnerability has been published by Curl, which provides detailed information about the exploitation, parameters involved, and other information.
Users of curl and libcurl are recommended to upgrade to the latest version, 8.4.0, to fix this vulnerability from getting exploited by threat actors.
Protect yourself from vulnerabilities using Patch Manager Plus to quickly patch over 850 third-party applications. Take advantage of the free trial to ensure 100% security.
The post Heap-based Buffer Overflow Flaw in cURL Library Using SOCKS5 Proxy appeared first on Cyber Security News.
Cyber Security News
Insights into your unpatched vulnerabilities
But with little guidance beyond “critical” classifications—and with the potential for non-critical vulnerabilities to still be exploited for devastating malware attacks—resource-constrained IT organizations need help. How can IT teams prioritize amongst potentially thousands of vulnerabilities if they don’t know which to fix first?
Malwarebytes analyzed the vulnerabilities identified by its ThreatDown Vulnerability Assessment module, now included at no additional cost in all ThreaDown bundles, to reveal the most common “critical” and “important” unpatched vulnerabilities on known endpoints.
The vulnerabilities compiled show up across four major software products:
Adobe Flash Player
Adobe Acrobat Reader
VideoLan VLC Media Player
Zoom
In the 100 most prevalent unpatched vulnerabilities, the majority (93 out of the 100) are found in software by Adobe, Zoom, and Mozilla. [MOU3]
No vulnerability listed as critical made it into the top 100 most prevalent vulnerabilities. But one critical vulnerability was close: CVE-2020-9633 in Adobe Flash Player. The vulnerable version of Flash is still in use because Adobe silently introduced a time bomb in later Flash Player versions that would prevent Flash Player from working and playing any Flash content after January 12, 2021. So organizations that have certain Flash content they need to play often to go back to that vulnerable version.
Relatedly, the most prevalent vulnerabilities labeled “Critical” come from a more diverse group of software vendors, with four distinct top contributors:
30 % UltraVNC (Server and Viewer)
20 % Python (versions 3.6 to 3.10)
18% Microsoft (Edge and Visual Studio)
14 % Adobe (Flash Player, Acrobat, and Reader)
Read on to see details of the top 5 unpatched critical vulnerabilities and the top 5 unpatched important vulnerabilities, as uncovered by ThreatDown, powered by Malwarebytes.
Adobe Flash Player
CVE-2020-9633: Adobe Flash Player Desktop Runtime 32.0.0.371 and earlier, Adobe Flash Player for Google Chrome 32.0.0.371 and earlier, and Adobe Flash Player for Microsoft Edge and Internet Explorer 32.0.0.330 and earlier have a use after free vulnerability. Successful exploitation could lead to arbitrary code execution. Adobe has released security updates for Adobe Flash Player for Windows, macOS, Linux and Chrome OS.
Zoom:
CVE-2022-22785: The Zoom Client for Meetings (for Android, iOS, Linux, MacOS, and Windows) before version 5.10.0 failed to properly constrain client session cookies to Zoom domains. This issue could be used in a more sophisticated attack to send an unsuspecting users Zoom-scoped session cookies to a non-Zoom domain. This could potentially allow for spoofing of a Zoom user.
CVE-2022-22786: The Zoom Client for Meetings for Windows before version 5.10.0 and Zoom Rooms for Conference Room for Windows before version 5.10.0, fails to properly check the installation version during the update process. This issue could be used in a more sophisticated attack to trick a user into downgrading their Zoom client to a less secure version.
Adobe Acrobat Reader
CVE-2016-1038: Adobe Reader and Acrobat before 11.0.16, Acrobat and Acrobat Reader DC Classic before 15.006.30172, and Acrobat and Acrobat Reader DC Continuous before 15.016.20039 on Windows and OS X allow attackers to bypass JavaScript API execution restrictions via unspecified vectors. Installing a more recent version eliminates this vulnerability.
CVE-2016-1044: Adobe Reader and Acrobat before 11.0.16, Acrobat and Acrobat Reader DC Classic before 15.006.30172, and Acrobat and Acrobat Reader DC Continuous before 15.016.20039 on Windows and OS X allow attackers to bypass JavaScript API execution restrictions via unspecified vectors. Installing a more recent version eliminates this vulnerability.
Zoom:
CVE-2023-39211: Improper privilege management in Zoom Desktop Client for Windows and Zoom Rooms for Windows may allow an authenticated user to enable an information disclosure via local access. Upgrading to 5.15.5 or later eliminates this vulnerability.
CVE-2023-34116: Improper input validation in the Zoom Desktop Client for Windows may allow an unauthorized user to enable an escalation of privilege via network access. Upgrading to version 5.15.0 or later eliminates this vulnerability.
CVE-2023-39213: Improper neutralization of special elements in Zoom Desktop Client for Windows and Zoom VDI Client may allow an unauthenticated user to enable an escalation of privilege via network access. Upgrading to version 5.15.2 or later eliminates this vulnerability.
Adobe:
CVE-2023-29320: Adobe Acrobat Reader versions 23.003.20244 (and earlier) and 20.005.30467 (and earlier) are affected by an Violation of Secure Design Principles vulnerability that could result in arbitrary code execution in the context of the current user by bypassing the API blacklisting feature. Exploitation of this issue requires user interaction in that a victim must open a malicious file. Updating to the latest version eliminates the vulnerability.
VLC media player
CVE-2020-26664: A vulnerability in VideoLAN VLC media player 3.0.11 allows attackers to trigger a heap-based buffer overflow via a specially crafted file. A buffer overflow is a type of software vulnerability that exists when an area of memory within a software application reaches its address boundary and writes into an adjacent memory region. In software exploit code, two common areas that are targeted for overflows are the stack and the heap. A buffer overflow may result in arbitrary code execution. Installing the 3.0.20 release of VLC eliminates the vulnerability.
You Can’t Fix What You Can’t See
While only on very rare occasions do vulnerabilities make mainstream news headlines, but when they do, the impact can be enormous. The exploitation of the MOVEit vulnerability by Cl0p ransomware operators impacted over 60 million individual victims (between May and September of 2023. And remember that not every “critical” vulnerability is synonymous with an exploited vulnerability. With an additional 1,000 entries added to CISA’s known, exploited vulnerabilities catalog in just the past two years, few organizations have the IT staff to keep track of everything.
Many organizations only have limited visibility into which vulnerabilities might impact them, and nearly every organization relies on the Common Vulnerabilities and Exposures (CVE) database, which lists publicly disclosed computer security flaws. But this isn’t a perfect resource.
In 2023, CVE-2023-4863 was discovered, originally described as a heap buffer overflow in WebP within Google Chrome. The average person, upon learning about this vulnerability, may have thought that the problem was limited to Chrome, or maybe even realize that other Chromium based browsers could be affected. Yet the reality was quite different. It turned out that the bug was deeply rooted in the libwebp library, which is not only used by Chrome but by virtually every application that handles WebP images. So anyone that patched their Chrome browser might think they thwarted that vulnerability, when in reality they might still be vulnerable, just in different software.
This type of library oversight happens quite often. Most people, including thoroughly trained and experienced IT staff, have no idea about all the building blocks that were used to create the environment and software that they use.
This is where dedicated software to alert staff about existing vulnerabilities in their environment integrated with patch management capabilities can help save the day.
Free Vulnerability Assessment
Today Malwarebytes announced its offering customers its ThreatDown Vulnerability Assessment solution without extra costs to help reduce attack surfaces and improve their security posture. The full featured comprehensive vulnerability scanning is now included in every ThreatDown Bundle at no additional cost via its integrated console.
Learn more about how ThreatDown bundles can help you to improve your security by quickly finding and fixing vulnerabilities here.
We don’t just report on vulnerabilities—we identify them, and prioritize action.
Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using ThreatDown Vulnerability and Patch Management.
Malwarebytes
Nagoya port recovers from LockBit 3.0. Charming Kitten sighting. Spyware in Play store apps. Solar panel vulnerabilities.
LockBit 3.0 claims responsibility for Nagoya ransomware attack. Charming Kitten sighting. Spyware infested apps found in Google Play. Solar panels and cyberattacks. Hacktivist auxiliaries remain active in Russia’s hybrid war. Read More
The CyberWire