A vulnerability disclosed 18 years ago, dubbed “0.0.0.0 Day”, allows malicious websites to bypass security in Google Chrome, Mozilla Firefox, and Apple Safari and interact with services on a local network. […] Read More
Apache Cloudstack Vulnerability Exposes API & Secret Keys to Admin Accounts
The Apache CloudStack project has announced the release of long-term support (LTS) security updates, versions 4.18.2.3 and 4.19.1.1, which address two critical vulnerabilities, CVE-2024-42062 and CVE-2024-42222.
These vulnerabilities pose significant risks to the integrity, confidentiality, and availability of CloudStack-managed infrastructure.
CVE-2024-42062 is a critical vulnerability affecting Apache CloudStack versions 4.10.0 through 4.19.1.0. In these versions, a domain admin account can query the API and secret keys of every registered user, including those of root admins.
The flaw is a missing access-permission check on that query. A domain admin who reads a root admin's key pair can sign API requests as that root admin, which is how the key disclosure becomes a privilege escalation.
An attacker with domain admin access can perform malicious operations, potentially compromising resources, causing data loss, and leading to denial of service.
Affected Versions (CVE-2024-42062)
Version Range          Status
4.10.0 – 4.18.2.2      Affected
4.19.0.0 – 4.19.1.0    Affected
CVE-2024-42222 is a second critical vulnerability, present only in Apache CloudStack 4.19.1.0. A regression in the network listing API lets domain admin and normal user accounts retrieve details of networks they are not authorized to see.
This breaks tenant isolation and exposes network configurations and data across accounts.
Affected Versions (CVE-2024-42222)
Version Range          Status
4.19.1.0               Affected
The Apache CloudStack project strongly recommends upgrading to 4.18.2.3, 4.19.1.1, or later to mitigate both vulnerabilities.
Users on versions older than 4.19.1.0 should skip 4.19.1.0, which is affected by both issues, and upgrade directly to 4.19.1.1. Because a domain admin could already have read existing key pairs, and those keys stay valid after the upgrade, users are also advised to regenerate all existing user keys.
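The two remediation steps above, version check and key regeneration, as an added example that is not CloudStack project code. It tests a version string against the advisory's affected ranges, builds requests with CloudStack's standard HMAC-SHA1 request signing, and rotates every visible user's key pair through the listUsers and registerUserKeys API commands, leaving the calling account for last so the script does not cut off its own credentials mid-run. The endpoint URL and key values are placeholders, and the HTTP transport is injectable so the logic can be exercised offline.

```python
"""Added example (not CloudStack project code): check a management server's
version against the advisory's affected ranges, then rotate every user's
API/secret key pair via the standard listUsers / registerUserKeys commands
once the server runs a fixed release. Endpoint and keys are placeholders."""
import base64
import hashlib
import hmac
import json
import urllib.parse
import urllib.request

# Affected ranges from the advisory, inclusive, as 4-part version tuples.
AFFECTED = {
    "CVE-2024-42062": [((4, 10, 0, 0), (4, 18, 2, 2)), ((4, 19, 0, 0), (4, 19, 1, 0))],
    "CVE-2024-42222": [((4, 19, 1, 0), (4, 19, 1, 0))],
}


def parse_version(version):
    """'4.18.2' -> (4, 18, 2, 0); missing trailing components default to 0."""
    parts = [int(p) for p in version.strip().split(".")]
    return tuple((parts + [0, 0, 0, 0])[:4])


def affected_cves(version):
    """Return the CVE ids whose affected ranges contain this version."""
    v = parse_version(version)
    return [cve for cve, ranges in AFFECTED.items()
            if any(lo <= v <= hi for lo, hi in ranges)]


def sign_request(params, api_key, secret_key):
    """Build a signed CloudStack API query string.

    CloudStack's scheme: add apikey, sort parameters by name, URL-encode the
    values, lowercase the whole string, HMAC-SHA1 it with the secret key,
    base64 the digest and append it as the 'signature' parameter. Only the
    signed copy is lowercased; the query actually sent keeps original case.
    """
    p = dict(params, apikey=api_key)
    p.setdefault("response", "json")
    query = "&".join(
        f"{k}={urllib.parse.quote(str(v), safe='*')}"
        for k, v in sorted(p.items(), key=lambda kv: kv[0].lower()))
    digest = hmac.new(secret_key.encode(), query.lower().encode(), hashlib.sha1).digest()
    signature = base64.b64encode(digest).decode()
    return query + "&signature=" + urllib.parse.quote(signature, safe="")


def rotate_all_user_keys(endpoint, api_key, secret_key, fetch=None):
    """Regenerate the key pair of every user visible to the caller.

    `fetch(url)` must return the decoded JSON response; it defaults to an
    HTTPS GET via urllib and is injectable for offline use. The caller's own
    user is rotated last, because its old keys stop working the moment they
    are regenerated. Returns {user id: registerUserKeys response} in order.
    """
    if fetch is None:
        def fetch(url):
            with urllib.request.urlopen(url) as resp:
                return json.load(resp)

    def call(command, **extra):
        query = sign_request(dict(command=command, **extra), api_key, secret_key)
        return fetch(endpoint + "?" + query)

    users = call("listUsers", listall="true").get("listusersresponse", {}).get("user", [])
    # Root admins see each user's apikey in listUsers; use it to find ourselves.
    others = [u for u in users if u.get("apikey") != api_key]
    me = [u for u in users if u.get("apikey") == api_key]
    results = {}
    for user in others + me:
        results[user["id"]] = call("registerUserKeys", id=user["id"])
    return results


if __name__ == "__main__":
    for v in ("4.18.2.2", "4.18.2.3", "4.19.1.0", "4.19.1.1"):
        print(v, affected_cves(v) or "not affected")
    # Real run (placeholder endpoint and keys). Each response carries the new
    # key pair; save the caller's own pair from the last entry before exiting.
    # rotate_all_user_keys("https://cloudstack.example/client/api", "OLD_API_KEY", "OLD_SECRET")
```

Run the rotation with root admin credentials after the upgrade, not before: on an affected release the domain admin who read the keys could simply read the regenerated ones again. The new key pairs are only returned once, in the registerUserKeys responses, so store them as they arrive.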
The vulnerabilities were reported by:
CVE-2024-42062: Fabricio Duarte
CVE-2024-42222: Christian Gross of Netcloud AG and Midhun Jose
Both issues show why keeping software current and fixing security issues promptly matters: the exposed keys are credentials for the entire managed environment.
The project's quick release of fixes reflects the community's commitment to security and reliability. Users are urged to upgrade immediately to keep their CloudStack environments protected.
The post Apache Cloudstack Vulnerability Exposes API & Secret Keys to Admin Accounts appeared first on Cyber Security News.
GitHub Wants All Users to Enable 2FA Before the End of 2023
GitHub, the hub for developers and their code, has announced a plan to strengthen the software supply chain: two-factor authentication (2FA) will be mandatory for every user who contributes code on the platform by the end of 2023.
The measure targets the foundation of the software ecosystem, the developers themselves, whose accounts are where a compromise of the supply chain usually begins.
The mandate is motivated by how exposed developer accounts are.
Because they hold access to sensitive code and credentials, these accounts are prime targets for social engineering and account takeover.
A compromised account can be used to steal private code or to push malicious changes.
The damage spreads beyond the individual developer to everyone who depends on the affected code, and to the integrity of the whole software supply chain.
GitHub has already acknowledged that password-only authentication is not enough, for instance by deprecating basic (password) authentication for Git operations and the API.
Industry-wide 2FA adoption nonetheless remained low (16.5% of GitHub users and 6.44% of npm users), which called for a firmer response.
The 2FA mandate adds a second factor as a line of defense against unauthorized access, so a stolen or phished password alone no longer grants entry.
GitHub has laid out a phased rollout to keep the transition manageable.
It began by requiring 2FA for the maintainers of the top 100 npm packages, then extended enhanced login verification to all npm accounts.
Later stages enroll maintainers of progressively higher-impact packages, ending with all active GitHub contributors by the end of the year.
Phasing lets GitHub learn from each stage and adjust before the next, so the control reaches the highest-impact accounts first while the transition stays smooth for users.
GitHub's work on developer security goes beyond the 2FA mandate.
The platform is exploring new authentication methods, including passwordless sign-in, investing in npm account security, and improving account recovery options.
Together these address the broader problem of account compromise rather than a single attack path, strengthening the security posture of the whole software ecosystem.
The move sets a precedent for the software industry.
By making 2FA mandatory for contributors, GitHub protects its own platform and users and sends a clear message to the wider community.
It is a call for other platforms and developers to adopt similar measures and treat account security at the individual level as a supply-chain control worth enforcing.
Further details and timelines for the mandate's implementation are expected in the coming months.
The post GitHub Wants All Users to Enable 2FA Before the End of 2023 appeared first on Cyber Security News.