5379 GitLab servers vulnerable to zero-click account takeover attacks
GitLab servers are at risk of zero-click account takeover attacks due to a critical vulnerability, CVE-2023-7028, recently addressed by security updates from GitLab for both the Community and Enterprise Editions. The flaw, with a CVSS score of 10, allows account takeover via Password Reset, enabling hijacking without user interaction. The affected versions range from 16.1 to 16.7. GitLab is unaware of active exploits, but self-managed customers are advised to review logs for potential exploit attempts. Over 5,300 internet-exposed GitLab instances, mostly in the United States, Germany, and Russia, are vulnerable to this flaw, as reported by ShadowServer researchers.
Analysis from our SOC team
Security patches have been released, so we strongly advise you to update your systems to the latest versions:
– 16.7.2, 16.6.4 and 16.5.6
As well as back-ported patches for older version:
– 16.1.6, 16.2.9 and 16.3.7
GitLab is unaware if there is an active exploit but you can do the check manually here:
– Check gitlab-rails/production_json.log for HTTP requests to the /users/password path with params.value.email consisting of a JSON array with multiple email addresses.
– Check gitlab-rails/audit_json.log for entries with meta.caller.id of PasswordsController#create and target_details consisting of a JSON array with multiple email addresses.
Our SOC is also available to assist in case there are any doubts or suspicions about potential compromise.
Apple has issued critical security updates for iOS, iPadOS, macOS, tvOS, and Safari web browser to address a zero-day flaw (CVE-2024-23222) in the WebKit browser engine.
This vulnerability, a type confusion bug, was actively exploited in the wild, allowing threat actors to execute arbitrary code when processing malicious web content. The company acknowledged awareness of the exploitation but provided limited details about the attacks. This marks Apple’s first patched zero-day vulnerability in 2024, following the resolution of 20 such issues in the previous year.
Additionally, Apple has backported fixes for CVE-2023-42916 and CVE-2023-42917 to older devices. The disclosure coincides with reports of Chinese authorities exploiting known vulnerabilities in Apple’s AirDrop for law enforcement purposes.
Analysis from our SOC team
Acknowledging the active exploitation also underscores the urgency of immediate updates.
Apple has released updates for various devices and operating systems, including iOS 17.3, iPadOS 17.3, macOS Sonoma 14.3, macOS Ventura 13.6.4, macOS Monterey 12.7.3, tvOS 17.3, and Safari 17.3 to mitigate the risk of potential attacks leveraging this vulnerability.
If you require assistance with your vulnerability management, do not hesitate to contact our SOC.
Cisco has addressed a critical security flaw, tracked as CVE-2024-20253 (CVSS score: 9.9), affecting Unified Communications and Contact Center Solutions products. This flaw allows an unauthenticated, remote attacker to execute arbitrary code on an affected device by exploiting improper processing of user-provided data.
The attacker could send a specially crafted message to a listening port of a vulnerable appliance, potentially leading to the execution of arbitrary commands on the underlying operating system.
Products impacted include Unified Communications Manager, Unified Communications Manager IM & Presence Service, Unified Communications Manager Session Management Edition, Unified Contact Center Express, Unity Connection, and Virtualized Voice Browser.
This disclosure follows recent fixes from Cisco for another critical security flaw (CVE-2024-20272, CVSS score: 7.3) impacting Unity Connection, highlighting the ongoing efforts to address vulnerabilities in Cisco products.
Analysis from our SOC team
Cisco has not reported any active exploitation, but it is still recommended to apply the provided patches to address the vulnerability, and in cases where immediate patching is not possible, users are advised to establish access control lists (ACLs) on intermediary devices to limit access.
Reach out to us if you need assistance with patching, threat hunting for signs of compromise or incident response related to this CVE.
A critical vulnerability in Fortra GoAnywhere MFT software, tracked as CVE-2024-0204, has a proof-of-concept exploit published, increasing the risk of potential attacks. Although Fortra patched the authentication bypass flaw, details were publicly revealed only recently. The bug, with a CVSS score of 9.8, allows unauthorized users to create an admin account through the product’s administration portal, granting complete remote control and network access. The infamous Clop ransomware group targeted GoAnywhere MFT last year, compromising data from about 100 organizations through another vulnerability (CVE-2023-0669). With exploit code now circulating, threat actors are likely to target unpatched installations.
Analysis from our SOC team
The vulnerability is being exploited by a very active threat actor and could continue to be exploited if not patched.
Organizations are urged to prioritize the released patch (December 4, 2024) and monitor the admin user group for any suspicious activity.
Fortra customers can check for compromise indicators:
– Any new additions to the Admin Users group in the GoAnywhere administrator portal Users -> Admin Users section. If the attacker has left this user here you may be able to observe its last logon activity here to gauge an approximate date of compromise,” Horizon3 said.
– Additionally, logs for the database are stored at \GoAnywhere\userdata\database\goanywhere\log\*.log. These files contain transactional history of the database, for which adding users will create entries.
A critical injection vulnerability (CVE-2023-6933) has been identified in the Better Search Replace plugin for WordPress, up to and including version 1.4.4. The flaw, with a CVSS score of 9.8, exposes the plugin to PHP Object Injection, allowing unauthenticated attackers to perform malicious activities such as retrieving sensitive data and deleting arbitrary files. No privileges or user interaction are required for exploitation.
The Centre for Cybersecurity Belgium emphasizes the importance of promptly applying updates after thorough testing to ensure the security of vulnerable devices. In case of an intrusion, incidents can be reported via the provided link. It’s crucial to note that while updating software enhances future security, it does not address historical compromises.
Analysis from our SOC team
Recommended Actions:
– Patch: Install the latest update for the Better Search Replace plugin, version 1.4.5 or later, with the highest priority.
– Monitor/Detect: Organizations are advised to enhance monitoring and detection capabilities to identify any suspicious activity related to this vulnerability.
If you don’t have the resources to do the monitoring and triage, Approach Cyber SOC can help lift the weight and do the monitoring for you.
Contact us if you’d like to know more about the SOC services that we provide to help you gain or keep your cyber serenity.
