CyberSecurity news

FlagThis - #CommandInjection

Zeljka Zorz@Help Net Security //
Zyxel has announced that it will not be releasing patches for two actively exploited zero-day vulnerabilities, identified as CVE-2024-40890 and CVE-2024-40891. These vulnerabilities affect multiple legacy DSL CPE products, including models VMG1312-B10A, VMG1312-B10B, VMG1312-B10E, VMG3312-B10A, VMG3313-B10A, VMG3926-B10B, VMG4325-B10A, VMG4380-B10A, VMG8324-B10A, VMG8924-B10A, SBG3300, and SBG3500. The vulnerabilities enable attackers to execute arbitrary commands on the affected devices. One of the vulnerabilities, CVE-2024-40891, is being actively exploited in the wild by a Mirai botnet variant.

GreyNoise warned that over 1,500 devices are affected by the command injection bug. CVE-2024-40890 is a post-authentication command injection vulnerability in the CGI program which allows an authenticated attacker to execute operating system (OS) commands on an affected device by sending a crafted HTTP POST request. CVE-2024-40891 is a post-authentication command injection vulnerability in the management commands which could allow an authenticated attacker to execute OS commands on an affected device via Telnet. Zyxel advises users to replace the end-of-life products with newer-generation devices for optimal protection.



References :
  • gbhackers.com: Zyxel CPE Zero-Day (CVE-2024-40891) Exploited in the Wild
  • The Hacker News: Zyxel CPE Devices Face Active Exploitation Due to Unpatched CVE-2024-40891 Vulnerability
  • Help Net Security: Zyxel CPE devices under attack via critical vulnerability without a patch (CVE-2024-40891)
  • thedefendopsdiaries.com: Exploiting the Unpatched: A Deep Dive into Zyxel CPE Vulnerability | The DefendOps Diaries
  • ciso2ciso.com: Unpatched Zyxel CPE Zero-Day Pummeled by Cyberattackers – Source: www.darkreading.com
  • BleepingComputer: Hackers are exploiting a critical command injection vulnerability in Zyxel CPE Series devices that is currently tracked as CVE-2024-40891 and remains unpatched since last July.
  • securityonline.info: Zero-Day Alert: Mirai Botnet Exploiting Unpatched Zyxel CPE Vulnerability (CVE-2024-40891)
  • www.bleepingcomputer.com: Hackers exploit critical unpatched flaw in Zyxel CPE devices
  • Vulnerability-Lookup: Command injection and insecure default credentials vulnerabilities in certain legacy DSL CPE from Zyxel have been published on Vulnerability-Lookup.
  • SecurityWeek: Zyxel Issues ‘No Patch’ Warning for Exploited Zero-Days
  • The GreyNoise Blog: Active exploitation of zero-day Zyxel CPE vulnerability (CVE-2024-40891)
  • www.zyxel.com: Zyxel security advisory confirms the existence of command injection and insecure default credentials vulnerabilities affecting end-of-life DSL CPE products.
  • Dataconomy: If you own these Zyxel devices uninstall them now: No fix is coming
@cyberscoop.com //
A critical vulnerability, designated CVE-2024-12856, has been discovered in Four-Faith routers, specifically models F3x24 and F3x36, enabling remote code execution. The flaw resides in the `/apply.cgi` endpoint, where manipulation of the `adj_time_year` parameter allows attackers to inject malicious commands and gain unauthorized access. Because the flaw is post-authentication, attackers get past the login step with the routers' default credentials and then use the injection to open reverse shells back to their own systems. Over 15,000 devices are estimated to be at high risk because of default credential use and internet exposure.

Exploitation of this vulnerability poses a serious threat, potentially leading to malware installation, data theft, and significant network disruption. Observed attack attempts have been linked to a Mirai malware variant, suggesting a targeted campaign. Users of affected Four-Faith routers are urged to update to the latest firmware immediately and to enforce strong password policies. VulnCheck has also published a Suricata rule that helps identify devices already affected.
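A defender-side check in the spirit of the detection rule mentioned above, added here as an illustration and not code from the page or from VulnCheck: it scans web-server log lines for `/apply.cgi` requests whose `adj_time_year` value is anything other than a four-digit year, since a legitimate client never sends shell metacharacters in a year field. The simplified "client method path body" log layout and the sample lines are constructed for the example.

```python
import re
from urllib.parse import parse_qs

# Constructed sample log lines (not real traffic) in an assumed simplified layout:
# "<client> <method> <path> [<form body or query string>]".
SAMPLE_LOG = """\
10.0.0.5 POST /apply.cgi adj_time_year=2024&adj_time_month=12
10.0.0.9 POST /apply.cgi adj_time_year=2024%24%28id%29&adj_time_month=12
10.0.0.7 GET /status.cgi page=1
10.0.0.8 POST /apply.cgi adj_time_year=2024%3Bid&adj_time_month=1
"""

# A year is exactly four digits; quotes, ';', '|', '$(...)', backticks or anything
# else in adj_time_year means the field is carrying something other than a year.
YEAR_RE = re.compile(r"^\d{4}$")
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+)(?: (.*))?$")

def suspicious_apply_cgi_requests(log_text):
    """Return (client, decoded adj_time_year value) for every /apply.cgi request
    whose adj_time_year is not a plain four-digit year."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed layout
        client, method, path, body = m.groups()
        path, _, query = path.partition("?")
        if path != "/apply.cgi":
            continue
        # Parameters may arrive in the POST body or, for GET, in the query string;
        # parse_qs percent-decodes the values so encoded metacharacters are visible.
        params = parse_qs(query, keep_blank_values=True)
        params.update(parse_qs(body or "", keep_blank_values=True))
        for value in params.get("adj_time_year", []):
            if not YEAR_RE.match(value):
                hits.append((client, value))
    return hits

if __name__ == "__main__":
    for client, value in suspicious_apply_cgi_requests(SAMPLE_LOG):
        print(f"{client}: adj_time_year={value!r}")
```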



References :
  • ciso2ciso.com: Threat actors attempt to exploit a flaw in Four-Faith routers – Source: securityaffairs.com
  • Cyber Security News: Four-Faith Routers Hacked: Remote Access Vulnerability Exploited
  • gbhackers.com: GBHackers article on Four-Faith industrial routers vulnerability exploited in the wild to gain remote access.
  • www.bleepingcomputer.com: Threat actors are exploiting a post-authentication remote command injection vulnerability in Four-Faith routers tracked as CVE-2024-12856 to open reverse shells back to the attackers.
  • Pyrzout :vm:: Critical Flaw Exposes Four-Faith Routers to Remote Exploitation – Source:hackread.com
  • cyberscoop.com: Thousands of industrial routers vulnerable to command injection flaw
  • cyberpress.org: Four-Faith Routers Hacked: Remote Access Vulnerability Exploited
Classification:
  • HashTags: #RouterVulnerability #RemoteCodeExecution #IoTsecurity
  • Company: Four-Faith
  • Target: Four-Faith Routers
  • Attacker: none
  • Product: Four-Faith Routers
  • Feature: remote code execution
  • Malware: CVE-2024-12856
  • Type: Vulnerability
  • Severity: Major
@ciso2ciso.com //
A critical vulnerability has been discovered in Kubernetes that allows remote attackers to execute commands with SYSTEM privileges on Windows nodes within a cluster. Tracked as CVE-2024-9042, this flaw stems from a command-injection bug in the 'Log Query' beta feature. This vulnerability affects Kubernetes versions prior to 1.32.1 when this beta feature is enabled. Exploitation is possible through a specifically crafted command injected via a parameter in a query to a node.

According to Akamai researcher Tomer Peled, who discovered the flaw, the 'Log Query' mechanism does not properly validate and sanitize the parameter, allowing attackers to execute arbitrary code. The vulnerability only impacts clusters using Windows nodes with the beta logging feature turned on. The Kubernetes project has issued a security advisory with instructions on how to update, advising administrators to check cluster audit logs for suspicious inputs. While the number of deployments with this specific configuration is thought to be low, it highlights the importance of rigorous security testing for new features.



References :
  • ciso2ciso.com: Information on a vulnerability in Kubernetes that allows a remote attacker to execute commands on all Windows endpoints.
  • The Register: News about a Kubernetes vulnerability allowing remote code execution on Windows nodes.
  • Pyrzout :vm:: Don’t want your Kubernetes Windows nodes hijacked? Patch this hole now – Source: go.theregister.com
  • go.theregister.com: Report on a Kubernetes command injection flaw that grants system-level privileges on Windows nodes.
  • Akamai: Akamai discloses vulnerability details for , which they say allows remote code execution with SYSTEM privileges on all Windows endpoints within a Kubernetes cluster. To exploit this vulnerability, the cluster must be configured to run the new logging mechanism "Log Query." The vulnerability can be triggered with a simple GET request to the remote node. Successful exploitation can lead to full takeover of all Windows nodes in a cluster. Akamai provides a proof-of-concept curl command and discusses possible mitigations.
Classification:
  • HashTags: #Kubernetes #RCE #WindowsNodes
  • Company: Kubernetes
  • Target: Kubernetes Windows Nodes
  • Product: Kubernetes
  • Feature: Remote Code Execution
  • Type: Vulnerability
  • Severity: Major