Cybersafe Solutions Security Advisory Bulletin June 28, 2024

In this week's Security Advisory:

• Polyfill Supply Chain Attack
• Security Advisory Update: SolarWinds Issues Patch for Serv-U's Directory Traversal Vulnerability
• Security Advisory Update: Multiple Vulnerabilities Patched in Zyxel NAS Products
• Atlassian Releases Security Updates to Address Multiple Vulnerabilities in its Products
• Multiple WordPress Plugins Compromised from Supply Chain Attack
• Security Updates Released for Google Chrome Desktop Browser

Polyfill is an open-source library that provides functionality to aid with backwards compatibility in older browsers and is deployed by many websites. This domain transferred ownership in February of 2024 and since the change, the domain has been observed injecting malicious code into mobile websites that integrate scripts which depend on its code. All websites using polyfill[dot]io are impacted and should promptly remove their code to mitigate risks.

More Reading/Information

• https://www.bleepingcomputer.com/news/security/polyfillio-javascript-supply-chain-attack-impacts-over-100k-sites/
• https://www.theregister.com/2024/06/25/polyfillio_china_crisis/
• https://www.scmagazine.com/brief/over-100k-sites-hit-by-polyfill-io-supply-chain-attack
• https://www.securityweek.com/polyfill-supply-chain-attack-hits-over-100k-websites/
• https://cybersecuritynews.com/polyfill-js-library-malware-attack/

Security Advisory Update: SolarWinds Issues Patch for Serv-U's Directory Traversal Vulnerability

As an update to our Advisory on June 12th, Cybersafe is now aware that threat actors are actively exploiting SolarWinds Serv-U servers vulnerable to CVE-2024-28995. Customers are strongly advised to apply the latest patch immediately.

Original Security Advisory - June 12th, 2024:

SolarWinds has released a security patch to address a vulnerability discovered within Serv-U. Serv-U is a managed file transfer solution that can store and share files across a network. Tracked as CVE-2024-28995 with a CVSS score of 8.6 out of 10, this flaw enables unauthenticated attackers to access sensitive files by traversing outside the root directory. Successful exploitation can allow threat actors to read and modify information that can impact data integrity.

More Reading/Information

• https://support.solarwinds.com/SuccessCenter/s/article/Serv-U-15-4-2-Hotfix-2-Release-Notes
• https://www.securityweek.com/solarwinds-patches-high-severity-vulnerability-reported-by-nato-pentester/
• https://www.helpnetsecurity.com/2024/06/07/cve-2024-28995/

Security Advisory Update: Multiple Vulnerabilities Patched in Zyxel NAS Products

As an update to our Advisory on June 5th, Cybersafe is aware that there is a publicly available proof-of-concept (PoC) for the exploit affecting Zyxel NAS devices (CVE-2024-29973). Customers are strongly advised to apply the latest patch immediately.

Original Security Advisory - June 5th, 2024:

Zyxel Networks has released multiple patches to address three (3) out of five (5) vulnerabilities affecting its end-of-life NAS products. The flaws are being tracked as CVE-2024-29972, CVE-2024-29973, and CVE-2024-29974 and only affect Zyxel NAS devices NAS326/NAS542.

CVE-2024-29972 and CVE-2024-29973 are command injection flaws that allow an unauthenticated attacker to execute OS commands by sending custom crafted POST requests. CVE-2024-29974 is a critical flaw in the CGI program that allows a threat actor to upload specially crafted configuration files for remote code execution.

Of note, the vulnerabilities CVE-2024-29975 and CVE-2024-29976 are improper privilege management flaws and will not receive remediation from Zyxel Networks due to the devices reaching end-of-support status.

Affected Versions

• NASS326 - V5.21(AAZF.16)C0 and earlier
• NAS542 - V5.21(ABAG.13)C0 and earlier

More Reading/Information

• https://www.bleepingcomputer.com/news/security/zyxel-issues-emergency-rce-patch-for-end-of-life-nas-devices/#google_vignette
• https://securityaffairs.com/164150/security/zyxel-rce-eof-nas-devices.html
• https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-multiple-vulnerabilities-in-nas-products-06-04-2024

Atlassian Releases Security Updates to Address Multiple Vulnerabilities in its Products

Atlassian has issued a security update to resolve nine (9) vulnerabilities affecting Confluence, Crucible, and Jira. The most severe is an improper authorization flaw tracked as CVE-2024-22257, which carries a CVSS score of 8.2 out of 10. Exploitation of this vulnerability could allow an attacker to have unauthorized access to sensitive assets within a client's system. Customers should update their software to the latest patched versions or, if immediate updating is not feasible, apply one of the fixed versions as soon as possible.

More Reading/Information

• https://confluence.atlassian.com/security/security-bulletin-june-18-2024-1409286211.html
• https://www.securityweek.com/atlassian-patches-high-severity-vulnerabilities-in-confluence-crucible-jira/

Multiple WordPress Plugins Compromised from Supply Chain Attack

WordPress has identified five (5) plugins compromised with malicious scripts due to a supply chain attack. This vulnerability allows an attacker to create new administrator accounts, granting them elevated privileges within a client's environment. Furthermore, the malicious script can inject search engine optimization (SEO) spam across the website, affecting unsuspecting users.

Of note, WordPress advises users with affected plugins to promptly update to the latest patch and conduct a thorough check for any unexpected rogue administrator accounts.

Affected Plugins & Versions:

• Social Warfare 
  • 4.4.6.4 to 4.4.7.1 
• Blaze Widget
  • 2.2.5 to 2.5.2 
• Wrapper Link Element 
  • 1.0.2 to 1.0.3 
• Contact Form 7 Multi-Step Addon 
  • 1.0.4 to 1.0.5 
• Simply Show Hooks 
  • 1.2.1 to 1.2.2

More Reading/Information

• https://www.wordfence.com/blog/2024/06/supply-chain-attack-on-wordpress-org-plugins-leads-to-5-maliciously-compromised-wordpress-plugins/
• https://www.bleepingcomputer.com/news/security/plugins-on-wordpressorg-backdoored-in-supply-chain-attack/
• https://www.securityweek.com/several-plugins-compromised-in-wordpress-supply-chain-attack/
• https://www.darkreading.com/cloud-security/wordpress-supply-chain-attack-multiple-plug-ins
• https://www.techtimes.com/articles/306010/20240625/wordpress-plugins-hit-cyberattack-potentially-allowing-hackers-access-36-000.htm

Security Updates Released for Google Chrome Desktop Browser

Google Chrome has issued a security update addressing five (5) vulnerabilities that impact Windows, Mac, and Linux operating systems.

More Reading/Information

• https://chromereleases.googleblog.com/
• https://www.securityweek.com/chrome-126-update-patches-memory-safety-bugs/

Recommendations

Please review your environment to ensure the above-mentioned issues are patched in a timely manner.  It is security best practice to regularly update and/or patch software to the latest versions.  The vulnerabilities above highlight the security benefits of limiting deployed software to "vendor-supported versions" only.  This dramatically increases the likelihood that new vulnerabilities have a patch issued for them.  Likewise, Cybersafe strongly encourages maintaining an inventory of current software in your environment, which helps ensure and inform your patch and vulnerability management program.