Monster Hunter Wilds updates with a new patch: a small step forward, but not the leap in quality that was hoped for. #MonsterHunterWilds #PatchUpdate

Dragon's Dogma 2 unveils a new patch with epic surprises! Discover everything that's new! #Gaming #PatchUpdate
Microsoft Urges Windows Admins to Patch Microsoft Message Queuing RCE flaw https://gbhackers.com/microsoft-message-queuing-rce-flaw/ #CybersecurityVulnerabilities #Remotecodeexecution #CVE/vulnerability #CyberSecurityNews #Microsoftsecurity #SecurityUpdates #PatchUpdate #Microsoft
Critical GitHub Enterprise Server Flaw Allows Authentication Bypass
Date: May 21, 2024
CVE: [[CVE-2024-4985]]
Vulnerability Type: Improper Authentication
CWE: [[CWE-287]]
Sources: Cyber Security News, SecurityWeek, The Hacker News
Issue Summary
A critical vulnerability in GitHub Enterprise Server, identified as CVE-2024-4985, was discovered that allows attackers to bypass authentication. This flaw, found in versions 3.9.14, 3.10.11, 3.11.9, and 3.12.3, permits unauthorized access to repositories and sensitive data by exploiting a weakness in the SAML SSO authentication process.
Technical Key Findings
The vulnerability arises from a logic error in the SAML SSO authentication process, where the server fails to properly verify the validity of digital signatures on SAML responses. Attackers can craft SAML assertions signed with any certificate, which the server incorrectly accepts, allowing the spoofing of user identities, including admin accounts.
Vulnerable Products
Impact Assessment
Exploitation of this vulnerability could lead to unauthorized access to private repositories, sensitive data, and administrative controls. This can result in data breaches, code tampering, and potential intellectual property theft.
Patches or Workaround
GitHub has released patched versions (3.9.15, 3.10.12, 3.11.10, and 3.12.4) to address this issue. As an interim measure, enabling SAML certificate pinning can mitigate the risk. Additionally, auditing access logs for suspicious activity and rotating credentials is advised.
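As an added illustration of the certificate-pinning mitigation mentioned above (example code, not GitHub's own): before any signature is checked, the certificate embedded in a SAML response is compared against a pinned IdP fingerprint, and a response carrying an unknown certificate (or none) is rejected instead of trusted. The SAML snippet and the certificate bytes are constructed placeholders.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from typing import Optional

DS_NS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed stand-in for the IdP's DER-encoded signing certificate (not a real certificate).
PINNED_IDP_CERT_DER = b"constructed-idp-signing-certificate-der-bytes"
PINNED_IDP_FINGERPRINT = hashlib.sha256(PINNED_IDP_CERT_DER).hexdigest()


def embedded_cert_fingerprint(saml_response_xml: str) -> Optional[str]:
    """SHA-256 fingerprint of the first ds:X509Certificate in the response, or None if absent."""
    root = ET.fromstring(saml_response_xml)
    node = root.find(f".//{{{DS_NS}}}X509Certificate")
    if node is None or not (node.text or "").strip():
        return None
    der = base64.b64decode("".join(node.text.split()))
    return hashlib.sha256(der).hexdigest()


def signing_cert_is_pinned(saml_response_xml: str, pinned_fingerprints: set) -> bool:
    """The pinning decision: only a response whose embedded certificate matches a pinned
    fingerprint may proceed to XML-signature verification. This does not replace signature
    verification; it decides which key is allowed to be trusted at all."""
    fp = embedded_cert_fingerprint(saml_response_xml)
    return fp is not None and fp in pinned_fingerprints


def build_response(cert_der: bytes) -> str:
    """Constructed minimal SAML response whose KeyInfo carries the given certificate."""
    b64 = base64.b64encode(cert_der).decode()
    return (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        f'xmlns:ds="{DS_NS}"><ds:Signature><ds:KeyInfo><ds:X509Data>'
        f"<ds:X509Certificate>{b64}</ds:X509Certificate>"
        "</ds:X509Data></ds:KeyInfo></ds:Signature></samlp:Response>"
    )


if __name__ == "__main__":
    pinned = {PINNED_IDP_FINGERPRINT}
    print(signing_cert_is_pinned(build_response(PINNED_IDP_CERT_DER), pinned))  # True
    print(signing_cert_is_pinned(build_response(b"cert-not-issued-by-the-idp"), pinned))  # False
```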
Tags
VMware SD-WAN Multiple Security Vulnerabilities Addressed
Date: 2024-04-02
CVE: CVE-2024-22246, CVE-2024-22247, CVE-2024-22248
Vulnerability Type: [[Command Injection]], [[CWE-306|Missing Authentication]], [[CWE-601|Open Redirect]]
CWE: [[CWE-77]], [[CWE-306]], [[CWE-601]]
Sources: VMware Security Advisories
Issue Summary
VMware has issued an advisory for multiple vulnerabilities affecting its SD-WAN Edge and Orchestrator products. The issues were reported privately and concern unauthenticated command injection, missing authentication, and open redirect vulnerabilities, with patches now available.
Technical Key findings
The command injection vulnerability (CVE-2024-22246) allows unauthenticated remote code execution and is particularly dangerous during the router's activation. CVSSv3 base score: 7.4.
CVE-2024-22247 involves missing authentication mechanisms, potentially enabling unauthorized access to the BIOS configuration. CVSSv3 base score: 4.8.
CVE-2024-22248 is an open redirect vulnerability in the SD-WAN Orchestrator that could lead to sensitive information disclosure. CVSSv3 base score: 7.1.
Vulnerable products
Response Matrix
|Product|Version|Running On|CVE Identifier|CVSSv3|Severity|Fixed Version|Workarounds|Additional Documentation|
|---|---|---|---|---|---|---|---|---|
|VMware SD-WAN (Edge)|5.x|Any|CVE-2024-22246|7.4|Important|5.0.1+|N/A|N/A|
|VMware SD-WAN (Edge)|4.5.x|Any|CVE-2024-22246|7.4|Important|4.5.1+|N/A|N/A|
|VMware SD-WAN (Edge)|4.5.x/5.x|Any|CVE-2024-22247|4.8|Moderate|KB97391|N/A|N/A|
|VMware SD-WAN (Edge)|Any|Any|CVE-2024-22248|N/A|N/A|Unaffected|N/A|N/A|
|VMware SD-WAN (Orchestrator)|Any|Any|CVE-2024-22246, CVE-2024-22247|N/A|N/A|Unaffected|N/A|N/A|
|VMware SD-WAN (Orchestrator)|5.x|Any|CVE-2024-22248|7.1|Important|5.0.1+|N/A|N/A|
Impact assessment
Exploitation of these vulnerabilities can lead to unauthorized command execution, BIOS configuration access without authentication, and redirection of users to attacker-controlled domains, potentially resulting in significant security breaches.
Patches or workaround
VMware has released patches for the affected versions. No workarounds available.
Tags
#VMware #SD-WAN #SecurityVulnerability #CVE-2024-22246 #CVE-2024-22247 #CVE-2024-22248 #PatchUpdate
20240321 - Atlassian Confluence Security Bulletin Analysis March 2024 Vulnerability with a focus on CVE-2024-1597
Date: March 19, 2024
CVE: CVE-2024-1597
Sources: Atlassian Documentation, SecurityWeek, CISA
Issue Summary
A recent security bulletin released by Atlassian on March 19, 2024, addresses a significant vulnerability in Confluence, a widely used collaboration tool. This issue poses a potential risk for unauthorized access and control by attackers, leading to data breaches and system compromise.
Most notable is CVE-2024-1597, a critical vulnerability in a non-Atlassian Bamboo dependency: the PostgreSQL JDBC Driver, also known as PgJDBC, has a critical SQL injection vulnerability when configured with PreferQueryMode=SIMPLE. This configuration is not the default setting, but if used, it opens up potential for SQL injection attacks. The vulnerability stems from the handling of numeric and string placeholders in SQL queries, which lets attackers alter the SQL execution logic and inject malicious SQL code.
|Product & Release Notes|Affected Versions|Fixed Versions|Vulnerability Summary|CVE ID|CVSS Severity|
|---|---|---|---|---|---|
|Bamboo Data Center and Server|9.5.0 to 9.5.1<br>9.4.0 to 9.4.3<br>9.3.0 to 9.3.6<br>9.2.0 to 9.2.11 (LTS)<br>9.1.0 to 9.1.3<br>9.0.0 to 9.0.4<br>8.2.0 to 8.2.9<br>Any earlier versions|9.6.0 (LTS) or 9.5.2 recommended (Data Center only)<br>9.4.4<br>9.2.12 (LTS)|SQLi (SQL Injection) in the org.postgresql:postgresql dependency in Bamboo Data Center and Server<br>NOTE: CVE-2024-1597 is a critical vulnerability in a non-Atlassian Bamboo dependency. However, Atlassian’s application of the dependency presents a lower assessed risk, which is why we are disclosing this vulnerability in our monthly Security Bulletin instead of a Critical Security Advisory.|CVE-2024-1597|10.0 Critical|
Technical Key findings
pgjdbc, the PostgreSQL JDBC Driver, allows an attacker to inject SQL if using PreferQueryMode=SIMPLE. Note this is not the default; in the default mode there is no vulnerability. A placeholder for a numeric value must be immediately preceded by a minus. There must be a second placeholder for a string value after the first placeholder, and both must be on the same line. By constructing a matching string payload, the attacker can inject SQL to alter the query, bypassing the protections that parameterized queries bring against SQL injection attacks. Versions before 42.7.2, 42.6.1, 42.5.5, 42.4.4, 42.3.9, and 42.2.28 are affected.
Vulnerable products
All versions of PgJDBC before 42.7.2, 42.6.1, 42.5.5, 42.4.4, 42.3.9, and 42.2.8 are vulnerable to this SQL injection attack. For Bamboo Data Center and Server this dependency is used in:
However, Bamboo & Other Atlassian Data Center products are unaffected by this vulnerability as they do not use the PreferQueryMode=SIMPLE in their SQL database connection settings.
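An added audit helper (not Atlassian's or pgjdbc's code) for the two conditions the bulletin ties together: whether a data source actually sets preferQueryMode=simple (via the JDBC URL or connection properties) and whether the driver version is older than the fix on its own 42.x branch. It assumes plain dotted numeric version strings; the sample JDBC URLs are constructed.

```python
from urllib.parse import parse_qs, urlsplit

# Fixed pgjdbc releases per maintained branch, as listed in the bulletin text above.
FIXED_VERSIONS = ["42.7.2", "42.6.1", "42.5.5", "42.4.4", "42.3.9", "42.2.28"]


def parse_version(v: str) -> tuple:
    """'42.5.4' -> (42, 5, 4); assumes a plain dotted numeric version string."""
    return tuple(int(p) for p in v.split("."))


def is_vulnerable_version(version: str) -> bool:
    """Vulnerable if older than the fix on the same 42.x branch, or on a branch
    older than the oldest branch that received a fix (e.g. 42.1.x)."""
    ver = parse_version(version)
    for fixed in FIXED_VERSIONS:
        f = parse_version(fixed)
        if ver[:2] == f[:2]:
            return ver < f
    return ver < parse_version(FIXED_VERSIONS[-1])


def uses_simple_query_mode(jdbc_url: str, props: dict) -> bool:
    """preferQueryMode may be set in the URL query string or in the connection
    Properties; the audit matches the key case-insensitively and lets Properties win."""
    query = urlsplit(jdbc_url.replace("jdbc:", "", 1)).query
    merged = {k.lower(): v[-1] for k, v in parse_qs(query).items()}
    merged.update({k.lower(): str(v) for k, v in props.items()})
    return merged.get("preferquerymode", "extended").lower() == "simple"


def assess(jdbc_url: str, props: dict, driver_version: str) -> str:
    simple = uses_simple_query_mode(jdbc_url, props)
    unpatched = is_vulnerable_version(driver_version)
    if simple and unpatched:
        return "EXPOSED: preferQueryMode=simple with an unpatched driver; upgrade and drop the setting"
    if unpatched:
        return "UPGRADE: driver unpatched, but the default (extended) query mode is not affected"
    return "OK"


if __name__ == "__main__":
    print(assess("jdbc:postgresql://db:5432/bamboo?preferQueryMode=simple", {}, "42.5.4"))  # EXPOSED
    print(assess("jdbc:postgresql://db:5432/bamboo", {}, "42.5.4"))  # UPGRADE
    print(assess("jdbc:postgresql://db:5432/bamboo", {"preferQueryMode": "simple"}, "42.5.5"))  # OK
```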
Impact assessment
The impact of exploiting CVE-2024-1597 is severe and includes:
Patches or workaround
Atlassian has released updates for Confluence Server and Data Center that address this vulnerability. Users are advised to update their installations to a fixed version (9.6.0 (LTS) or 9.5.2 recommended, Data Center only; 9.4.4; 9.2.12 (LTS)) as soon as possible.
Tags
#Atlassian #Confluence #Cybersecurity #Vulnerability #PatchUpdate #CVE-2024-1597 #pgjdbc #SQLInjection #PostgreSQL #SecurityVulnerability
Mastodon Vulnerability Patched! CVE-2024-25618
A security flaw, CVE-2024-25618, was fixed in Mastodon's software to prevent potential account takeovers. This vulnerability allowed attackers to bypass authentication mechanisms via a crafted request, posing a significant risk to the platform's integrity.
It enabled new logins from certain authentication providers (like CAS, SAML, OIDC) to merge with existing local accounts sharing the same email. This could lead to someone taking over your account if the provider allows changing emails or if there are multiple providers set up.
Here's how it works: When someone logs in using an external provider for the first time, Mastodon checks for an existing account with the same email. However, relying only on the email could result in hijacking your Mastodon account if the provider allows changing it. The Mastodon team swiftly deployed a patch, reinforcing the security of user accounts and the broader ecosystem. Remember, keeping software up-to-date is crucial for safeguarding against such vulnerabilities.
The commit "b31af34c9716338e4a32a62cc812d1ca59e88d15" signifies this update. For further details, check out their advisory.
A big thanks to the discoverers Dominik George and Pingu from Teckids, and the Mastodon team for their rapid response in improving our digital defenses. Stay secure, everyone!
Tags: #CVE2024_25618 #Mastodon #Cybersecurity #PatchUpdate #AccountSecurity #AuthenticationBypass #DigitalDefense #CommunityVigilance
#GitLabSecurityAlert - Multiple Critical Vulnerabilities Patched in GitLab
GitLab has released critical updates (16.7.2, 16.6.4, 16.5.6) addressing several security vulnerabilities, including a critical account takeover flaw and a Slack/Mattermost integration exploit. Users are urged to update immediately.
The most severe, CVE-2023-7028, allowed password reset emails to be sent to unverified addresses (CVSS 10.0).
CVE-2023-5356 permitted unauthorized execution of slash commands in Slack/Mattermost integrations (CVSS 9.6).
CVE-2023-4812 involved bypassing CODEOWNERS approval in merge requests (CVSS 7.6).
CVE-2023-6955, a medium severity issue, related to improper access control in GitLab Remote Development (CVSS 6.6).
The least critical, CVE-2023-2030, allowed alteration of metadata in signed commits (CVSS 3.5).
Kudos to the security researchers (@asterion04, @yvvdwf, @ali_shehab, @lotsofloops on HackerOne) and GitLab's @j.seto for identifying these issues. Stay secure, folks!
Source: GitLab Release Notes
Author: Greg Myers
Tags: #Cybersecurity #Vulnerability #GitLab #CVE2023 #PatchUpdate #InfoSec #HackerOne #DevSecOps
Urgent Security Update: Zyxel Patches 15 Vulnerabilities
Zyxel has urgently released patches for 15 security vulnerabilities affecting NAS, firewall, and AP devices. This includes three critical flaws (CVE-2023-35138, CVE-2023-4473, CVE-2023-4474) with CVSS scores of 9.8, posing serious risks of authentication bypass and command injection. The vulnerabilities impact models like NAS326 and NAS542. Users are strongly advised to update their devices immediately to avoid exploitation by threat actors.
Source: Zyxel security advisory
Tags: #CyberSecurity #Zyxel #Vulnerability #PatchUpdate #NetworkSecurity #ThreatPrevention #NAS #Firewall #AccessPoint
Multiple Vulnerabilities Unveiled in SAP® Enable Now Manager
SEC Consult has disclosed multiple vulnerabilities in SAP® Enable Now Manager, which could potentially allow a remote, unauthenticated attacker to create new administrative user accounts by exploiting a chain of vulnerabilities. The vulnerabilities include Open Redirect, Reflected Cross Site Scripting (XSS), and Insufficient Cross-Site Request Forgery (CSRF) Protection. The vendor has pushed a fix in the May 2023 Release for the Cloud Edition.
Source: Full Disclosure Mailing List
Advisory URL: SEC Consult
Tags: #SAP #Vulnerability #CyberSecurity #InfoSec #XSS #CSRF #OpenRedirect #SECConsult #CyberAttack #PatchUpdate
Researchers: Paul Serban, Fabian Hagg from SEC Consult Vulnerability Lab (SEC Consult)
Critical RCE Vulnerability Uncovered in Apache NiFi
A critical Remote Code Execution (RCE) vulnerability has been identified in Apache NiFi, a widely utilized data integration tool, posing a severe threat by enabling attackers to exfiltrate sensitive data, compromise data integrity, and gain unauthorized access. The flaw, tracked as CVE-2023-34468, has a high CVSS Severity Score of 8.8 and can be exploited using specially crafted H2 database connection strings. Apache NiFi’s maintainers have released patches and upgrades to mitigate this significant security issue.
Source: Cyber Security News by Dhivya
Tags: #ApacheNiFi #RCE #Vulnerability #CyberSecurity #DataExfiltration #CVE202334468 #PatchUpdate #CyberAttack #DataIntegrity #UnauthorizedAccess
Mitigation Measures:
Privilege Escalation Alert: Simple Membership Plugin Patched
Recent findings unveiled two privilege escalation vulnerabilities in the Simple Membership Plugin, a popular WordPress membership plugin with over 50,000 active installations. The first vulnerability, dubbed Unauthenticated Membership Role Privilege Escalation, could allow unauthenticated users to register an account with arbitrary membership levels. The second, Authenticated Account Takeover, could enable an authenticated user to take over any member account through an insecure password reset process. Both vulnerabilities were patched in version 4.3.5, with CVE-2023-41957 and CVE-2023-41956 assigned. Users are urged to update to the latest version to mitigate risks.
Source: Patchstack
Tags: #WordPress #SimpleMembershipPlugin #PrivilegeEscalation #CyberSecurity #PatchUpdate #CVE202341957 #CVE202341956
#GitLab Critical Security Release: 16.3.4 & 16.2.7
GitLab has rolled out versions 16.3.4 and 16.2.7 for both Community Edition (CE) and Enterprise Edition (EE) to address vital security flaws. It's imperative for all GitLab installations to upgrade to these versions ASAP. Notably, an issue was found in GitLab EE where attackers could exploit scan execution policies to run pipelines as any user; this was a bypass of CVE-2023-3932. This critical severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N, 9.6) is now patched and tagged as CVE-2023-4998. Kudos to joaxcar for spotting this via the HackerOne program!
Tags: #GitLab #SecurityRelease #CVE20234998 #CyberSecurity #PatchUpdate #Vulnerability #HackerOne
Source: GitLab Release
Author: Nick Malcolm
Ubuntu 6164-2: Addressing c-ares Vulnerabilities
Ubuntu has released fixes for several security issues related to c-ares. Ensure that your systems are updated to stay protected!
Date: September 12, 2023
CVE IDs: CVE-2023-32067, CVE-2023-31130
CVSS Score: 7.5
The Ubuntu Security Team has issued a security bulletin (USN-6164-2) to address vulnerabilities in the c-ares library. c-ares is a C library for asynchronous DNS requests, including name resolutions. These vulnerabilities could potentially lead to denial of service (DoS) attacks or the execution of arbitrary code by malicious actors.
Details:
The security bulletin (USN-6164-2) reports that several security issues in c-ares have been fixed, affecting the following Ubuntu versions:
The identified vulnerabilities are as follows:
CVE-2023-31130: Hannes Moesl discovered that c-ares mishandled certain IPv6 addresses. Exploiting this issue could result in c-ares crashing, leading to a denial of service (DoS) condition, or potentially allowing attackers to execute arbitrary code.
CVE-2023-32067: Xiang Li discovered that c-ares mishandled specific UDP packets. A remote attacker could potentially exploit this issue to crash c-ares, causing a denial of service (DoS) condition.
Resolution:
To mitigate these vulnerabilities, Ubuntu users are advised to update their systems to the following package versions:
- libc-ares2 version 1.14.0-1ubuntu0.2+esm1 (available with Ubuntu Pro)
- libc-ares2 version 1.10.0-3ubuntu0.2+esm2 (available with Ubuntu Pro)

Users are encouraged to perform a standard system update to ensure that these security fixes are applied.
Additional Information:
Recommendation:
Organizations and individuals using Ubuntu 18.04 and 16.04 should promptly apply the recommended updates to mitigate the identified vulnerabilities in the c-ares library and enhance the security of their systems.