Cyber Security Weekly Recap (13-19.Feb.)


New Zero-Day Vulnerability Found in Apple’s iOS, iPadOS, macOS, and Safari

On Monday, Apple released updates for iOS, iPadOS, macOS, and Safari to fix a zero-day vulnerability that the company said was being actively exploited by malicious actors.

This issue, identified as CVE-2023-23529, is a type confusion flaw in the WebKit browser engine that could lead to arbitrary code execution if triggered by processing specially crafted web content.

The iPhone maker claimed it fixed the bug with additional checks and is “aware of a report that this issue may have been actively exploited.” The vulnerability was discovered and reported by an unnamed researcher.

It has not been revealed exactly how the vulnerability is being exploited in real-world attacks, but this is the second actively abused type confusion flaw in WebKit to be patched by Apple after CVE-2022-42856, which was closed in December 2022.

In 2022, Apple patched ten separate zero-day vulnerabilities across its software. Four of those flaws were in WebKit, and nine of the ten were known to be actively exploited by malicious actors.

GoDaddy Admits to Security Breach That Allows Malware to Be Installed and Source Code to Be Stolen

On Friday, GoDaddy, a web hosting provider, announced that attackers had gained access to its systems, installed malware, and stolen source code for some of its services.

The firm claimed that a “sophisticated and organized group targeting hosting services” was responsible for the campaign.

GoDaddy said it received a number of customer complaints in December 2022 about their websites being randomly redirected to malicious sites. The company later discovered this was the result of an unauthorized third party gaining access to servers hosted in its cPanel environment.

The company explained that the malware the attacker “installed” caused “intermittent redirection of customer websites”. Based on what has been disclosed, the ultimate goal of the intrusions is to infect websites and servers with malware for phishing campaigns and malware distribution.

Critical RCE Vulnerability Discovered in ClamAV Open Source Antivirus Software

Cisco has released updates to patch an exploitable flaw in the ClamAV open-source antivirus engine to prevent remote code execution attacks.

The flaw is a remote code execution vulnerability in the HFS+ file parser component and has been assigned the CVE identifier CVE-2023-20032 (CVSS score: 9.8).

The detected vulnerability affects versions 1.0.0 and earlier, 0.105.1 and earlier, and 0.103.7 and earlier. According to Cisco Talos’ advisory, on vulnerable devices ClamAV could be exploited if a specially crafted HFS+ partition file is submitted for scanning.

Successful exploitation of the weakness could allow an attacker to run arbitrary code with the same privileges as the ClamAV scanning process, or crash the process and cause a denial of service.

Aside from CVE-2023-20032, Cisco has also addressed another vulnerability in the ClamAV DMG file parser (tracked as CVE-2023-20052, CVSS score: 5.3) that could have been exploited by an unauthenticated, remote attacker to leak sensitive information. ClamAV versions 0.103.8, 0.105.2, and 1.0.1 contain fixes for both flaws.

Fortinet Releases Patches for 40 Vulnerabilities Affecting FortiWeb, FortiOS, FortiNAC, and FortiProxy

Fortinet has released security updates that address 40 vulnerabilities across its product lineup, including FortiWeb, FortiOS, FortiNAC, and FortiProxy. Of the 40 flaws, two are rated “critical”, 15 “high”, 22 “medium” and one “low” by CVSS score.

In the top spot is a critical flaw in the FortiNAC network access control solution that could allow for arbitrary code execution (CVE-2022-39952, CVSS score: 9.8).

The second flaw, tracked as CVE-2021-42756 with a CVSS score of 9.3, is a stack-based buffer overflow in the FortiWeb proxy daemon that could allow an unauthenticated remote attacker to execute arbitrary code via specially crafted HTTP requests.

FortiNAC versions 7.2.0, 9.1.8, 9.1.8, and 9.1.8 all have fixes available and users are advised to update to them as soon as possible.

Multimillion-Copied NPM Package Has Been Hijacked By Researchers

An npm package with more than 3.5 million downloads per week has been found to be susceptible to a takeover of its maintainer account.

According to a report by Illustria, a software supply chain security firm, the package could be taken over by reclaiming an inactive domain name belonging to one of the package’s maintainers and then resetting the account password.

The Israeli company claimed it was able to reset the GitHub password using the recovered domain, even though npm’s security features only allow users to have one active email address per account.

In short, the attack allows an adversary to take control of the package’s associated GitHub account, which in turn allows them to distribute malicious packages through the npm registry.

Although the module’s name was not revealed, Illustria said it had contacted the module’s maintainer, who has since taken steps to secure the account.
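The weak point in the Illustria report is a maintainer contact domain that has lapsed. As an added example (not code from the article or from Illustria), the script below reads the `maintainers` field of an npm registry document and flags e-mail domains that no longer resolve; the package and domains in the sample document are constructed placeholders, and the DNS resolver is injectable so the check can run offline.

```python
import json
import socket
from typing import Callable, Dict, List

# Constructed sample of the `maintainers` field as served by the npm registry
# metadata endpoint (https://registry.npmjs.org/<package>); names and domains
# are placeholders, not a real package.
SAMPLE_REGISTRY_DOC = json.dumps({
    "name": "example-package",
    "maintainers": [
        {"name": "alice", "email": "alice@active-maintainer.example"},
        {"name": "bob", "email": "bob@lapsed-domain.example"},
        {"name": "carol", "email": "carol@active-maintainer.example"},
    ],
})


def domain_resolves(domain: str) -> bool:
    """Heuristic liveness check: True if the domain resolves to any address.
    NXDOMAIN is the signal that matters here, since an unregistered domain can
    be re-registered by a third party to receive the maintainer's mail."""
    try:
        socket.getaddrinfo(domain, None)
        return True
    except socket.gaierror:
        return False


def maintainer_domains(registry_doc: str) -> Dict[str, List[str]]:
    """Map each maintainer e-mail domain to the maintainer names using it."""
    domains: Dict[str, List[str]] = {}
    for m in json.loads(registry_doc).get("maintainers", []):
        email = m.get("email", "")
        if "@" not in email:
            continue  # the registry omits e-mail for some accounts
        domain = email.rsplit("@", 1)[1].lower()
        domains.setdefault(domain, []).append(m.get("name", "?"))
    return domains


def find_dead_maintainer_domains(
        registry_doc: str,
        resolver: Callable[[str], bool] = domain_resolves) -> Dict[str, List[str]]:
    """Return {domain: [maintainers]} for domains the resolver reports dead."""
    return {d: names for d, names in maintainer_domains(registry_doc).items()
            if not resolver(d)}


if __name__ == "__main__":
    for domain, names in find_dead_maintainer_domains(SAMPLE_REGISTRY_DOC).items():
        print(f"WARNING: {domain} does not resolve; maintainers: {', '.join(names)}")
```

Run against a real package by replacing `SAMPLE_REGISTRY_DOC` with the JSON fetched from the registry endpoint; an A/AAAA lookup is only a heuristic, and a registered domain with MX but no address records will be reported as dead.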


About the author

Lidia Howler

Lidia is a web content creator with years of experience in the cyber-security sector. She helps readers with articles on malware removal and online security. Her striving for simplicity and well-researched information provides users with easy-to-follow IT-related tips and step-by-step tutorials.
