Critical vulnerability in Atlassian Bitbucket Server and Data Center
Atlassian has recently warned its users about a new critical vulnerability affecting its Bitbucket Server and Data Center software, which should be patched immediately.
The flaw, CVE-2022-36804, has a CVSS v3 score of 9.9 according to Atlassian. It allows command injection through specially crafted HTTP requests, which opens the way to remote code execution.
Exploiting the vulnerability is not complex and does not require high privileges: the attacker only needs read permission on a public or private repository, and no user interaction is required. The affected versions of Bitbucket Server and Data Center are all those from 6.10.17 to 8.3.0; fixes have already been published in versions 7.6.17, 7.17.10, 7.21.4, 8.0.3, 8.1.3, 8.2.2 and 8.3.1. 6.x versions will not be patched.
For users who cannot patch at the moment, Atlassian recommends temporarily disabling public repositories. Meanwhile, Max Garret, the researcher who found the vulnerability and reported it to Atlassian, has promised to release a PoC in 30 days and has claimed that Atlassian's patch should not be very difficult to circumvent.
* * *
Intellexa offers a 0-day exploit for iOS and Android
A document belonging to the Israel-based company Intellexa has recently been leaked. Posted on Twitter by the vx-underground account, it shows a commercial offer for spyware at a price of 8 million euros.
The spyware works on iOS version 15.4.1 and Android version 12 and, since it is a 0-day, it is unlikely to have been patched and may well also work on newer versions of these operating systems. The exploit allows remote access to the data on affected devices.
The infection vector, according to the document, is a link that must be clicked in order to deliver the payload to the device. The offer also includes a one-year warranty, a platform for analysing the extracted data, ten types of concurrent infections, and a catalogue of a hundred other successful infections as examples.
* * *
Use of Log4j vulnerabilities against targets in Israel
Microsoft has published details of a recent investigation by its Threat Intelligence Center (MSTIC) describing a wave of attacks by the MuddyWater threat actor (tracked as Mercury by Microsoft) against targets in Israel.
According to the researchers, the actor has been using the well-known Log4Shell vulnerability to compromise unpatched software. This time the attacks mainly targeted SysAid, an IT management product, rather than the VMware software that has traditionally been targeted in these attacks.
MuddyWater exploited the vulnerabilities as the initial point of entry into the victim's systems, after which they deployed web shells to execute malicious commands, create users with admin privileges, steal credentials with Mimikatz, and move laterally with tools such as RemCom or Windows Management Instrumentation. To prevent these attacks, Microsoft recommends applying the patches for this set of vulnerabilities, which have been available since January 2022.
* * *
More than 1,000 iOS apps found exposing encrypted AWS credentials
Researchers from Symantec’s Threat Hunting team have detected nearly 2,000 mobile apps containing encrypted AWS (Amazon Web Services) credentials.
Most of the apps (1,856) are iOS apps, while only 37 are Android apps. 77% of the apps have been confirmed to contain valid AWS access tokens that could be used to access private cloud services directly.
Depending on the type of application, an attacker could also use those valid AWS tokens to access cloud instances hosting live service databases with millions of records, including user account details, internal communications and other sensitive data.
Symantec's research is intended to warn mobile app developers of the dangers of over-reliance and insecure practices that expose AWS credentials, which can leave the mobile app supply chain vulnerable and open the door for malicious actors to private databases, leading to potential data breaches and exposure of end users' personal data.
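As an added illustration of the kind of pre-release check the Symantec findings call for (example code written for this digest, not Symantec's tooling): a small scanner that walks an unpacked app bundle looking for hard-coded AWS access key IDs and flags whether a matching secret key ships alongside them. The bundle paths and key values below are constructed placeholders.

```python
import re
from typing import Dict

# An AWS access key ID is 20 chars: a 4-char prefix (AKIA = long-term IAM user
# key, ASIA = temporary STS key) followed by 16 uppercase alphanumerics.
ACCESS_KEY_RE = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
# A secret access key is 40 base64-like chars; alone that is too noisy, so it
# only counts when a "secret ... key" label sits within 30 chars before it.
SECRET_RE = re.compile(
    r"(?is)secret[_ -]?(?:access[_ -]?)?key.{0,30}?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)

def scan_text(text: str) -> Dict[str, bool]:
    """Map each access key ID found in `text` to whether a secret key sits beside it."""
    has_secret = SECRET_RE.search(text) is not None
    return {m.group(0): has_secret for m in ACCESS_KEY_RE.finditer(text)}

def scan_bundle(files: Dict[str, bytes]) -> Dict[str, Dict[str, object]]:
    """Scan an unpacked app bundle (path -> raw bytes) and aggregate hits per key ID.

    A key ID by itself is only an identifier; paired with its secret anywhere in
    the bundle it is a working credential and must be rotated, not just deleted.
    """
    report: Dict[str, Dict[str, object]] = {}
    for path, blob in files.items():
        # Mach-O/DEX binaries are decoded as lenient UTF-8 so embedded strings survive.
        for key_id, with_secret in scan_text(blob.decode("utf-8", errors="ignore")).items():
            entry = report.setdefault(key_id, {
                "kind": "temporary (ASIA)" if key_id.startswith("ASIA") else "long-term (AKIA)",
                "files": [], "secret_present": False})
            entry["files"].append(path)
            entry["secret_present"] = entry["secret_present"] or with_secret
    return report

# Constructed sample bundle; key values are placeholders, not real credentials.
SAMPLE_BUNDLE = {
    "Payload/Demo.app/Info.plist": (
        b"<key>AWSAccessKeyId</key><string>AKIAEXAMPLEEXAMPLE00</string>\n"
        b"<key>AWSSecretKey</key><string>EXAMPLEexampleEXAMPLEexampleEXAMPLEexam0</string>\n"),
    "Payload/Demo.app/Demo": b"\x00\x01cstring pool\x00AKIAEXAMPLEEXAMPLE00\x00ASIATEMPORARYKEY1234\x00",
    "Payload/Demo.app/README": b"Ask ops@example.com for keys; never ship them in the app.",
}

if __name__ == "__main__":
    for key_id, info in scan_bundle(SAMPLE_BUNDLE).items():
        print(key_id, info)
```

Any key that the scanner reports with `secret_present` set should be treated as already compromised and rotated in IAM before the build is shipped.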
* * *
Google patches 24 vulnerabilities in Chrome
Google's latest security bulletin fixes 24 vulnerabilities, including a critical flaw (CVE-2022-3038), and adds a built-in HTML sanitizer to protect users from XSS attacks.
Most of the patched vulnerabilities were memory management issues, with use-after-free and buffer overflow flaws affecting components such as WebUI and Screen Capture.
Google has also fixed several security-policy and incorrect-implementation vulnerabilities. It is worth noting that, while there is no evidence that these vulnerabilities are being actively exploited, there is a serious unpatched vulnerability affecting the operating system clipboard through Chromium-based browsers, which can be exploited without any authorization or interaction from the user.
Google also recommends installing the browser's latest version to fix these flaws.