CYBERSECURITY NEWS V. October – vulnerabilities in FortiOS and FortiProxy, 0-day vulnerability in iOS 16.1, Microsoft has a giant leak
Apple fixes zero-day vulnerability in iOS 16.1
The zero-day vulnerability was identified as CVE-2022-42827, and the company was notified about it by an anonymous researcher. The error is caused by the software writing data outside the current memory buffer. Typically, these vulnerabilities lead to memory corruption, application crashes, or arbitrary code execution.
If successfully exploited, this vulnerability could be used to execute arbitrary code with kernel privileges.
The vulnerability affects iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later. The issue has already been fixed in iOS 16.1 and iPadOS 16.
Although Apple says that the company is aware of active attacks on this vulnerability, the company has not yet shared any information about these attacks. Apparently, by not disclosing the data, Apple is trying to give users more time to install patches before other hackers learn the details about the bug, create their own exploits and start using them in attacks.
RCE Vulnerability Found in Apache Commons Text Library
A critical vulnerability has been discovered in the Apache Commons Text library, which experts are already comparing with the infamous Log4Shell.
The problem was assigned the identifier CVE-2022-42889, and the Apache Commons developers have already prepared a corresponding patch - with the release of version 1.10.0.
Since Apache Commons Text is used by many developers and organizations, the new vulnerability hastened to be dubbed another Log4Shell level hole. Therefore, CVE-2022-42889 was named Text4Shell (another name is Act4Shell).
The vulnerability is a script evaluation problem caused by the interpolation system. An attacker could use the vulnerability to cause code execution when processing malicious input in the library's default configuration.
The StringSubstitutor string substitute, when used with default interpolators, will search for strings, which can lead to arbitrary code execution. Apache Commons Text relies on an interpolation system to manage strings. Applications that use default interpolation may be vulnerable to remote code execution or inadvertent contact with remote servers if untrusted configuration values are used.
The vulnerability affects versions from 1.5 to 1.9. The issue has been fixed with the release of Apache Commons Text 1.10.0, which disables problematic interpolators by default.
Microsoft has a giant leak
On October 19, Microsoft notified its customers that some of their data may have been exposed. At the same time, the company did not provide more detailed information, including the number of affected customers. The leak became possible due to an incorrectly configured server with user information, due to which anyone could get access to it via the Internet.
SOCRadar presented its own report on this incident, whose specialists identified a problem with the Microsoft server on September 24th. According to experts, the leak affected about 65,000 Microsoft corporate clients from 111 countries. The hacked archive included 335,000 emails and 133,000 projects. Among other things, this data contained product orders and offers, project details, sales strategies, and data and documents that could compromise intellectual property.
Hackers attacked Microsoft, stealing 2.4 terabytes of sensitive data, 335+ thousand emails, 133 thousand projects and 548 thousand users.
BidenCash hacker platform gives away data of 1.2 million credit cards for free
BidenCash, a specialized hacking site, has released a massive dump of 1,221,551 credit card data to promote its cybercriminal store. In fact, any user can now download them for free to commit financial fraud.
BidenCash is a dark web marketplace for stolen cards launched in June 2022. Previously, its operators have already released several thousand stolen bank card data to the public, but now they have decided to promote the site with a much larger dump.
Cybercriminals have announced a credit card dump on new URLs launched by BidenCash late last month in response to DDoS attacks, so this could be a way to promote new store domains. To ensure the widest possible reach, hackers distribute their collection through the clearnet domain and other hacking and carding forums. The freely redistributable file contains a mix of "fresh" cards valid between 2023 and 2026 from around the world. But most of the credit cards belong to American citizens. A data dump of 1.2 million credit cards includes the following personal information associated with them:
- Card number;
- CVV number;
- Owner's name;
- Name of the bank;
- card type, status and class;
- owner's address, state (region) and zip code;
- E-mail address;
- phone number.
This credit card data mostly comes from web skimmers, which are malicious scripts injected into the checkout pages of hacked e-commerce sites that steal submitted bank card and customer information.
Critical vulnerabilities in FortiOS and FortiProxy
Fortinet has alerted its customers to a critical vulnerability affecting FortiGate firewalls and FortiProxy Web Proxy that could potentially allow an attacker to perform unauthorized actions on vulnerable devices.
Critical RCE authentication bypass vulnerability CVE-2022-40684 (CVSS score: 9.6) could allow an unauthorized attacker to perform arbitrary operations on the administrative interface using a specially crafted HTTP(S) request.
This issue affects the following versions:
- FortiOS - from 7.0.0 to 7.0.6 and from 7.2.0 to 7.2.1;
- FortiProxy - from 7.0.0 to 7.0.6 and 7.2.0.
The bug has been fixed in FortiOS 7.0.7 and 7.2.2 and in FortiProxy 7.0.7 and 7.2.1 released last week. Fortinet has urged all customers with affected versions to upgrade immediately.
As a temporary security measure, the company recommends that users disable HTTPS administration (HTTPS Administration) until updates are installed. Alternatively, you can restrict access to the FortiGate admin interface using the Local-In firewall policy instead.