Apple Security Advisory 09-26-2023-2 - macOS Sonoma 14 addresses buffer overflow, bypass, code execution, out of bounds read, resource exhaustion, spoofing, and use-after-free vulnerabilities.

Apple Security Advisory 09-26-2023-2

DOS vulnerability that could allow an attacker to register a new VNF (Virtual Network Function) value. This action could trigger the args_assets() function defined in the arg-log.php file, which would then execute the args-abort.c file, causing the service to crash.

Affected Resources

Open5GS, version 2.4.10 and prior.

Description

INCIBE has coordinated the publication of 4 vulnerabilities affecting Open5GS, an implementation for 5G Core and 4G, which have been discovered by Pablo Valle Alvear, from Titanium Industrial Security team.

These vulnerabilities have been assigned the following codes, CVSS v3.1 base score, CVSS vector string and the CWE vulnerability type of each vulnerability:

*   **CVE-2023-4882**: CVSS v3.1: 7,5 | CVSS: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | CWE-404.
*   **CVE-2023-4883**: CVSS v3.1: 7,5 | CVSS: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | CWE-763.
*   **CVE-2023-4884**: CVSS v3.1: 6,5 | CVSS: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L | CWE-306.
*   **CVE-2023-4885**: CVSS v3.1: 6,5 | CVSS: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N | CWE-300.

Solution

Open5GS is working on a fix for the reported vulnerabilities.

Detail

*   **CVE-2023-4882:** DOS vulnerability that could allow an attacker to register a new VNF (Virtual Network Function) value. This action could trigger the args\_assets() function defined in the arg-log.php file, which would then execute the args-abort.c file, causing the service to crash.
*   **CVE-2023-4883:** invalid pointer release vulnerability. Exploitation of this vulnerability could allow an attacker to interrupt the correct operation of the service by sending a specially crafted json string to the VNF (Virtual Network Function), and triggering the ogs\_sbi\_message\_free function, which could cause a service outage.
*   **CVE-2023-4884:** lack of authentication vulnerability. An attacker could send an HTTP request to an Open5GS endpoint and retrieve the information stored on the device due to the lack of Authentication.
*   **CVE-2023-4885:** Man in the Middle vulnerability, which could allow an attacker to intercept VNF (Virtual Network Function) communications resulting in the exposure of sensitive information.

CVE-2023-4882: Multiple Vulnerabilities Open5gs | INCIBE-CERT

Nearly three dozen counterfeit packages have been discovered in the npm package repository that are designed to exfiltrate sensitive data from developer systems, according to findings from Fortinet FortiGuard Labs.
One set of packages – named @expue/webpack, @expue/core, @expue/vue3-renderer, @fixedwidthtable/fixedwidthtable, and @virtualsearchtable/virtualsearchtable – harbored an obfuscated

Software Security / Hacking

Nearly three dozen counterfeit packages have been discovered in the npm package repository that are designed to exfiltrate sensitive data from developer systems, according to findings from Fortinet FortiGuard Labs.

One set of packages – named @expue/webpack, @expue/core, @expue/vue3-renderer, @fixedwidthtable/fixedwidthtable, and @virtualsearchtable/virtualsearchtable – harbored an obfuscated JavaScript file that's capable of gathering valuable secrets.

This includes Kubernetes configurations, SSH keys, and system metadata such as username, IP address, and hostname.

The cybersecurity firm said it also discovered another collection of four modules, i.e., binarium-crm, career-service-client-0.1.6, hh-dep-monitoring, and orbitplate, which results in the unauthorized extraction of source code and configuration files.

"The targeted files and directories may contain highly valuable intellectual property and sensitive information, such as various application and service credentials," security researchers Jin Lee and Jenna Wang said. "It then archives these files and directories and uploads the resulting archives to an FTP server."

Some of the packages observed have also been found leveraging a Discord webhook to exfiltrate sensitive data, while a few others are engineered to automatically download and execute a potentially malicious executable file from a URL.

In what's a novel twist, a rogue package named @cima/prism-utils relied on an install script to disable TLS certificate validation (NODE\_TLS\_REJECT\_UNAUTHORIZED=0), potentially rendering connections vulnerable to adversary-in-the-middle (AitM) attacks.

The cybersecurity company said it categorized the identified modules into nine different groups based on code similarities and functions, with a majority of them employing install scripts that run pre or post-install to carry out the data harvesting.

"End users should watch for packages that employ suspicious install scripts and exercise caution," the researchers said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Over 3 Dozen Data-Stealing Malicious npm Packages Found Targeting Developers

Authorization bypass vulnerability in UPV PEIX, affecting the component "pdf_curri_new.php". Through a POST request, an authenticated user could change the ID parameter to retrieve all the stored information of other registered users.

Affected Resources

UPV PEIX

Description

INCIBE has coordinated the publication of a vulnerability in UPV PEIX, an internship management system at the School of Computer Engineering of the Universitat Politècnica de València (UPV), which has been discovered by Pablo Alcarria Lozano and Germán Planells García.

The following code has been assigned to this vulnerability:

*   **CVE-2023-2544**:
    *   CVSS v3.1 base score: 5,3.
    *   CVSS vector string: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N.
    *   Vulnerability type: CWE-639: authorization bypass through user-controlled key.

Solution

This vulnerability has been fixed in August 2022.

Detail

*   **CVE-2023-2544**: authorization _bypass_ vulnerability in UPV PEIX, affecting the component "pdf\_curri\_new.php". Through a _POST_ request, an authenticated user could change the ID parameter to retrieve all the stored information of other registered users.

CVE-2023-2544: Authorization Bypass Upv Peix | INCIBE-CERT

Cross-Site Request Forgery (CSRF) vulnerability in Sami Ahmed Siddiqui HTTP Auth plugin <= 0.3.2 versions.

**Solution**

 Fixed

Update the WordPress HTTP Auth plugin to the latest available version (at least 1.0.0).

Found this useful? Thank Mika for reporting this vulnerability. Buy a coffee ☕

Mika discovered and reported this Cross Site Request Forgery (CSRF) vulnerability in WordPress HTTP Auth Plugin. This could allow a malicious actor to force higher privileged users to execute unwanted actions under their current authentication. This vulnerability has been fixed in version 1.0.0.

**No other known vulnerabilities for this plugin**Report

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

CVE-2023-27435: WordPress HTTP Auth plugin <= 0.3.2 - Cross Site Request Forgery (CSRF) vulnerability - Patchstack

Cross-Site Request Forgery (CSRF) vulnerability in eMarket Design YouTube Video Gallery by YouTube Showcase plugin <= 3.3.5 versions.

**Solution**

 Fixed

Update the WordPress Video Gallery & Management plugin to the latest available version (at least 3.3.6).

Found this useful? Thank thiennv for reporting this vulnerability. Buy a coffee ☕

thiennv discovered and reported this Cross Site Request Forgery (CSRF) vulnerability in WordPress Video Gallery & Management Plugin. This could allow a malicious actor to force higher privileged users to execute unwanted actions under their current authentication. This vulnerability has been fixed in version 3.3.6.

**No other known vulnerabilities for this plugin**Report

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

CVE-2023-40558: WordPress Video Gallery & Management plugin <= 3.3.5  - Cross Site Request Forgery (CSRF) vulnerability - Patchstack

Cross-Site Request Forgery (CSRF) vulnerability in Buildfail Localize Remote Images plugin <= 1.0.9 versions.

**Solution**

 No fix

No patched version is available. No reply from the vendor.

Lokesh Dachepalli discovered and reported this Cross Site Request Forgery (CSRF) vulnerability in WordPress Localize Remote Images Plugin. This could allow a malicious actor to force higher privileged users to execute unwanted actions under their current authentication. This vulnerability has not been known to be fixed yet.

**No other known vulnerabilities for this plugin**Report

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

CVE-2023-41244: WordPress Localize Remote Images plugin <= 1.0.9 - Cross Site Request Forgery (CSRF) vulnerability - Patchstack

Information exposure vulnerability in IBERMATICA RPS 2019, which exploitation could allow an unauthenticated user to retrieve sensitive information, such as usernames, IP addresses or SQL queries sent to the application. By accessing the URL /RPS2019Service/status.html, the application enables the logging mechanism by generating the log file, which can be downloaded.

**Multiple vulnerabilities in Ibermática RPS 2019**

Affected Resources

Ibermática RPS 2019

Description

INCIBE has coordinated the publication of 2 vulnerabilities in RPS 2019, an enterprise resouce planning _software_ (ERP), which has been discovered by Francisco Javier Medina Munuera.

These vulnerabilities have been assigned the following codes:

*   **CVE-2023-3349:**
    *   CVSS v3.1 base score: 8,2.
    *   CVSS vector string: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N.
    *   Vulnerability type: CWE-200: information exposure.
*   **CVE-2023-3350:**
    *   CVSS v3.1 base score: 8,2.
    *   CVSS vector string: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N.
    *   Vulnerability type: CWE-310: cryptographic issues.

Solution

There is no identified solution. However, there is a new version of RPS (link in 'References').

Detail

*   **CVE-2023-3349:** information exposure vulnerability that could allow an unauthenticated user to retrieve sensitive information, such as usernames, IP addresses or SQL queries sent to the application. By accessing the URL /RPS2019Service/status.html, the application enables the logging mechanism by generating the _log_ file, which can be downloaded.
*   **CVE-2023-3350:** there is a cryptographic vulnerability that could be exploited by an attacker by downloading the _log_ file, retrieving the SQL query sent to the application in plain text. This _log_ file contains the password _hashes_ encrypted with the AES-CBC-129 bit algorithm, which can be decrypted with a .NET function, obtaining the user's password in plain text.

CVE-2023-3349: Multiple Vulnerabilities Ibermatica Rps 2019 | INCIBE-CERT

Cross-Site Request Forgery (CSRF) vulnerability in theDotstore Banner Management For WooCommerce plugin <= 2.4.2 versions.

**Solution**

 Fixed

Update the WordPress Woocommerce Category Banner Management plugin to the latest available version (at least 2.4.3).

Found this useful? Thank Mika for reporting this vulnerability. Buy a coffee ☕

Mika discovered and reported this Cross Site Request Forgery (CSRF) vulnerability in WordPress Woocommerce Category Banner Management Plugin. This could allow a malicious actor to force higher privileged users to execute unwanted actions under their current authentication. This vulnerability has been fixed in version 2.4.3.

**Other vulnerabilities in this plugin**

 0 present

 5 patched

View all

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

CVE-2023-39158: WordPress Banner Management For WooCommerce plugin <= 2.4.2 - Cross Site Request Forgery (CSRF) vulnerability - Patchstack

Cross-Site Request Forgery (CSRF) vulnerability in POEditor plugin <= 0.9.4 versions.

**Solution**

 Fixed

Update the WordPress POEditor plugin to the latest available version (at least 0.9.5).

Found this useful? Thank Elliot for reporting this vulnerability. Buy a coffee ☕

Elliot discovered and reported this Cross Site Request Forgery (CSRF) vulnerability in WordPress POEditor Plugin. This could allow a malicious actor to force higher privileged users to execute unwanted actions under their current authentication. This vulnerability has been fixed in version 0.9.5.

**Other vulnerabilities in this plugin**

 0 present

 2 patched

View all

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

Tag

#auth