Jenkins Kubernetes Credentials Provider Plugin 1.208.v128ee9800c04 and earlier does not set the appropriate context for Kubernetes credentials lookup, allowing attackers with Item/Configure permission to access and potentially capture Kubernetes credentials they are not entitled to.

CVE-2023-24425: Jenkins Security Advisory 2023-01-24

Jenkins Keycloak Authentication Plugin 2.3.0 and earlier does not invalidate the previous session on login.

CVE-2023-24456: Jenkins Security Advisory 2023-01-24

Missing permission checks in Jenkins Orka by MacStadium Plugin 1.31 and earlier allow attackers with Overall/Read permission to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

CVE-2023-24433: Jenkins Security Advisory 2023-01-24

An issue was discovered in the rollback feature of Elastic Endpoint Security for Windows, which could allow unprivileged users to elevate their privileges to those of the LocalSystem account.

CVE-2022-38775: Security issues

By Waqas
Cybercriminals are leveraging two exploit chains (ProxyNotShell/OWASSRF) to target Microsoft Exchange servers, as warned by Bitdefender Labs.
This is a post from HackRead.com Read the original post: New Wave of Cyberattacks Targeting MS Exchange Servers

Most of the attacks occurred in the U.S. in November 2022, but some organizations in Austria, Poland, and Turkey were also targeted.

Bitdefender Labs has shared its findings on a new wave of untargeted cyberattacks in which attackers are abusing two exploit chains to target on-premises **MS Exchange servers**.

**Findings Review**

Bitdefender noted that, at the end of November 2022, there was an increase in attacks leveraging two exploit chains identified as **ProxyNotShell** and OWASSRF to target MS Exchange servers. The researchers found that cybercriminals prefer to exploit on-premises Exchange servers 2013, 2016, and 2019.

**Vulnerabilities explained**

Attackers use two tactics in their new attacks against the MS Exchange servers. The first is the ProxyNotShell vulnerability, a combination of two already-disclosed vulnerabilities tracked as **CVE-2022-41082** and **CVE-2022-41080**. It requires threat actors to authenticate to the vulnerable server; this vulnerability was patched in November 2022.

OWASSRF is the other vulnerability exploited in this attack chain. This exploit uses the same two vulnerabilities but in a different way. It is capable of bypassing the ProxyNotShell mitigation solutions; it was used in the Rackspace attack in December 2022.

**Attack Details**

Technically, the attack is called **server-side request forgeries/SSRF**. It allows threat actors to send a specially crafted request from a vulnerable server to another server to access resources and fulfil their malicious objectives on the vulnerable server.

Using the two vulnerabilities will allow the attacker to carry out **remote code execution** if they have the login credentials. They don’t necessarily have to be an administrator to perform desired actions, as any account can be used.

Microsoft **patched** these vulnerabilities on September 30th and November 8th, 2022. This means only those companies that haven’t yet fixed their systems are at risk. Most of the attacks, according to Bitdefender’s **blog post**, occurred in the U.S. in November 2022, but some organizations in Austria, Poland, and Turkey were also targeted.

The attackers target companies from various sectors, including law and brokerage firms, real estate, consultancy firms, and wholesalers. So far, over 100,000 organizations worldwide have been targeted by SSRF attacks.

**What is SSRF Attack?**

SSRF attacks are increasingly popular among cybercriminals because, if a web app is vulnerable to SSRF, the attacker can send a request from the vulnerable server to any local network resource which isn’t otherwise accessible to the attacker. Otherwise, the attacker would send a request to an external server, e.g., a cloud platform, to carry out specific actions on behalf of the vulnerable server.

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

New Wave of Cyberattacks Targeting MS Exchange Servers

In certain Lexmark products through 2023-01-12, SSRF can occur because of a lack of input validation.

%PDF-1.7 %���� 528 0 obj <> endobj 542 0 obj <>/Filter/FlateDecode/ID\[<39DCC2A24C0DE24D9B6C18325A97C7E1><78F235B8D01948A0B7B9A1427E9CE91B>\]/Index\[528 37\]/Info 527 0 R/Length 77/Prev 94092/Root 529 0 R/Size 565/Type/XRef/W\[1 2 1\]>>stream h�bbd\`\`b\`�$����@��H0� � �>�5H��R�AJ&�Xˀ�u&F��@#����/�0#l 0 endstream endobj startxref 0 %%EOF 564 0 obj <>stream h�b\`\`\`�J!Aʰ!��oI�~wE60506@�H����ژ��1~c�˴�i�'�ă�\`���.1@���A�����1�H;�0��N endstream endobj 529 0 obj <>/Metadata 11 0 R/Pages 526 0 R/StructTreeRoot 15 0 R/Type/Catalog/ViewerPreferences 543 0 R>> endobj 530 0 obj <>/MediaBox\[0 0 612 792\]/Parent 526 0 R/Resources<>/Font<>/ProcSet\[/PDF/Text/ImageB/ImageC/ImageI\]>>/Rotate 0/StructParents 0/Tabs/S/Type/Page>> endobj 531 0 obj <>stream h�ėݎ�:�\_ŗ��\_�$R��.�E�n��s�R��\\6RHP����w��!��Т������{>��I�<"TPB�4 %T>��(�A�C� PS�p��S ¥M% W � (�C��&^���IXH�f�A��\`�Ҍ��� p")%��\`v)���:N�M�l��b�֙!u����qsG�r�dt�����~7����EB�����5�1�&�I�}\_=����x~Ho��{���j⋀�M�6��I��\*��N����)�����#�1�#b�y�� �i� n�ly7�ow�2F�u���Q��m1��$�4\_���\]���"\`j:���0��΁��.J�yg�Pl8�����R�ھG�4����\_�h~q\\�§��i#X�y��L\[{�c�J�M\*�����|Q����4�Uڶ'iYշOI�ܵ?7K=#�C�S�S� ��o\_j<�9�f�=yj�R��û!�@�x"�.D�DJ\[���00 Ft ��kSݛ�:�?��$y'I�D�$�9��%$)�ǂN+؏2��Q�\_R��\*���!IX���<�X�@��v2���8s=!�8'r�A�ҭq���N�����ݹ���{���?6<��X���~X�?�j��\]È���V��Q�8j���^�t�\_���:'��ZڀNGY?�ط���F\`k��u\]T�+��J^��<���d�l2�2<�Lt^Fj��Ѥ�C��\]Ru�����m��vӿ�l�v��Y2\]�(��,���},�ڐ�b�m���S�b�wt���c�4%��j���z��>�UZ����hY|1�a��&3k�����=I3���v��2���K��� �ǜG�s\]��c)#�߱�ѕ�;V2� �:�.H۱D��m�v(1�V|&��Nǳm^��\_���~�����t|�l�#�� �\\��mh2�Ƣ:Xt�\_L��?�@:cZC�2(A���W�P{G�e���\[?W�\_���!JzvLk�p�S���( endstream endobj 532 0 obj <>stream H���KO�@����hW�/��B��PH���Pz��, ;I��w֤ao�9��Y�73;�\]�:�����ޗ}�;;��߃�0���\_.$p0x������\`{a�u(@dpq'q�Xi��;�pԷ0��c0n޲��Q��N��XEw��o�/�$�����>��Xe��h'\*\*��ʍ}���q �k��i����\_��V1-^{�������%�o��s&��\`5��t�� ����L��?����e\]Ɖ��'odmh&X������\_�'xƸ�9JF�z E0�G�8i��7�������'�8��)�~�\\�0w�UΠ��h�:S6LYdJ7EPQR����Q����"�)��\*�ըN>��e5v'"Vn��|��| Er��@R\*��)�P&c�m��ܶbvu\[��W^��m1�MTn���Uؕd��"\*Y\*m���B-X��\`#�M�Ln8~� �ď�Wr�U���Q�YnZE�2&t�ޟݹ-?�\\�.�k�.W���9l)$Gr,��\]���s��NUvj�g��b:���El��i��@'3�:fH�륎�#2�皩 �����x�g3w�\]�a���7����������?ġ���I�Nx��^��q"06S7��x�+�S����ǲ�:#j('TP���8��c@�������#�O&�CN <�=�� ќ������8�M�k2�H3��22�a6\_-�-y�h�Y�s����#�b����q��ZS��XY�2��a��g���!�ǐ�Mk�=���A��� �R�^z��^��\[���n��+�9��v@T!��8Tg�\_�:C�&V� C{)�:�0�\\XN endstream endobj 533 0 obj <>stream H����N�@��-��Ү�ރ�BH%@ժH-���"��D8���wƦ\*Y���D�8�����$'�\`1J�&�d�P��0�% $>�JHm��B&�G��9-oG�i:�r�~9Ⱦ���(9�\[|%7����x3 W44�(d)ic�l�R�2F�R\\�B���)��i.����:.���F�B������\`�#��l���c�����6�ȶA؞��6�\_W��f���X�#m}����5���{���E�l���p:F ���L�F �-F͊S��b(�՗\[�rsZ勗�s$'��\[l�+�h�E �A��4%L�O��,ilW�^:KZ|��=F��b6�y��2o@Y�3�WNH������\]1^X�T|넉a�i}��C��0. �k� �ڄRX���p\*��{å\*�?�u-�4�L@�@sWe>m���F�(���K�\]�\]�/6��5� �s��v�����I����u��a��t�̻�=�Y����n��\[g�q�\_aDb�^/�,G\[�hЬ��r�)hɘ��Pcc\\M)20������h�˚v.�^p�Q� L4W�U�ֿʓJE@4���3x���y���+6+�n��j��%W���'l�k�r{�T�&,/���4�F��4\]P@T憭���S�N�Pe6��>m��\\��ƆR��c�W\`rU��ͱ����}��ӵ���M����oٺфN��p\]ݑtE9%3�ty�'AX���w�+�.S��A��֙��S�WW6i0'���ifu�q��\\Lӫ�z&�gV M7Ev�U\*�rO%I��֔�%�-\`�kk��e�"�a.��B뗎/Ɂ�"<'< �y�E#��4��n��f�e�@l�PV�Oq�X� endstream endobj 534 0 obj <>stream x�\]��n�0E�� /�E�yF�R!�Ģ���=�H�X�Y��534�b ���\_fT��ֽ���e�w�V��f%�\\{��^���-�ְ���yr0ԺY����'gg�yV��X�f�^\_��\\5���1�0�v\\��� :\_�5��<@ٶV>޻y�5��!�dF� &�J���˅\_�O~�z���d�N~��c�.D$ �Q��DG��(^)AJB�QB�'ʈ\*�=R,�Dtz\*���\*��x��8���4Bm�:��I��Bu�?�$OK�v$/)�\\�D"�Vk��Tf���ot��r �Ó7k������Q���ɌfQ-�Q�� endstream endobj 535 0 obj <>stream H����n�8�� ��RZ��H�D�(���m4���^4{!ۊ#�be%�i߾3tz�ZTRc��)��7��?����ǣ��x�n<��73��-<{���z2~�N\_���(!�� �?S��)ƣO�f<:�%�?����x$qRtQ���a~�k��>��>{3���>����i�S����k\_{���h�������ko�̚�2'&�&��|��k .�NE��c�\]��'�D"tƊ����FI("�� �LIt&~tJ����e��c��|Ě3=Nl���R|o/΃�\_�R{S"�w�5ŉ����f�sI�'ӗL�F���� �Z<4b�p��2">d�����Ij���K�E�D1��\\�.I2���\[�\]L�rWL�) {�{�7���rd��Ez�>�rS�%��.\_�UI������eR���k?E ��ys׌#��f���m��G�f�a�B�,�{��\_ҩ��v��تE�s��R�r�%�H�˾�XA�aK5�bKm�vȶ�Qf\[�|�� ����˭���Y��͒B\]�M�-�+�M��Y;zشe�-�L�q\*"�2QrQ=@���N��»꺛�ϼi@�:�����eC/�מFI(�qYQ7���Zˡ�ڵ�uu�r�qҖ��3�K������Hh���Q2�#e�-W\_':��}���ߔ��a�Չ3��n���87�0 �N�HG�T'�B��:����25�A) �to�H��$ Ev����tK���I���r\[A�-�\]?�\]pޑH՗�\]���ݶ���J�ݢ�Y|3P���m�2�oUA=�K+�j�7@���f�w^�K�l �uY�f�W�dxQ���9׵�- ��P|)�V�v��͢��4h.W����&{.���Gl�?��+��q������<� ?��V���)�݌$C��8\`j� endstream endobj 536 0 obj <>stream H��W�k�H~��G����{�\`���gȁ��>�Xn��vNv���+�v��I@������fv曌×A��� �;��\\&o����fQ����0�}���ٟ��\_\\�x��B���Kh�A��X�1.^h�y�� ���!4�H�0\[�=v\[�U�Y�����׻-!�Ş��)�O'�+�����HU�0>��k-���8�W���Gس ,�|״��� @�<| >\_��^���#\[�r��=kTP�3+SP���V߂�mS��R��݆�)0�>e���2)���P� ��IiO�l�B�Ѧ9.��� \`2�\`��M<o�6G�N��q>Vui�l\]\*���x3.\\�� >�Ļ�-���EI�d2gK"򕬘Lƹ&�Y)���w<^��Ky@��K�ez�I�$���;^Y�O$��S���3�yr�T<�{e�ť}�j�����q�&,2&l�K7���sO��ӊ�sl��2�Bh�oVT��J&���=UkA1!�Na���yhm�M�sl���^NU>���O�.�THְ\*B2�\`�(<\*�J1�����O�

CVE-2023-23560

OpenText Extended ECM versions 16.2.2 through 22.3 suffer from arbitrary file deletion, information disclosure, local file inclusion, and privilege escalation vulnerabilities.

OpenText Extended ECM 22.3 File Deletion / LFI / Privilege Escsalation

A vulnerability in Cisco TelePresence CE and RoomOS Software could allow an authenticated, local attacker to bypass access controls and conduct an SSRF attack through an affected device. This vulnerability is due to improper validation of user-supplied input. An attacker could exploit this vulnerability by sending a crafted request to a user of the web application. A successful exploit could allow the attacker to send arbitrary network requests that are sourced from the affected system.

*   When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories page, to determine exposure and a complete upgrade solution.
    
    In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.
    
    **Fixed Releases**
    
    Cisco has addressed these vulnerabilities in Cisco RoomOS Software, which is cloud based. No user action is required. Customers can determine the current remediation status or software version by using the Help function in the service GUI. Customers who need additional information are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance provider.
    
    At the time of publication, the release information in the following table(s) was accurate. See the Details section in the bug ID(s) at the top of this advisory for the most complete and current information.
    
    The left column lists Cisco software releases, and the right column indicates whether a release was affected by the vulnerabilities that are described in this advisory and which release included the fix for these vulnerabilities.
    
    **CVE-2023-20002  
    **
    
    Cisco TelePresence CE Software Release
    
    First Fixed Release
    
    9
    
    Migrate to a fixed release.
    
    10
    
    10.19.4
    
    **CVE-2023-20008**
    
    Cisco TelePresence CE Software Release
    
    First Fixed Release
    
    9
    
    Migrate to a fixed release.
    
    10
    
    10.19.3.0
    
    The Cisco Product Security Incident Response Team (PSIRT) validates only the affected and fixed release information that is documented in this advisory.

CVE-2023-20002: Cisco Security Advisory: Cisco TelePresence Collaboration Endpoint and RoomOS Software Vulnerabilities

IBM Spectrum Virtualize 8.5, 8.4, 8.3, 8.2, and 7.8, under certain configurations, could disclose sensitive information to an attacker using man-in-the-middle techniques. IBM X-Force ID: 235408.

  

**Summary**

A vulnerability in the IP Quorum feature on IBM Spectum Virtualize may lead to loss of confidentiality in private communications between the management GUI and clients. It is recommended that administrators upgrade to a fixed code level, request a new system certificate and redeploy the IP Quorum app if this feature has been enabled.

**Vulnerability Details**

**CVEID:**   CVE-2022-39167  
**DESCRIPTION:**   IBM Spectrum Virtualize, under certain configurations, could disclose sensitive information to an attacker using man-in-the-middle techniques.  
CVSS Base score: 5.9  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/235408 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

**Affected Products and Versions**

Affected Product(s)

Version(s)

IBM Spectrum Virtualize

7.8

IBM Spectrum Virtualize

8.2

IBM Spectrum Virtualize

8.3

IBM Spectrum Virtualize

8.4

IBM Spectrum Virtualize

8.5

**Remediation/Fixes**

IBM recommends that you fix this vulnerability by upgrading affected versions of IBM SAN Volume Controller, IBM Storwize V7000, IBM Storwize V5000 and V5100, IBM Storwize V5000E, IBM Spectrum Virtualize Software, IBM Spectrum Virtualize for Public Cloud, IBM FlashSystem V9000, IBM FlashSystem 9500, IBM FlashSystem 9100 Family, IBM FlashSystem 9200, IBM FlashSystem 7300, IBM FlashSystem 7200, IBM FlashSystem 5200 and IBM FlashSystem 5000 to the following code levels or higher:

8.5.2.0

8.5.0.6

8.4.0.9

8.3.1.9

8.2.1.16

7.8.1.16

Latest IBM SAN Volume Controller Code  
Latest IBM Storwize V7000 Code  
Latest IBM Storwize V5000 and V5100 Code  
Latest IBM Storwize V5000E Code  
Latest IBM FlashSystem V9000 Code  
Latest IBM FlashSystem 9500 Code  
Latest IBM FlashSystem 9100 Family Code  
Latest IBM FlashSystem 9200 Code  
Latest IBM FlashSystem 7300 Code  
Latest IBM FlashSystem 7200 Code  
Latest IBM FlashSystem 5000 and 5200 Code  
Latest IBM Spectrum Virtualize Software  
Latest IBM Spectrum Virtualize for Public Cloud

After upgrading to a fixed code level, the following steps should be taken if you have enabled the IP Quorum feature:

*   Request a new system certificate
*   Redeploy the IP Quorum app

The recommendation to replace the system certificate applies regardless of whether the current certificate is self-signed or signed by a certificate authority.

**Workarounds and Mitigations**

If you are unable to immediately upgrade, the following options are available to mitigate this issue if you have enabled the IP Quorum feature:

Option 1: Stop using IP Quorum until you are able to upgrade to a fixed code level

*   Disable IP quorum
*   Request a new system certificate

Note that this can have detrimental affects on a number of features including HyperSwap.

Option 2: Continue using IP Quorum but redeploy the app and strictly control access to the JAR file

*   Request a new system certificate
*   Generate and download a new IP Quorum app JAR file
*   Immediately delete the JAR file from the system once it has been downloaded (navigate to Settings > Support Package in the management GUI and click "Delete Logs", then search for **ip\_quorum.jar**).
*   Restrict permissions on the JAR file so that it can only be read or executed by a trusted administrator.
*   Impose strict access controls on the server the IP Quorum app is running on
*   Copy the JAR file to the servers that are designated for running the IP Quorum app and deploy the new version

Note that the IP Quorum JAR file is the root cause of this security exposure, so must be carefully protected at all time.

**References**

Off

**Acknowledgement**

**Change History**

20 Sep 2022: Initial Publication

\*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

**Disclaimer**

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

**Document Location**

Worldwide

\[{"Business Unit":{"code":"BU054","label":"Systems w\\/TPS"},"Product":{"code":"STHGUJ","label":"IBM Storwize V5000 and V5100"},"Component":"","Platform":\[{"code":"PF004","label":"Appliance"}\],"Version":"8.5, 8.4, 8.3, 8.2, 7.8","Edition":""},{"Business Unit":{"code":"BU054","label":"Systems w\\/TPS"},"Product":{"code":"STSLR9","label":"IBM FlashSystem 9100"},"Component":"","Platform":\[{"code":"PF004","label":"Appliance"}\],"Version":"8.5, 8.4, 8.3, 8.2, 7.8","Edition":"","Line of Business":{"code":"LOB26","label":"Storage"}},{"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\\/TPS"},"Product":{"code":"ST3FS7","label":"IBM FlashSystem 9200"},"Component":"","Platform":\[{"code":"PF004","label":"Appliance"}\],"Version":"8.5, 8.4, 8.3, 8.2, 7.8","Edition":"","Line of Business":{"code":"LOB26","label":"Storage"}},{"Business Unit":{"code":"BU054","label":"Systems w\\/TPS"},"Product":{"code":"STKMQV","label":"IBM FlashSystem V9000"},"Component":"","Platform":\[{"code":"PF004","label":"Appliance"}\],"Version":"8.5, 8.4, 8.3, 8.2, 7.8","Edition":"","Line of Business":{"code":"LOB26","label":"Storage"}},{"Business Unit":{"code":"BU054","label":"Systems w\\/TPS"},"Product":{"code":"ST3FR9","label":"IBM FlashSystem 5000"},"Component":"","Platform":\[{"code":"PF004","label":"Appliance"}\],"Version":"8.5, 8.4, 8.3, 8.2, 7.8","Edition":"","Line of Business":{"code":"LOB26","label":"Storage"}},{"Business Unit":{"code":"BU010","label":"Systems - Storage"},"Product":{"code":"SSVMX8","label":"IBM Spectrum Virtualize for Public Cloud"},"Component":"","Platform":\[{"code":"PF004","label":"Appliance"}\],"Version":"8.5, 8.4, 8.3, 8.2, 7.8","Edition":""},{"Business Unit":{"code":"BU054","label":"Systems w\\/TPS"},"Product":{"code":"STHGUL","label":"IBM Storwize V5000E"},"Component":"","Platform":\[{"code":"PF004","label":"Appliance"}\],"Version":"8.5, 8.4, 8.3, 8.2, 7.8","Edition":""},{"Business Unit":{"code":"BU054","label":"Systems w\\/TPS"},"Product":{"code":"ST3FR3","label":"IBM FlashSystem 7200"},"Component":"","Platform":\[{"code":"PF004","label":"Appliance"}\],"Version":"8.5, 8.4, 8.3, 8.2, 7.8","Edition":"","Line of Business":{"code":"LOB26","label":"Storage"}},{"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\\/TPS"},"Product":{"code":"STPVGU","label":"SAN Volume Controller"},"Component":"","Platform":\[{"code":"PF004","label":"Appliance"}\],"Version":"8.5, 8.4, 8.3, 8.2, 7.8","Edition":"","Line of Business":{"code":"LOB26","label":"Storage"}},{"Business Unit":{"code":"BU054","label":"Systems w\\/TPS"},"Product":{"code":"ST3FR7","label":"IBM Storwize V7000 (2076)"},"Component":"","Platform":\[{"code":"PF004","label":"Appliance"}\],"Version":"8.5, 8.4, 8.3, 8.2, 7.8","Edition":""},{"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\\/TPS"},"Product":{"code":"SSV1DQD","label":"IBM FlashSystem 7300"},"Component":"","Platform":\[{"code":"PF004","label":"Appliance"}\],"Version":"8.5, 8.4, 8.3, 8.2, 7.8","Edition":"","Line of Business":{"code":"LOB26","label":"Storage"}},{"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\\/TPS"},"Product":{"code":"SSRFRYE","label":"IBM FlashSystem 9500"},"Component":"","Platform":\[{"code":"PF004","label":"Appliance"}\],"Version":"8.5, 8.4, 8.3, 8.2, 7.8","Edition":"","Line of Business":{"code":"LOB26","label":"Storage"}},{"Business Unit":{"code":"BU010","label":"Systems - Storage"},"Product":{"code":"STVLF4","label":"IBM Spectrum Virtualize as Software Only"},"Component":"","Platform":\[{"code":"PF004","label":"Appliance"}\],"Version":"8.5, 8.4, 8.3, 8.2, 7.8","Edition":""}\]

CVE-2022-39167: Security Bulletin: Vulnerability in IP Quorum affects IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products

Six payouts issued for bugs uncovered in Theia, Vertex AI, Compute Engine, and Cloud Workstations

Six payouts issued for bugs uncovered in Theia, Vertex AI, Compute Engine, and Cloud Workstations

Vulnerabilities in four Google Cloud Platform (GCP) projects have earned a pair of security researchers more than $22,000 in bug bounties.

The most lucrative project for hacker duo Sreeram KL and Sivanesh Ashok was machine learning training and deployment platform Vertex AI, which netted them a pair of $5,000 payouts for a server-side request forgery (SSRF) bug and subsequent patch bypass.

Documented in a blog post by Sreeram, the flaw resided in Vertex AI’s workbench feature, which enables the creation of Jupyter notebook-based development environments on the cloud.

By abusing the SSRF vulnerability and duping victims into clicking a malicious URL, attackers could potentially seize control of an authorization token and thereafter all of the victim’s GCP projects, as demonstrated in the video below.

  
**SSRF bug**

When the researchers found a URL that seemed to offer scope for SSRF, “requesting the original URL resulted in a response that looked like the output of an authenticated request sent to compute.googleapis.com,” said Sreeram. “From previous experience, I know these endpoints use the authorization header for credentials.”

Fuzzing surfaced a URL – https://{INSTANCE-ID}-dot-us-central1.notebooks.googleusercontent.com/aipn/v2/proxy/{attacker.com}/compute.googleapis.com/ – that bypassed this check, said Sreeram. “Furthermore, the vulnerable endpoint was a request with no CSRF protection (pretty common),” said Sreeram.

YOU MIGHT ALSO LIKE US government announces third Hack The Pentagon challenge

As for finding attack targets, a victim’s subdomain is readily ascertained because subdomains are leaked to several third-party domains, such as github.com, “via referer in the general application flow”.

Google addressed the issue by adding cross-site request forgery (CSRF) protection to the endpoints and improving verification of the domain.

**Patch bypass**

After the fix was rolled out, however, Sreeram and Ashok noticed that changing compute.googleapis.com to something.google.com failed to trigger an error as it had previously.

Circumventing the fix therefore needed an open redirection in \*.google.com, they surmised.

With JavaScript-based redirections not an option – since the server didn’t parse the language – they turned to Google web feed management service FeedBurner. The researchers found that when the user deactivates the proxy, the service will redirect URLs to their domain rather than proxying their RSS feed.

The exploit concluded with a CSRF bypass that leveraged a technique developed in 2020 by ‘@s1r1us’ targeting Jupyter Lab.

The second fix involved ending support for \*.google.com as a proxy URL.

“While finding this issue, we gained insight into the workings of managed GCP products, which helped us find other bugs in GCP,” Sreeram told The Daily Swig.

  
**Theia, Compute Engine, Workstations bugs**

This included exploiting the workbench feature again in Theia, the integrated development environment (IDE) Google uses in Cloud Shell, as disclosed in a separate blog post published by Sreeram.

Because user-managed instances used the project’s default compute engine service account, the research duo were able to compromise the entire project by exploiting a known XSS vulnerability (CVE-2021-41038) to fetch the service account token from the metadata server. This earned the pair a further $3133.70 bounty.

Catch up with the latest bug bounty news

The first security flaw they found in GCP, as documented by Ashok, was an SSH key injection issue in Google Cloud’s Compute Engine.

Generating a $5,000 windfall with a $1,000 bounty bonus, the vulnerability resided in the SSH-in-browser function and could lead to remote code execution (RCE) in a victim’s Compute Engine instance (as demonstrated in the proof-of-concept video above).

The researchers also earned a further $3,133.70 for an authorization bypass in Cloud Workstations, which provides fully managed development environments for security-sensitive enterprises. Ashok outlined this find in a fourth blog post.

The pair earned a total of $22,267 from six separate bug bounty payouts.

The Daily Swig has invited Google to comment on these vulnerabilities but no response yet. We’ll update the article should that change.

DON’T FORGET TO READ Squaring the CircleCI: DevOps platform publishes post-mortem on recent breach

Tag

#ssrf