Bugs in VMware vRealize Operations platform make RCE and admin credential theft possible

Welcome to the next episode of the Xopero Security Center. Stealing admin credentials, or gaining access to a platform that manages IT operations across cloud deployments and lets admins monitor the health and capacity of their virtual environments, would be a serious security breach. Both of these black scenarios become more than possible thanks to two newly discovered [and patched] vulnerabilities in the VMware vRealize Operations platform. How severe is this new threat? To find out, read the whole post below.

Two severe vulnerabilities in VMware’s vRealize Operations platform could lead to RCE and admin credential theft

VMware has published security updates to address high-severity vulnerabilities that impact vRealize Operations, VMware Cloud Foundation, and vRealize Suite Lifecycle Manager. Left unpatched, they could allow attackers who exploit vulnerable servers to steal admin credentials.

The first vulnerability, tracked as CVE-2021-21975, was found in the vRealize Operations Manager API. It is a server-side request forgery (SSRF) bug with a CVSS score of 8.6 out of 10. It permits threat actors with network access to perform SSRF attacks and steal administrator credentials.

The second bug, tracked as CVE-2021-21983 with a CVSS score of 7.2, was also discovered in the vRealize Operations Manager API. Exploiting it requires the attacker to be authenticated and to have network access (and the first vulnerability could provide exactly that). Once those conditions are met, the bug permits attackers to write files to arbitrary locations on the underlying Photon OS.

What is at stake?

– Pre-auth remote code execution and theft of admin credentials. Attackers can exploit the vulnerability remotely, without authentication or user interaction and with low attack complexity, to steal administrative credentials. Patches are already available, but VMware has also published workaround instructions for admins who don’t want to or can’t patch vulnerable servers immediately – there is also a possibility that no patch exists for their version. Detailed instructions are available in the vendor’s Knowledge Base.


PHP’s Git server hacked to add backdoors to source code and obtain RCE

The official PHP Git server has been compromised in a potential attempt to implant malware in the PHP project’s code base. Two malicious commits were pushed to the php-src Git repository maintained by the PHP team on their git.php.net server.

These commits were signed off as if they had been made by known PHP developers and maintainers Rasmus Lerdorf and Nikita Popov, and were disguised as fixes for simple typographical errors.

However, on the added line 370, where the zend_eval_string function is called, the code actually plants a backdoor that gives easy Remote Code Execution (RCE) on any website running this hijacked version of PHP.

Popov said the development team is not sure exactly how the attack took place. The clues indicate that the official git.php.net server was likely compromised, rather than individual Git accounts.

Additionally, the malicious commit was made in the name of PHP creator Rasmus Lerdorf. That is hardly surprising: with source code version control systems like Git, it is possible to sign off a commit locally as coming from anybody else and then push the spoofed commit to the remote Git server, where it appears as if it had indeed been signed off by the person named on it.
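The reason the spoof works is that Git’s author and committer headers are plain text chosen by whoever runs `git commit`; the server stores whatever it receives. The only evidence of identity a server can check is a cryptographic signature (the `gpgsig` header), and a `Signed-off-by:` trailer in the message is not one. The following script is an added example, not code from the PHP project or the original post: it parses raw commit objects in the format printed by `git cat-file -p`, and flags commits attributed to a maintainer roster that carry no `gpgsig` header. The maintainer e-mail addresses, hashes and both sample commits are constructed for the example; the script checks only for the presence of a signature, leaving verification against real keys to `git verify-commit`.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Hypothetical maintainer roster (constructed e-mail addresses, not the PHP
# project's data): commits attributed to these people must carry a signature.
MAINTAINERS = {"maintainer@example.org", "second.maintainer@example.org"}

# Git identity header format: "Name <email> <unix-timestamp> <tz offset>"
IDENTITY_RE = re.compile(r"^(?P<name>.*?) <(?P<email>[^>]*)> (?P<ts>\d+) (?P<tz>[+-]\d{4})$")


@dataclass
class Commit:
    sha: str
    headers: Dict[str, str]  # tree, parent, author, committer, gpgsig, ...
    message: str


def parse_commit_object(sha: str, raw: str) -> Commit:
    """Parse a raw commit object as printed by `git cat-file -p <sha>`.
    Headers end at the first blank line; a multi-line header value (gpgsig)
    continues on lines starting with one space. Merge commits repeat `parent`;
    only the last is kept because the audit below does not use parents."""
    headers: Dict[str, str] = {}
    lines = raw.split("\n")
    current = None
    idx = 0
    for idx, line in enumerate(lines):
        if line == "":
            break
        if line.startswith(" ") and current is not None:
            headers[current] += "\n" + line[1:]
        else:
            current, _, value = line.partition(" ")
            headers[current] = value
    return Commit(sha=sha, headers=headers, message="\n".join(lines[idx + 1:]))


def identity_email(identity_line: str) -> str:
    m = IDENTITY_RE.match(identity_line)
    return m.group("email") if m else ""


def audit_commit(commit: Commit, maintainers=MAINTAINERS) -> List[str]:
    """Return policy findings for one commit (an empty list means it passes).
    author/committer are free text anyone can set with `git -c user.email=...`,
    so only a signature is evidence of identity. This checks that a gpgsig
    header is PRESENT; `git verify-commit` does the real verification."""
    findings = []
    author = identity_email(commit.headers.get("author", ""))
    committer = identity_email(commit.headers.get("committer", ""))
    has_gpgsig = "gpgsig" in commit.headers
    # "Signed-off-by:" is DCO bookkeeping in the message body, not a signature.
    has_signoff = bool(re.search(r"^Signed-off-by: ", commit.message, re.MULTILINE))
    if author in maintainers and not has_gpgsig:
        msg = f"unsigned commit attributed to maintainer {author}"
        if has_signoff:
            msg += " (Signed-off-by trailer present, but that is not a signature)"
        findings.append(msg)
    if author and committer and author != committer:
        findings.append(f"author {author} differs from committer {committer}")
    return findings


def audit_objects(objects: Dict[str, str], maintainers=MAINTAINERS) -> Dict[str, List[str]]:
    """Audit several raw commit objects keyed by sha; returns sha -> findings."""
    return {sha: audit_commit(parse_commit_object(sha, raw), maintainers)
            for sha, raw in objects.items()}


# Constructed samples (placeholder parent hash; the tree hash is Git's
# well-known empty tree). SPOOFED imitates a "typo fix" pushed under a
# maintainer's name with no signature; SIGNED carries a gpgsig header whose
# body is a fake placeholder, not a real PGP signature.
SPOOFED = (
    "tree 4b825dc642cb6eb9a060e54bf8d69288fbee4904\n"
    "parent 0000000000000000000000000000000000000000\n"
    "author Maintainer One <maintainer@example.org> 1617000000 +0200\n"
    "committer Maintainer One <maintainer@example.org> 1617000000 +0200\n"
    "\n"
    "Fix typo\n"
    "\n"
    "Signed-off-by: Maintainer One <maintainer@example.org>\n"
)
SIGNED = (
    "tree 4b825dc642cb6eb9a060e54bf8d69288fbee4904\n"
    "parent 0000000000000000000000000000000000000000\n"
    "author Maintainer One <maintainer@example.org> 1617000100 +0200\n"
    "committer Maintainer One <maintainer@example.org> 1617000100 +0200\n"
    "gpgsig -----BEGIN PGP SIGNATURE-----\n"
    " \n"
    " iQIzBAABCAAdFiEEthisIsAPlaceholderNotARealSignature=\n"
    " -----END PGP SIGNATURE-----\n"
    "\n"
    "Fix typo (genuine)\n"
)

if __name__ == "__main__":
    for sha, findings in audit_objects({"aaaa": SPOOFED, "bbbb": SIGNED}).items():
        print(sha, findings or "OK")
```

In a real pipeline the raw objects would come from `git cat-file -p` for each commit in a pushed range, and the same presence check belongs on the server side as a pre-receive hook or branch-protection rule requiring signed commits, so that a spoofed author name alone can never land on a protected branch.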

Luckily, the commits were detected and reverted before they made it downstream or impacted users. The incident is nevertheless alarming, considering that PHP remains the server-side programming language powering over 79% of websites on the Internet.

An investigation into the security incident is now underway. The development team has also decided to move permanently to GitHub.

Sources: 1 | 2

Two new Linux vulnerabilities could let attackers extract sensitive information from kernel memory

Two new vulnerabilities – tracked as CVE-2020-27170 and CVE-2020-27171 – impact all Linux kernels prior to 5.11.8. If successfully exploited, they could let attackers circumvent mitigations for speculative-execution attacks such as Spectre and obtain sensitive information from kernel memory.

While CVE-2020-27170 can be abused to reveal content from any location within the kernel memory, CVE-2020-27171 can be used to retrieve data from a 4GB range of kernel memory.

The new vulnerabilities, uncovered by Piotr Krysiuk of Symantec’s Threat Hunter team, get around the kernel’s Spectre/Meltdown mitigations by taking advantage of Linux’s support for extended Berkeley Packet Filters (eBPF) to extract the contents of kernel memory. Specifically, the kernel’s BPF verifier (“kernel/bpf/verifier.c”) was found to perform undesirable out-of-bounds speculation on pointer arithmetic, thus defeating the Spectre fixes and opening the door to side-channel attacks.

Unprivileged users could leverage these weaknesses to gain access to secrets belonging to other users sharing the same vulnerable machine. If attackers gain a foothold on an exploitable machine, for example by getting malware downloaded onto it to achieve remote access, this could also allow them to gain access to all user profiles on the machine.

Official patches have been available since March 20th. Ubuntu, Debian, and Red Hat have deployed fixes in their respective Linux distributions as well.
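Because the attack surface is eBPF programs loaded by unprivileged users, a quick exposure check has two parts: is the running kernel older than the fixed upstream release named above, and may unprivileged users load BPF at all (the `kernel.unprivileged_bpf_disabled` sysctl). The script below is an added example, not from the article or any distribution; the 5.11.8 threshold comes from the article, the sysctl is a standard Linux knob, and the `assess` logic (exposed only if both conditions hold) is this example’s own assumption. One caveat a practitioner needs: distributions backport fixes under the same base version (Debian stays on 5.10.x, Ubuntu 20.04 on 5.4.x), so on a distro kernel the version comparison is a hint only and the distro advisory is authoritative.

```python
import platform
import re
from pathlib import Path
from typing import Dict, Optional, Tuple

# Upstream release carrying the fix, as stated in the article.
FIXED_UPSTREAM: Tuple[int, int, int] = (5, 11, 8)
SYSCTL_PATH = Path("/proc/sys/kernel/unprivileged_bpf_disabled")


def parse_kernel_release(release: str) -> Tuple[int, int, int]:
    """Turn a `uname -r` string such as '5.10.0-14-amd64' into (5, 10, 0).
    Distribution suffixes (-14-amd64, -arch1-1, .el8) are dropped; only the
    leading major.minor[.patch] triple is compared."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def upstream_version_affected(release: str) -> bool:
    """True when the upstream version number is below the fixed release.
    Caveat: distro kernels backport fixes without bumping this number, so
    for them the package changelog, not this comparison, is the source of
    truth."""
    return parse_kernel_release(release) < FIXED_UPSTREAM


def unprivileged_bpf_is_disabled(sysctl_value: str) -> bool:
    """Interpret kernel.unprivileged_bpf_disabled:
    0 = unprivileged users may load BPF programs (what these bugs need);
    1 = disabled and cannot be re-enabled without a reboot;
    2 = disabled, but a privileged admin may set it back to 0 (newer kernels)."""
    return sysctl_value.strip() in {"1", "2"}


def assess(release: str, sysctl_value: Optional[str]) -> Dict[str, object]:
    """Combine both observations into a small exposure report (example
    policy: exposed = old upstream version AND unprivileged BPF allowed)."""
    version_hint = upstream_version_affected(release)
    bpf_disabled = sysctl_value is not None and unprivileged_bpf_is_disabled(sysctl_value)
    return {
        "release": release,
        "upstream_version_below_fix": version_hint,
        "unprivileged_bpf_disabled": bpf_disabled,
        # Patching removes the bug; disabling unprivileged BPF removes the
        # attack surface and is worth keeping as defence in depth on hosts
        # shared with untrusted users.
        "exposed": version_hint and not bpf_disabled,
    }


def assess_live_system() -> Dict[str, object]:
    """Read the running kernel's release and the sysctl (Linux only; on other
    systems the sysctl file is absent and the version is meaningless)."""
    value = SYSCTL_PATH.read_text() if SYSCTL_PATH.exists() else None
    return assess(platform.release(), value)


if __name__ == "__main__":
    for key, val in assess_live_system().items():
        print(f"{key}: {val}")
```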


Docker Hub images downloaded 20M times spread cryptominers

At least 30 malicious publicly available images on Docker Hub, with a collective 20 million downloads, have been used to spread cryptomining malware. It is estimated that this operation brought its authors around $200,000.

Docker Hub is the largest library of container applications, allowing companies to share images internally or with their customers, or the developer community to distribute open-source projects.

Aviv Sasson, a researcher with Palo Alto Networks’ Unit 42, found that the images came from 10 different accounts. Some of them have names that clearly indicate their purpose, while others have misleading names like “proxy”, “ggcloud” or “docker”. Some of them were still available on Docker Hub at the time of writing.

In 90.3% of cases, the attackers’ operation mined Monero cryptocurrency, with XMRig being the favorite tool for the purpose. However, some operations mined Grin (GRIN) or ARO (Aronium) cryptocurrency instead.

Sasson found that the adversaries behind the malicious images applied tags to them; tags are a way to reference different versions of the same image. He theorized that the tags are used to match the appropriate version of the malware to the processor architecture or operating system on which it is downloaded. A common element across all the tags in an image is the wallet address or the mining pool credentials…
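That shared wallet or pool credential is exactly what a defender can pivot on when triaging images. The script below is an added example, not Unit 42’s tooling or anything from the article: it takes the `Cmd`, `Entrypoint` and `Env` fields from `docker inspect`-style config blocks for several tags of one image, extracts pool URLs (the `stratum+tcp://` / `stratum+ssl://` scheme used by XMRig-style miners), Monero-shaped wallet addresses (95 base58 characters starting with 4 or 8) and a few tell-tale miner flags, then groups tags by wallet. The wallet, pool hostname and tag configs are all constructed; the only real identifier is the `--donate-level` flag, which XMRig accepts.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, List

# Pool URL scheme used by XMRig-style miners, and the Monero address shape
# (95 base58 characters, first one 4 or 8). Both patterns are deliberately
# narrow: treat hits as leads for an analyst, not as proof.
POOL_URL_RE = re.compile(r"stratum\+(?:tcp|ssl)://[\w.-]+:\d{2,5}")
B58 = "1-9A-HJ-NP-Za-km-z"
MONERO_ADDR_RE = re.compile(rf"(?<![{B58}])[48][{B58}]{{94}}(?![{B58}])")
# A few command-line switches that rarely appear outside a miner's start-up line.
MINER_FLAGS = {"--donate-level", "--cpu-priority", "--randomx-1gb-pages", "--coin"}


def strings_of(config: Dict) -> Iterable[str]:
    """Yield every string from the Config fields where a miner's start-up
    parameters usually end up (fields may be None in `docker inspect` output)."""
    for key in ("Cmd", "Entrypoint", "Env"):
        for item in config.get(key) or []:
            yield item


def extract_indicators(config: Dict) -> Dict[str, List[str]]:
    """Pull pool URLs, wallet addresses and miner flags out of one config."""
    pools, wallets, flags = set(), set(), set()
    for s in strings_of(config):
        pools.update(POOL_URL_RE.findall(s))
        wallets.update(MONERO_ADDR_RE.findall(s))
        flag = s.split("=", 1)[0]  # "--donate-level=1" -> "--donate-level"
        if flag in MINER_FLAGS:
            flags.add(flag)
    return {"pools": sorted(pools), "wallets": sorted(wallets), "flags": sorted(flags)}


def correlate_tags(tag_configs: Dict[str, Dict]) -> Dict[str, List[str]]:
    """Map each wallet address to the tags embedding it. Several tags sharing
    one wallet is the pattern the article describes: per-architecture builds
    of the same miner, all paying the same operator."""
    by_wallet: Dict[str, List[str]] = defaultdict(list)
    for tag, config in tag_configs.items():
        for wallet in extract_indicators(config)["wallets"]:
            by_wallet[wallet].append(tag)
    return {w: sorted(tags) for w, tags in by_wallet.items()}


# Constructed sample: a fake wallet (valid shape, not a real address), a
# reserved .invalid pool hostname, and three made-up tags of one image.
FAKE_WALLET = "4" + "ABCDEFGHJK" * 9 + "LMNP"  # 95 base58 characters
TAG_CONFIGS = {
    "latest": {"Cmd": ["/usr/bin/xmrig", "-o", "stratum+tcp://pool.example.invalid:3333",
                       "-u", FAKE_WALLET, "-p", "x", "--donate-level=1"],
               "Entrypoint": None, "Env": ["PATH=/usr/bin"]},
    "arm64": {"Cmd": None, "Entrypoint": ["/entrypoint.sh"],
              "Env": ["POOL=stratum+ssl://pool.example.invalid:443", f"WALLET={FAKE_WALLET}"]},
    "proxy-1.0": {"Cmd": ["nginx", "-g", "daemon off;"], "Entrypoint": None,
                  "Env": ["PATH=/usr/bin"]},
}

if __name__ == "__main__":
    for tag, cfg in TAG_CONFIGS.items():
        print(tag, extract_indicators(cfg))
    print(correlate_tags(TAG_CONFIGS))
```

The config fields alone miss miners that read their wallet from a file baked into a layer or fetch it at runtime, so in practice this check is one signal next to layer-content scanning and outbound-connection monitoring for the pool ports. Its value is the grouping step: once two tags, or two images from different accounts, resolve to the same wallet, they can be treated as one campaign.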

It is very possible that those images are merely the tip of the iceberg, given that the cloud presents big opportunities for cryptojacking attacks.

Sources: 1 | 2

Do you have a thirst for knowledge? There are ten more cybersecurity stories below

1. Hades Ransomware Linked to Hafnium and Exchange Attacks (InfoSecurity)
2. Ubiquiti cyberattack may be far worse than originally disclosed (Bleeping Computer)
3. Exchange Server attacks: Run this Microsoft malware scanner now, CISA tells government agencies (ZDNet)
4. Hackers Using a Windows OS Feature to Evade Firewall and Gain Persistence (The Hacker News)
5. Malware hidden in game cheats and mods used to target gamers (Bleeping Computer)
6. Fake jQuery files infect WordPress sites with malware (Bleeping Computer)
7. Ziggy Ransomware Gang Offers Refunds to Victims (Threat Post)
8. Hacker claims stealing 8.2TB of MobiKwik data; leaks some online (Hack Read)
9. GitHub Arctic Vault captures leaked patient medical data for 1,000 years (ZDNet)
10. Android “System Update” malware steals photos, videos, GPS location (Malwarebytes LABS)