Fortinet FortiGate VPN credentials leak / The newest 0-days: Office 365, and Ghostscript

Welcome to Security Center – our weekly update on the most devastating cyberattacks, high-severity vulnerabilities, and biggest data leaks – precisely selected by our editors.

Don’t miss it out! Sign up now and have it delivered to your inbox each Monday to start a week safe and sound. Additionally, you will receive a portion of the hottest company news and access to selected technical articles written by our experts with advice and tricks for more effective protection of your IT infrastructure.

In the meantime, let’s check what happened in the cyber-world last week.

87k Fortinet FortiGate VPN account password leaked on a hacker forum

Leaked credentials (login names and passwords) were obtained from systems that remained unpatched against CVE-2018-13379 at the time of the hacker’s scan. The flaw relates to a path traversal vulnerability in the FortiOS SSL VPN web portal, which allows unauthenticated attackers to read arbitrary system files, including the session file, which contains usernames and passwords stored in plaintext. Although the bug was rectified in May 2019 it has been repeatedly exploited by multiple adversaries over the years. The CVE-2018-13379 even emerged as one of the top-most exploited flaws in 2020.

In light of the leak, Fortinet is recommending companies to immediately disable all VPNs, upgrade the devices to FortiOS 5.4.13, 5.6.14, 6.0.11, or 6.2.8 and above followed by initiating an organization-wide password reset. The vendor is also warning that some organizations may remain vulnerable post-upgrade if users’ credentials were previously compromised, while the passwords were not reset.

Read more

Microsoft shares temporary fix for ongoing Office 365 0-day attacks

Microsoft shared mitigation for a remote code execution vulnerability in Windows that is being exploited in targeted attacks against Office 365 and Office 2019 on Windows 10. Identified as CVE-2021-40444 the flaw is in MSHTML, the browser rendering engine that is also used by Microsoft Office documents. An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine. The attacker would then have to convince the user to open the malicious document. However, the attack is thwarted if Microsoft Office runs with the default configuration, where documents from the web are opened in Protected View mode or Application Guard for Office 365.

As there is no security update available at this time, Microsoft has provided the workaround. Company issues users to disable the installation of all ActiveX controls in Internet Explorer. Users should use the provided .reg extension and execute it to apply it to the Policy hive. After a system reboot, the new configuration should be applied.

Read more

New Ghostscript zero-day could completely compromise your server (PoC exploit)

Ghostscript is a suite of software based on an interpreter for Adobe Systems’ PostScript and Portable Document Format (PDF) page description languages. Its main purposes are the rasterization or rendering of such page description language files, for the display or printing of document pages, and the conversion between PostScript and PDF files. The library is widely used by many servers that leverage it for image conversion and is used as part of the file upload processing application, such as ImageMagick.

The vulnerability is a remote code execution (RCE) issue that could allow an attacker to completely compromise a server. It could be exploited by an attacker by uploading a malformed SVG file that runs malicious code on the underlying operating system.

Read more

More IT security must-reads

  1. Netgear Smart Switches Open to Complete Takeover (Threat Post)
  2. A server of the Jenkins project hacked by exploiting a Confluence flaw (Security Affairs
  3. Yandex is battling the largest DDoS in Russian Internet history (Bleeping Computer)
  4. GitHub tackles severe vulnerabilities in Node.js packages (ZDNet)
  5. Zoho warns of zero-day authentication bypass flaw actively exploited (Security Affairs)
  6. Microsoft Warns of Cross-Account Takeover Bug in Azure Container Instances (The Hacker News)