Weekly in Security 202229

2022-07-18 to 2022-07-26

3 min read - 526 words

Introduction

Weekly in Security is a summary of the cybersecurity news from the past week. This post covers 2022-07-18 to 2022-07-25.

Vulnerabilities

CVE-2022-26138 - Hardcoded account in Questions For Confluence app

Atlassian released a security advisory on 2022-07-20. The Confluence app Questions for Confluence creates the user disabledsystemuser with a hardcoded password. The presumably disabled user is added to the confluence-users group. As such, the account is able to log in and access non-restricted pages by default. And the story gets more exciting. The account's contact address is dontdeletethisuser(at)email.com. That domain belongs to the freemailer mail.com. The first one to notice this was 4chr4f2, who also registered the respective mail account. He subsequently received all the relevant mails for the hardcoded account. The affected app is developed by Atlassian themselves.
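An added example (not from the newsletter or from Atlassian) of how a Confluence administrator could check whether the hardcoded account exists and is still a member of confluence-users. It assumes the Confluence Server/Data Center REST endpoints `/rest/api/user` and `/rest/api/user/memberof` and an `Authorization` header value supplied by the caller; the sample responses in the `__main__` block are constructed.

```python
import json
import urllib.error
import urllib.request
from urllib.parse import urlencode

# Account and group named in the advisory summarised above.
SUSPECT_USER = "disabledsystemuser"
SENSITIVE_GROUPS = {"confluence-users"}


def fetch_json(base_url, path, params, auth_header):
    """Fetch one Confluence REST resource as JSON.
    The endpoint paths used by the caller are an assumption about the
    Confluence Server/Data Center REST API."""
    url = f"{base_url.rstrip('/')}{path}?{urlencode(params)}"
    req = urllib.request.Request(url, headers={"Authorization": auth_header})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)


def assess_account(user_info, memberof):
    """Classify the finding.
    user_info: the user resource, or None when the lookup returned 404.
    memberof:  the 'memberof' resource listing the user's groups."""
    if user_info is None:
        return {"present": False, "groups": [], "risk": "none"}
    groups = sorted(g["name"] for g in memberof.get("results", []))
    # Membership in confluence-users is what lets the account log in.
    risk = "high" if SENSITIVE_GROUPS & set(groups) else "low"
    return {"present": True, "groups": groups, "risk": risk}


def check_confluence(base_url, auth_header):
    """Query a live instance and return the assessment dict."""
    try:
        user = fetch_json(base_url, "/rest/api/user",
                          {"username": SUSPECT_USER}, auth_header)
    except urllib.error.HTTPError as err:
        if err.code == 404:          # account does not exist
            return assess_account(None, {})
        raise
    groups = fetch_json(base_url, "/rest/api/user/memberof",
                        {"username": SUSPECT_USER}, auth_header)
    return assess_account(user, groups)


if __name__ == "__main__":
    # Constructed sample responses, not captured from a real instance.
    sample_user = {"username": SUSPECT_USER, "displayName": "Disabled User"}
    sample_groups = {"results": [{"type": "group", "name": "confluence-users"}]}
    print(assess_account(sample_user, sample_groups))
```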

Technical Reads

Gitlab Project Import RCE Analysis (CVE-2022-2185)

The article by STAR Labs provides a detailed analysis of the post-auth RCE bug with CVSS 9.9. It is a good guide from the initial advisory to a working PoC.

CVE-2022-34918 - A crack in the Linux firewall

During his internship at RandoriSec, Arthur Mongodin investigated the kernel component netfilter. He discovered a weird comparison that does not fully protect a copy within a buffer. It led to a heap buffer overflow that was exploited to obtain root privileges on Ubuntu 22 with kernel 5.15.0-39-generic. The source code of the exploit is available on RandoriSec's GitHub.

Candiru exploiting CVE-2022-2294

Avast Threat Labs provides some context to the recently patched CVE-2022-2294 in Google Chrome. The vulnerability was a memory corruption in WebRTC and was patched on 2022-07-04. The team observed exploitation attempts in the Middle East. Based on the TTPs, the campaign is attributed to Candiru. The threat actor was investigated by Citizen Lab and Microsoft in July 2021. After the disclosure they laid low and updated their toolset.

Golang malware update

Avast Threat Labs provides an overview of recently observed Golang-based malware. Multiplatform support and the relative ease of development in Golang promote its use for malicious purposes as well. This is further supported by an ever increasing number of open-source tools on GitHub that are sometimes reused by different threat actors.

Tools

Affinis

Affinis is a Recurrent Neural Network SubDomain Discovery Tool. Affinis aims to find undiscovered or forgotten subdomains through the use of Natural Language Processing and the Keras LSTM RNN API.

Cervantes

Cervantes is an open-source collaborative platform for pentesters and red teams who want to save time by managing their projects, clients, vulnerabilities and reports in one place.