Les Bell

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories

Juniper Releases Advisory for Multiple Vulnerabilities in Junos OS

Networking device manufacturer Juniper has released an advisory dealing with multiple vulnerabilities in Junos OS on SRX Series and EX Series. The vulnerabilities are:

• CVE-2023-36844: A PHP external variable modification vulnerability allows an unauthenticated network attacker to control some important environment variables (CVSS 3.x score: 5.3)
• CVE-2023-36845: A PHP external variable modification vulnerability allows an unauthenticated network attacker to control some important environment variables (CVSS 3.x score: 5.3)
• CVE-2023-36846: A function level access control vulnerability allows an unauthenticated network attacker to compromise filesystem integrity and upload arbitrary files (CVSS 3.x score: 5.3)
• CVE-2023-36847: A function level access control vulnerability allows an unauthenticated network attacker to compromise filesystem integrity and upload arbitrary files (CVSS 3.x score: 5.3)
  

Individually, these vulnerabilities aren't too bad, but when chained, they escalate to allow unauthenticated remote code execution.

The vulnerabilities affect all versions of Junos OS on SRX Series prior to 20.4R3-S8 and Junos OS on EX Series prior to version 20.4R3-S8. Admins of affected systems should either patch immediately or disable J-Web.

Juniper Networks Inc., 2023-08 Out-of-Cycle Security Bulletin: Junos OS: SRX Series and EX Series: Multiple vulnerabilities in J-Web can be combined to allow a preAuth Remote Code Execution, support article, 17 August 2023. Available online at https://supportportal.juniper.net/s/article/2023-08-Out-of-Cycle-Security-Bulletin-Junos-OS-SRX-Series-and-EX-Series-Multiple-vulnerabilities-in-J-Web-can-be-combined-to-allow-a-preAuth-Remote-Code-Execution?language=en_US.

ESET Spots Zimbra Phishing Campaign

Security researchers at ESET have reported a mass phishing campaign intended to capture user account credentials for the Zimbra freemium collaboration platform. The campaign seems to be targeting SME and government users in Poland, followed by Ecuador and Italy; the threat actor behind the campaign remains unidentified.

Campaign targets receive emails which purport to be from a mail server administrator, advising of an upcoming change to the client login page. Attached is an HTML 'preview' of the new login page - customized with the name and logo of the target organization and pre-filled with the intended victim's email address - which the recipient is lured to open. Should they naively enter their passphrase, it will be submitted, by the HTML form, to a server controlled by the attackers.

The campaign is far from sophisticated, but it is far from the first to target budget-constrained organizations using Zimbra Collaboration, suggesting that such campaigns are generally successful.

Šperka, Viktor, Mass-spreading campaign targeting Zimbra users, blog post, 17 August 2023. Available online at https://www.welivesecurity.com/en/eset-research/mass-spreading-campaign-targeting-zimbra-users/.

WinRAR Vulnerability Leads to RCE

Zero Day Initiative researcher 'goodbyeselene' has disclosed a rather nasty vulnerability, CVE-2023-40477, in the popular WinRAR file archiving utility. The vulnerability, which has a CVSS 3.x score of 7.8, is in the code for processing recovery volumes, where a buffer overflow can allow an attacker to execute code in the context of the WinRAR process.

The result is that, by crafting a malicious archive file, or perhaps by luring a victim to a malicious web page, an attacker can achieve a remote code execution attack. The vulnerability was fixed in WinRAR 6.23, which was released on 2 August 2023.

Zero Day Initiative, RARLAB WinRAR Recovery Volume Improper Validation of Array Index Remote Code Execution Vulnerability, security advisory, 17 August 2023. Available online at https://www.zerodayinitiative.com/advisories/ZDI-23-1152/.

BEC Attack Costs Home Buyers Their Life Savings

Finally, a salutary tale for those engaged in large personal purchases - which usually means cars and real estate. Business email compromise actors continue to attack these large transfers, and the results can be devastating.

A New South Wales couple were in the final stages of buying their first home, and had received an invoice from the conveyancer for the payment of their deposit. So they transferred the requested amount - and then heard nothing. When they investigated, they found that the account they had transferred their deposit to had been drained, and they had lost $A274,311.57. Their bank was able to recover only $A270.72.

“We were just emailing back and forth, and then we get an email saying, ‘This is the account you need to pay the money into’,” said the victim. “I had quite a reasonable relationship with the conveyancers. So I just didn’t think anything of it … It was getting close to completion.

“I just paid it. There was no warning to ring them before I pay.”

Unfortunately, the onus is on the customer to confirm the details of the destination bank account, and this should always be done out-of-band, by telephone or by using a funds transfer system that links the account to some other verification data.

Kelly, Cait, Gone in two transfers: the email scam that cost Australian homebuyers their life savings, The Guardian, 20 August 2023. Available online at https://www.theguardian.com/australia-news/2023/aug/20/australian-email-payment-redirection-scam.

These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.