Crying Out Cloud - May Newsletter

May's highlights: RCE in MOVEit Transfer, KeePass password extraction flaw, Azure API Management vulnerabilities, privilege escalation in Essential Addons for Elementor Plugin, path traversal vulnerability in GitLab, RCE vulnerability in ReportLab toolkit.

Over the last month, we've seen a couple of vulnerabilities pop up and some users have felt the impact of security incidents. We know you're busy too, so we've sifted through the noise to bring you the real game-changers, no fluff attached.

Without further ado, here are our handpicked cloud security highlights! 

✨ Highlights

RCE 0-day vulnerability in MOVEit Transfer exploited in the wild 

On May 31, 2023, Progress published details of an RCE 0-day vulnerability being exploited in the wild in MOVEit Transfer (CVE-2023-34362), a Windows-Server-based managed file transfer (MFT) service. Users are urgently advised to patch to the fixed version. While our own data shows MOVEit Transfer can be found in less than 1% of cloud environments, based on other reports, most publicly exposed instances of this software are evidently hosted in the cloud, particularly in Azure.

Refer to our blogpost to learn more.

🐞 High Profile Vulnerabilities

Exploitable and unpatched KeePass vulnerability 

A vulnerability in password manager KeePass (CVE-2023-32784) enables the extraction of the master password from the application's memory, allowing attackers with existing access to a vulnerable machine to retrieve the password, even when the database is locked.  
A proof of concept (PoC) was published on May 18, 2023, and a patch was included in version 2.54.0, which was only released on June 4, 2023. Based on our data, KeePass can be found in around 13% of cloud environments, but it’s rarely found on publicly exposed workloads. However, with a public PoC available and the delayed patch release, we expect this vulnerability to be a prime post-exploitation target for threat actors aiming for credential compromise in cloud environments.

Learn more in our blogpost.

Azure API management vulnerabilities

Microsoft patched three vulnerabilities in Azure API Management that could have allowed attackers to access sensitive data within internal Azure services, theoretically enabling attackers to mount further attacks with greater impact. All three vulnerabilities have been fully patched and remediated by Microsoft, but customers using the self-hosted Azure API Management developer portal should update to the latest version, as they may be impacted as well. Based on our own research, the root cause of one of these vulnerabilities was most likely a path traversal bug in PaperBits, a dependency of Azure API Management Developer Portal, which means that other projects utilizing PaperBits may be susceptible to a similar issue. 

Refer to the report to learn more. 

Critical Privilege Escalation in Essential Addons for Elementor Plugin

A critical privilege escalation vulnerability has been found in the Essential Addons for Elementor plugin (CVE-2023-32243), which is used by over 1 million WordPress sites. The vulnerability allows an unauthenticated attacker to reset the password of any user, including the administrator, which could allow the attacker to take full control of the site. The vulnerability has been fixed in the latest version of the plugin (5.7.2). 

Refer to the report to learn more. 

Critical path traversal vulnerability in GitLab

A critical vulnerability was discovered in GitLab (CVE-2023-2825), which received the maximum CVSS score of 10. In vulnerable instances, when there is an attachment in a public project nested within a minimum of five groups (in other words, if the project is in a folder, which is itself in a folder, and so on, at least five times), an unauthenticated attacker can exploit a path traversal issue, resulting in the ability to read arbitrary files on the server. It is recommended to patch vulnerable GitLab instances urgently. However, since this vulnerability only exists in a single minor version of the newest major version of GitLab (16.0.0), vulnerable instances are expected to be quite rare, and our own data supports this. 

Refer to the report to learn more. 

RCE vulnerability in ReportLab toolkit

On May 31, 2023, a proof-of-concept (PoC) exploit was published for an RCE vulnerability in ReportLab toolkit (CVE-2023-33733), a popular Python library for converting HTML to PDF. Developers using this library or users of applications incorporating it should patch to the latest version. According to Wiz data, 10% of cloud environments have instances vulnerable to CVE-2023-33733.  

Refer to the exploit repository to learn more.  

🔓 Security Incidents

GUI-Vil: Financially Motivated Cloud Threat Actor

GUI-vil is a financially motivated threat group from Indonesia that specializes in unauthorized cryptocurrency mining. The group gains access to AWS EC2 instances by using compromised credentials. Once they have access, they install cryptocurrency mining software on the instances. GUI-vil has been observed targeting a variety of industries, including healthcare, finance, and government. 

Refer to the report to learn more.

Gaining Access to Private GitHub Repositories using Dependabot

An issue was discovered in Dependabot, a tool that helps developers keep their dependencies up to date. The bug allowed an attacker to gain access to a private GitHub repository by creating a malicious pull request that would be automatically merged by Dependabot. 

Refer to the report to learn more. 

GuardDuty Finding Issue

A bypass was discovered in Amazon GuardDuty that allowed an attacker to grant public access to an S3 bucket without triggering a GuardDuty alert. The vulnerability could be exploited when the S3 bucket policy was updated with a new policy that included both an "Allow" for "Principal": "*" or "Principal": {"AWS": "*"} in one statement (making the bucket public) and also a "Deny" for "Action": "s3:GetBucketPublicAccessBlock" in another. This prevented GuardDuty from checking the bucket configuration to determine if it was publicly accessible. This issue has since been fixed.

Refer to the report to learn more. 
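A defender-side check for the policy shape described above, as an added example that is not part of the original newsletter or of any AWS tooling: it flags a bucket policy that combines a wildcard-principal Allow with a Deny covering s3:GetBucketPublicAccessBlock. The function names, finding labels, bucket name and account ID are constructed for illustration, and Condition blocks are deliberately ignored.

```python
import json
from fnmatch import fnmatchcase

# Action whose denial the item above describes (lower-cased for matching).
TARGET_ACTION = "s3:getbucketpublicaccessblock"

def _as_list(value):
    """Policy fields may hold one value or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _is_wildcard_principal(principal):
    """True for "Principal": "*" and "Principal": {"AWS": "*"} (or a list holding "*")."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))

def _denies_target(statement):
    """True if the statement's Action, literal or wildcard, covers TARGET_ACTION."""
    return any(fnmatchcase(TARGET_ACTION, str(a).lower())
               for a in _as_list(statement.get("Action")))

def check_bucket_policy(policy_text):
    """Return findings for one bucket policy document given as JSON text."""
    statements = _as_list(json.loads(policy_text).get("Statement"))
    # Simplification: Condition blocks are ignored, so a conditioned Allow is still flagged.
    public = any(s.get("Effect") == "Allow" and _is_wildcard_principal(s.get("Principal"))
                 for s in statements)
    deny = any(s.get("Effect") == "Deny" and _denies_target(s) for s in statements)
    findings = []
    if public:
        findings.append("public-allow")
    if deny:
        findings.append("deny-get-public-access-block")
    if public and deny:
        findings.append("combined-pattern")
    return findings

# Constructed sample policies; "example-bucket" is a placeholder name.
_ARN = "arn:aws:s3:::example-bucket"
SUSPICIOUS = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": ["*"]}, "Action": "s3:GetObject", "Resource": _ARN + "/*"},
    {"Effect": "Deny", "Principal": "*", "Action": ["s3:GetBucketPublic*"], "Resource": _ARN}]})
BENIGN = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
     "Action": "s3:GetObject", "Resource": _ARN + "/*"}]})

if __name__ == "__main__":
    print(check_bucket_policy(SUSPICIOUS), check_bucket_policy(BENIGN))
```

The same function can be run over the policy document carried in recorded PutBucketPolicy events, so the combination is reviewed independently of any single detection service.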

SIM Swapping and Abuse of the Microsoft Azure Serial Console

Mandiant identified an attacker group dubbed UNC3944 that was abusing the Microsoft Azure Serial Console to install third-party remote management software on Azure VMs. This method of attack allowed the threat actor to gain full administrative access to the VM without being detected by traditional Azure security measures. Mandiant has also observed this group using their access to a highly privileged Azure account to leverage Azure Extensions for reconnaissance purposes. Serial port abuse has previously been discussed by Mitiga as a method of exfiltrating data from compromised VMs in GCP using the getSerialPortOutput API call. Cloud customers concerned about either of these techniques should consider disabling serial port access to VMs in their environment.

Refer to the report to learn more. 

Want to test your cloud security knowledge? Try The Big IAM Challenge!

The Big IAM Challenge is a cloud security Capture the Flag (CTF) challenge organized by Wiz. It consists of five steps, each focusing on a different IAM configuration mistake commonly made in various AWS services. Participants are tasked with identifying and exploiting these mistakes to progress through the challenge.

Victors attending fwd:cloudsec 2023 or AWS re:inforce 2023, swing by our booth to claim your prize!

Hold on to your headphones!

Tune in to "Crying Out Cloud", our monthly cloud security news roundup podcast! Hosted by the talented duo Eden Naftali and Amitai Cohen 👏

Listen on Spotify and Apple Podcasts.