Crying Out Cloud - November Newsletter

Recent cloud security issues include critical vulnerabilities in Exim, exploits of Netscaler vulnerabilities, a breach at Okta, a disruptive DDoS technique, and campaigns targeting Jupyter Notebooks and PyPI packages.

The past month has brought a series of vulnerabilities and security incidents that affected a wide range of users. Amidst the noise, we've curated the most significant developments for you.

Here are our top picks of cloud security highlights!  

🐞 High Profile Vulnerabilities

Critical and high severity 0day vulnerabilities in Exim

Multiple vulnerabilities were disclosed in the Exim Mail Transfer Agent (MTA), including CVE-2023-42115, a critical flaw that lets unauthenticated attackers execute code remotely on publicly exposed Exim servers running a specific non-default configuration (the external SMTP authenticator). The root cause is improper validation of attacker-supplied data during SMTP AUTH handling, which leads to an out-of-bounds write past the end of a buffer.

According to Wiz data, although Exim is very prevalent, with 23% of cloud environments containing at least one instance, less than 1% of environments have publicly exposed resources vulnerable to CVE-2023-42115. 

Learn more in our blog.

Critical vulnerability in WS_FTP Server exploited in the wild

CVE-2023-40044 is a critical .NET deserialization vulnerability in the Ad Hoc Transfer module of Progress WS_FTP Server that allows unauthenticated remote code execution, and it has been exploited in the wild.

According to Wiz data, less than 1% of cloud environments have publicly exposed resources vulnerable to CVE-2023-40044.

Learn more here.

Critical and high severity vulnerabilities in libwebp and libvpx exploited in the wild

CVE-2023-4863 is a critical heap buffer overflow in libwebp, and CVE-2023-5217 is a high severity heap buffer overflow in libvpx; both could allow remote code execution, and both were reportedly exploited in the wild. They are mainly client-side vulnerabilities, triggered by parsing a malicious image or video, and thus unlikely to be exploitable on most affected cloud workloads other than virtual desktops and servers that process untrusted images or video. Customers should therefore prioritize patching those cases, as well as vulnerable instances detected in build environments, since both libraries are statically bundled into many applications and container images and only get fixed when those are rebuilt.

High severity buffer overflow vulnerability in cURL

The cURL team published version 8.4.0 on October 11, 2023, after pre-announcing that it would include a fix for a high severity vulnerability assigned CVE-2023-38545. This vulnerability is a buffer overflow flaw in the SOCKS5 proxy handshake. 

To be susceptible to this vulnerability, an application must use libcurl with a SOCKS5 proxy that performs hostname resolution on the proxy side (a socks5h:// proxy URL, or CURLPROXY_SOCKS5_HOSTNAME) and make a request to an attacker-controlled URL whose hostname is longer than 255 bytes (such as in a webhook scenario); whether the overflow then corrupts memory also depends on the size of the application's download buffer. Affected versions range from 7.69.0 through 8.3.0. It is recommended to upgrade cURL to the patched version 8.4.0 or later, especially if your organization uses cURL in this way.
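The conditions above are easy to get wrong during triage, so here is an added example (not cURL project code) that encodes them as a check: the curl version range from the advisory, the proxy scheme, and the 255-byte hostname limit that the SOCKS5 protocol imposes. Function names are hypothetical, and an application that selects CURLPROXY_SOCKS5_HOSTNAME programmatically rather than via a socks5h:// URL would need the same treatment as the socks5h case here.

```python
# Added example: triage helper for CVE-2023-38545 exposure (hypothetical helper names).
# Facts encoded: affected 7.69.0 through 8.3.0, fixed in 8.4.0; the flawed code path
# needs SOCKS5 with proxy-side name resolution and a target hostname longer than the
# 255 bytes a SOCKS5 hostname field can carry.
import re
from urllib.parse import urlsplit

AFFECTED_FIRST = (7, 69, 0)
FIXED_IN = (8, 4, 0)
SOCKS5_MAX_HOSTNAME = 255   # SOCKS5 encodes the hostname length in a single byte


def parse_version(text):
    """Extract the curl version from 'X.Y.Z' or the first line of `curl --version`."""
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)\s*$", text)
    if m is None:
        m = re.search(r"\b(?:curl|libcurl)[ /](\d+)\.(\d+)\.(\d+)", text)
    if m is None:
        raise ValueError("no curl version found in %r" % text)
    return tuple(int(x) for x in m.groups())


def version_affected(version):
    """True for any release in the advisory's affected range."""
    return AFFECTED_FIRST <= tuple(version) < FIXED_IN


def request_reaches_bug(proxy_url, target_url):
    """True when libcurl would take the flawed SOCKS5 code path: the proxy URL asks for
    proxy-side name resolution (socks5h) and the target hostname is longer than SOCKS5
    can carry, which is what made curl fall back to local resolution while still
    copying the oversized hostname into its buffer."""
    proxy = urlsplit(proxy_url)
    if proxy.scheme.lower() != "socks5h":
        return False   # socks5:// resolves locally and never enters the flawed path
    host = urlsplit(target_url).hostname or ""
    return len(host) > SOCKS5_MAX_HOSTNAME


def triage(version_text, proxy_url, target_url):
    """Combine the version check and the request-shape check into one verdict."""
    if not version_affected(parse_version(version_text)):
        return "not affected"
    if not request_reaches_bug(proxy_url, target_url):
        return "vulnerable version, request shape does not reach the bug"
    return "exposed"


if __name__ == "__main__":
    # Constructed inputs, not captured from a real system.
    banner = "curl 8.3.0 (x86_64-pc-linux-gnu) libcurl/8.3.0 OpenSSL/3.0.2 zlib/1.2.13"
    long_host = "https://" + "a" * 300 + ".example.com/hook"
    print(triage(banner, "socks5h://127.0.0.1:1080", long_host))
    print(triage(banner, "socks5://127.0.0.1:1080", long_host))
    print(triage("curl 8.4.0 (x86_64-pc-linux-gnu) libcurl/8.4.0", "socks5h://127.0.0.1:1080", long_host))
```

The "exposed" verdict means the flawed copy is reached; whether it actually overflows depends on the hostname being longer than the download buffer the application configured, so treat the verdict as a reason to patch rather than proof of exploitability.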

Learn more in our blog.

Critical vulnerabilities in Confluence Server

Two critical vulnerabilities affecting self-hosted Confluence Server and Data Center instances were published this month: CVE-2023-22515, a broken access control flaw that lets an unauthenticated attacker create administrator accounts and that is being exploited in the wild, and CVE-2023-22518, an improper authorization vulnerability that could allow an unauthenticated attacker to delete data on the server.

According to Wiz data, less than 1% of environments have resources vulnerable to CVE-2023-22515 and only 0.5% have vulnerable publicly exposed instances. 

Learn more here. 

Critical and high severity flaws in NetScaler exploited in-the-wild

Citrix published an advisory regarding a critical flaw tracked as CVE-2023-4966 (AKA CitrixBleed), a buffer over-read that leaks memory contents, including valid session tokens, to unauthenticated attackers, and a high severity flaw tracked as CVE-2023-4967 that can cause denial of service (DoS). Both affect NetScaler ADC and NetScaler Gateway appliances configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server. CVE-2023-4966 is being actively exploited in the wild, and customers should upgrade their NetScaler ADC and NetScaler Gateway to a fixed version. Because session tokens stolen before the upgrade remain usable afterwards, terminate all active ICA and AAA sessions once the patch is applied.

According to Wiz data, 2% of cloud environments have publicly exposed resources vulnerable to CVE-2023-4966. 

Learn more here.

🔓 Security Incidents

Credential harvesting campaign exploiting Netscaler vulnerability

Besides the aforementioned CitrixBleed, researchers also uncovered a campaign in which attackers exploited an older NetScaler Gateway vulnerability (CVE-2023-3519, patched in July) to compromise unpatched gateways and insert a malicious script into the HTML of the authentication page, capturing user credentials as they are entered. All the more reason to update NetScaler Gateway to the latest version, and to verify the integrity of the login page on any gateway that was exposed while unpatched.

Learn more here.

Session tokens compromised via Okta's support system

Okta disclosed a security incident in which a threat actor used stolen credentials to access its customer support case management system and view HTTP Archive (HAR) files that customers had uploaded for troubleshooting. Those files contained valid session tokens, which the actor then used to gain initial access to certain Okta customers. HAR files capture cookies and bearer tokens by design, so sanitize them before sharing with any support organization and revoke the sessions they contain once the case is closed.

Learn more here.

Rapid Reset: HTTP/2 DDoS campaign

A DDoS (distributed denial of service) technique known as 'HTTP/2 Rapid Reset' emerged in August 2023, setting unprecedented records for attack magnitude. It abuses a previously unknown weakness in the HTTP/2 protocol: a client opens a stream with a request and immediately cancels it with an RST_STREAM frame, so the stream never counts against the server's concurrent-stream limit while the server still spends resources handling the request. Repeating this at high rate over a single connection overwhelms the server and induces a DoS state. The weakness is now tracked as CVE-2023-44487 and affects many different products and libraries.
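The defining signal of this attack is a single connection resetting nearly every stream it opens, far faster than any real client cancels requests. As an added example (not taken from any vendor's mitigation code), the following heuristic runs over a constructed HTTP/2 frame log and flags connections whose reset rate and reset-to-request ratio look like Rapid Reset; the event format, connection names and thresholds are illustrative.

```python
# Added example: per-connection RST_STREAM rate heuristic for HTTP/2 Rapid Reset.
# Frame events are constructed tuples of (seconds, connection id, frame type); the
# thresholds are illustrative starting points, not values from any product.
from collections import defaultdict


def build_sample_events():
    """Constructed frame log, not real traffic."""
    events = []
    # A browser-like client: 20 requests spread over 5 seconds, two of them cancelled.
    for i in range(20):
        events.append((i * 0.25, "conn-benign", "HEADERS"))
    events.append((1.0, "conn-benign", "RST_STREAM"))
    events.append((3.2, "conn-benign", "RST_STREAM"))
    # A Rapid Reset client: 500 streams opened and immediately reset within 0.5 s.
    for i in range(500):
        t = i * 0.001
        events.append((t, "conn-attack", "HEADERS"))
        events.append((t + 0.0001, "conn-attack", "RST_STREAM"))
    return events


def per_connection_stats(events):
    """Return {conn: (requests, resets, peak resets in any one-second bucket)}."""
    requests = defaultdict(int)
    resets = defaultdict(int)
    per_second = defaultdict(lambda: defaultdict(int))
    for t, conn, frame in events:
        if frame == "HEADERS":          # a new stream carrying a request
            requests[conn] += 1
        elif frame == "RST_STREAM":     # the client cancelling a stream
            resets[conn] += 1
            per_second[conn][int(t)] += 1
    return {
        conn: (requests[conn], resets[conn], max(per_second[conn].values(), default=0))
        for conn in set(requests) | set(resets)
    }


def flag_rapid_reset(events, max_resets_per_second=100, min_reset_ratio=0.5):
    """Connections whose reset pattern looks like the attack. A legitimate client cancels a
    few streams; an attacker resets nearly every stream it opens, so both a high absolute
    reset rate and a high reset/request ratio must hold before a connection is flagged."""
    flagged = []
    for conn, (req, rst, peak) in per_connection_stats(events).items():
        ratio = rst / req if req else float("inf")
        if peak > max_resets_per_second and ratio >= min_reset_ratio:
            flagged.append(conn)
    return sorted(flagged)


if __name__ == "__main__":
    events = build_sample_events()
    for conn, stats in sorted(per_connection_stats(events).items()):
        print(conn, "requests=%d resets=%d peak_resets_per_s=%d" % stats)
    print("flagged:", flag_rapid_reset(events))
```

In a real server the action on a flagged connection is to close it (a GOAWAY frame) rather than to keep serving it, which is also what the patched HTTP/2 implementations do once a client exceeds their reset budget.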

Learn more here.

Qubitstrike Crypto Mining and Rootkit campaign

Researchers uncovered a campaign, dubbed Qubitstrike, targeting exposed Jupyter Notebooks in order to mine cryptocurrency and break into cloud environments. In the attack chain documented by researchers, publicly accessible Jupyter instances are breached to execute commands and retrieve a shell script, which acts as the primary payload and deploys an XMRig cryptocurrency miner; following a successful compromise, the attackers harvest cloud service provider credentials from the host and exfiltrate them through the Telegram API.

Learn more here.

Cloud Credentials targeted in PyPI malware campaign

Researchers identified a malicious campaign delivered via PyPI packages, aimed at developers using Alibaba Cloud services, AWS, and Telegram. The malicious code within these packages was concealed inside functions and ran only when those functions were called, rather than at install time, which helps it evade sandboxes that only observe installation. The attackers used typosquatting (package names one or two characters away from popular ones) and starjacking (declaring a popular GitHub project as the package's repository so that PyPI displays that project's star count) to lure developers to their malicious packages. Notably, one package mimicked a popular GitHub repository that had no official PyPI package, so a developer searching for it found only the impostor.
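Typosquatting works because a one- or two-character slip still installs something. As an added example (not the researchers' tooling), the following check normalizes requirement names the way PyPI does and flags any name that is within two edits of a known package without being that package; the allowlist and the requirements lines are constructed for illustration, and a real deployment would source the allowlist from the organization's approved dependencies.

```python
# Added example: flag requirement names that are near-misses of known packages, the
# shape typosquatting relies on. The allowlist and sample requirements are constructed.
import re

# Constructed allowlist of packages the hypothetical organization actually uses.
KNOWN_PACKAGES = {"requests", "boto3", "oss2", "aliyun-python-sdk-core", "python-telegram-bot"}


def normalize(name):
    """PEP 503 normalization so 'Python_Telegram.Bot' and 'python-telegram-bot' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def edit_distance(a, b):
    """Levenshtein distance computed with a rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def requirement_name(line):
    """Project name from a requirements.txt line; ignores comments, options, specifiers, extras."""
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith("-"):
        return None
    return re.split(r"[\s<>=!~;\[]", line, maxsplit=1)[0]


def suspicious_requirements(lines, known=KNOWN_PACKAGES, max_distance=2):
    """Return (name, lookalike_of, distance) for names close to, but not equal to, a known package."""
    findings = []
    for line in lines:
        name = requirement_name(line)
        if name is None:
            continue
        norm = normalize(name)
        if norm in known:
            continue                      # exact match: the package we expect
        for good in sorted(known):
            d = edit_distance(norm, good)
            if d <= max_distance:         # near miss: likely a typo or a typosquat
                findings.append((name, good, d))
                break
    return findings


if __name__ == "__main__":
    # Constructed requirements file contents, not from a real project.
    sample = ["requests==2.31.0", "bot3", "reqeusts>=1.0", "numpy  # fine", "-r other.txt"]
    for name, good, d in suspicious_requirements(sample):
        print("%s looks like %s (distance %d)" % (name, good, d))
```

Edit distance does nothing against starjacking, where the name is unique and only the displayed star count is borrowed; for that, compare the repository URL the package declares against the repositories that actually publish the package before trusting the popularity signal.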

Learn more here.

Click to listen!

Hold on to your headphones!

Tune in to "Crying Out Cloud", our monthly roundup of cloud security news podcast! Hosted by the talented duo Eden Naftali and Amitai Cohen, with special guest Chompie! 👏 

Listen on Spotify and Apple Podcasts.