In this article, we will be discussing several recent developments in cybersecurity. First, we will cover the FortiOS SSLVPN Buffer Overflow, a vulnerability that allows attackers to execute arbitrary code on affected devices. Next, we will discuss new Atlassian security flaws, which have been discovered in several of the company’s popular software tools. We will also examine the issue of JSON requests bypassing Web Application Firewalls and how this can leave systems vulnerable to attacks. Finally, we will discuss Apple’s efforts to patch iPhone and iPad Zero-Days, which are vulnerabilities that have not yet been publicly disclosed. These topics highlight the ongoing importance of staying vigilant and taking steps to protect against emerging threats in the digital landscape.
FortiOS SSL-VPN Heap-Based Buffer Overflow Discovered
FortiGuard Labs has published a critical advisory warning of a heap-based buffer overflow vulnerability in FortiOS SSL-VPN. This may allow a remote unauthenticated attacker to execute arbitrary code or commands via specially crafted requests. The vulnerability is tracked as FG-IR-22-398, has a CVSSv3 score of 9.3, and has been confirmed to be exploited in the wild. FortiGuard Labs has included indicators of compromise (IOCs) so that FortiOS administrators can review the integrity of their systems. It is recommended that organizations upgrade to an unaffected version of FortiOS and follow FortiGuard’s advice to review existing systems for signs of compromise. To stay on top of new vulnerabilities like this, nGuard recommends having, at a minimum, quarterly vulnerability scans conducted on your internal and external environments. In addition, to get a full view of what an attacker could do if they gain access to your network, annual internal and external penetration testing is recommended.
Security Flaws Discovered in Atlassian Products
CloudSEK researchers have identified a flaw in Atlassian products Jira, Confluence, and BitBucket that could be exploited by threat actors to take over corporate Jira accounts. The researchers found that even if a password is changed with 2FA enabled, cookies are not invalidated and only expire when a user logs out or after 30 days. As a result, threat actors can restore Jira, Confluence, Trello, or BitBucket sessions using stolen cookies, even if they do not have access to the multi-factor authentication or one-time PIN required for 2FA. With over 10 million users across 180,000 companies, including 83% of Fortune 500 firms, Atlassian products are widely used, and threat actors are actively exploiting the flaw to compromise enterprise Jira accounts. CloudSEK is releasing a free tool that allows companies to check if their compromised computers and Jira accounts are being advertised on dark web marketplaces. Additionally, conducting a web application penetration test can help discover vulnerabilities with session cookies and other areas, using the OWASP Top 10 as the foundation of the assessment.
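One way to close the gap described above, as an added example (not Atlassian's or CloudSEK's code): a server-side session store that ties each cookie to a per-user credential epoch, so a password change invalidates every previously issued cookie instead of leaving it valid until logout or the 30-day expiry. The class, method names and sample users are hypothetical.

```python
import secrets
import time

SESSION_TTL = 30 * 24 * 3600  # 30-day lifetime, matching the expiry the article cites


class SessionStore:
    """Hypothetical server-side session store; names are illustrative."""

    def __init__(self):
        self._sessions = {}  # token -> (user, credential epoch, expiry time)
        self._epoch = {}     # user -> counter bumped on every credential change

    def login(self, user, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        epoch = self._epoch.setdefault(user, 0)
        self._sessions[token] = (user, epoch, now + SESSION_TTL)
        return token

    def validate(self, token, now=None):
        """Return the user for a live session, else None."""
        now = time.time() if now is None else now
        record = self._sessions.get(token)
        if record is None:
            return None
        user, epoch, expires = record
        # Reject expired cookies and cookies minted before the last password change.
        if now >= expires or epoch != self._epoch.get(user):
            self._sessions.pop(token, None)
            return None
        return user

    def logout(self, token):
        self._sessions.pop(token, None)

    def change_password(self, user, now=None):
        """Invalidate all existing cookies for the user and issue a fresh one.

        A stolen cookie is a copy of the victim's own cookie, so the caller's
        current session cannot be kept alive; it is replaced by a new token.
        """
        self._epoch[user] = self._epoch.get(user, 0) + 1
        return self.login(user, now)


if __name__ == "__main__":
    store = SessionStore()
    cookie = store.login("alice")            # constructed sample user
    fresh = store.change_password("alice")
    print(store.validate(cookie), store.validate(fresh))
```

The same epoch bump belongs on any other credential event, such as a 2FA reset or an administrator-forced sign-out.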
Web Application Firewalls Bypassed by JSON Requests
Researchers at Claroty have discovered that web application firewalls (WAFs) from Amazon Web Services, Cloudflare, F5, Imperva and Palo Alto are vulnerable to malicious requests that use the JavaScript Object Notation (JSON) format to obfuscate database commands and escape detection. This technique allows attackers to access and potentially change data as well as compromise the application. The researchers found that the WAFs do not understand commands written in JSON, while major SQL databases do, so a malicious request passes through the WAF to the back-end database without detection. WAFs are widely used to protect against application attacks, but they are not foolproof. A 2020 survey found that 40% of security professionals claimed at least half of application attacks had bypassed the WAF. This research shows that even if you have security devices in place, they can be bypassed. nGuard can find the vulnerabilities within your web applications before an attacker can by performing a web application penetration test.
Apple Sends Updates to Patch New Zero-Day
Apple has released security updates for iOS, iPadOS, macOS, tvOS, and Safari to address a zero-day vulnerability that could result in the execution of malicious code. The issue, tracked as CVE-2022-42856, has been described as a type confusion issue in the WebKit browser engine that could be triggered when processing specially crafted content. This could lead to arbitrary code execution, with Apple saying it is aware of a report that the issue may have been actively exploited against versions of iOS released before iOS 15.1. It is thought that the issue involved social engineering or a watering hole attack, with the devices being infected when visiting a rogue or legitimate-but-compromised domain via the browser. The company has addressed the issue with improved state handling.