Weekly Security News – 8th July 2024

Hackers exploiting Cisco switches, Authy MFA phone numbers and patches for Juniper and Splunk... all in this week's Security News...

Welcome to this week’s Security News. We’ve collated the best articles from the around the internet and put them all into one place. If you have any queries or concerns about anything in this week’s news, then please get in touch with our team who can advise further. For our existing clients, if we believe anything may affect your organisation, our team will be in touch directly. 

Vulnerabilities and Patches

New Open SSH Vulnerability

The vulnerability, which is a signal handler race condition in OpenSSH’s server (sshd), allows unauthenticated remote code execution (RCE) as root on glibc-based Linux systems; that presents a significant security risk. This race condition affects sshd in its default configuration. This vulnerability, if exploited, could lead to full system compromise where an attacker can execute arbitrary code with the highest privileges, resulting in a complete system takeover, installation of malware, data manipulation, and the creation of backdoors for persistent access. It could facilitate network propagation, allowing attackers to use a compromised system as a foothold to traverse and exploit other vulnerable systems within the organization. Moreover, gaining root access would enable attackers to bypass critical security mechanisms such as firewalls, intrusion detection systems, and logging mechanisms, further obscuring their activities. This could also result in significant data breaches and leakage, giving attackers access to all data stored on the system, including sensitive or proprietary information that could be stolen or publicly disclosed.

Juniper releases out-of-cycle fix for max severity auth bypass flaw

Juniper Networks has released an emergency update to address a maximum severity vulnerability that leads to authentication bypass in Session Smart Router (SSR), Session Smart Conductor, and WAN Assurance Router products. The security issue is tracked as CVE-2024-2973 and an attacker could exploit it to take full control of the device. “An Authentication Bypass Using an Alternate Path or Channel vulnerability in Juniper Networks Session Smart Router or Conductor running with a redundant peer allows a network-based attacker to bypass authentication and take full control of the device,” reads the description of the vulnerability. “Only Routers or Conductors that are running in high-availability redundant configurations are affected by this vulnerability,” Juniper notes in the security advisory.

Cyber Attacks

Chinese Hackers Exploiting Cisco Switches Zero-Day to Deliver Malware

A China-nexus cyber espionage group named Velvet Ant has been observed exploiting a zero-day flaw in Cisco NX-OS Software used in its switches to deliver malware. The vulnerability, tracked as CVE-2024-20399 (CVSS score: 6.0), concerns a case of command injection that allows an authenticated, local attacker to execute arbitrary commands as root on the underlying operating system of an affected device. “By exploiting this vulnerability, Velvet Ant successfully executed a previously unknown custom malware that allowed the threat group to remotely connect to compromised Cisco Nexus devices, upload additional files, and execute code on the devices,” cybersecurity firm Sygnia said. Cisco said the issue stems from insufficient validation of arguments that are passed to specific configuration CLI commands, which could be exploited by an adversary by including crafted input as the argument of an affected configuration CLI command.

Hackers abused API to verify millions of Authy MFA phone numbers

Twilio has confirmed that an unsecured API endpoint allowed threat actors to verify the phone numbers of millions of Authy multi-factor authentication users, potentially making them vulnerable to SMS phishing and SIM swapping attacks. Authy is a mobile app that generates multi-factor authentication codes at websites where you have MFA enabled. In late June, a threat actor named ShinyHunters leaked a CSV text file containing what they claim are 33 million phone numbers registered with the Authy service. The CSV file contains 33,420,546 rows, each containing an account ID, phone number, an “over_the_top” column, account status, and device count. Twilio has detected that threat actors were able to identify data associated with Authy accounts, including phone numbers, due to an unauthenticated endpoint. We have taken action to secure this endpoint and no longer allow unauthenticated requests.

In Other News...

TeamViewer Hack Officially Attributed to Russian Cyberspies

After we reported on a TeamViewer hack in last week’s edition, TeamViewer has confirmed that a notorious Russian cyberespionage group appears to be behind the recent hacker attack targeting the company’s systems. The remote connectivity software provider revealed last week that it had detected an intrusion on June 26. According to follow-up statements issued by the company on Friday and over the weekend, the breach only impacted its internal corporate IT environment, and did not affect its product environment, the TeamViewer connectivity platform, or any customer data. “Following best-practice architecture, we have a strong segregation of the Corporate IT, the production environment, and the TeamViewer connectivity platform in place,” TeamViewer explained. “This means we keep all servers, networks, and accounts strictly separate to help prevent unauthorized access and lateral movement between the different environments.”

Splunk Patches High-Severity Vulnerabilities in Enterprise Product

Splunk has released two security advisories that address two high severity vulnerabilities within Splunk Enterprise and Splunk Cloud. Splunk is a data analysis platform used for business and web analytics, application management, compliance, and security. The first high-severity vulnerability, known as CVE-2024-29945 with a CVSSv3 score of 7.2 , could allow Splunk Enterprise software (in debug mode or the JsonWebToken component logs activity at the DEBUG logging level) to expose authentication tokens during the token validation process. The second high-severity vulnerability, known as CVE-2024-29946 with a CVSSv3 score of 8.1, could allow attackers to bypass SPL safeguards for risky commands in the Hub. Affected organisations are encouraged to review the following Splunk Security Advisories for more information.