The main attacks and vulnerabilities compiled by our experts last week: 17th to 21st October
Here are the most relevant headlines of the week; take note and stay informed of all the details:
A critical vulnerability in Apache Commons Text has recently been disclosed. It would allow an unauthenticated attacker to remotely execute code (RCE) on servers running applications with the affected component.
Identified as CVE-2022-42889 with a CVSS score of 9.8, the flaw affects Apache Commons Text versions 1.5 to 1.9 and lies in insecure defaults used when Apache Commons Text performs variable interpolation, which could lead to arbitrary code execution on remote servers.
According to the Apache Foundation, the Apache Commons Text library is present in more than 2,500 projects; the Foundation recommends upgrading as soon as possible to Apache Commons Text 1.10.0, which disables the problematic interpolators by default.
In addition, several security researchers have pointed out that a proof of concept (PoC) for this vulnerability is publicly available, which considerably increases the risk.
Other sources have even compared this bug to the well-known Log4j vulnerability, although its impact seems likely to be less widespread and, for the time being, there are no reports of active exploitation in the wild.
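As an added example (not from the original article), the following Python script scans Maven and Gradle dependency coordinates for Apache Commons Text versions in the affected 1.5 to 1.9 range, flagging anything below the fixed 1.10.0 release; the sample manifests are constructed for illustration.

```python
"""Flag Apache Commons Text dependencies affected by CVE-2022-42889.

Affected: 1.5 through 1.9. Fixed: 1.10.0 (script/dns/url interpolators off by default).
"""
import re
import xml.etree.ElementTree as ET

AFFECTED_MIN = (1, 5, 0)
FIXED = (1, 10, 0)


def parse_version(v):
    """'1.9' -> (1, 9, 0); '1.10.0' -> (1, 10, 0); None for non-numeric (e.g. ${prop})."""
    parts = v.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        return None
    t = tuple(int(p) for p in parts)
    return t + (0,) * (3 - len(t))


def is_affected(version):
    """True when AFFECTED_MIN <= version < FIXED. Property-based versions
    (e.g. ${commons.text.version}) are not resolved here and return False;
    resolve them first with the build tool (e.g. mvn dependency:tree)."""
    t = parse_version(version)
    return t is not None and AFFECTED_MIN <= t < FIXED


def _local(tag):
    # pom.xml tags are usually namespaced: '{http://maven.apache.org/POM/4.0.0}dependency'
    return tag.rsplit("}", 1)[-1]


def scan_pom(pom_xml):
    """Return [(version, affected)] for every commons-text dependency in a pom.xml string."""
    findings = []
    for dep in ET.fromstring(pom_xml).iter():
        if _local(dep.tag) != "dependency":
            continue
        f = {_local(c.tag): (c.text or "").strip() for c in dep}
        if f.get("groupId") == "org.apache.commons" and f.get("artifactId") == "commons-text":
            findings.append((f.get("version", ""), is_affected(f.get("version", ""))))
    return findings


GRADLE_RE = re.compile(r"org\.apache\.commons:commons-text:([\w.\-]+)")


def scan_gradle(build_text):
    """Return [(version, affected)] for every commons-text coordinate in a Gradle build file."""
    return [(v, is_affected(v)) for v in GRADLE_RE.findall(build_text)]


# Constructed sample manifests (not from any real project).
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0"><dependencies>
<dependency><groupId>org.apache.commons</groupId><artifactId>commons-text</artifactId><version>1.9</version></dependency>
</dependencies></project>"""
SAMPLE_GRADLE = 'implementation "org.apache.commons:commons-text:1.10.0"'
```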
Microsoft Security Response Center has reported the remediation of a misconfigured endpoint, which could have resulted in unauthorized access to data contained on the endpoint.
The information that could have been exposed involved business transactions between Microsoft and customers, including sensitive information such as personal names, email addresses, email content, company names, phone numbers, or document attachments.
Microsoft became aware of the misconfigured endpoint on 24 September thanks to a tip-off from SOCRadar, and then proceeded to address the risk. According to the information published by Microsoft, there is no indication that customer accounts or systems have been compromised, and they have indicated that all affected customers have been notified directly.
Over the past few days, a proof of concept (PoC) has been published on GitHub that exploits the critical security flaw affecting Fortinet FortiOS, FortiProxy and FortiSwitchManager products, reported last week under the identifier CVE-2022-40684.
Specifically, exploitation of this vulnerability could allow a remote attacker to bypass authentication and then perform malicious operations on the administrative interface via HTTP(S) requests.
In addition, according to Horizon3.ai's analysis of the PoC, FortiOS exposes a management web portal that allows the user to configure the system.
It is worth noting that, by the time the PoC was published publicly, Fortinet had already reported active exploitation of the vulnerability. On Friday it issued an advisory that included mitigation guidance, as well as updates and fixes for customers.
Finally, researchers from GreyNoise and Wordfence have published detections for exploitation attempts.
Security researchers have reportedly detected a threat actor selling a tool called BlackLotus on underground forums, with capabilities that have so far only been observed in state-sponsored groups and actors.
This tool, a type of UEFI bootkit, would be installed in the computer's firmware and would evade detection by security solutions by loading itself early in the device's boot sequence.
According to the tool's author in their post, BlackLotus has features to detect activity in virtual machines and has protections against removal, making malware analysis more difficult.
Finally, security researcher Scheferman says that until a sample of the malware has been fully analyzed, it cannot be ruled out that BlackLotus could be used to carry out a Bring Your Own Vulnerable Driver (BYOVD) attack.