31 May 2019
Docker contains an unpatched race condition vulnerability
A major security vulnerability has been found in Docker containers. A function called FollowSymlinkInScope in Docker is prone to a race condition that attackers can exploit to modify resource paths. The flaw was discovered by security researcher Aleksa Sarai, who says that the function can be used to carry out a time-of-check to time-of-use (TOCTOU) attack. As of now, the vulnerability remains unpatched and Docker has yet to respond with a fix. All current versions contain this flaw. The FollowSymlinkInScope function was found to resolve resource paths in Docker containers incorrectly. According to Sarai, an attacker who adds a symbolic link after the faulty resolution can gain read and write access to the resource path, leading to a race condition. Sarai also mentions that there are no workarounds other than restricting Docker through AppArmor. However, he has submitted a patch to Docker Inc, which is still under review. Sarai also describes two exploit scripts for this vulnerability, which can allow modification of resource paths. “Attached are two reproducers of the issue. They both include a Docker image which contains a simple binary that does a RENAME_EXCHANGE of a symlink to "/" and an empty directory in a loop, hoping to hit the race condition. In both of the scripts, the user is trying to copy a file to or from a path containing the swapped symlink,” Sarai wrote in an email on the oss-sec mailing list. Docker Inc is expected to release a patch for this flaw soon.
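The item above describes the shape of the bug (resolve a path, check it, then use the resolved string while a directory on it can be swapped for a symlink) without showing it. The following Go program is an added example written for this digest, not Docker's code and not Sarai's reproducer: ResolveThenOpen is a schematic of the racy check-then-use pattern, with a test hook standing in for the attacker's rename so the window can be exercised deterministically, and OpenInRoot is a descriptor-based walk that removes the window by never re-reading a path string. The fixture layout, file contents and the function names are constructed for the example; the walker uses Linux openat(2) flags and, as a simplification, refuses symlinks outright where Docker has to resolve in-scope ones.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
	"syscall"
)

// ErrEscape is returned when a requested path would leave the root.
var ErrEscape = errors.New("path escapes root")

// ResolveThenOpen is the racy check-then-use shape (illustrative, not Docker's
// code): resolve symlinks, check the result is under root, then open the
// resolved string. Any directory on that string can become a symlink after the
// check. The hook only lets a test act inside the window.
func ResolveThenOpen(root, rel string, betweenCheckAndUse func()) (*os.File, error) {
	cleanRoot, err := filepath.EvalSymlinks(root)
	if err != nil {
		return nil, err
	}
	resolved, err := filepath.EvalSymlinks(filepath.Join(root, rel))
	if err != nil {
		return nil, err
	}
	if resolved != cleanRoot && !strings.HasPrefix(resolved, cleanRoot+"/") {
		return nil, ErrEscape // time of check
	}
	if betweenCheckAndUse != nil {
		betweenCheckAndUse()
	}
	return os.Open(resolved) // time of use: follows whatever is there now
}

// OpenInRoot is the race-free shape: walk rel one component at a time with
// openat(2) from an already-open descriptor and O_NOFOLLOW, refusing ".." and
// any symlink. A rename cannot redirect a walk that never re-reads a path
// string. (Simplification: Docker must honour in-scope symlinks. Linux flags.)
func OpenInRoot(root, rel string) (*os.File, error) {
	rel = filepath.Clean(rel)
	if filepath.IsAbs(rel) || rel == ".." || strings.HasPrefix(rel, "../") {
		return nil, ErrEscape
	}
	fd, err := syscall.Open(root, syscall.O_RDONLY|syscall.O_DIRECTORY|syscall.O_CLOEXEC, 0)
	if err != nil {
		return nil, err
	}
	parts := strings.Split(rel, "/")
	for i, part := range parts {
		flags := syscall.O_RDONLY | syscall.O_NOFOLLOW | syscall.O_CLOEXEC
		if i < len(parts)-1 {
			flags |= syscall.O_DIRECTORY // intermediates must be real directories
		}
		next, err := syscall.Openat(fd, part, flags, 0)
		syscall.Close(fd)
		if err != nil {
			return nil, fmt.Errorf("%s: %w", part, err) // ELOOP for a symlink
		}
		fd = next
	}
	return os.NewFile(uintptr(fd), filepath.Join(root, rel)), nil
}

// Demo builds a constructed layout under base (root/dir/file = "INSIDE",
// outside/file = "OUTSIDE", standing in for host data), reads dir/file via
// OpenInRoot while intact, then via ResolveThenOpen while root/dir is swapped
// for a symlink inside the window, then via OpenInRoot again after the swap.
func Demo(base string) (clean, racy string, hardenedErr error) {
	for p, body := range map[string]string{"root/dir/file": "INSIDE", "outside/file": "OUTSIDE"} {
		full := filepath.Join(base, p)
		_ = os.MkdirAll(filepath.Dir(full), 0o755) // a failure surfaces in WriteFile below
		if err := os.WriteFile(full, []byte(body), 0o644); err != nil {
			return "", "", err
		}
	}
	root, dir := filepath.Join(base, "root"), filepath.Join(base, "root/dir")
	read := func(f *os.File, err error) string {
		if err != nil {
			return "error: " + err.Error()
		}
		defer f.Close()
		b, _ := io.ReadAll(f)
		return string(b)
	}
	clean = read(OpenInRoot(root, "dir/file"))
	swap := func() { // lands inside the window: root/dir becomes a symlink to outside
		_ = os.Rename(dir, dir+".moved")
		_ = os.Symlink(filepath.Join(base, "outside"), dir)
	}
	racy = read(ResolveThenOpen(root, "dir/file", swap))
	_, hardenedErr = OpenInRoot(root, "dir/file")
	return clean, racy, hardenedErr
}

func main() {
	base, _ := os.MkdirTemp("", "toctou")
	defer os.RemoveAll(base)
	fmt.Println(Demo(base)) // INSIDE OUTSIDE dir: too many levels of symbolic links
}
```

The point of the second function is not the symlink refusal itself but where the state lives: once each step is taken relative to a file descriptor the kernel already holds, there is no later moment at which a path string is re-interpreted, so a rename between the check and the open has nothing to redirect. The AppArmor restriction mentioned in the item limits what the final open can reach; it does not close the window.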
Critical vulnerability in Convert Plus WordPress Plugin lets attacker create admin accounts
Researchers from Defiant uncovered a critical vulnerability in the Convert Plus WordPress plugin that allows an unauthenticated attacker to create accounts with administrator privileges. The vulnerability arises from a lack of filtering when processing a new user subscription form supplied by the plugin. Administrators can define the role they want for new subscribers in the subscription form. The administrator role is not offered in that drop-down menu, since the plugin keeps it off the list. However, the vulnerable versions of the Convert Plus plugin made the administrator role available through a hidden field called "cp_set_user." “Because this value is supplied by the same HTTP request as the rest of the subscription entry, it can be modified by the user,” Defiant researchers described. Because new subscriptions are not filtered, an attacker can submit the subscription form with the value of ‘cp_set_user’ changed to ‘administrator’. This way attackers can create a new user with administrator privileges. The vulnerability has impacted all versions of the Convert Plus plugin up to v3.4.2. The developer behind the Convert Plus plugin, BrainstormForce, was notified about the vulnerability on May 24, 2019. The developer immediately responded and released the patch on May 29, 2019. The vulnerability has been fixed in Convert Plus plugin version 3.4.3. Due to the severity of the flaw, the developer has pushed an automatic update for the latest version in the WordPress backend. Administrators are advised to enable it as soon as possible.
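The flaw above is a general one: a privilege-bearing value (the role) travels in the same request as the user-controlled form data and is trusted server-side. The following is an added example written for this digest in Go rather than the plugin's PHP, and is not Convert Plus code: createAccountVulnerable reproduces the flawed logic of reading the role from the hidden field, and createAccountFixed takes the role from server-side settings only and still checks it against an allowlist that never contains administrator. The Settings type, the allowlist contents, the field name reuse and the form values are constructed for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
)

// Settings stands in for the role an administrator configured for new
// subscribers on the plugin's settings page (server-side state; constructed).
type Settings struct{ NewSubscriberRole string }

// subscriberRoles lists every role a subscription form may ever grant.
// "administrator" is deliberately absent, matching the drop-down the item describes.
var subscriberRoles = map[string]bool{"subscriber": true, "contributor": true}

// Account is what the two variants below produce.
type Account struct{ Email, Role string }

// createAccountVulnerable mirrors the flawed logic: the role is read from a
// hidden field that arrives in the same request as the rest of the form, so
// whoever sends the request chooses it.
func createAccountVulnerable(form url.Values) Account {
	role := form.Get("cp_set_user")
	if role == "" {
		role = "subscriber"
	}
	return Account{Email: form.Get("email"), Role: role}
}

// createAccountFixed ignores any client-supplied role, takes it from server-side
// settings, and still checks the allowlist so a misconfigured setting cannot
// hand out administrator either.
func createAccountFixed(form url.Values, s Settings) (Account, error) {
	if !subscriberRoles[s.NewSubscriberRole] {
		return Account{}, fmt.Errorf("refusing to grant role %q via the subscription form", s.NewSubscriberRole)
	}
	return Account{Email: form.Get("email"), Role: s.NewSubscriberRole}, nil
}

// SubscribeHandler wires the fixed logic to an HTTP endpoint; the request
// body is parsed but cp_set_user never reaches the role decision.
func SubscribeHandler(s Settings) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodPost || r.ParseForm() != nil {
			http.Error(w, "bad request", http.StatusBadRequest)
			return
		}
		acct, err := createAccountFixed(r.PostForm, s)
		if err != nil {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		fmt.Fprintf(w, "created %s as %s\n", acct.Email, acct.Role)
	}
}

func main() {
	// Constructed request body in which the hidden field has been changed.
	form := url.Values{"email": {"someone@example.com"}, "cp_set_user": {"administrator"}}
	fmt.Println("vulnerable:", createAccountVulnerable(form).Role) // administrator
	acct, err := createAccountFixed(form, Settings{NewSubscriberRole: "subscriber"})
	fmt.Println("fixed:", acct.Role, err) // subscriber <nil>
}
```

The allowlist is the part worth keeping even after the role is moved out of the request: a setting an administrator can edit is still input, and a form that can only ever mint low-privilege roles fails safe if that setting is ever wrong.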
Remote code execution flaw detected in Microsoft’s Notepad text editor
Microsoft’s Notepad text editor has been found to be vulnerable to a newly discovered remote code execution flaw. In a Twitter post, Google Project Zero researcher Tavis Ormandy revealed that he has identified a remote code execution vulnerability in Microsoft’s Notepad text editor. Ormandy has reported the issue to Microsoft. As per Project Zero’s vulnerability disclosure policy, Microsoft has to release a patch within 90 days of the discovery, after which the technical details of the flaw will be disclosed to the public. Earlier, Ormandy anticipated that the vulnerability was a memory corruption bug. He even shared an image demonstrating how to launch a Command Prompt. The expert confirmed that he has already developed a ‘real exploit’ for the issue. Chaouki Bekrar, a founder of zero-day broker Zerodium, has explained that the type of issue found by the Google white-hat hacker is not uncommon. He noted it is not the only vulnerability that can be used to ‘pwn’ Notepad.
UK pub chain Greene King suffers data breach following hack on its gift card website
Major UK pub chain Greene King has disclosed a data breach on its gift card website https[:]//www[.]gkgiftcards[.]co[.]uk. The incident has resulted in the compromise of customers’ personal details. In a breach notification, the firm revealed that it detected the breach on May 14, 2019. The hackers behind the attack had gained unauthorized access to the website and were able to access customers’ sensitive details. The compromised information includes names, email addresses, user IDs, encrypted passwords, addresses, postcodes, and gift card order numbers of customers. However, no bank details or payment information were accessed in the breach. “Suspicious activity was discovered on 14th May and a security breach was confirmed on 15th May. No bank details or payment information were accessed. However, the information you provided to us as part of your gift card registration was accessed. Specifically, the hackers were able to access your name, email address, user ID, encrypted password, address, postcode and gift card order number. Whilst your password was encrypted, it may still be compromised,” said the firm in its notification, Security Boulevard reported. While the number of impacted users is unknown, the firm has begun taking appropriate security measures to secure users’ data. It has also notified the Information Commissioner’s Office (ICO) as well as its customers about the breach.
Vulnerability in DuckDuckGo allows attackers to launch URL spoofing attacks
Gnosticplayers hacked Canva website and stole data of over 139 million users
Canva, an Australia-based company that provides a graphic design platform, has been hacked, and data for roughly 139 million users has been compromised. The infamous hacker ‘Gnosticplayers’, who had earlier put up stolen data of 932 million users for sale on the dark web, is responsible for this breach. Gnosticplayers contacted ZDNet on May 24, 2019, and said that he had breached the company just hours before contacting them. “I download everything up to May 17. They detected my breach and closed their database server,” Gnosticplayers said. ZDNet requested a sample of the hacked data to verify the hacker's claims. Gnosticplayers then provided a sample of 18,816 accounts, including the account details for some of the company’s staff and admins. Of the total 139 million users, 78 million had Gmail addresses associated with their Canva account. ZDNet contacted Canva users to verify the validity of the sample data received. After verifying it, ZDNet notified the site's administrators about the breach. “Canva was today made aware of a security breach which enabled access to a number of usernames and email addresses. We securely store all of our passwords using the highest standards (individually salted and hashed with bcrypt) and have no evidence that any of our users' credentials have been compromised,” a spokesperson for Canva said. However, the company is recommending that its users reset their passwords as a precaution.
New bitcoin scam installs ransomware or info-stealer malware on victim’s computer
A new bitcoin scam that promises to earn you $15-45 in Bitcoin a day, for free and automatically, installs ransomware or info-stealer malware on the victim’s computer. An independent malware hunter who goes by the name ‘Frost’ has uncovered the scam, which has been promoted via several sites. The scam also promises to earn you Ethereum for referring other people to its site. When users click on the site, they are redirected to another page that promotes a program called ‘Bitcoin Collector’. This program is a Trojan that executes a malicious payload. When users download the program and extract it, it generates numerous files, including an executable called BotCollector.exe. Running ‘BotCollector.exe’ launches malware disguised as a bitcoin generator program dubbed ‘Freebitco.in - Bot’. Clicking on the ‘Start’ button causes the ‘Freebitco.in - Bot’ to trigger the malicious payload, which is either ransomware or an info-stealer. When Frost initially analyzed this scam, the malicious payload was found to be ‘Marozka Tear’ ransomware. Once on the compromised computer, the ransomware encrypts all files and appends the .Crypted extension to the encrypted files. It then drops a ransom note named ‘HOW TO DECRYPT FILES.txt’. The ransom note urges the victim to contact the attacker at firstname.lastname@example.org in order to receive payment instructions. Frost noted that the scam now pushes the info-stealer malware ‘Baldr’, which currently has 32/70 detections at VirusTotal. This info-stealer attempts to steal login credentials for all the sites visited, take screenshots, retrieve browser history, and steal files and cryptocurrency wallets.