Now MOVEit maker Progress patches holes in WS_FTP
Plus: Johnson Controls hit by IT 'incident', Exim and Chrome security updates, and more
Infosec in brief Progress Software, maker of the mass-exploited MOVEit document transfer tool, is back in the news with more must-apply security patches, this time for another file-handling product: WS_FTP.
We're told this software's ad hoc transfer module and WS_FTP's server management interface were found to have eight vulnerabilities, with CVSS severity scores ranging from 5.3 all the way to 10 out of 10.
At their most severe, all versions of WS_FTP Server prior to 8.7.4 and 8.8.2 are vulnerable to a .NET deserialization attack from a pre-authenticated attacker. If successful, the attacker could execute commands on the underlying host system, leveraging the other seven vulnerabilities, such as path traversal, XSS, SQL injection, missing cross-site request forgery protection, and the like.
According to the Progress' website, WS_FTP is used by some high-profile customers, including Scientific American, clothing store H&M, and the The Denver Broncos American football team to name a few. Those companies, and the rest of the WS_FTP community, are being advised to update their installation immediately. Exploitation of these bugs could well lead to public-facing systems being hijacked, and IT networks infiltrated at a large scale.
For those who don't recall, a hole in Progress' MOVEit software allowed miscreants to break into at least 400 organizations so far. Progress is facing over a dozen lawsuits connected to the MOVEit security fiasco. The Cl0p ransomware gang notably exploited the flaw to swipe people's data.
Progress said it has seen no evidence that the WS_FTP vulnerabilities have been exploited in the wild, which is similar to what it said about another bug discovered in MOVEit in June.
MOVEit attacks are ongoing as orgs fail to update their installations. Patches for WS_FTP are available for all supported versions, as well as a workaround for those who can't immediately fix the flaws.
Critical vulnerabilities: Is there something in the air?
My, has it been a week. Along with that nasty new Progress bug, a number of big tech names have had to issue urgent updates this week.
Exim, the open source mail server that is widely used on the internet, had some details of six flaws made public this week, and only three of them are patched. The two most serious issues allow full remote code execution, and according to the finders at the Zero Day Initiative the Exim Project has known about them since last year. Look out for updates and apply them as soon as you can.
"Fixes are available in a protected repository and are ready to be applied by the distribution maintainers," commented Exim representative Heiko Schlittermann on Friday. "The remaining issues are debatable or misinformation [regarding whether] we need to fix them."
Cisco has also had a bad week. The company's Group Encrypted Transport VPN feature in IOS has a remote code execution bug that's currently being tried in the wild, so get patching immediately.
Along with that issue, Cisco published 14 other security advisories this week, including news of several critical vulnerabilities in its SD-WAN Manager.
Not to be outdone, Apple released a bunch of patches for Safari 17 and macOS Sonoma this week addressing a whole host of issues - several critical, including a one that's under active exploit. The exploited code is yet another WebKit code execution vulnerability that can be triggered by opening malicious web content.
Google also patched its fifth Chrome zero day of 2023 this week, which is under active exploit, along with issuing other fixes for nine other issues.
Oh, and Mozilla issued updates to Firefox (regular, ESR, Android and Focus for Android) and Thunderbird to address a critical heap buffer overflow vulnerability in libvpx.
Lastly, Mitsubishi Electric's GX Works3 software is vulnerable (CVSS 9.8, CVE-2023-4088) to remote code execution thanks to permissions issues.
One more active exploit to point out, and it's a doozy:
- CVSS 9.8 - CVE-2018-14667: An expression language injection vulnerability in RedHat's RichFaces Framework may be exploited in the wild already.
Johnson Controls hit by IT 'disruption'
Johnson Controls, a massive industrial control systems concern, has been hit by an equally massive ransomware attack that has reportedly taken a number of its systems offline and may even pose a national security risk.
The afflicted business admitted to a "cybersecurity incident" in an SEC filing this week that multiple sources reported as a ransomware attack whose perpetrators made off with more than 27 terabytes of company data - neither of which Johnson has confirmed.
"Johnson Controls International plc (the "Company") has experienced disruptions in portions of its internal information technology infrastructure and applications," the biz said, adding that other systems "are largely unaffected and remain operational."
According to one cybersecurity researcher, a ransomware group called Dark Angels is behind the attack. The group is reportedly demanding a $51 million ransom from Johnson Controls.
The US Department of Homeland Security is also reportedly concerned that some of the stolen data may include sensitive information about Uncle Sam's buildings, as Johnson handles physical security equipment for several important facilities.
Japanese ransomware attack triggers supply chain fears
A group that recently claimed to have leaked data stolen from Sony online has apparently struck again, claiming to have hit Japanese cell carrier NTT Docomo in what researchers fear could be a sign of a new supply chain attack.
Ransomed.vc, the group behind the claimed attack, is a relative newcomer whose attacks have raised questions in the underground world. But researchers at Resecurity are worried the miscreants may have used the Sony attack to sow seeds of future chaos.
While it hasn't confirmed the alleged NTT Docomo attack and Sony incidents are linked, the security shop said it's investigating "whether the Sony incident served as an intrusion vector for broader supply-chain compromise that enabled the group to illegally access the telecom operator's data."
Ransomed.vc reportedly claimed to have abandoned trying to get Sony to pay a ransom and instead was looking for a buyer for 3.14GB of data stolen from the tech giant, but another individual released all the data while claiming Ransomed was lying about their attack. ®