Tag: CVE

SolarWinds New 0-Day: Serv-U Update

Posted on by Srishti Chaubey

SolarWinds Serv-U, one of the leading multi-protocol file servers, reported a critical exploit marked as CVE-2024-28995. It allows unauthorised access to sensitive files. This path traversal flaw poses a significant security risk.

Credit: CyberInsider

What is CVE-2024-28995?

CVE-2024-28995 is a path traversal vulnerability in SolarWinds Serv-U. Attackers can exploit it remotely and without authentication. It allows an attacker to send specially crafted requests to the server, potentially accessing sensitive files and data from the underlying operating system. This could include user data, server logs, and other critical files​

Historical Context

SolarWinds Serv-U has been targeted before. In 2021, a zero-day vulnerability (CVE-2021-35211) was exploited by a group called Circle Typhoon. This historical precedent underscores the importance of patching vulnerabilities in managed file transfer solutions, which are prime targets for cyber criminals​.

Exploitation Details

Researchers have observed both automated and manual exploitation attempts. These began after the release of proof-of-concept (PoC) exploit details on June 18, 2024. GreyNoise reported seeing active exploitation in the wild. The PoC scripts made it relatively straightforward for attackers to leverage this vulnerability, prompting urgent calls for patching​

Implications for Organisations

Managed file transfer solutions are prime targets for ransomware groups. Examples include attacks on Accellion’s FTA, Fortra’s GoAnywhere MFT, and Progress Software’s MOVEit Transfer. These attacks often result in data breaches and extortion attempt.

Mitigation and Recommendations

SolarWinds released a patch to address CVE-2024-28995. Users of Serv-U FTP and MFT solutions should upgrade to version 15.4.2 HF 2 or later. Immediate patching is crucial due to the active exploitation and sensitivity of the data at risk.

Identifying Affected Systems

Tenable has developed plugins to identify vulnerable systems. These plugins are available on the CVE page for CVE-2024-28995. Organisations should use these tools to detect and remediate this vulnerability.

Enhancing Security with Passwordless Systems

To bolster security and protect against vulnerabilities like CVE-2024-28995, consider implementing passwordless authentication systems. Traditional passwords are often a weak link in cybersecurity, prone to phishing, brute force attacks, and credential stuffing. By moving to a passwordless system, you can significantly enhance the security posture of your SolarWinds Serv-U environment.

Benefits of Passwordless Authentication:

  1. Reduced Attack Surface
  2. Improved User Experience
  3. Enhanced Security
  4. Compliance and Standards

Implementing Passwordless Systems with PureAuth:

PureAuth offers a robust passwordless authentication solution that can be integrated into your existing infrastructure. By using PureAuth, you can secure your SolarWinds Serv-U environment against unauthorised access and potential vulnerabilities.

Conclusion:

CVE-2024-28995 is a serious vulnerability actively exploited in the wild. Organisations using SolarWinds Serv-U must prioritise patching to protect their systems. Enhancing security with passwordless systems is a proactive step in safeguarding your SolarWinds Serv-U environment. By implementing solutions like PureAuth, you can reduce the risk of exploitation from vulnerabilities like CVE-2024-28995 and ensure a more secure and user-friendly authentication process.

PuTTY Vulnerability Exposes Private Keys

Posted on by Srishti Chaubey

Introduction: Understanding the PuTTY Vulnerability

PuTTY, a widely-used SSH and Telnet client, contains a critical vulnerability, tracked as CVE-2024-31497, affecting versions 0.68 through 0.80. This flaw allows threat actors to potentially recover private keys used for cryptographic signatures, posing significant security risks. 

Exploring the Vulnerability: How Attackers Exploit PuTTY

The vulnerability arises from the biased generation of ECDSA nonces for the NIST P-521 curve, used in SSH authentication. Attackers can leverage this flaw to recover private keys by collecting cryptographic signatures, enabling unauthorised access to SSH servers or the ability to sign commits masquerading as legitimate users.

PuTTY Vulnerability Exposes Private Keys

Expert’s Insights

“PuTTY’s technique worked by making a SHA-512 hash and then reducing it mod q, where q is the order of the group used in the DSA system. For integer DSA (for which PuTTY’s technique was originally developed), q is about 160 bits; for elliptic-curve DSA (which came later), it has about the same number of bits as the curve modulus, so 256 or 384 or 521 bits for the NIST curves.”

“In all of those cases except P521, the bias introduced by reducing a 512-bit number mod q is negligible. But in the case of P521, where q has 521 bits (i.e. more than 512), reducing a 512-bit number mod q has no effect at all – you get a value of k whose top 9 bits are always zero.”

-PuTTY security advisory.

Impact and Implications: Risks Posed by the Flaw

The exploitation of this vulnerability can lead to severe consequences, including unauthorised access to sensitive systems, data breaches, and potential supply chain attacks. Affected software includes FileZilla, WinSCP, TortoiseGit, and TortoiseSVN, urging users to take immediate action.

The following software that uses the vulnerable PuTTY is confirmed as impacted:

  • FileZilla 3.24.1 – 3.66.5 (fixed in 3.67.0)
  • WinSCP 5.9.5 – 6.3.2 (fixed in 6.3.3)
  • TortoiseGit 2.4.0.2 – 2.15.0 (fixed in 2.15.0.1)
  • TortoiseSVN 1.10.0 – 1.14.6 (mitigation possible by configuring TortoiseSVN to use Plink from the latest PuTTY 0.81 release)

Mitigation and Resolution: Steps to Address the Vulnerability

In light of the vulnurability, users are advised do the following:

  1. Improved Randomness: Enhance the randomness of nonce generation by integrating a more robust cryptographic random number generator (RNG). This ensures nonces with sufficient entropy to prevent bias and enhances overall security.
  2. Different Hashing Algorithm: Consider utilising a different hashing algorithm or a combination of algorithms suitable for the NIST P-521 curve. Selecting a hash function compatible with curve parameters can mitigate bias introduced by modulo “q” reduction.
  3. Nonce Generation Scheme: Implement a nonce generation scheme independent of reducing the hash value modulo “q.” Develop a method to directly produce nonces within the defined range of “q” to preserve randomness and prevent bias.
  4. Comprehensive Review: Conduct a thorough review of the nonce generation process and cryptographic operations in PuTTY. Collaborate with security experts to identify and address any additional vulnerabilities or weaknesses, ensuring the fix is robust and effective.
  5. Update and Patch: Once a fix is developed, PuTTY would release a patch. Encourage users to upgrade to the latest version promptly to mitigate the vulnerability and enhance the security of their SSH connections.

Conclusion: Ensuring Security in SSH Environments

The PuTTY vulnerability underscores the importance of robust security measures in SSH environments. By staying informed and implementing necessary updates and precautions, organizations can bolster their defence against potential threats.

Read Also

Unveiling Terrapin: A New Threat to SSH Security

© 2024 | PureID. All Rights Reserved

Privacy & Terms | Licenses