DFSCoerce: A new NTLM relay attack can take control over a Windows domain
Description:
A new kind of Windows NTLM relay attack dubbed DFSCoerce has been uncovered that leverages the Distributed File System (DFS): Namespace Management Protocol (MS-DFSNM) to seize control of a domain. The attacker calls MS-DFSNM methods on a domain controller to coerce it into authenticating to an attacker-controlled host, and then relays that authentication elsewhere.
The NTLM (NT LAN Manager) relay attack is a well-known method that abuses NTLM's challenge-response exchange: because the client's response is not bound to the server it meant to reach, an attacker positioned between client and server can intercept a valid authentication and forward it to another service, gaining unauthorized access to network resources and, in Active Directory environments, an initial foothold.
By relaying an NTLM authentication request from a domain controller to the Certificate Authority Web Enrollment or the Certificate Enrollment Web Service on an AD CS system, an attacker can obtain a certificate for the domain controller's machine account, which can then be used to obtain a Ticket Granting Ticket (TGT) from the domain controller and act with its privileges.
Source:
New NTLM Relay Attack Lets Attackers Take Control Over Windows Domain (thehackernews.com)
Impact:
Successful exploitation of this attack lets an attacker take control over the Windows domain.
Suggestions and Recommendations:
To mitigate NTLM relay attacks against AD CS, Microsoft recommends enabling protections like Extended Protection for Authentication (EPA), SMB signing, and turning off HTTP on AD CS servers so that the enrollment endpoints are reachable only over HTTPS (the guidance in Microsoft's KB5005413). EPA binds the authentication to the TLS channel, so it only protects the enrollment endpoints when they are served over TLS; the two settings go together.
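Detection logic for the two halves of the chain described above (the MS-DFSNM coercion call and the relayed domain-controller authentication arriving at another host). This is an added example, not code from the original page or from the DFSCoerce proof of concept; the hostnames, addresses, field names and all records are constructed assumptions.

```python
"""Detection logic for the coercion-plus-relay chain described above.

Added example, not code from the original page or from the DFSCoerce PoC.
It checks two constructed record sets:
  1. RPC calls: an MS-DFSNM root add/remove (NetrDfsAddStdRoot or
     NetrDfsRemoveStdRoot, the kind of call a coercion tool issues) sent to
     a domain controller from a host that has no business managing DFS roots;
  2. logon events: a DC machine account authenticating over the network with
     NTLM from an address that is not that DC's own, which is what a relayed
     authentication looks like on the host receiving it (for example the
     AD CS web enrollment server).
Hostnames, addresses, field names and the records themselves are assumptions.
"""
from dataclasses import dataclass
from typing import Iterable, List

# Assumed inventory: DC machine accounts and the address each legitimately uses.
DOMAIN_CONTROLLERS = {"DC01$": "10.0.0.10", "DC02$": "10.0.0.11"}
# Assumed: hosts from which DFS root management calls are expected.
DFS_ADMIN_HOSTS = {"10.0.0.50"}
COERCION_OPS = {"NetrDfsAddStdRoot", "NetrDfsRemoveStdRoot"}


@dataclass(frozen=True)
class RpcCall:
    """One DCE/RPC call, loosely modelled on Zeek dce_rpc.log columns."""
    orig_h: str      # caller address
    resp_h: str      # server address
    endpoint: str    # interface name, "netdfs" for MS-DFSNM
    operation: str   # method name


@dataclass(frozen=True)
class Logon:
    """Subset of the fields in a Windows Security event 4624 (successful logon)."""
    computer: str        # host that recorded the event
    target_user: str     # TargetUserName, e.g. "DC01$"
    logon_type: int      # 3 = network
    auth_package: str    # AuthenticationPackageName
    ip_address: str      # IpAddress of the client


def dfs_coercion_attempts(calls: Iterable[RpcCall]) -> List[RpcCall]:
    """Return MS-DFSNM root add/remove calls aimed at a DC from an unexpected host."""
    dc_addresses = set(DOMAIN_CONTROLLERS.values())
    return [
        c for c in calls
        if c.endpoint == "netdfs"
        and c.operation in COERCION_OPS
        and c.resp_h in dc_addresses
        and c.orig_h not in DFS_ADMIN_HOSTS
    ]


def relayed_dc_logons(events: Iterable[Logon]) -> List[Logon]:
    """Return network NTLM logons of a DC machine account from an address that is not the DC's.

    A DC normally reaches other domain members with Kerberos from its own address;
    NTLM from somewhere else means its authentication was coerced and relayed.
    """
    hits = []
    for e in events:
        own_address = DOMAIN_CONTROLLERS.get(e.target_user)
        if own_address is None:
            continue                      # not a DC machine account
        if (e.logon_type == 3 and e.auth_package.upper() == "NTLM"
                and e.ip_address != own_address):
            hits.append(e)
    return hits


# Constructed sample data (not captured traffic or real events).
SAMPLE_CALLS = [
    RpcCall("10.0.0.77", "10.0.0.10", "netdfs", "NetrDfsRemoveStdRoot"),  # coercion
    RpcCall("10.0.0.50", "10.0.0.10", "netdfs", "NetrDfsAddStdRoot"),     # admin host
    RpcCall("10.0.0.77", "10.0.0.10", "netdfs", "NetrDfsEnum"),           # benign enum
    RpcCall("10.0.0.77", "10.0.0.20", "netdfs", "NetrDfsRemoveStdRoot"),  # not a DC
]
SAMPLE_LOGONS = [
    Logon("ADCS01", "DC01$", 3, "NTLM", "10.0.0.77"),      # relayed DC credential
    Logon("ADCS01", "DC01$", 3, "Kerberos", "10.0.0.10"),  # normal
    Logon("FS01", "DC02$", 3, "NTLM", "10.0.0.11"),        # NTLM but from DC02 itself
    Logon("ADCS01", "alice", 3, "NTLM", "10.0.0.77"),      # user account, out of scope
]

if __name__ == "__main__":
    for c in dfs_coercion_attempts(SAMPLE_CALLS):
        print(f"coercion: {c.orig_h} -> {c.resp_h} {c.operation}")
    for e in relayed_dc_logons(SAMPLE_LOGONS):
        print(f"relay: {e.target_user} via {e.auth_package} from {e.ip_address} on {e.computer}")
```

The second check is the more robust of the two: it fires for any coercion method (MS-DFSNM here, but equally the MS-EFSRPC and MS-RPRN variants) because it keys on the outcome, a DC machine account arriving over NTLM from the wrong address, rather than on the trigger. Tune `DFS_ADMIN_HOSTS` to the real set of management hosts before deploying the first check, or it will flag legitimate DFS administration.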
High-Severity RCE Vulnerability Reported in Popular Fastjson Library
Description:
A high-severity security vulnerability has been disclosed in the popular Fastjson library that could be potentially exploited to achieve remote code execution.
Tracked as CVE-2022-25845, the issue relates to a case of deserialization of untrusted data in a supported feature called "AutoType", which lets a "@type" key in the JSON select the class Fastjson instantiates.
This vulnerability affects all Java applications that rely on Fastjson versions 1.2.80 or earlier and that pass user-controlled data to either the JSON.parse or JSON.parseObject APIs without specifying a specific class to deserialize.
CVE_IDs:
- CVE-2022-25845
Source:
CVE-2022-25845 - Fastjson RCE vulnerability analysis (jfrog.com)
Impact:
The vulnerability could allow an attacker to perform remote command execution.
Suggestions and Recommendations:
The patch for the flaw has been released in Fastjson 1.2.83. We recommend users apply it; where an immediate upgrade is not possible, enable Fastjson's safeMode, which disables AutoType entirely, and always pass an explicit target class when parsing untrusted input.
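A pre-parse filter for the AutoType marker the description above refers to, as it would sit in a gateway in front of a Java service that still parses untrusted input without a target class. This is an added example, not code from the original page or from the Fastjson project; it is defence in depth only, not a replacement for the upgrade or safeMode, and the sample documents are constructed.

```python
"""Pre-parse filter for Fastjson AutoType markers.

Added example, not code from the original page or from the Fastjson project.
Fastjson's AutoType feature picks the class to instantiate from a "@type" key
in attacker-supplied JSON when the caller gives JSON.parse/JSON.parseObject no
target class. This filter, meant for a gateway in front of such a service,
refuses any document carrying that key at any depth. It is defence in depth
only: the real fix is upgrading and enabling Fastjson's safeMode. The sample
documents are constructed.
"""
import json
from typing import Any, Iterator, List, Tuple

AUTOTYPE_KEY = "@type"


def autotype_paths(node: Any, path: str = "$") -> Iterator[str]:
    """Yield a JSONPath-like location for every "@type" key, however deeply nested."""
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if key == AUTOTYPE_KEY:
                yield child
            yield from autotype_paths(value, child)
    elif isinstance(node, list):
        for index, item in enumerate(node):
            yield from autotype_paths(item, f"{path}[{index}]")


def check_for_autotype(raw: str) -> Tuple[bool, List[str]]:
    """Return (safe, findings).

    The document is parsed first and scanned afterwards so that escaped
    spellings of the key (e.g. "\\u0040type") are caught: the parser decodes
    them to "@type", whereas a regex over the raw text would miss them.
    Input that Python's strict parser rejects is treated as unsafe, because
    Fastjson accepts more lenient syntax than json.loads does and the filter
    must fail closed rather than pass what it could not inspect.
    """
    try:
        document = json.loads(raw)
    except ValueError as exc:
        return False, [f"rejected: not strict JSON ({exc})"]
    findings = list(autotype_paths(document))
    return not findings, findings


SAMPLE_DOCUMENTS = {  # constructed
    "plain":   '{"name": "alice", "roles": ["user"]}',
    "direct":  '{"@type": "com.example.Gadget", "cmd": "id"}',
    "nested":  '{"items": [{"id": 1}, {"meta": {"@type": "com.example.Gadget"}}]}',
    "escaped": '{"\\u0040type": "com.example.Gadget"}',
    "lenient": "{'name': 'alice'}",
}

if __name__ == "__main__":
    for label, doc in SAMPLE_DOCUMENTS.items():
        safe, findings = check_for_autotype(doc)
        print(f"{label:8s} safe={safe} {findings}")
```

The "escaped" sample is the reason to scan after parsing: the raw bytes never contain the literal string `@type`, yet Fastjson would decode the key and honour it. The "lenient" sample shows the fail-closed path; single-quoted JSON is accepted by Fastjson but not by a strict parser, so the filter rejects it rather than guessing.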
Critical Vulnerability Patched in Ninja Forms WordPress Plugin
Description:
WordPress websites using a widely used plugin named Ninja Forms have been updated automatically to remediate a critical security vulnerability that's suspected of having been actively exploited in the wild. Ninja Forms is a customizable contact form builder that has over 1 million installations.
The issue, which relates to a case of code injection, is rated 9.8 out of 10 for severity and affects multiple versions starting from 3.0. It has been fixed in 3.0.34.2, 3.1.10, 3.2.28, 3.3.21.4, 3.4.34.2, 3.5.8.4, and 3.6.11.
According to Wordfence, the bug “made it possible for unauthenticated attackers to call a limited number of methods in various Ninja Forms classes, including a method that unserialized user-supplied content, resulting in Object Injection”
Source:
PSA: Critical Vulnerability Patched in Ninja Forms WordPress Plugin (wordfence.com)
Impact:
This flaw could allow attackers to execute arbitrary code or delete arbitrary files on sites where a separate POP (property-oriented programming) gadget chain was present, typically supplied by another installed plugin or theme.
Suggestions and Recommendations:
WordPress may have performed a forced update, so your site may already be on one of the patched versions. If that is not the case, we strongly recommend upgrading to the latest version of Ninja Forms.
GitLab Issues Security Patch for Critical Account Takeover Vulnerability
Description:
GitLab has addressed a critical security flaw in its service that, if successfully exploited, could result in an account takeover.
Tracked as CVE-2022-1680, the flaw affects all versions of GitLab Enterprise Edition (EE) starting from 11.10 before 14.9.5, all versions starting from 14.10 before 14.10.4, and all versions starting from 15.0 before 15.0.1.
When group SAML SSO is configured, the SCIM feature may allow any owner of a Premium group to invite arbitrary users by username and email, then change those users' email addresses via SCIM to an attacker-controlled address and, in the absence of 2FA, take over those accounts.
CVE_IDs:
- CVE-2022-1680
Source:
GitLab Issues Security Patch for Critical Account Takeover Vulnerability
Impact:
Successful exploitation of the flaw could allow an attacker to take full control of the account.
Suggestions and Recommendations:
We strongly recommend that all installations running an affected version be upgraded to the latest version as soon as possible, and that 2FA be enforced for users, since the takeover depends on its absence.
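Affected-version checks for the Ninja Forms and GitLab advisories above, written to run over a software inventory. This is an added example, not code from either project or from the original page; the version ranges are the ones stated in the two descriptions, while the sample inventory and the treatment of branches the advisories do not mention are assumptions.

```python
"""Affected-version checks for the Ninja Forms and GitLab advisories above.

Added example, not code from either project or from the original page. The
version ranges are taken from the digest text; the inventory below and the
treatment of branches the advisories do not mention are assumptions.
"""
from typing import Dict, List, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """'14.9.5-ee' -> (14, 9, 5); tuples compare element-wise, so 3.4.34 < 3.4.34.2."""
    core = text.strip().split("-")[0]
    return tuple(int(part) for part in core.split("."))


# Ninja Forms: fixed release for each minor branch named in the advisory.
NINJA_FORMS_FIXED: Dict[Version, str] = {
    (3, 0): "3.0.34.2", (3, 1): "3.1.10", (3, 2): "3.2.28", (3, 3): "3.3.21.4",
    (3, 4): "3.4.34.2", (3, 5): "3.5.8.4", (3, 6): "3.6.11",
}


def ninja_forms_affected(version: str) -> bool:
    """Vulnerable if on a 3.x branch listed above and below that branch's fixed release."""
    v = parse_version(version)
    if v < (3, 0):
        return False                 # advisory: affected versions start at 3.0
    fixed = NINJA_FORMS_FIXED.get(v[:2])
    if fixed is None:
        return False                 # assumption: a branch newer than 3.6 postdates the fix
    return v < parse_version(fixed)


# GitLab CVE-2022-1680: [lower, upper) ranges from the advisory.
GITLAB_AFFECTED: List[Tuple[str, str]] = [
    ("11.10", "14.9.5"), ("14.10", "14.10.4"), ("15.0", "15.0.1"),
]


def gitlab_affected(version: str) -> bool:
    """Vulnerable if the version falls inside any of the advisory's half-open ranges."""
    v = parse_version(version)
    return any(parse_version(lo) <= v < parse_version(hi) for lo, hi in GITLAB_AFFECTED)


CHECKS = {"ninja-forms": ninja_forms_affected, "gitlab": gitlab_affected}


def triage(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, bool]]:
    """Tag each (product, version) pair as affected or not; an unknown product raises KeyError."""
    return [(product, version, CHECKS[product](version)) for product, version in inventory]


SAMPLE_INVENTORY = [  # constructed
    ("ninja-forms", "3.6.10"), ("ninja-forms", "3.6.11"), ("ninja-forms", "3.4.34"),
    ("ninja-forms", "2.9.50"), ("gitlab", "14.9.4-ee"), ("gitlab", "14.10.4"),
    ("gitlab", "15.0.0"), ("gitlab", "11.9.9"),
]

if __name__ == "__main__":
    for product, version, affected in triage(SAMPLE_INVENTORY):
        print(f"{product:12s} {version:10s} {'AFFECTED' if affected else 'ok'}")
```

A hit means "running an affected release", not "exploitable": the GitLab issue additionally needs group SAML SSO with SCIM, a group owner, and a target account without 2FA, and the Ninja Forms object injection only reaches code execution or file deletion when a gadget chain is present on the site. Treat the output as the patch queue, not the incident list.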