DFSCoerce-A new NTLM relay attack can take control over a Windows domain

Description:

A new kind of Windows NTLM relay attack dubbed DFSCoerce has been uncovered that leverages the Distributed File System (DFS): Namespace Management Protocol (MS-DFSNM) to seize control of a domain.

The NTLM (NT LAN Manager) relay attack is a well-known method that exploits the challenge-response mechanism. It allows malicious parties to sit between clients and servers and intercept and relay validated authentication requests in order to gain unauthorized access to network resources, effectively gaining an initial foothold in Active Directory environments.

By relaying an NTLM authentication request from a domain controller to the Certificate Authority Web Enrollment or the Certificate Enrollment Web Service on an AD CS system, an attacker can obtain a certificate that can be used to obtain a Ticket Granting Ticket (TGT) from the domain controller.

Source: 

New NTLM Relay Attack Lets Attackers Take Control Over Windows Domain (thehackernews.com)

Impact: 

On successful exploitation of this attack, an attacker can take control over the Windows domain.

Suggestions and Recommendations: 

To mitigate NTLM relay attacks, Microsoft recommends enabling protections like Extended Protection for Authentication (EPA), SMB signing, and turning off HTTP on AD CS servers.

High-Severity RCE Vulnerability Reported in Popular Fastjson Library

Description:

A high-severity security vulnerability has been disclosed in the popular Fastjson library that could be potentially exploited to achieve remote code execution.

Tracked as CVE-2022-25845, the issue relates to a case of deserialization of untrusted data in a supported feature called "AutoType".

This vulnerability affects all Java applications that rely on Fastjson versions 1.2.80 or earlier and that pass user-controlled data to either the JSON.parse or JSON.parseObject APIs without specifying a target class to deserialize into.
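The following is an added illustration (not code from the advisory or from the Fastjson project) of the affected call pattern next to its hardened form; it assumes the public Fastjson API (JSON.parse, JSON.parseObject, ParserConfig.setSafeMode) and a hypothetical Greeting class as the expected payload type.

```java
import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.parser.ParserConfig;

public class FastjsonHardening {
    // Hypothetical plain data class that the application actually expects.
    public static class Greeting {
        private String name;
        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
    }

    // Affected pattern described above: untrusted text reaches JSON.parse
    // with no target class, so the class to instantiate is decided by the
    // document itself through AutoType.
    public static Object parseUntyped(String untrusted) {
        return JSON.parse(untrusted);
    }

    // Hardened pattern: bind the input to one concrete, expected class so the
    // caller, not the JSON document, decides what gets instantiated.
    public static Greeting parseTyped(String untrusted) {
        return JSON.parseObject(untrusted, Greeting.class);
    }

    public static void main(String[] args) {
        // Defence in depth alongside upgrading past 1.2.80: safeMode switches
        // AutoType off entirely for this process.
        ParserConfig.getGlobalInstance().setSafeMode(true);

        String input = "{\"name\":\"alice\"}"; // constructed sample input
        Greeting g = parseTyped(input);
        System.out.println("parsed name: " + g.getName());
    }
}
```

With safeMode on, any input that tries to select a class through AutoType is rejected regardless of which parse method the application calls.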

CVE_IDs: 

  • CVE-2022-25845

Source: 

CVE-2022-25845 - Fastjson RCE vulnerability analysis (jfrog.com)

Impact: 

The vulnerability could have allowed an attacker to perform remote command execution.

Suggestions and Recommendations: 

A patch for the flaw has been released. We recommend that users apply the patches.

Critical Vulnerability Patched in Ninja Forms WordPress Plugin

Description:

WordPress websites using a widely used plugin named Ninja Forms have been updated automatically to remediate a critical security vulnerability that's suspected of having been actively exploited in the wild. Ninja Forms is a customizable contact form builder that has over 1 million installations.

The issue, which relates to a case of code injection, is rated 9.8 out of 10 for severity and affects multiple versions starting from 3.0. It has been fixed in 3.0.34.2, 3.1.10, 3.2.28, 3.3.21.4, 3.4.34.2, 3.5.8.4, and 3.6.11.

According to Wordfence, the bug “made it possible for unauthenticated attackers to call a limited number of methods in various Ninja Forms classes, including a method that unserialized user-supplied content, resulting in Object Injection”.

Source: 

PSA: Critical Vulnerability Patched in Ninja Forms WordPress Plugin (wordfence.com)

Impact: 

This flaw could allow attackers to execute arbitrary code or delete arbitrary files on sites where a separate POP chain was present.

Suggestions and Recommendations: 

WordPress may have performed a forced update, so your site may already be on one of the patched versions. If that is not the case, we strongly recommend that users upgrade to the latest version of Ninja Forms.

GitLab Issues Security Patch for Critical Account Takeover Vulnerability

Description:

GitLab has addressed a critical security flaw in its service that, if successfully exploited, could result in an account takeover.

Tracked as CVE-2022-1680, the security flaw affects all versions of GitLab Enterprise Edition (EE) starting from 11.10 before 14.9.5, all versions starting from 14.10 before 14.10.4, and all versions starting from 15.0 before 15.0.1.

When group SAML SSO is configured, the SCIM feature may allow any owner of a Premium group to invite arbitrary users through their username and email, then change those users' email addresses via SCIM to an attacker-controlled email address and thus, in the absence of 2FA, take over those accounts.

CVE_IDs: 

  • CVE-2022-1680

Source: 

GitLab Issues Security Patch for Critical Account Takeover Vulnerability

Impact: 

Successful exploitation of the flaw could allow an attacker to take full control of the account.

Suggestions and Recommendations: 

We strongly recommend that all installations running an affected version be upgraded to the latest version as soon as possible.

Monal Tech, Arjun Aryal 26 June, 2022