Oct 02, 2023 | THN | Vulnerability / Cyber Attack
A high-severity security flaw has been disclosed in the open-source OpenRefine data cleanup and transformation tool that could result in arbitrary code execution on affected systems.
Tracked as CVE-2023-37476 (CVSS score: 7.8), the vulnerability is a Zip Slip vulnerability that could have adverse impacts when importing a specially crafted project in versions 3.7.3 and below.
“Although OpenRefine is designed to only run locally on a user’s machine, an attacker can trick a user into importing a malicious project file,” Sonar security researcher Stefan Schiller said in a report published last week. “Once this file is imported, the attacker can execute arbitrary code on the user’s machine.”
Software susceptible to Zip Slip vulnerabilities can pave the way for code execution by taking advantage of a directory traversal bug that an attacker can exploit to gain access to parts of the file system that should otherwise be out of reach.
The attack is built on two moving parts: a malicious archive and extraction code that does not perform adequate validation checking, which could allow for overwriting files or unpacking them to unintended locations.
The extracted files can either be invoked remotely by the adversary or by the system (or user), resulting in command execution on the victim’s machine.
The vulnerability identified in OpenRefine is along similar lines in that the “untar” method for extracting the files from the archive enables a bad actor to write files outside the destination folder by creating an archive with a file named “../../../../tmp/pwned.”
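The validation the “untar” method lacked, as an added Python example that is not OpenRefine’s code: it builds a constructed tar archive in memory with one benign entry and one entry named like the traversal path above, then extracts only members whose resolved path stays inside the destination directory and reports the rest. The names BENIGN, TRAVERSAL, is_within and safe_extract are this example’s own.

```python
import io
import os
import tarfile
import tempfile

# Constructed sample entries (not the real PoC): one benign project file and
# one whose name climbs out of the extraction directory, as in the advisory.
BENIGN = "project/metadata.json"
TRAVERSAL = "../../../../tmp/pwned"

def build_sample_tar() -> bytes:
    """Build the constructed archive in memory so the check runs offline."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, payload in ((BENIGN, b"{}"), (TRAVERSAL, b"x")):
            info = tarfile.TarInfo(name=name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()

def is_within(dest_dir: str, member_name: str) -> bool:
    """True only if the member's fully resolved path stays inside dest_dir.
    realpath collapses '..' segments; os.path.join discards dest_dir when the
    member name is absolute, so absolute names are rejected as well."""
    dest = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(dest, member_name))
    return os.path.commonpath([dest, target]) == dest

def safe_extract(tar_bytes: bytes, dest_dir: str) -> dict:
    """Write only regular files that resolve inside dest_dir; list the rest."""
    result = {"extracted": [], "rejected": []}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        for m in tar.getmembers():
            # Links and special entries are refused outright: a symlink written
            # first could redirect a later "safe" path outside dest_dir.
            if not m.isfile() or not is_within(dest_dir, m.name):
                result["rejected"].append(m.name)
                continue
            target = os.path.realpath(os.path.join(dest_dir, m.name))
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as out:
                out.write(tar.extractfile(m).read())
            result["extracted"].append(m.name)
    return result

def demo() -> dict:
    """Run the check against the sample archive in a throwaway directory."""
    with tempfile.TemporaryDirectory() as d:
        return safe_extract(build_sample_tar(), d)
```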
Following responsible disclosure on July 7, 2023, the vulnerability was patched in version 3.7.4, released on July 17, 2023.
“The vulnerability gives attackers a strong primitive: writing files with arbitrary content to an arbitrary location on the filesystem,” Schiller said.
“For applications running with root privileges, there are dozens of possibilities to turn this into arbitrary code execution on the operating system: adding a new user to the passwd file, adding an SSH key, creating a cron job, and more.”
The disclosure comes as proof-of-concept (PoC) exploit code has surfaced for a pair of now-patched flaws in Microsoft SharePoint Server – CVE-2023-29357 (CVSS score: 9.8) and CVE-2023-24955 (CVSS score: 7.2) – that could be chained to achieve privilege escalation and remote code execution.
It also follows an alert from Cyfirma warning of a high-severity bug in Apache NiFi (CVE-2023-34468, CVSS score: 8.8) that allows remote code execution via malicious H2 database connection strings. It has been resolved in Apache NiFi 1.22.0.
“The impact of this vulnerability is severe, as it grants attackers the ability to gain unauthorized access to systems, exfiltrate sensitive data, and execute malicious code remotely,” the cybersecurity firm said. “An attacker could exploit this flaw to compromise data integrity, disrupt operations, and potentially cause financial and reputational damage.”