Urgent: Critical RCE Vulnerability in ForgeRock Access Manager Under Active Exploitation

Cybersecurity agencies in Australia and the U.S. are sounding the alarm about a serious vulnerability in ForgeRock’s OpenAM access management system, which is being actively exploited to execute remote code on compromised systems. The Australian Cyber Security Centre (ACSC) has reported that threat actors are leveraging this flaw to infiltrate multiple hosts, deploying additional malware and tools. However, details regarding the nature and scope of the attacks, as well as the identities of the perpetrating actors, remain undisclosed.

Identified as CVE-2021-35464, this vulnerability is a pre-authentication remote code execution (RCE) flaw linked to unsafe Java deserialization in the Jato framework used by ForgeRock Access Manager. Exploiting this vulnerability allows attackers to execute commands within the context of the current user rather than as a root user.

Critical RCE Vulnerability in ForgeRock Access Manager Under Active Exploitation

On July 13, 2021, cybersecurity agencies from Australia and the United States issued a serious warning regarding an actively exploited vulnerability within ForgeRock’s OpenAM access management solution. This security flaw could allow attackers to execute arbitrary code on affected systems from a remote location. The Australian Cyber Security Centre (ACSC) has reported observing malicious actors leveraging this vulnerability to infiltrate multiple hosts and deploy additional malware and tools. However, the alert did not specify the nature of these attacks, their extent, or the identities of the threat actors involved.

Designated as CVE-2021-35464, this vulnerability involves a pre-authentication remote code execution (RCE) issue within the ForgeRock Access Manager, which is critical for identity and access management. The root of the problem lies in an unsafe Java deserialization process within the Jato framework utilized by the software. This design oversight poses significant risks, as an attacker exploiting the vulnerability could execute commands in the context of the current user rather than as a system’s privileged root user, potentially leading to severe consequences for compromised systems.

The targets of this attack appear primarily to be organizations using ForgeRock’s solutions, which are prevalent among enterprises relying on robust identity management systems to control access to sensitive information. As such, businesses particularly in the technology, finance, and health sectors may find themselves in the crosshairs of these evolving threats.

Both the ACSC and its U.S. counterparts are particularly concerned with the potential for this vulnerability to facilitate a range of adversarial tactics as outlined in the MITRE ATT&CK framework. Notably, the initial access tactic could enable attackers to gain entry into secure environments, while subsequent actions might include persistence techniques to maintain footholds within the affected networks. Moreover, the vulnerability allows for privilege escalation, which can enhance attackers’ control over compromised systems, further exacerbating the risks.

Organizations are urged to take immediate precautionary measures, including assessing their systems for the presence of this vulnerability and implementing robust security protocols to mitigate exposure. Patching the affected software is paramount, as well as instituting monitoring and detection mechanisms to identify any unauthorized access attempts or compromise indicators.

In a landscape where cyber threats are becoming increasingly sophisticated, the situation surrounding this vulnerability serves as a stark reminder of the importance of maintaining up-to-date security practices. Business owners must stay vigilant and informed about such risks to safeguard their critical infrastructure and protect sensitive data from potential breaches.

As more information becomes available, organizations must remain proactive in understanding the implications of this vulnerability and adopt comprehensive cybersecurity strategies to shield themselves from a variety of potential exploitative tactics identified in frameworks such as MITRE ATT&CK. The evolving nature of cyber threats demands an equally dynamic response to ensure organizational resilience against ongoing and future attacks.

Source link

Related Posts

Critical Windows Update: Address 117 Security Flaws, Including 9 Active Zero-Days

July 14, 2021

Microsoft has released its July Patch Tuesday updates, addressing a total of 117 security vulnerabilities, among which are nine zero-day flaws—four of which are currently being exploited in the wild, potentially allowing attackers to gain control of affected systems. Out of these vulnerabilities, 13 are classified as Critical, 103 as Important, and one as Moderate in severity. Notably, six of these vulnerabilities were publicly known at the time of the update.

The updates affect a wide range of Microsoft products, including Windows, Bing, Dynamics, Exchange Server, Office, the Scripting Engine, Windows DNS, and Visual Studio Code. This month saw a significant increase in the number of vulnerabilities patched, surpassing the totals from May (55) and June (50).

Among the most critical actively exploited vulnerabilities are:

  • CVE-2021-34527 (CVSS Score: 8.8) – Windows Print Spooler Remote Code Execution…

Microsoft Alerts Users to Unpatched Vulnerability in Windows Print Spooler

On July 16, 2021, Microsoft issued new guidance about a vulnerability in the Windows Print Spooler service, stating that it is working on a fix for an upcoming security update. Identified as CVE-2021-34481 (CVSS score: 7.8), this local privilege escalation flaw can be exploited for unauthorized actions on affected systems. The vulnerability was discovered and reported by security researcher Jacob Baines.

According to Microsoft’s advisory, “An elevation of privilege vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploits this vulnerability could execute arbitrary code with SYSTEM privileges.” This would allow them to install software, access, modify, or delete data, and create new accounts with full user rights. It is important to note that successful exploitation requires the attacker to have specific conditions met.

Important: Update Your Chrome Browser to Fix New Zero-Day Vulnerability

Jul 16, 2021

Google has released a critical security update for the Chrome browser on Windows, Mac, and Linux, addressing several vulnerabilities, including a zero-day being actively exploited. This latest patch resolves eight issues, notably a type confusion vulnerability in the V8 open-source and JavaScript engine (CVE-2021-30563). An anonymous researcher reported this flaw on July 12.

In light of the ongoing threat, Google issued a brief statement confirming that “an exploit for CVE-2021-30563 exists in the wild,” but refrained from providing specific details about the vulnerability to prevent further misuse. This marks the ninth zero-day flaw addressed by Google this year, highlighting the ongoing risks to Chrome users.

Israeli Company Aided Governments in Targeting Journalists and Activists with Zero-Day Exploits and Spyware

Two recently patched zero-day vulnerabilities in Windows, addressed in Microsoft’s Patch Tuesday update, were reportedly exploited by the Israeli firm Candiru in a series of targeted attacks on over 100 journalists, academics, activists, and political dissidents worldwide. This spyware vendor has also been identified by Google’s Threat Analysis Group (TAG) as having exploited various zero-day vulnerabilities in the Chrome browser to compromise targets in Armenia, according to a report by the University of Toronto’s Citizen Lab. Citizen Lab researchers noted that “Candiru’s widespread presence and the use of its surveillance technology against global civil society highlight the significant risks posed by the mercenary spyware industry, which is rife with potential for abuse.”