Archie Ross
May 15, 2023
8 Min Read

Threat Report 15.05.23

1. Widely used WordPress plugin being actively exploited

A recent security vulnerability has been discovered in the popular WordPress plugin Essential Addons for Elementor. The issue, which is tracked as CVE-2023-32243, could allow attackers to gain elevated privileges on affected websites. This could lead to a total takeover of the website if an attacker is able to reset the password of an administrator account. The plugin maintainers have addressed this issue in version 5.7.2, which was released on May 11, 2023. Essential Addons for Elementor is a widely used plugin, with over one million active installations.

According to Patchstack researcher Rafie Muhammad:

"This plugin suffers from an unauthenticated privilege escalation vulnerability and allows any unauthenticated user to escalate their privilege to that of any user on the WordPress site."

The flaw could be exploited by an attacker to reset the password of any user, as long as they know the username. This vulnerability has existed since version 5.4.0 of the plugin.

It is essential that users of the Essential Addons for Elementor plugin update to the latest version to avoid exploitation of this vulnerability. Wordfence has reported that the vulnerability is being actively exploited in the wild, with the security company blocking 200 attacks targeting the flaw in the past 24 hours.
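A defender-side check for this item, added here as an example and not code from the report or the plugin: it reads the WordPress plugin header of a plugin's main PHP file and flags a version inside the affected range the report gives (introduced in 5.4.0, fixed in 5.7.2). The sample header is constructed; the plugin's real file path is not assumed.

```python
import re
import sys
from pathlib import Path

# Affected range for CVE-2023-32243 as stated in the report:
# introduced in 5.4.0, fixed in 5.7.2 (vulnerable: 5.4.0 <= v < 5.7.2).
FIRST_AFFECTED = (5, 4, 0)
FIXED_IN = (5, 7, 2)

# Constructed sample of a WordPress plugin header comment (the block
# WordPress itself parses to learn a plugin's name and version).
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: Essential Addons for Elementor
 * Version: 5.6.1
 */
"""


def parse_version(text: str):
    """Return the 'Version:' header as a (major, minor, patch) tuple, or None."""
    m = re.search(r"^\s*\*?\s*Version:\s*([0-9]+(?:\.[0-9]+)*)", text, re.MULTILINE)
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")]
    while len(parts) < 3:  # treat "5.7" as 5.7.0
        parts.append(0)
    return tuple(parts[:3])


def is_affected(version) -> bool:
    """True when the version falls inside the vulnerable range."""
    return FIRST_AFFECTED <= version < FIXED_IN


def check_plugin_file(path: Path) -> str:
    """Audit one plugin main file and return a one-line verdict."""
    text = path.read_text(encoding="utf-8", errors="replace")
    version = parse_version(text)
    if version is None:
        return "unknown: no Version header found"
    label = "VULNERABLE, update to 5.7.2 or later" if is_affected(version) else "ok"
    return ".".join(map(str, version)) + ": " + label


if __name__ == "__main__":
    # Usage: python audit.py /path/to/wp-content/plugins/<plugin>/<main>.php ...
    for arg in sys.argv[1:]:
        print(arg, check_plugin_file(Path(arg)))
```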

In addition to this vulnerability, a new wave of attacks targeting WordPress sites with the SocGholish malware has been detected since late March 2023. The malware, which is designed to provide initial access to compromised websites and inject additional malware, has been distributed via drive-by downloads that masquerade as a web browser update. The latest campaign detected by Sucuri uses zlib compression to conceal the malware, reduce its footprint, and avoid detection.

Sucuri researcher Denis Sinegubko warned:

"Bad actors are continually evolving their tactics, techniques, and procedures to evade detection and prolong the life of their malware campaigns. SocGholish malware is a prime example of this, as attackers have altered their approach in the past to inject malicious scripts into compromised WordPress websites."

It is important for website owners to remain vigilant and keep their WordPress installations and plugins up-to-date to avoid falling victim to these types of attacks. It is also recommended to use strong and unique passwords, and to implement multi-factor authentication where possible. By taking these steps, website owners can help protect their websites and data from cyber threats.

2. Microsoft’s May 2023 Patch Tuesday Addresses 38 Security Flaws, Including Actively Exploited Zero-Days

Microsoft has released its May 2023 Patch Tuesday updates to address 38 security flaws, including two zero-day vulnerabilities that are being actively exploited in the wild. Trend Micro's Zero Day Initiative (ZDI) highlighted that the number of vulnerabilities is the lowest since August 2021, although it pointed out that the number is expected to increase in the coming months. Of the 38 vulnerabilities, six are classified as critical, and 32 are rated as important. Microsoft has tagged eight of the flaws with an "Exploitation More Likely" assessment.

One of the critical vulnerabilities is CVE-2023-29336, a privilege escalation flaw in Win32k that is currently under active exploitation. An attacker who successfully exploits this vulnerability could gain SYSTEM privileges, Microsoft said. This development has led the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add the flaw to its Known Exploited Vulnerabilities (KEV) catalog and urge organizations to apply vendor fixes by May 30, 2023.

Microsoft has also addressed 18 other flaws in its Chromium-based Edge browser following the April Patch Tuesday updates. The most notable vulnerability in the May updates is a critical remote code execution flaw affecting Windows OLE (CVE-2023-29325) that can be exploited by sending a specially crafted email to the victim. Microsoft is recommending that users read email messages in plain text format to protect against this vulnerability.

The second publicly known vulnerability is CVE-2023-24932, a Secure Boot security feature bypass that's weaponized by the BlackLotus UEFI bootkit to exploit CVE-2022-21894, which was resolved in January 2022. The fix shipped by Microsoft is disabled by default and requires customers to manually apply the revocations, but not before updating all bootable media.

Microsoft has cautioned that, once applied, the mitigation for this issue cannot be reverted if the device continues to use Secure Boot, even after reformatting the disk. Microsoft is taking a phased approach to completely plug the attack vector to avoid unintended disruption risks, an exercise that's expected to stretch until the first quarter of 2024.

3. Private Code Signing Keys of MSI Leaked by Ransomware Attackers

Last month, Taiwanese PC maker MSI suffered a ransomware attack that resulted in the leak of the company's private code signing keys by the threat actors behind the attack. The leaked keys were posted on a dark website, causing concern among security experts and the wider tech community.

According to Alex Matrosov, founder and CEO of firmware security firm Binarly, the leaked data includes firmware image signing keys for 57 PCs and private signing keys for Intel Boot Guard used on 116 MSI products. This is believed to have a significant impact on the entire ecosystem, with Matrosov stating that:

"it appears that Intel Boot Guard may not be effective on certain devices based on the 11th Tiger Lake, 12th Alder Lake, and 13th Raptor Lake."

Intel Boot Guard is a hardware-based security technology that's designed to protect computers against executing tampered UEFI firmware. The leak of the Boot Guard keys could potentially allow threat actors to sign malicious updates and other payloads and deploy them on targeted systems without raising any red flags. This poses a significant risk as it undermines a vital firmware integrity check.

The impact of the MSI data breach is believed to extend beyond MSI itself, with several device vendors such as Intel, Lenovo, and Supermicro believed to be affected. However, Supermicro has stated that its products are not affected by the leak of the Boot Guard keys.

This is not the first time that UEFI firmware code has entered the public domain. In October 2022, Intel acknowledged the leak of Alder Lake BIOS source code by a third party, which also included the private signing key used for Boot Guard.

In response to the leak of the MSI private signing keys, Intel has stated that it is aware of the reports and actively investigating the matter. However, it also noted that the Boot Guard OEM keys are generated by the system manufacturer and are not Intel signing keys.

MSI, in a regulatory filing, stated that:

"the affected systems have gradually resumed normal operations, with no significant impact on financial business."

However, it urged users to obtain firmware/BIOS updates only from its official website and refrain from downloading files from other sources.

This incident serves as a reminder of the ongoing threat of ransomware attacks and the importance of taking cybersecurity measures seriously. With the leak of private code signing keys, it's essential that device vendors and users alike remain vigilant and take all necessary steps to protect their systems and data from potential threats.