You stand on the platform, the distant hum of the approaching train sending a thrill down your spine. The station is alive with a quiet anticipation, the kind that buzzes with the promise of discovery. You check your watch—right on time. As the Cybersecurity Express pulls into view, sleek and gleaming, you know you’re about to embark on a journey filled with the latest in digital defense, a voyage through the unseen realms of cyber threats and the countermeasures that keep our virtual world safe.
The doors slide open with a whisper, inviting you to step aboard. As you find your seat by the window, the conductor tips his hat, signaling that the journey is about to begin. The landscape of the digital world stretches out before you, each stop promising insights and revelations into the ever-evolving world of cybersecurity. You’re not just a passenger on this train; you’re a participant in the unfolding story of technology, security, and the endless battle to protect the virtual spaces we all inhabit. The first stop is just ahead—are you prepared?
A critical security flaw in the popular GiveWP donation and fundraising WordPress plugin has exposed over 100,000 websites to potential remote code execution (RCE). Tracked as CVE-2024-5932 and assigned the maximum CVSS score of 10.0, the vulnerability is a PHP Object Injection issue caused by the deserialization of untrusted input supplied through the ‘give_title’ parameter. It comes only days after the InPost PL and InPost for WooCommerce WordPress plugins were found to carry a flaw of equal severity, CVE-2024-6500 (CVSS 10.0), which allowed unauthenticated attackers to read and delete arbitrary files, including wp-config.php.
The vulnerability was discovered by security researcher villu164 and reported through the Wordfence Bug Bounty Program. Because donation forms are reachable without logging in, an unauthenticated attacker can inject a serialized PHP object through the ‘give_title’ parameter. On its own, object injection only instantiates a class; what makes this critical is that the plugin also contains a usable Property-Oriented Programming (POP) chain, so the injected object’s properties can be steered into code paths that execute arbitrary code or delete files on the server.
The root of the flaw lies in the function give_process_donation_form(), which validates and sanitizes the data submitted through donation forms. The function does not properly sanitize the ‘give_title’ parameter: generic text cleaning leaves a serialized string intact, which is why sanitizing for HTML or whitespace is not a defense against this class of bug. After the form data is processed, the values, including the attacker-supplied title, are passed to various functions that handle payment and user data. Those functions ultimately deserialize the stored title, so the attacker controls the properties of the object that PHP reconstructs and, through the POP chain, the code that runs on the server.
For instance, by controlling the deserialized object’s properties, an attacker can chain together existing code fragments to achieve remote code execution or to delete critical files. Deleting wp-config.php forces the site back into its installation state, which can let the attacker complete the setup wizard against a remote database under their control and take over the site.
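To make the mechanism concrete, here is an added PHP illustration. It is not GiveWP’s code and does not reproduce the real POP chain: the `LogCleaner` gadget class, the `looks_serialized()` stand-in for the serialized-string check in WordPress’s maybe_unserialize(), and the temporary file standing in for wp-config.php are all assumptions made for the example. It runs from the command line with PHP 8 or later.

```php
<?php
declare(strict_types=1);

// Hypothetical gadget class. It stands in for the real POP chain (not reproduced
// here): any loaded class whose magic method acts on attacker-controlled properties.
final class LogCleaner
{
    public string $path = '';

    public function __destruct()
    {
        // Runs automatically when the object is released. With an attacker-chosen
        // $path this is arbitrary file deletion.
        if ($this->path !== '' && is_file($this->path)) {
            unlink($this->path);
        }
    }
}

// Stand-in for the "looks serialized, so unserialize it" behaviour of
// WordPress's maybe_unserialize().
function looks_serialized(string $s): bool
{
    return (bool) preg_match('/^(?:[aOsibd]:|N;)/', $s);
}

// Vulnerable pattern: generic text sanitising leaves a serialized string intact,
// and a later processing step hands it to unserialize().
function vulnerable_process_title(string $title): mixed
{
    $stored = trim(strip_tags($title));           // sanitize_text_field()-style cleaning
    return looks_serialized($stored) ? unserialize($stored) : $stored;
}

// Hardened pattern: a title is plain text, so refuse anything serialized-looking
// before it is stored or processed.
function hardened_process_title(string $title): string
{
    if (looks_serialized($title)) {
        throw new InvalidArgumentException('serialized data is not a valid title');
    }
    return trim(strip_tags($title));
}

// Defence in depth where unserialize() on stored data cannot be removed:
// allowed_classes=false turns any object into __PHP_Incomplete_Class, so no
// __wakeup()/__destruct() of a real class ever runs.
function safe_unserialize(string $s): mixed
{
    return unserialize($s, ['allowed_classes' => false]);
}

// --- demonstration on a constructed stand-in for wp-config.php ---
$victim = tempnam(sys_get_temp_dir(), 'wp-config-');
file_put_contents($victim, "<?php // constructed stand-in for wp-config.php\n");

// The payload an attacker would submit as give_title: a serialized gadget
// whose property points at the file to delete.
$gadget = new LogCleaner();
$gadget->path = $victim;
$payload = serialize($gadget);   // serialized LogCleaner carrying the victim path
$gadget->path = '';              // neutralise the local copy so only the injected object fires

$obj = vulnerable_process_title($payload);
unset($obj);                     // destructor fires here
printf("vulnerable path: file still exists? %s\n", file_exists($victim) ? 'yes' : 'no');

file_put_contents($victim, "<?php // constructed stand-in for wp-config.php\n");
try {
    hardened_process_title($payload);
} catch (InvalidArgumentException $e) {
    printf("hardened path: rejected (%s)\n", $e->getMessage());
}

$incomplete = safe_unserialize($payload);
printf("allowed_classes=false: class is %s\n", get_class($incomplete));
unset($incomplete);
printf("after safe_unserialize: file still exists? %s\n", file_exists($victim) ? 'yes' : 'no');

unlink($victim);
```

The vulnerable path shows why generic text sanitising is not a fix: the serialized string passes through untouched, the object is instantiated later, and the gadget’s destructor does the damage when the object is released. The hardened version rejects serialized-looking input at the boundary; `allowed_classes => false` is the fallback for places where unserialize() on stored data cannot be removed, since an incomplete class has no magic methods to abuse.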
The vulnerability affects GiveWP versions up to and including 3.14.1. A patch was released in version 3.14.2 on August 7, 2024. As of the latest statistics, over 60,000 downloads of the patched version have been recorded, but with more than 100,000 active installations a significant number of sites are likely still running a vulnerable version.
Some of the other security flaws resolved in various WordPress plugins are listed below –
Given the severity of this flaw, site administrators should update GiveWP to the latest version immediately. The disclosure also follows recent reports of other critical vulnerabilities in WordPress plugins, underscoring the importance of keeping every component of a WordPress site, core, themes and plugins alike, up to date.
Microchip Technology Inc. (NASDAQ: MCHP), a prominent US-based semiconductor supplier, recently disclosed a significant cyberattack that has disrupted operations at several of its manufacturing facilities. The company detected unusual activity on its IT systems on August 17, and by August 19 it had determined that the intrusion affected certain servers and some business operations. At the time of writing, https://www.microchipdirect.com/ is down, although it is unclear whether this is related to the breach.
In response, Microchip swiftly isolated the affected systems, with some being completely shut down to prevent further damage. The company has engaged external cybersecurity experts to assist in investigating the breach and to help restore normal operations. According to a regulatory filing, the attack has forced some of the company’s manufacturing facilities to operate below normal capacity, which has subsequently impacted its ability to fulfill customer orders.
Microchip, which serves approximately 123,000 customers across sectors including industrial, automotive, aerospace, and defense, has not yet determined the full scope or financial impact of the incident. The disclosure was made under SEC rules that require public companies to report a material cybersecurity incident on Form 8-K within four business days of determining that it is material. The company has not confirmed the nature of the attack, but the pattern of isolated and shut-down systems and reduced manufacturing capacity is consistent with a ransomware incident. No ransomware group has claimed responsibility so far, which is common while negotiations are still ongoing.
This incident adds to a growing list of cybersecurity challenges faced by US semiconductor manufacturers this year. Notably, Advanced Micro Devices (AMD) also reported earlier this year that it was investigating claims of data theft due to a cyberattack. The timing of the attack on Microchip is particularly challenging, as the company is already navigating a slowdown in chip orders, attributed to customers managing excess inventory from the COVID-19 pandemic.
Microchip was recently designated a CVE Numbering Authority (CNA), which authorizes it to assign CVE identifiers to vulnerabilities in its own products; the disclosure obligations of a vendor with that role, and of a supplier to aerospace and defense customers, make the incident’s handling worth watching. The company says it is working to bring its systems back online and minimize the impact on its operations.
Security researchers have uncovered a significant backdoor in millions of RFID smart cards produced by Shanghai Fudan Microelectronics Group, one of China’s foremost chip manufacturers. This backdoor vulnerability allows for the rapid and unauthorized cloning of these cards, which are widely used for access control in industries such as hospitality and public transportation.
The flaw primarily affects the FM11RF08S variant of the MIFARE Classic card family, released by Shanghai Fudan Microelectronics in 2020. MIFARE Classic, originally launched by Philips (now NXP Semiconductors) in 1994, has been broken repeatedly over the years. The FM11RF08S, however, was believed to have implemented countermeasures against the known attacks, in particular the “card-only” attacks that require nothing more than brief physical proximity to the card.
During their analysis, the researchers found that the FM11RF08S’s “static encrypted nonce” countermeasure is itself vulnerable: if a key is reused across at least three sectors or three cards, it can be recovered within minutes. More alarmingly, they identified a hardware backdoor in the FM11RF08S that permits authentication with a previously undocumented key. Once recovered, that key turned out to be the same on every FM11RF08S card examined.
Further investigation revealed that this issue is not isolated to the FM11RF08S variant. Similar backdoors were found in the earlier FM11RF08 model and several other card models produced by the same manufacturer, including the FM11RF32 and FM1208-10. Even older cards from NXP Semiconductors and Infineon Technologies were found to be vulnerable, indicating a widespread issue within the RFID card ecosystem.
The implications are far-reaching. With knowledge of the backdoor key, anyone with brief access to a card can read out all of its user-defined sector keys, even when those keys are diversified (derived per card, for example from its UID), because the backdoor bypasses the normal key check entirely. This undermines any access-control system that trusts these cards.
The researchers have urged organizations using MIFARE Classic cards to assess their infrastructure immediately. These cards are not confined to the Chinese market: they have been found in high-security environments, including hotels across the United States, Europe, and India. Since the backdoor is baked into the silicon, there is no firmware fix; the practical remedy is to identify affected card stock and plan a migration away from MIFARE Classic-compatible cards.
As the cybersecurity landscape continues to evolve, this discovery serves as a critical reminder of the importance of rigorous security testing and the potential risks associated with supply chain vulnerabilities in widely deployed technologies.
As we conclude this journey through critical cybersecurity issues, it’s clear that staying informed and taking proactive measures are crucial in today’s rapidly evolving threat landscape. From vulnerabilities in widely-used plugins to significant risks in essential technology sectors, the importance of regular updates, vigilant monitoring, and swift responses cannot be overstated. Thank you for joining us on this ride with the Cybersecurity Express. We appreciate your time and invite you to return for more insightful and timely content as we continue to navigate the complexities of cybersecurity together. Safe travels until our next journey!