In today's fast-paced cybersecurity landscape, vulnerabilities in popular platforms pose significant risks to organizations. Three recently disclosed threats have drawn attention: CVE-2024-9822, an authentication bypass in the Pedalo Connector plugin for WordPress; Perfctl, a malware campaign that targets misconfigured Linux servers; and CVE-2024-9164, which allows pipelines to be run on arbitrary branches in GitLab Enterprise Edition (EE). This article explains how each of them works, what the consequences are, and how to defend against them.
CVE-2024-9822: Authentication Bypass in WordPress Pedalo Connector
CVE-2024-9822 is an authentication bypass in the Pedalo Connector plugin for WordPress (the flaw is in the plugin, not in WordPress core). Versions up to and including 2.0.5 are affected because the plugin's 'login_admin_user' function does not properly restrict who may invoke it, so an unauthenticated attacker can be logged in as a privileged user without supplying credentials. With a CVSS score of 9.8 it is rated critical: an attacker who obtains administrator access can alter content, install malicious plugins, and read sensitive data.
Impact of CVE-2024-9822
Once an attacker exploits this vulnerability, they can:
- Modify website configurations and content.
- Install malware or unauthorized plugins.
- Steal confidential user information.
- Utilize the compromised site for further attacks.
This vulnerability poses a severe risk to website confidentiality, integrity, and availability.
Bornsec’s expert Vulnerability Assessment and Penetration Testing (VAPT) services can help secure your organization against evolving threats.
Mitigating CVE-2024-9822
At the time of writing no fixed plugin release is available, so the following measures reduce the risk:
- Update to the Latest Version: Upgrade the Pedalo Connector plugin as soon as a release later than 2.0.5 that addresses this issue is published.
- Temporarily Disable the Plugin: If no fixed version exists, deactivate (or remove) the plugin; that takes the vulnerable code path out of reach entirely.
- Strengthen Access Controls: Enable two-factor authentication (2FA) for administrator accounts and monitor login activity. Note that an authentication bypass does not go through the normal login form, so 2FA alone should not be relied on to stop this flaw; it remains valuable against credential-based follow-on attacks.
- Conduct Regular Audits: Periodically review the list of administrator accounts and recent administrator logins for entries you did not create.
Perfctl Malware: Threat to Misconfigured Linux Servers
Perfctl is a Linux malware family that actively targets exposed servers. It takes advantage of server misconfigurations and exploits known vulnerabilities, including CVE-2023-33246 (Apache RocketMQ) and CVE-2021-4043 (Polkit), to gain access and escalate privileges. Although best known for cryptocurrency mining, Perfctl can also act as a loader for other malware, enable proxy-jacking, and install backdoors.
How Perfctl Operates
Perfctl malware infiltrates Linux servers through two main vectors:
- Server Misconfigurations: Weak passwords and exposed login interfaces give the operators an easy way in; the campaign has been reported to affect over 20,000 systems.
- Exploiting Critical Vulnerabilities: Perfctl exploits Apache RocketMQ (CVE-2023-33246) and Polkit (CVE-2021-4043) to gain access and escalate privileges.
Key Features of Perfctl Malware
- Evasion Techniques: Perfctl uses rootkits to hide its files and processes, and pauses its resource-intensive activity when a user logs in so that the CPU load goes unnoticed.
- Persistence: It modifies shell login scripts so that it is restarted at the next login and survives reboots.
- Malicious Utilities: It replaces system tools such as ldd and crontab with trojanized versions, so the very tools an administrator would use to investigate misreport what is present.
Mitigating Perfctl Malware
To guard against Perfctl, organizations should adopt a multi-layered defense:
- Patch Vulnerabilities: Regularly update software, particularly Apache RocketMQ (CVE-2023-33246) and Polkit (CVE-2021-4043).
- Restrict File Execution: Mount the filesystem that holds /tmp (and other world-writable directories) with the noexec option, together with nosuid and nodev, so that binaries dropped there cannot be executed directly.
- Disable Unnecessary Services: Reduce the attack surface by disabling unused HTTP services and closing exposed management interfaces.
- Advanced Security Tools: Deploy anti-malware solutions that can detect rootkits and trojanized utilities while monitoring network traffic for suspicious activity.
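To make the host-side checks concrete, here is a small triage script (an added example, not code from the original article or from the Perfctl research) that looks for the three signs described above: trojanized ldd and crontab binaries, recently altered login scripts, and /tmp mounted without noexec. It assumes a dpkg- or rpm-based distribution; the list of login scripts and the 30-day window are my own choices.

```shell
#!/bin/sh
# Added triage script (not from the original article or the Perfctl research).
# Checks: trojanised ldd/crontab, recently altered login scripts, /tmp noexec.
# Assumes dpkg (Debian/Ubuntu) or rpm (RHEL family); the login-script list
# and the 30-day window are assumptions, adjust them for your estate.

set -eu

MOUNTS_FILE="${MOUNTS_FILE:-/proc/mounts}"

# mount_has_option MOUNTS_FILE MOUNTPOINT OPTION
# exit 0 if MOUNTPOINT appears in the mounts file with OPTION in its option
# list (/proc/mounts format: device mountpoint fstype options dump pass).
mount_has_option() {
    awk -v mp="$2" -v opt="$3" '
        $2 == mp {
            n = split($4, o, ",")
            for (i = 1; i <= n; i++) if (o[i] == opt) found = 1
        }
        END { if (found) exit 0; exit 1 }' "$1"
}

# recently_modified FILE DAYS: exit 0 if FILE exists and its mtime is within
# the last DAYS days (the malware rewrites login scripts for persistence).
recently_modified() {
    [ -e "$1" ] && [ -n "$(find "$1" -mtime -"$2" -print 2>/dev/null)" ]
}

# verify_tool PATH: ask the package manager whether PATH still matches the
# checksum recorded at install time. Caveat: on a rootkitted host the package
# database and the tools used here may themselves be tampered with, so treat
# "ok" as weak evidence and compare against a known-good copy offline.
verify_tool() {
    t="$1"
    if command -v dpkg >/dev/null 2>&1; then
        pkg="$(dpkg -S "$t" 2>/dev/null | cut -d: -f1 | head -n 1)"
        if [ -n "$pkg" ] && dpkg --verify "$pkg" 2>/dev/null | grep -q " $t\$"; then
            echo "MODIFIED  $t (package $pkg)"
        else
            echo "ok        $t"
        fi
    elif command -v rpm >/dev/null 2>&1; then
        if rpm -Vf "$t" 2>/dev/null | grep -q " $t\$"; then
            echo "MODIFIED  $t"
        else
            echo "ok        $t"
        fi
    else
        echo "unknown   $t (no dpkg or rpm found)"
    fi
}

audit() {
    for t in /usr/bin/ldd /usr/bin/crontab; do
        verify_tool "$t"
    done
    if mount_has_option "$MOUNTS_FILE" /tmp noexec; then
        echo "ok        /tmp is mounted noexec"
    else
        echo "WEAK      /tmp is not a noexec mount; add noexec,nosuid,nodev in /etc/fstab"
    fi
    for f in /etc/profile /etc/bash.bashrc /root/.profile /root/.bashrc \
             /home/*/.profile /home/*/.bashrc; do
        if recently_modified "$f" 30; then
            echo "RECENT    $f changed in the last 30 days; inspect it for added commands"
        fi
    done
}

# Offline self-check on a constructed mounts file, so the logic can be
# exercised without touching the live host.
selfcheck() {
    d="$(mktemp -d)"
    printf 'tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0\n' > "$d/mounts"
    printf '/dev/sda1 / ext4 rw,relatime 0 0\n' >> "$d/mounts"
    if mount_has_option "$d/mounts" /tmp noexec && ! mount_has_option "$d/mounts" / noexec; then
        rc=0
    else
        rc=1
    fi
    rm -rf "$d"
    return $rc
}

if [ "${1:-}" = "--audit" ]; then
    audit
fi
```

Run it as root with `--audit` on a suspect host. A "MODIFIED" verdict from the package manager is strong evidence, but an "ok" is not a clean bill of health: a rootkit that hides processes can also hide or patch the files that dpkg, rpm and find read, so confirm any findings from a known-good live image or by comparing hashes against a trusted copy of the same package version.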
CVE-2024-9164: Arbitrary Pipeline Execution in GitLab EE
CVE-2024-9164 allows pipelines to be run on arbitrary branches in GitLab Enterprise Edition (EE). It affects all versions from 12.5 up to 17.4.1 that predate the fixed releases (17.2.9, 17.3.5 and 17.4.2). Because CI/CD pipelines typically run with access to repository contents, CI/CD variables and deployment targets, the flaw puts both code repositories and the CI/CD process at risk; it carries a CVSS score of 9.6.
Impact of CVE-2024-9164
The key risks associated with this vulnerability include:
- Unauthorized Access: An attacker can run pipelines they should not be able to trigger, and thereby reach whatever data those pipelines can access.
- Code Manipulation: Pipeline jobs can write to repositories and publish artifacts, so a malicious actor may alter code or inject harmful changes into builds.
- Denial of Service (DoS): Running resource-intensive pipelines can exhaust runner capacity and slow down or crash the CI/CD service.
- Privilege Escalation: Pipelines on protected branches often carry more privileges than the attacker's own account, so the flaw can be used to escalate privileges within the system.
Mitigating CVE-2024-9164
GitLab has released patches in versions 17.2.9, 17.3.5, and 17.4.2. To mitigate this vulnerability, consider the following steps:
- Update to the Latest Version: Apply the patched release for your line (17.2.9, 17.3.5 or 17.4.2) as soon as possible.
- Restrict Pipeline Permissions: Use protected branches and protected CI/CD variables so that pipelines on unprotected refs never receive production secrets, and limit pipeline execution to trusted users and verified projects.
- Monitor Pipeline Activity: Alert on pipelines run on protected branches by unexpected users or from unusual sources, and review pipeline logs for jobs that did not originate from a normal push or merge request.
- Follow GitLab Best Practices: Regularly update software, audit pipeline configurations, and restrict access to CI/CD environments.
- Track Disclosures: Monitor GitLab's security release announcements and the National Vulnerability Database (NVD) to keep abreast of the latest vulnerability disclosures and mitigation guidance.
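The first step in both the CVE-2024-9822 and the CVE-2024-9164 mitigations is knowing whether the installed version is inside the affected range, which is easy to get wrong by eye when several fixed branches exist. The script below is an added example (not code from the original article, from the plugin author or from GitLab): it classifies a version string against the ranges stated above for both CVEs and can then query a live WordPress site through WP-CLI or a live GitLab instance through its version API. It assumes the plugin's WP-CLI slug is "pedalo-connector", that GITLAB_TOKEN holds a token with the read_api scope, and that versions are dotted numerics (anything after the first non-digit in a component, such as "-ee", is ignored).

```shell
#!/bin/sh
# Added example (not from the original article, from Pedalo, or from GitLab):
# classify a version against the affected ranges for CVE-2024-9822 (Pedalo
# Connector up to and including 2.0.5) and CVE-2024-9164 (GitLab EE from 12.5
# up to the 17.2.9, 17.3.5 and 17.4.2 fixes), then optionally check a live
# system. Assumptions: WP-CLI slug "pedalo-connector"; GITLAB_TOKEN has the
# read_api scope; versions are dotted numerics with optional suffixes.

set -eu

# version_le A B: exit 0 if dotted version A <= B, compared component-wise
# (missing components count as 0, so "2.0" equals "2.0.0").
version_le() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ax="${a%%.*}"; bx="${b%%.*}"
        if [ "$a" = "$ax" ]; then a=""; else a="${a#*.}"; fi
        if [ "$b" = "$bx" ]; then b=""; else b="${b#*.}"; fi
        ax="${ax%%[!0-9]*}"; bx="${bx%%[!0-9]*}"   # drop "-ee", "rc1", ...
        ax="${ax:-0}"; bx="${bx:-0}"
        [ "$ax" -lt "$bx" ] && return 0
        [ "$ax" -gt "$bx" ] && return 1
    done
    return 0
}

# CVE-2024-9822: every release up to and including 2.0.5 is affected.
pedalo_vulnerable() {
    version_le "$1" 2.0.5
}

# CVE-2024-9164: 12.5 <= v < 17.2.9, 17.3 <= v < 17.3.5, 17.4 <= v < 17.4.2.
gitlab_affected() {
    v="$1"
    if version_le 17.4 "$v"; then
        ! version_le 17.4.2 "$v"
    elif version_le 17.3 "$v"; then
        ! version_le 17.3.5 "$v"
    elif version_le 12.5 "$v"; then
        ! version_le 17.2.9 "$v"
    else
        return 1
    fi
}

# Live check 1: WordPress via WP-CLI, run from the site's root directory.
check_wordpress() {
    ver="$(wp plugin get pedalo-connector --field=version 2>/dev/null || true)"
    if [ -z "$ver" ]; then
        echo "Pedalo Connector: not installed"
        return 0
    fi
    if pedalo_vulnerable "$ver"; then
        echo "Pedalo Connector $ver: AFFECTED by CVE-2024-9822, deactivating"
        wp plugin deactivate pedalo-connector
    else
        echo "Pedalo Connector $ver: outside the affected range"
    fi
    echo "Administrator accounts to review:"
    wp user list --role=administrator --fields=ID,user_login,user_email,user_registered
}

# Live check 2: GitLab's version endpoint (needs GITLAB_TOKEN in the environment).
check_gitlab() {
    ver="$(curl -fsS -H "PRIVATE-TOKEN: $GITLAB_TOKEN" "$1/api/v4/version" \
           | sed -n 's/.*"version":"\([^"]*\)".*/\1/p')"
    if gitlab_affected "$ver"; then
        echo "GitLab $ver: AFFECTED by CVE-2024-9164, upgrade to 17.2.9, 17.3.5 or 17.4.2+"
    else
        echo "GitLab $ver: not in the affected range"
    fi
}

case "${1:-}" in
    --wordpress) check_wordpress ;;
    --gitlab)    check_gitlab "${2:?usage: $0 --gitlab https://gitlab.example.com}" ;;
    *)           : ;;   # no arguments: only define the functions
esac
```

Usage: `sh check.sh --wordpress` from the WordPress document root, or `GITLAB_TOKEN=... sh check.sh --gitlab https://gitlab.example.com`. The range logic for GitLab branches on the minor line first, because a naive "less than 17.4.2" test would wrongly mark 17.3.4 as safe even though its fix only arrived in 17.3.5.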
Conclusion: Staying Ahead of Vulnerabilities
With threats like CVE-2024-9822, the Perfctl malware and CVE-2024-9164 emerging in quick succession, proactive security is essential. Regularly patching software, monitoring systems, and enforcing strong access controls can drastically reduce the risk of exploitation. By following industry best practices, your organization can stay ahead of these evolving threats.
Bornsec offers comprehensive solutions to help your business stay secure. Explore our services to protect against vulnerabilities and ensure compliance with industry standards.