Tag:

Snapchat

Gaming Gear

Public database exposed 184 million credentials including Microsoft, Facebook, Snapchat, and government account logins

by admin June 18, 2025



  • The Sitecore CMS had an account with a hardcoded password
  • Threat actors could use it to upload arbitrary files, achieving RCE
  • Thousands of endpoints are potentially at risk

Sitecore Experience Platform, an enterprise-level content management system (CMS), carried three vulnerabilities which, when chained together, allowed threat actors full takeover of vulnerable servers, experts have warned.

Cybersecurity researchers at watchTowr found that the first flaw is a hardcoded password for an internal user: a single letter, ‘b’, which makes it trivial to guess.

The account does not have admin privileges, but watchTowr found malicious users could authenticate via an alternate login path, which would give them authenticated access to internal endpoints.



Patching the flaws

This sets the stage for the exploitation of the second flaw, described as a “Zip Slip” in the Sitecore Upload Wizard.

In a nutshell, the now-authenticated attackers can upload malicious files because of insufficient path sanitization and the way Sitecore maps paths. As a result, they can write arbitrary files in the webroot.
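The check that a Zip Slip flaw is missing, shown as an added example (not Sitecore's or watchTowr's code): every archive entry is resolved against the extraction directory and rejected if it lands outside it. The function names, the `/srv/upload/tmp` destination and the sample archive are assumptions constructed for illustration.

```python
import io
import posixpath
import zipfile


def unsafe_entries(zip_bytes, dest_root="/srv/upload/tmp"):
    """Return entry names that would be written outside dest_root."""
    root = posixpath.normpath(dest_root)  # assumed extraction directory
    flagged = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            # Windows hosts treat "\" as a separator, so normalise it first.
            name = info.filename.replace("\\", "/")
            # Absolute paths and drive letters ignore the destination entirely.
            if name.startswith("/") or name[1:2] == ":":
                flagged.append(name)
                continue
            # Resolve "." and ".." segments, then require the result to stay
            # under the destination directory.
            target = posixpath.normpath(posixpath.join(root, name))
            if target != root and not target.startswith(root + "/"):
                flagged.append(name)
    return flagged


def build_sample():
    """Constructed archive: two benign entries and four that escape."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("media/logo.png", b"ok")
        zf.writestr("media/..drafts/note.txt", b"ok")  # dots, but no traversal
        zf.writestr("../../wwwroot/outside.txt", b"x")
        zf.writestr("..\\..\\wwwroot\\outside2.txt", b"x")
        zf.writestr("media/../../escape.txt", b"x")
        zf.writestr("/abs/path.txt", b"x")
    return buf.getvalue()


if __name__ == "__main__":
    for entry in unsafe_entries(build_sample()):
        print("rejected:", entry)
```

An upload handler would refuse the whole archive when this list is non-empty rather than skipping the flagged entries.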

These two issues alone could be enough to cause some serious damage on the compromised server, but the problems don’t stop there.

If the website has the Sitecore PowerShell Extensions (SPE) module installed, which is commonly bundled with SXA, attackers can upload arbitrary files to specific paths, bypassing extension or location restrictions and resulting in a “reliable RCE”.


All Sitecore versions from 10.1 to 10.4 are apparently vulnerable, which translates to roughly 22,000 publicly exposed instances, at press time – but just because they’re all accessible and running these versions, it doesn’t necessarily mean they’re all vulnerable.

“Sitecore is deployed across thousands of environments, including banks, airlines, and global enterprises — so the blast radius here is massive,” watchTowr CEO Benjamin Harris told BleepingComputer.

“And no, this isn’t theoretical: we’ve run the full chain, end-to-end. If you’re running Sitecore, it doesn’t get worse than this – rotate creds and patch immediately before attackers inevitably reverse engineer the fix.”

So far there have been no reports of abuse in the wild, but a patch is available now, so users should update as soon as possible.

Google services are experiencing a partial outage
Product Reviews

Spotify, Discord, Snapchat and more were down for hours

by admin June 13, 2025


Google Cloud experienced outages today that led to disruptions for many online services. Reports of issues for Google products and others began around 2 PM ET. The company was able to restore function to its own apps, but several other businesses have continued to experience problems for some users.

In an update at 4:16PM ET, Google said, “We have identified the root cause and applied appropriate mitigations. Our infrastructure has recovered in all regions except us-central1. Google Cloud products that rely on the affected infrastructure are seeing recovery in multiple locations. Our engineers are aware of the customers still experiencing issues on us-central1 and multi-region/us and are actively working on full recovery. We do not have an ETA for full recovery.”

Screenshot from DownDetector at about 3:25PM ET

Spotify, Discord, Snapchat, Etsy, UPS and OpenAI all experienced a high volume of reports on DownDetector, with some informing users of disruptions. Even the Pokemon Trading Card Game and Pokemon Go weren’t spared issues. Snapchat acknowledged the ongoing issues on its support page. OpenAI has posted that users may have trouble logging in due to “issues affecting multiple external internet providers.” AWS also experienced a higher-than-usual volume of reports on DownDetector during the outage, but Amazon clarified in a statement to Engadget that it has no broad service issues and noted that its AWS Health Dashboard is a better indicator of its current status than DownDetector.

Almost all services have now returned to normal operation. By 5PM ET, Spotify’s main page loaded for our editors and reports of outages on DownDetector had fallen back to close to their baseline. Other platforms like Snapchat and Discord also seemed to be functioning normally for us. Google said at the time that its products were coming back online across multiple regions and that it expected the recovery to be complete “in less than an hour.” However, as of 7:13PM ET, the company noted that several Google Cloud components were still experiencing “residual impact.” Google Cloud Dataflow, Vertex AI Online Prediction and Personalized Service Health are all still somewhat affected, and the company has not provided a timeline for when everything will be back to normal.



