Tuesday, February 26, 2019

Top 10 app vulnerabilities: Unpatched plugins and extensions dominate

Patches exist for every entry on the list, but the sheer number of unpatched installations makes them enticing targets for malicious actors, according to a WhiteHat report.

Security vulnerabilities are a reality of working in IT, with tech professionals tasked with ensuring devices on the network are secured against the latest disclosed flaws. With thousands responsibly disclosed each year—to say nothing of vulnerabilities sold on the Dark Web—the task of maintaining the security integrity of devices and applications running on your network can be daunting.
On Wednesday, WhiteHat Security released its Top 10 Application Security Vulnerabilities of 2018 report, detailing the most commonly exploited vulnerabilities of last year. Most, if not all, of them are still being exploited in the wild, and some live in components of software packages that you may not know you are running.
Here are the top 10 app security vulnerabilities to watch out for in the coming year.

1. jQuery File Upload (CVE-2018-9206)

The flaw sits in the PHP server-side handler bundled with the plugin: it let unauthenticated users upload arbitrary files, including PHP scripts, into a web-accessible directory. The handler had relied on .htaccess rules to stop uploaded scripts from executing, but Apache stopped honoring .htaccess by default in version 2.3.9, so on most modern servers the upload became remote code execution; fixed versions restrict the accepted file types to images by default. Though the vulnerability was only identified last year, hackers have used it to implant web shells and commandeer vulnerable servers since at least 2016, researchers at Akamai told our sister site ZDNet. The plugin is the second most-starred jQuery project on GitHub, second only to the jQuery framework itself.
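The lesson of CVE-2018-9206 is that the web server's configuration is not the upload policy. The following is an added example, not the jQuery File Upload project's code (which ships a PHP handler): a server-side policy in Python that allowlists extensions, checks the file's leading bytes against that extension, rejects double extensions and path tricks, gives every file a random server-chosen name, and writes it outside the document root so nothing stored can ever be executed as a script. The allowlist, size limit and function names are assumptions chosen for illustration.

```python
# Added example: a server-side upload policy in Python. Not the jQuery File
# Upload project's own handler; the allowlist, limits and names are assumptions.
import os
import re
import secrets
from pathlib import Path, PurePosixPath

# Allowlisted extensions and the leading bytes (magic numbers) each must carry.
ALLOWED = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
}
MAX_BYTES = 5 * 1024 * 1024
_EXT = re.compile(r"[a-z0-9]{1,5}")

# Constructed test input: a PNG header followed by padding, not a real image.
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16


class UploadRejected(ValueError):
    """Raised for any upload that fails policy; the caller answers HTTP 4xx."""


def validate_upload(filename: str, data: bytes) -> str:
    """Return a server-generated storage name for an acceptable upload, else raise.

    The client-supplied name is consulted only for its extension; it never
    becomes the stored name, so path components and odd characters cannot
    reach the filesystem.
    """
    if len(data) > MAX_BYTES:
        raise UploadRejected("too large")
    # Drop any directory part the client sent ("../x.png", "C:\\x.png").
    base = PurePosixPath(filename.replace("\\", "/")).name
    parts = base.lower().split(".")
    if len(parts) < 2 or "" in parts:
        raise UploadRejected("missing or empty extension")
    # Every extension after the first dot must be allowlisted, not just the
    # last one, so "shell.php.png" is rejected rather than handed to a server
    # that runs any .php path segment.
    for ext in parts[1:]:
        if not _EXT.fullmatch(ext) or ext not in ALLOWED:
            raise UploadRejected(f"extension {ext!r} not allowed")
    ext = parts[-1]
    if not any(data.startswith(magic) for magic in ALLOWED[ext]):
        raise UploadRejected("content does not match extension")
    # Random name: the client controls neither the stored name nor its mapping.
    return f"{secrets.token_hex(16)}.{ext}"


def is_accepted(filename: str, data: bytes) -> bool:
    """True if validate_upload would accept the file, False otherwise."""
    try:
        validate_upload(filename, data)
        return True
    except UploadRejected:
        return False


def store_upload(upload_root: Path, filename: str, data: bytes) -> Path:
    """Write an accepted upload into upload_root, which must sit OUTSIDE the
    web server's document root so nothing in it is served as a script.
    The file is created exclusively (no overwrite) and not executable."""
    name = validate_upload(filename, data)
    dest = upload_root / name
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o640)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return dest
```

The magic-byte check is a sanity check, not a proof of file type: a valid PNG can also contain PHP source (a polyglot), which is why the storage directory, not the validator, is what ultimately prevents execution. Serve stored files through a handler that sets a fixed Content-Type and Content-Disposition rather than by exposing the directory directly.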

2. Magecart credit card skimming

A variety of criminal groups, known collectively as Magecart, inject JavaScript card skimmers into ecommerce checkout pages, often through a compromised third-party script or extension, to steal payment details as customers type them. Magecart was behind the Ticketmaster, British Airways and Newegg breaches, as well as compromises of the Shopper Approved ecommerce toolkit and of extensions for the Magento ecommerce platform, all first reported in 2018; OXO International disclosed a Magecart-related data breach in January 2019.

3. WordPress Denial of Service (CVE-2018-6989)

The ubiquity of WordPress makes the blogging platform a popular target for malicious actors. This vulnerability lets unauthenticated users abuse the load-scripts.php component, which concatenates admin JavaScript files named in its load[] parameter into one response, to request nearly every bundled script at once; a modest stream of such requests is enough to exhaust a server's CPU and bandwidth.
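Because the abusive requests are ordinary GETs, the quickest way to spot them is in the web server's access log. The following is an added example, not WordPress code: detection logic in Python that parses combined-format log lines, extracts the script handles named in load[] for requests to load-scripts.php or load-styles.php, and flags both single oversized requests and sources that hammer the loader. The log lines and handle names are constructed for the example, and the thresholds are assumptions to tune for your site.

```python
# Added example: detecting load-scripts.php abuse in access logs. Not WordPress
# code; log lines are constructed and the thresholds are assumptions.
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)


def _line(ip, target, size, ua="Mozilla/5.0"):
    """Build one constructed combined-format log line."""
    return (f'{ip} - - [26/Feb/2019:10:00:01 +0000] "GET {target} HTTP/1.1" '
            f'200 {size} "-" "{ua}"')


# Constructed traffic: one normal admin page load naming two handles, one request
# naming 180 handles, then a burst of small requests from the same source.
# Handle names h0..h179 are placeholders, not real WordPress handles.
SAMPLE_LOG = "\n".join(
    [_line("198.51.100.5",
           "/wp-admin/load-scripts.php?c=1&load%5B%5D=jquery-core,common&ver=5.0", 48213),
     _line("203.0.113.7",
           "/wp-admin/load-scripts.php?c=1&load%5B%5D=" + ",".join(f"h{i}" for i in range(180)),
           3817200, ua="python-requests/2.21")]
    + [_line("203.0.113.7",
             f"/wp-admin/load-scripts.php?c=1&load%5B%5D=h{i},h{i + 1},h{i + 2}", 90000,
             ua="python-requests/2.21") for i in range(12)]
)


def load_handles(target):
    """Return the script handles requested through load[] for a WordPress
    loader URL, or None if the URL is not one of the loader endpoints."""
    u = urlsplit(target)
    if not u.path.endswith(("/load-scripts.php", "/load-styles.php")):
        return None
    qs = parse_qs(u.query)  # decodes %5B%5D back to "[]"
    handles = []
    for key in ("load[]", "load"):
        for value in qs.get(key, []):
            handles.extend(h for h in value.split(",") if h)
    return handles


def find_abusive_requests(log_text, max_handles=20, max_per_ip=10):
    """Flag single requests asking for more than max_handles scripts, and
    sources that hit the loader more than max_per_ip times in the log window.
    Returns (list of (line_no, ip, handle_count), set of noisy IPs)."""
    flagged, per_ip = [], Counter()
    for n, line in enumerate(log_text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        handles = load_handles(m["target"])
        if handles is None:
            continue
        per_ip[m["ip"]] += 1
        if len(handles) > max_handles:
            flagged.append((n, m["ip"], len(handles)))
    noisy = {ip for ip, c in per_ip.items() if c > max_per_ip}
    return flagged, noisy


if __name__ == "__main__":
    print(find_abusive_requests(SAMPLE_LOG))
```

In production the same two signals feed a rate limiter or a web application firewall rule: block or throttle unauthenticated requests to load-scripts.php and load-styles.php whose load[] list exceeds what the admin pages legitimately request, and rate-limit the endpoint per source address.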

4. Drupalgeddon 2 (CVE-2018-7600)

One of the design quirks of Drupal is the use of the hash (#) at the beginning of array keys to mark special keys that the form and render system processes further, including callbacks. Combined with the way PHP turns bracketed request parameters into nested arrays, this let any unauthenticated visitor who sent a crafted request smuggle '#'-prefixed keys into data that Drupal then rendered, which is remote code execution. Fundamentally, the patch did little more than sanitize inputs: it strips any '#'-prefixed keys from incoming request data before the rest of the framework sees them.
The vulnerability was nicknamed "Drupalgeddon 2: Electric Hashaloo" by programmer Scott Arciszewski of Paragon Initiative, among other members of the Drupal community.

5. Drupalgeddon 3 (CVE-2018-7602)

The first patch did not close every path: a related vulnerability in the handling of URL GET parameters remained, because the query string carried inside the destination parameter was not sanitized to remove '#' keys, leaving a second remote code execution route open.
Despite the highly publicized nature of the vulnerability, over 115,000 Drupal websites were still vulnerable to the issue months after patches were issued, and various botnets were actively leveraging the vulnerability to deploy cryptojacking malware.
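The two Drupalgeddon fixes come down to one rule applied everywhere request data is parsed: no client-supplied key may begin with '#'. The following is an added example, a Python re-creation of that idea and not Drupal's own code: a small parser that builds nested arrays from bracketed keys the way PHP does (which is how a key like account[#type] ends up beside Drupal's internal keys), a sanitizer that strips every '#' key from the result, and a second sanitizer for the destination parameter, whose embedded query string is parsed again later and so needs the same treatment. Function names and the sample inputs are assumptions constructed for the example.

```python
# Added example: Python re-creation of the Drupalgeddon 2/3 mitigation idea.
# Not Drupal's code; names and inputs are constructed for illustration.
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

_KEY = re.compile(r"([^\[\]]+)((?:\[[^\]]*\])*)")


def _segments(key):
    """Split a PHP-style key 'a[b][]' into its path segments ['a', 'b', '']."""
    m = _KEY.fullmatch(key)
    if not m:
        return [key]
    return [m.group(1)] + re.findall(r"\[([^\]]*)\]", m.group(2))


def parse_php_query(query):
    """Turn 'a[b]=1&a[c][]=2' into nested dicts the way PHP builds $_GET/$_POST.
    Empty brackets append under the next integer index, as PHP does. This is
    how a client-chosen key such as 'x[#type]' lands next to keys that Drupal's
    render system treats as internal."""
    result = {}
    for key, value in parse_qsl(query, keep_blank_values=True):
        parts = _segments(key)
        node = result
        for part in parts[:-1]:
            part = part or str(len(node))
            nxt = node.get(part)
            if not isinstance(nxt, dict):
                nxt = node[part] = {}
            node = nxt
        last = parts[-1] or str(len(node))
        node[last] = value
    return result


def strip_hash_keys(value, path=(), removed=None):
    """Recursively drop every key that starts with '#'. Returns (clean, removed),
    where removed lists dotted paths of what was stripped, for logging."""
    if removed is None:
        removed = []
    if not isinstance(value, dict):
        return value, removed
    clean = {}
    for k, v in value.items():
        if k.startswith("#"):
            removed.append(".".join(path + (k,)))
            continue
        clean[k] = strip_hash_keys(v, path + (k,), removed)[0]
    return clean, removed


def sanitize_request(query):
    """Parse a query string or form body as PHP would, then strip '#' keys.
    Apply this to GET, POST and cookie data before any framework code runs."""
    return strip_hash_keys(parse_php_query(query))


def sanitize_destination(destination):
    """'destination' is itself a URL whose query string is re-parsed later;
    drop any pair whose key has a '#' segment so that second parse is clean."""
    u = urlsplit(destination)
    kept = [(k, v) for k, v in parse_qsl(u.query, keep_blank_values=True)
            if not any(seg.startswith("#") for seg in _segments(k))]
    return urlunsplit((u.scheme, u.netloc, u.path, urlencode(kept), u.fragment))


if __name__ == "__main__":
    # Constructed input: a legitimate field beside two smuggled '#' keys.
    print(sanitize_request("account[name]=alice&account[#type]=markup&account[#attached][]=x"))
    print(sanitize_destination("/node/1?foo=bar&acc%5B%23type%5D=markup"))
```

Note that in a URL a literal '#' starts the fragment, so attackers send it percent-encoded as %23; parse_qsl decodes it before the check runs, which is exactly why sanitizing after decoding (and again inside destination) matters. Logging the removed paths, as the second return value allows, turns the sanitizer into a detection signal as well as a fix.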

6. Telerik's RadAsyncUpload

The RadAsyncUpload control in Telerik UI for ASP.NET AJAX encrypts its upload configuration with a key that, by default, was a hard-coded value shared across installations. An attacker who knows that key can decrypt and rewrite the configuration, including the allowed file types and the directory where uploaded files are saved, turning the control into an arbitrary file upload.

7. Spring Data Commons (CVE-2018-1273)

Pivotal's Spring Data Commons contained a vulnerability that allowed an unauthenticated remote user to send "specially crafted request parameters against Spring Data REST backed HTTP resources or using Spring Data's projection-based request payload binding that can lead to a remote code execution attack." The root cause was that property paths taken from request parameters were evaluated as Spring Expression Language (SpEL).

8. MathJax XSS (CVE-2018-1999024)

The open source MathJax library, used to render MathML, LaTeX and ASCIIMathML notation in web pages, contained a cross-site scripting (XSS) vulnerability in its \unicode{} macro that allowed JavaScript to be injected into any page rendering attacker-supplied notation.

9. Flash Player Hack (CVE-2018-4878)

Given Adobe's track record with Flash, the absence of a vulnerability would be more noteworthy than the presence of one. This use-after-free flaw was exploited as a zero-day by suspected North Korean hackers, delivered through maliciously crafted Excel documents carrying an embedded Flash object.

10. Spring OAuth Approval (CVE-2018-1260)

A vulnerability in the default approval endpoint of Spring Security OAuth allows remote code execution through injected Spring Expression Language (SpEL). According to WhiteHat Security, "This remote code execution occurs when a malicious attacker creates an authorized request to the authorization endpoint, and the resource owner is then able to forward to the approval endpoint."

What to do to keep your organization secure

Most of these vulnerabilities can be addressed simply by updating to the latest available version of the software; Magecart, an attack technique rather than a single bug, is contained by keeping ecommerce platforms and their extensions current and by controlling which third-party scripts are allowed to run on checkout pages. Particularly in the case of Drupal and WordPress, avoid extensive custom code that hampers your ability to upgrade promptly, since installations stuck on old versions are exactly the targets malicious actors look for.
Knowing what software is in use in your organization is equally important. In particular, the ubiquity of WordPress has led to plugin-specific vulnerabilities, yet plugin updates are rarely treated as a high priority. Check out TechRepublic's coverage of the WordPress plugins most vulnerable to attacks.

WordPress users beware: These 10 plugins are most vulnerable to attacks


WordPress vulnerabilities reported increased by 30% in the last year, more than any other CMS, according to an Imperva report.
New web application vulnerabilities increased by 21% in 2018 compared to 2017, according to a Wednesday report from Imperva. More than half of these vulnerabilities (54%) have a public exploit available to hackers, and more than one third (38%) had no fix available in the form of an upgrade or patch, the report found.

In the content management system (CMS) category, reported WordPress vulnerabilities increased by 30% over the last year, according to the report. WordPress faced more vulnerabilities than any other CMS, the report found, due in part to the platform's popularity: it powers nearly 60% of websites built on a CMS, totalling more than 22 million sites, according to WebsiteSetup data.
Virtually all WordPress vulnerabilities (98%) are related to plugins, which extend the functionality and features of a website, the report found. Anyone can write and publish a plugin, since WordPress is open source, and no minimum security standard is enforced, which makes plugins prone to vulnerabilities.
At the time of the report's publication, WordPress had 55,271 plugins, with only 1,914 (about 3%) added in 2018. The slow growth in plugins alongside the rapid rise in new vulnerabilities could again be due to the platform's widespread use, as attackers may be more motivated to develop dedicated tools to search for holes in the code, the report noted.
Meanwhile, while Drupal is the third-most popular CMS after WordPress and Joomla, two of its vulnerabilities (CVE-2018-7600 and CVE-2018-7602) were the cause of security breaches in hundreds of thousands of web servers in 2018, the report found. These vulnerabilities allowed unauthenticated attackers to remotely inject malicious code, and run it on default or common Drupal installations—then letting attackers connect to backend databases, scan and infect internal networks, mine cryptocurrencies, and infect clients with trojans, according to the report.
Here are the 10 WordPress plugins with the most vulnerabilities in 2018, according to the report. There are several caveats. Inclusion on this list does not mean these are necessarily the most-attacked plugins, the report said. In some cases the issues found do not put users at risk, because they can only be exploited by users who already have full administrative access to the site. Some of the plugins below had only a handful of vulnerabilities, Imperva clarified, which may not directly impact users.
1. Event Calendar WD
2. Ultimate Member
3. Coming Soon Page
4. GD Rating System
5. Contact Form by WD
6. WPGlobus
7. Form Maker
8. Ninja Forms
9. Affiliates Manager
10. Duplicator Pro

The big takeaways for tech leaders:

· Web application vulnerabilities increased by 21% in 2018 compared to 2017. — Imperva, 2019
· WordPress vulnerabilities increased by 30% between 2017 and 2018, more than any other CMS. — Imperva, 2019