October 2023 Vulnerability Tracking: Spotlight on QNAP, HTTP/2, and WordPress Security Flaws
Introduction to the Vulnerability Tracking Update!
Welcome to the first Greenbone Vulnerability Tracking blog post! This series of blog posts will summarize the most important new vulnerability tests (VTs) added to the Greenbone community and enterprise vulnerability feeds. The blog series will provide updates about new vulnerability detection capabilities that have been added to Greenbone’s community and enterprise vulnerability feeds and support the learning curve into cybersecurity vulnerability management (VM).
That being said, let’s dive into some recent events making waves in the global threat landscape!
Summary
In October 2023, several high-severity vulnerabilities in the QNAP Turbo NAS System were exposed rendering many QNAP products vulnerable and a DoS attack dubbed the “Rapid Reset Attack,” was identified in many implementations of the HTTP/2 protocol. The amplification magnitude of the HTTP/2 DoS vulnerability was evidenced by record-breaking DDoS attacks against CloudFlare and Google.
Google Chrome is again the subject of multiple high-severity vulnerabilities, building upon those previously identified in CVE-2023-4863 and CVE-2023-5217. Finally, Greenbone’s VTs can also detect several new vulnerabilities in the WordPress core and several plugins. WordPress users are encouraged to adopt proactive security practices such as enabling automatic updates and only implementing plugins that have a broad user base and receive regular updates.
Greenbone’s vulnerability feed includes detection for all items discussed in this report as well as over 160,000 other vulnerabilities in total. IT security teams are urged to conduct regular vulnerability scanning for all assets and update any impacted systems according to the appropriate mitigation methods.
Multiple Vulnerabilities In QNAP OS
Three Days after the publication of the vulnerability, Greenbone released detection for CVE-2023-32974, CVE-2023-32970, and CVE-2023-32973. These all impact “QTS” (QNAP Turbo NAS System), a proprietary Linux-based operating system developed by QNAP Systems, Inc., which is the embedded OS in the company’s Network-Attached Storage (NAS) devices. Greenbone community vulnerability feed now includes vulnerability tests to address CVE-2023-32974, CVE-2023-32970, and CVE-2023-32973 [1][2][3][4][5].
QNAP has released security updates for:
-
QTS 5.0.1.2425 build 20230609 and later
-
QTS 4.5.4.2467 build 20230718 and later
-
QuTS hero h5.1.0.2424 build 20230609 and later
-
QuTS hero h4.5.4.2476 build 20230728 and later
-
QuTScloud c5.1.0.2498 and later
Here is a summary of each vulnerability:
-
CVE-2023-32974 (CVSS 7.5 High): A path traversal vulnerability [CWE-22] affecting several versions of QTS can be triggered remotely via a network connection adding to the severity of its impact. “Path traversal” vulnerabilities are typically caused by improperly sanitized input allowing an attacker to supply malicious input that references resources outside of the intended scope, potentially leading to unauthorized data access or execution of malicious code.
-
CVE-2023-32970 (CVSS 4.9 Medium): A NULL pointer dereference [CWE 476] vulnerability affecting several versions of QTS. If exploited, the vulnerability could allow authenticated administrators to launch a denial-of-service (DoS) attack remotely. QNAP Enterprise Storage (QES) is not affected.
-
CVE-2023-32973 (CVSS 7.2 High): A buffer copy without checking the size of input [CWE-120] vulnerability has been reported for several versions of QTS. The vulnerability could allow authenticated administrators to execute arbitrary code via a network connection.
QNAP has published mitigation advisories QSA-23-42 and QSA-23-41 with instructions for installing the available firmware updates. Those using QNAP products built with the QTS operating system, as well as the QuTS hero cloud NAS solution or QuTScloud should update their systems as soon as possible.
The HTTP/2 “Rapid Reset Attack” Emerges
Several unrelated DoS vulnerabilities [T1464] were identified and disclosed in the HTTP/2 application layer protocol. HTTP/2 makes up about 65% percent of the internet traffic while less than 10% still uses HTTP/1 and the newer HTTP/3 makes up almost 25%. The weakness in HTTP/2 was disclosed by Internet WAF provider CloudFlare which claims to have mitigated a record-breaking DDoS attack, exceeding 201 million requests per second (RPS). For context, the entire Internet has between 1 and 3 billion requests per second.
CloudFlare named the attack “Rapid Reset Attack”. The attack works by leveraging a sizable botnet to abuse HTTP/2’s stream cancellation feature by continuously sending and then immediately canceling connection requests. HTTP/2’s stream multiplexing feature allows a single connection to manage multiple concurrent streams without requiring an individual connection for each request. The Rapid Reset Attack leverages this multiplexing feature to open many parallel streams per “round-trip” connection request triggering the target server to open an equivalent number of parallel processes and imposing a high resource cost. The attacker can then quickly issue a large number of RST_STREAM frames to cancel all the requested streams, also in a single round-trip, and repeat the process.
While the size of the botnet required to carry out the attack depends on the target’s resources, the Rapid Reset Attack is considered to be a substantial improvement over other known forms of amplification DoS attacks. The vulnerability is tracked as CVE-2023-44487 allowing various software vendors to reference it in any mitigation advisories or security patches.
Here are CVE references to the HTTP/2 Rapid Reset CVE and two other previously disclosed HTTP/2 DoS vulnerabilities that were recently added to Greenbone’s detection NVTs:
-
CVE-2023-44487 aka “HTTP/2 Rapid Reset Attack” (CVSS 7.5 High): The HTTP/2 protocol allows a denial of service (DoS) due to server resource consumption because request cancellation can quickly reset multiple streams at once.CVE-2023-44487 has been observed being actively exploited during August and October 2023.
-
CVE-2020-11080 (CVSS 7.5 High): nghttp2, a C library for implementing HTTP/2 and HTTP/3 protocols is vulnerable to an attack that leverages an overly large HTTP/2 SETTINGS frame to achieve DoS. nghttp2 before version 1.41.0 are vulnerable. A proof of concept attack is reportedly available which induces a CPU spike reaching 100% consumption. The vulnerability exploits [CWE-400] “Uncontrolled Resource Consumption” and [CWE-707] “Improper Neutralization”. nghttp2 v1.41.0 fixes this vulnerability, and a workaround is available for those who cannot update. The workaround involves implementing the `nghttp2_on_frame_recv_callback` setting, and if the received frame is SETTINGS frame and the number of settings entries is large (e.g., > 32), drop the connection.
-
CVE-2023-36478 (CVSS 7.5 High): In versions 11.0.0 through 11.0.15, 10.0.0 through 10.0.15, and 9.0.0 through 9.4.52 of Eclipse Jetty, an integer overflow [CWE-190] in `MetaDataBuilder.checkSize` allows for HTTP/2 HPACK header values to exceed their size limit. Although there are no known workarounds, the issue has been fixed in versions 11.0.16, 10.0.16, and 9.4.53.
How Is HTTP/3 Different Than HTTP/2?
HTTP/3 was published in 2022 and uses QUIC protocol which runs on top of UDP instead of TCP. This is different from HTTP/1 and HTTP/2 which both use TCP as a transport layer protocol. HTTP/3 is enabled on over one-quarter of all websites and is at least partially supported by most web browsers.
HTTP/3 has lower latency due to QUIC’s ability to initialize an encrypted connection using fewer round trips than TCP, and it also leverages multiplexing – allowing a single connection to relay multiple streams of data simultaneously. However, Google believes that HTTP/3 is not susceptible to the Rapid Reset Attack.
More High Severity Vulnerabilities In Chromium
The Chromium browser engine is again subject to a significant set of vulnerabilities in close succession to CVE-2023-4863 and CVE-2023-5217. The additional disclosures include several high-severity CVSS 8.8 CVEs that impact any Chromium-based browsers earlier than version 118.0.5993.70 across all OS platforms including Google Chrome, Microsoft Edge, Opera, and others.
This most recent group of vulnerabilities spans a wide range of components in Chrome. The most severe were found in Chrome’s Site Isolation feature, its Blink rendering engine, and the Chromium PDF renderer. All allow a remote attacker to execute arbitrary code by supplying a victim with specially crafted resources such as a malicious HTML web page or PDF file.
These vulnerabilities do not grant an attacker elevated privileges and exploitation requires at least the minimal form of user interaction preventing them from receiving the highest possible CVSS score of 10. The less severe vulnerabilities disclosed in the group range from CVSS 6.5 to 4.3, classifying them as medium severity. Their technical impacts range from allowing an attacker to change the security UI of the browser or gaining access to limited information.
Here are the specific details of each associated CVE:
-
CVE-2023-5218 (CVSS 8.8 High): Use after free [CWE-416] in Site Isolation allows a remote attacker to potentially exploit heap corruption via a crafted HTML page. Site Isolation is a security feature designed to prevent cross-site data leaks that exploit vulnerabilities in modern processors such as Spectre and Meltdown by isolating each browser tab into its own system process.
-
CVE-2023-5476 (CVSS 8.8 High): Use after free [CWE-416] in Blink History allows a remote attacker to potentially exploit heap corruption via a crafted HTML page. Microsoft is tracking this vulnerability as CVE-2023-4074. Blink is a critical component of the Chromium browser engine responsible for rendering web pages and displaying content on the screen.
-
CVE-2023-5474 (CVSS 8.8 High): Heap buffer overflow [CWE-122] in Chrome’s PDF rendering engine allows a remote attacker to execute arbitrary commands on a victim’s computer via a maliciously crafted PDF file [T1204.002] opened in the browser.
-
CVE-2023-5487 (CVSS 6.5 Medium): Inappropriate implementation in full-screen allows an attacker who convinced a user to install a malicious extension to bypass navigation restrictions via a crafted Chrome Extension.
-
CVE-2023-5484, CVE-2023-5483, CVE-2023-5481, and CVE-2023-5486 (CVSS 6.5 – 4.3 Medium): Inappropriate implementation in Navigation allows a remote attacker to spoof the security UI via a crafted HTML page. These security UI elements typically include visual cues or warnings displayed in the web browser to help users assess the trustworthiness of a website such as the SSL/TLS certificate validation icon, information about the website’s identity such as the organization’s name or the website’s verified identity, and the contents of the URL bar.
-
CVE-2023-5479 (CVSS 6.5 Medium): Inappropriate implementation in Extensions API allows an attacker who convinced a user to install a malicious extension [T1204] to bypass an enterprise policy [CWE-284] via a crafted HTML page.
-
CVE-2023-5485 (CVSS 4.3 Medium): Inappropriate implementation in Autofill allows a remote attacker to bypass autofill restrictions via a crafted HTML page.
-
CVE-2023-5478 (CVSS 4.3 Medium): Inappropriate implementation in Autofill allows a remote attacker to leak cross-origin data [CWE-200] via a crafted HTML page.
-
CVE-2023-5477 (CVSS 4.3 Medium): Inappropriate implementation in the installer allows a local attacker to bypass discretionary access control [CWE-284] via a crafted command.
-
CVE-2023-5473 (CVSS 4.3 Medium): Use after free [CWE-416] in Cast in Google Chrome allows a remote attacker who had compromised the renderer process to potentially exploit heap corruption [CWE-122] via a crafted HTML page [T1204.001].
How Can Zero-Day Browser Vulnerabilities Be Mitigated?
Browser client-based attacks are especially hard to avoid because accessing internet resources is so fundamental to business operations and daily life. Browser isolation is a virtualization technology that helps increase security when handling web-based content. Browser isolation is designed to prevent attackers from gaining initial access to a device through browser-based vulnerabilities such as the ones mentioned above. Fundamentally, browser isolation sandboxes web browsers so that they operate within a controlled environment, shielding the user’s underlying device and OS from being accessed by malicious web content [T1611] including zero-day vulnerabilities.
Browser isolation comes in two primary forms: process-level isolation and remote browser isolation (RBI). Process-level isolation creates isolated containers for each browsing session, preventing a compromise in one session from affecting others or the underlying host system. RBI goes a step further by operating the browser application on a remote server and using a remote desktop protocol like VNC or RDP to replay the web content and allow users to interact seamlessly. RBI solutions allow the browser to look and operate in the same way as a browser installed locally.
A New Round Of WordPress Vulnerabilities
Greenbone has also added detection for several new CVEs that impact all versions of WordPress up to version 6.3.2. The exploits in WordPress core reported by WordPress security vendor WordFence were called the “most significant security fixes we’ve seen in a while”.
The release of WordPress core 6.3.2 fixes arbitrary shortcode execution resulting from improper input validation [CWE-20]. The WordFence Intelligence Database has added an extensive list of shortcode-related vulnerabilities. Several XSS vulnerabilities were also patched that allow attackers to execute client-side attacks via specially crafted URLs. Greenbone has added detection for the missing security updates [1][2].
A summary of the issues reported include:
-
Potential disclosure [CWE-200] of user email addresses
-
Remote code execution (RCE) [CWE-94] POP Chains vulnerability
-
Cross-site scripting (XSS) [CWE-725] issue in the post-link navigation block
-
Comments on private posts could be leaked to other users [CWE-200]
-
A way for low-privileged logged-in users to execute any shortcode [CWE-78]
-
XSS vulnerability [CWE-725] in the application password screen
-
XSS vulnerability [CWE-725] in the footnotes block
-
Cache poisoning [CAPEC-14
Whenever possible it is a good idea to enable automatic WordPress updates and avoid the use of unnecessary plugins or those that represent a high potential for security risk. In general, plugins that have a high number of total installations and regularly receive updates are better choices than less popular or unmaintained plugins.