Citrix Releases Patches for Critical ADC Vulnerability Under Active Attack

For almost a month now, Citrix Application Delivery Controllers (ADC) and Citrix Gateways have been vulnerable to a critical path traversal flaw (CVE-2019-1978). The flaw allows an unauthenticated entity to perform arbitrary code execution on vulnerable servers.

It affects all versions of the software, including:

Citrix ADC and Citrix Gateway version 13.0 all supported builds

Citrix ADC and NetScaler Gateway version 12.1 all supported builds

Citrix ADC and NetScaler Gateway version 12.0 all supported builds

Citrix ADC and NetScaler Gateway version 11.1 all supported builds

Citrix NetScaler ADC and NetScaler Gateway version 10.5 all supported builds

Citrix’s announcement of the flaw did not initially provide any software patches; however, they did offer mitigation steps.

Thankfully, Citrix has now begun to release its first batch of updates, which provides permanent patches for ADC versions “11.1 and 12.0 that also apply to ADC and Gateway VPX hosted on ESX, Hyper-V, KVM, XenServer, Azure, AWS, GCP or on a Citrix ADC Service Delivery Appliance (SDX).”

Get more information here

Critical WordPress Bug Leaves 320,000 Sites Open to Attack

According to researchers from WebArx, two WordPress plugins, InfiniteWP Client and WP Time Capsule, suffer from a new vulnerability. Both plugins contain a flaw that allows an attacker to access a site’s backend with no password. According to a WebArx blog post, an attacker only needs the admin username to access the site’s backend.

Both plugins were created to allow users to authenticate to numerous WordPress installations from one central server. According to the WordPress plugin library, 300,000 websites are running a vulnerable version of the InfiniteWP Client plugin, and 20,000 are running a vulnerable version of the WP Time Capsule plugin.

The proof-of-concept attack on InfiniteWP Client “requires a payload encoded with JSON, then Base64. Next, it is sent raw to the targeted site in a POST request,” and the WP Time Capsule Bug “only needs to contain a certain string in the body of the raw POST request.”

To mitigate the vulnerability, researchers recommend updating both plugins to their patched versions.

Read more here

Bot List With Telnet Credentials for More Than 500,000 Servers and IoT Devices Leaked Online

A cybercriminal has recently dumped an extensive list of Telnet credentials for over 510,000 servers and smart devices. According to SecurityAffairs, this is the largest leak of Telnet passwords ever reported.

The list was first posted on a popular hacking forum by the operator of a DDoS booter service and includes, for each device, its IP address together with the username and password of its Telnet service.

A quick look at the list reveals that many of the devices’ login credentials are default or easy-to-guess values.

The top five credentials in the list (username:password, followed by the number of devices using that pair) were:

root:[blank]—782

admin:admin—634

root:root—320

admin:default—21

Default:[blank]—18

Security researcher Victor Gevers analyzed the list and found that more than 8,200 IP addresses were unique, and around 2,174 were accessible via Telnet by using the leaked credentials.
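The kind of triage described above (counting unique IPs and tallying which credential pairs dominate the dump) can be scripted. The following is an added example and is not code from the article or from the researchers it cites. The line format `IP:PORT USER:PASS` is an assumption, since the article does not describe the dump's layout, and the sample lines are constructed; the watch list of default pairs is taken from the five credentials the article reports.

```python
"""Tally credentials in a leaked Telnet credential dump (added example).

The dump format is an assumption: one entry per line, "IP:PORT USER:PASS",
with an empty password written as nothing after the colon. Sample lines
below are constructed for the example.
"""
from collections import Counter
import ipaddress

# Constructed sample in the assumed "ip:port user:pass" format, including
# a duplicate IP and a malformed line so the parser's skipping is visible.
SAMPLE_DUMP = """\
203.0.113.10:23 root:
203.0.113.11:23 admin:admin
203.0.113.10:23 root:
198.51.100.7:2323 root:root
198.51.100.8:23 admin:default
malformed line here
203.0.113.12:23 Default:
192.0.2.5:23 admin:admin
"""

# The five most common pairs reported in the article, used as a
# default-credential watch list.
DEFAULT_CREDENTIALS = {
    ("root", ""),
    ("admin", "admin"),
    ("root", "root"),
    ("admin", "default"),
    ("Default", ""),
}


def parse_dump(text):
    """Yield (ip, port, user, password) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        endpoint, cred = parts
        host, sep, port = endpoint.rpartition(":")
        if not sep or not port.isdigit():
            continue
        try:
            ip = str(ipaddress.ip_address(host))  # rejects non-IP hosts
        except ValueError:
            continue
        user, sep, password = cred.partition(":")
        if not sep:
            continue
        yield ip, int(port), user, password


def summarize(text):
    """Return the figures a defender wants from a dump: entry count, unique
    IPs, how many entries use a known default pair, and the top five pairs."""
    entries = list(parse_dump(text))
    cred_counts = Counter((u, p) for _, _, u, p in entries)
    unique_ips = {ip for ip, _, _, _ in entries}
    default_hits = sum(1 for _, _, u, p in entries if (u, p) in DEFAULT_CREDENTIALS)
    return {
        "entries": len(entries),
        "unique_ips": len(unique_ips),
        "default_credential_entries": default_hits,
        "top_credentials": cred_counts.most_common(5),
    }


def format_credential(user, password):
    """Render a pair the way the article lists them, e.g. 'root:[blank]'."""
    return f"{user}:{password if password else '[blank]'}"


if __name__ == "__main__":
    report = summarize(SAMPLE_DUMP)
    print(f"entries: {report['entries']}, unique IPs: {report['unique_ips']}")
    print(f"entries using a default credential: {report['default_credential_entries']}")
    for (user, password), count in report["top_credentials"]:
        print(f"{format_credential(user, password)} - {count}")
```

Run against a real dump, the unique-IP count and the share of entries on the default watch list are the two numbers worth reporting first; a device owner can match their own address ranges against the parsed IPs to find exposures to rotate.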

Read more here