Vulnerability Recap 5/6/24 – Aruba, Dropbox, GitLab Bugs


This past week, Aruba Networks patched multiple vulnerabilities in its ArubaOS operating system. We also saw macOS spyware, an actively exploited GitLab account-takeover bug, and a breach of Dropbox Sign that exposed customer data. Several Android apps share a file-handling flaw that Microsoft calls "Dirty Stream," and security firm Oversecured disclosed 20 vulnerabilities in the apps bundled on Xiaomi's Android devices. Finally, Symantec reported on threat actors abusing the Microsoft Graph API for command and control; that one is misuse of a legitimate API rather than a patched bug.

As always, keep close watch over your hardware and software providers’ security bulletins, and patch products immediately when you learn about a problem.

April 30, 2024

Aruba Networks Patches Buffer Overflow & DoS Vulnerabilities

Type of vulnerability: Unauthenticated buffer overflow and denial-of-service vulnerabilities.

The problem: Aruba Networks recently patched eight vulnerabilities in its ArubaOS software. The four buffer overflow vulnerabilities are reachable without authentication and could lead to remote code execution on the underlying operating system; the four denial-of-service vulnerabilities could disrupt normal service. The buffer overflow vulnerabilities carry a critical CVSS rating.

The vulnerabilities affect Mobility Conductor (formerly Mobility Master), Mobility Controllers, and the WLAN Gateways and SD-WAN Gateways managed by Aruba Central. They affect the following ArubaOS software versions:

  • ArubaOS 10.5.x.x: 10.5.1.0 and below
  • ArubaOS 10.4.x.x: 10.4.1.0 and below
  • ArubaOS 8.11.x.x: 8.11.2.1 and below
  • ArubaOS 8.10.x.x: 8.10.0.10 and below

They also affect the following software versions, which are end of maintenance and will not receive a patch:

  • ArubaOS 10.3.x.x: all
  • ArubaOS 8.9.x.x: all
  • ArubaOS 8.8.x.x: all
  • ArubaOS 8.7.x.x: all
  • ArubaOS 8.6.x.x: all
  • ArubaOS 6.5.4.x: all
  • SD-WAN 8.7.0.0-2.3.0.x: all
  • SD-WAN 8.6.0.4-2.2.x.x: all

The fix: Aruba provides workarounds, but notes that not every workaround applies to every affected version. For full coverage, upgrade to a patched ArubaOS release:

  • ArubaOS 10.6.x.x: 10.6.0.0 and above
  • ArubaOS 10.5.x.x: 10.5.1.1 and above
  • ArubaOS 10.4.x.x: 10.4.1.1 and above
  • ArubaOS 8.11.x.x: 8.11.2.2 and above
  • ArubaOS 8.10.x.x: 8.10.0.11 and above
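Checking a fleet of controllers against a version table like the one above is easy to get wrong: a string comparison calls 8.10.0.9 newer than 8.10.0.11, and builds on end-of-maintenance branches need a different answer than "upgrade to the next point release." The script below is an added example, not code from Aruba or from this page; it encodes the advisory's patched and end-of-maintenance branches, parses the dotted version numerically, and classifies each device. It assumes the version appears as "Version a.b.c.d" in the controller's show version output and uses constructed sample inventory, not real device output.

```python
"""Triage ArubaOS version strings against the April 2024 advisory above."""
import re

# Earliest fixed release on each supported branch, from the advisory's patched-versions list.
FIXED_MINIMUM = {
    "10.6": (10, 6, 0, 0),
    "10.5": (10, 5, 1, 1),
    "10.4": (10, 4, 1, 1),
    "8.11": (8, 11, 2, 2),
    "8.10": (8, 10, 0, 11),
}

# Branches the advisory lists as end of maintenance: every build is affected and no patch is coming.
END_OF_MAINTENANCE = {"10.3", "8.9", "8.8", "8.7", "8.6", "6.5"}

# Assumption: the version appears as "Version a.b.c.d" in 'show version' output.
_SHOW_VERSION_RE = re.compile(r"\bVersion\s+(\d+\.\d+\.\d+\.\d+)\b")


def extract_version(show_version_output):
    """Pull the dotted version out of 'show version' text; None if not found."""
    match = _SHOW_VERSION_RE.search(show_version_output)
    return match.group(1) if match else None


def parse_version(text):
    """Turn '8.10.0.9' into (8, 10, 0, 9) so comparisons are numeric, not lexical."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised ArubaOS version: {text!r}")
    return tuple(int(p) for p in parts)


def triage(version_text):
    """Classify one version: 'patched', 'vulnerable', 'end-of-maintenance' or 'not-in-advisory'."""
    version = parse_version(version_text)
    branch = f"{version[0]}.{version[1]}"
    if branch in FIXED_MINIMUM:
        return "patched" if version >= FIXED_MINIMUM[branch] else "vulnerable"
    if branch in END_OF_MAINTENANCE:
        return "end-of-maintenance"
    # Older or unlisted branches: not covered by the advisory table, verify by hand.
    return "not-in-advisory"


def triage_inventory(inventory):
    """Map hostname -> status for a dict of hostname -> 'show version' output."""
    report = {}
    for host, output in inventory.items():
        version = extract_version(output)
        report[host] = triage(version) if version else "unparsed"
    return report


if __name__ == "__main__":
    # Constructed sample inventory, not real controller output.
    sample = {
        "mc-dc1-01": "ArubaOS (MODEL: Aruba7210), Version 8.10.0.9",
        "mc-dc1-02": "ArubaOS (MODEL: Aruba7210), Version 8.10.0.11",
        "gw-branch-07": "ArubaOS (MODEL: Aruba9004), Version 10.5.1.0",
        "mc-legacy-03": "ArubaOS (MODEL: Aruba7005), Version 8.6.0.4",
        "mc-unknown": "no version banner here",
    }
    for host, status in sorted(triage_inventory(sample).items()):
        print(f"{host:14} {status}")
```

The numeric tuple comparison is the point: 8.10.0.9 sorts below 8.10.0.11 here, whereas a plain string comparison would rank it above and report the device as patched. Devices on end-of-maintenance branches are flagged separately because the only remediation is moving to a supported branch.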


Cuckoo Spyware Threatens macOS Devices

Type of attack: Information stealing, persistence, and privilege escalation.

The problem: Researchers recently discovered spyware stealing data from devices running macOS. Mobile device management provider Kandji calls the malware "Cuckoo." It found a Mach-O binary that behaved partly like spyware and partly like an information stealer. The first file Kandji examined carried an application name that it traced to dumpmedia[.]com, a site offering conversion of media files to MP3.

Kandji downloaded the application and ran it, observing that it began gathering data from the host. The malware also established persistence, as spyware typically does, and attempted to escalate its privileges.

Other sites distributing similar malicious files include tunesolo[.]com, fonedog[.]com, tunesfun[.]com, and tunefab[.]com, all of which offer music services like dumpmedia[.]com's.

The fix: There is currently no published fix for compromised macOS devices. Avoid installing software from the sites above. Treat any device that has run one of these installers as compromised: remove the application and whatever persistence it established, and rotate any credentials or tokens that were present on the host, since the malware was observed collecting data.

May 1, 2024

GitLab Issue Allows Attackers to Reset Account Passwords

Type of vulnerability: Improper access control (account takeover via password reset).

The problem: A bug in GitLab Enterprise Edition and Community Edition lets a password reset request deliver the reset email to an email address that was never verified for the target account: the reset form accepts a list of addresses, so an attacker can submit the victim's address together with one they control. Whoever controls that second address can then reset the password and take over the account. The vulnerability, tracked as CVE-2023-7028, has the maximum CVSS rating of 10.0. It was first disclosed and patched in January 2024 and is now being actively exploited, which is why it is back in the news. Accounts with two-factor authentication enabled can still have their password reset, but they cannot be logged into without the second factor.

The vulnerability affects the following versions of GitLab:

  • 16.1 prior to 16.1.6
  • 16.2 prior to 16.2.9
  • 16.3 prior to 16.3.7
  • 16.4 prior to 16.4.5
  • 16.5 prior to 16.5.6
  • 16.6 prior to 16.6.4
  • 16.7 prior to 16.7.2

The fix: Upgrade to the first fixed release of your branch or later (16.1.6, 16.2.9, 16.3.7, 16.4.5, 16.5.6, 16.6.4, or 16.7.2). GitLab's release notes for the original patch name 16.7.2, 16.6.4, and 16.5.6 and also cover several noncritical vulnerabilities. Enable two-factor authentication for all accounts, especially administrators, and review your logs for password reset requests that carry more than one email address, which is the signature of an exploitation attempt.
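GitLab's advisory told administrators to look in gitlab-rails/production_json.log for POST requests to /users/password whose email parameter is a JSON array with more than one address. The scanner below is an added example, not GitLab's code or tooling: it applies that check to log lines. The log lines are constructed for the example, and the field layout (one JSON object per line, with "params" as a list of {"key", "value"} entries and the form's user fields nested under the "user" key) is an assumption modelled on that log's structure; adjust the field names if your instance logs differently.

```python
"""Scan GitLab production_json.log lines for password-reset requests that
carry more than one email address, the pattern behind CVE-2023-7028."""
import json

# Constructed sample lines, not real GitLab logs.
SAMPLE_LOG = [
    # Ordinary reset request: a single address.
    '{"method":"POST","path":"/users/password","remote_ip":"203.0.113.10",'
    '"time":"2024-04-30T10:01:02Z","params":[{"key":"user","value":{"email":"alice@example.com"}}]}',
    # Suspicious: the email field is an array with two addresses.
    '{"method":"POST","path":"/users/password","remote_ip":"198.51.100.7",'
    '"time":"2024-04-30T10:05:44Z","params":[{"key":"user","value":{"email":["victim@example.com","attacker@example.net"]}}]}',
    # Unrelated request on the same instance.
    '{"method":"GET","path":"/users/sign_in","remote_ip":"203.0.113.10","time":"2024-04-30T10:06:00Z","params":[]}',
    # Not valid JSON; the scanner must skip it rather than crash.
    "garbage line",
]


def emails_in_reset_request(record):
    """Return the email values in a password-reset POST, or [] if the record is not one."""
    if record.get("method") != "POST" or record.get("path") != "/users/password":
        return []
    found = []
    for param in record.get("params", []):
        value = param.get("value") if isinstance(param, dict) else None
        if not isinstance(value, dict):
            continue
        email = value.get("email")
        if isinstance(email, list):
            # An array here means the form was submitted with user[email][] repeated.
            found.extend(str(e) for e in email)
        elif isinstance(email, str):
            found.append(email)
    return found


def find_suspicious_resets(lines):
    """Return (remote_ip, time, emails) for reset requests naming more than one address."""
    hits = []
    for line in lines:
        try:
            record = json.loads(line)
        except ValueError:
            continue  # malformed line, skip
        if not isinstance(record, dict):
            continue
        emails = emails_in_reset_request(record)
        if len(emails) > 1:
            hits.append((record.get("remote_ip"), record.get("time"), emails))
    return hits


if __name__ == "__main__":
    for ip, when, emails in find_suspicious_resets(SAMPLE_LOG):
        print(f"{when} {ip} requested a reset for {len(emails)} addresses: {', '.join(emails)}")
```

On a real instance, feed the function the lines of production_json.log (the file rotates, so include archived copies covering the exposure window). A hit tells you which account was targeted and which foreign address received the reset email; that account's password and sessions should be treated as compromised.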

Multiple Android Apps Vulnerable to File-Sharing Issues

Type of vulnerability: Path traversal.

The problem: Microsoft researchers recently found a pattern in multiple Android apps that lets a malicious app overwrite files inside another app's private storage, which can lead to arbitrary code execution and token theft. Microsoft named the technique "Dirty Stream" because the receiving app consumes a file stream from another app without checking where the name attached to that stream will make it write.

The core issue is a faulty implementation of Android's content-provider file sharing: the receiving app trusts the file name supplied by the sending app and writes the content under that name in its own internal storage. A name containing path traversal sequences such as ../ escapes the intended cache directory, so the sender controls both the content and the destination of the write.

Microsoft identified vulnerable applications on Google Play with a combined install base of around four billion, and it suspects other applications share the flaw.

The fix: Microsoft's guidance to developers is to ignore the file name provided by the sending app when caching received content and use an internal name instead, or at least to validate the supplied name strictly before using it. End users should update their apps to the latest versions through the Google Play Store.
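The vulnerable and hardened handling side by side, as an added example that is not Microsoft's code or any app's code. It is written in Python rather than Android Java or Kotlin, so the Android APIs are out of scope; what it shows is the check itself: the unsafe version joins an attacker-supplied name onto the cache directory, while the hardened version rejects anything that is not a plain file name and then confirms the resolved path is a direct child of the cache directory. The cache directory and the sample names are constructed for the example.

```python
"""Vulnerable and hardened handling of a file name supplied by an untrusted sender."""
import os

# Constructed, Android-style private cache directory for the receiving app.
CACHE_DIR = "/data/data/com.example.victim/cache"


def cache_path_unsafe(cache_dir, supplied_name):
    """Vulnerable pattern: trust the sender's display name as the cache file name."""
    return os.path.join(cache_dir, supplied_name)


def cache_path_safe(cache_dir, supplied_name):
    """Hardened pattern: accept only a plain file name, then verify containment."""
    # Fail closed on anything that could change the directory: separators, NUL, dot names.
    if not supplied_name or "\x00" in supplied_name or "/" in supplied_name or "\\" in supplied_name:
        raise ValueError(f"rejected file name: {supplied_name!r}")
    if supplied_name in (".", ".."):
        raise ValueError(f"rejected file name: {supplied_name!r}")
    root = os.path.realpath(cache_dir)
    target = os.path.realpath(os.path.join(root, supplied_name))
    # Defence in depth: the resolved path must sit directly under the cache directory.
    # This also catches a symlink planted inside the cache that points elsewhere.
    if os.path.dirname(target) != root:
        raise ValueError(f"rejected file name: {supplied_name!r}")
    return target


def stays_inside(cache_dir, path):
    """True if 'path' resolves to a direct child of cache_dir."""
    return os.path.dirname(os.path.realpath(path)) == os.path.realpath(cache_dir)


def is_accepted(cache_dir, supplied_name):
    """Does the hardened check accept this name?"""
    try:
        cache_path_safe(cache_dir, supplied_name)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed display names a malicious sender might present.
    names = [
        "song.mp3",
        "../shared_prefs/com.example.victim_preferences.xml",
        "../../../data/data/com.example.victim/lib/libnative.so",
        "..",
    ]
    for name in names:
        unsafe = cache_path_unsafe(CACHE_DIR, name)
        verdict = "inside" if stays_inside(CACHE_DIR, unsafe) else "ESCAPES cache dir"
        print(f"{name!r}: unsafe -> {os.path.normpath(unsafe)} ({verdict}); hardened accepts: {is_accepted(CACHE_DIR, name)}")
```

The second and third names are the attack: with the unsafe join they land in the app's shared_prefs and lib directories, which is exactly how a sender ends up overwriting stored tokens or a native library the app later loads. Rejecting separators outright, rather than stripping them, is deliberate; a sanitizer that quietly turns one name into another is harder to reason about than a check that fails closed.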

Dropbox Vulnerability Leads to Compromised User Data

Type of attack: Unauthorized access (breach of the Dropbox Sign production environment).

The problem: On April 24, a week before Dropbox published its security bulletin, the company discovered that a threat actor had gained unauthorized access to the Dropbox Sign (formerly HelloSign) production environment. The attacker accessed customer data including email addresses, user names, phone numbers, and hashed passwords, along with authentication material: API keys, OAuth tokens, and multi-factor authentication settings. People who received or signed a document through Dropbox Sign without creating an account had their names and email addresses exposed.

Dropbox reset affected customers' passwords and logged users out of any devices connected to Dropbox Sign. It is also coordinating the rotation of API keys and OAuth tokens, and it published an FAQ alongside its security bulletin.

The fix: Dropbox has handled the password resets. API customers must generate a new API key following Dropbox's instructions, since Dropbox has restricted existing keys until they are rotated; OAuth integrations need to re-authorize; and users who configured an authenticator app for MFA should remove the old entry and enroll again with a new secret.

May 2, 2024

Xiaomi Devices See 20 Vulnerabilities

Type of vulnerability: Multiple, including data disclosure and access to arbitrary services.

The problem: Xiaomi devices running Android carry 20 vulnerabilities across a range of bundled applications, including Settings and Phone Services. Security firm Oversecured found all 20 and reported them to Xiaomi.

Several of them stem from Xiaomi's modifications to Android Open Source Project components such as Settings; the changes introduced flaws that the upstream code does not have.

The fix: Xiaomi doesn't appear to publish a security bulletin with patch details. Update your device to its most recent firmware and consult Oversecured's blog post, which covers the issues in detail.

Symantec Brings Microsoft Graph API Issues to Light

Type of attack: Abuse of a legitimate cloud API (Microsoft Graph) for command and control.

The problem: Threat actors are increasingly abusing the Microsoft Graph API, often to communicate with infrastructure hosted in Microsoft's cloud. Developers use Graph to access resources such as email and files; attackers use it because traffic to Microsoft services blends in with legitimate activity and the hosting costs them nothing. Multiple threat groups, including nation-state actors, have used it over the past three years. Targets include foreign affairs organizations in the Americas and Southeast Asia, so the abuse is global rather than confined to one region.

Symantec recently reported on the trend, noting that one of the most recent cases involved an organization in Ukraine. The malware's dynamic link library (DLL) carried the same file name as a legitimate library in order to blend in. It used the Graph API to reach Microsoft OneDrive, which served as its command-and-control server for uploading and downloading files.

The fix: There is nothing to patch: the API is working as designed, and the malware abuses it through attacker-controlled accounts. Symantec published indicators of compromise that its endpoint security product blocks. Defenders should also watch for hosts and processes contacting Graph endpoints with no legitimate reason to, and review which applications have been granted Graph permissions in their tenants.

Jenna Phipps