Critical RCE Alarm in jsonwebtoken (JWT) Library
A critical vulnerability has been identified in the open-source jsonwebtoken (JWT) library that could allow threat actors to execute code remotely on an affected server. JsonWebToken is an open-source JavaScript package used to validate JWTs for authentication and authorization. The package, developed by Auth0, has more than 9 million weekly downloads and over 20,000 dependents, and it underpins the authentication/authorization functionality of many applications.
The vulnerability, tracked as CVE-2022-23529, affects JsonWebToken versions earlier than 9.0.0. It could allow threat actors to bypass authentication mechanisms, execute code on the vulnerable system, gain access to sensitive information, and hijack or alter data.
In JsonWebToken version 9.0.0 the vulnerable code has been removed and the vulnerability fixed. Users of the affected library versions are advised to apply the fixing update immediately.
Maximum Severity Vulnerability on Synology VPN Plus Server
A critical security vulnerability has been identified in Synology VPN Plus Server, the product that turns Synology Router devices into a full VPN (virtual private network) server. In affected versions it could allow threat actors to execute code remotely.
The vulnerability, tracked as CVE-2022-43931, is caused by a boundary error in the Remote Desktop functionality and affects Synology VPN Plus Server versions before 1.4.3-0534 and 1.4.4-0635. It could allow remote threat actors to execute code on the vulnerable system.
Synology Released Patch for Synology VPN Immediately
Synology fixed the vulnerability immediately after it was discovered by the Synology Product Security Incident Response Team (PSIRT). It carries the maximum severity score of 10 out of 10.
To avoid becoming the target of attacks exploiting this vulnerability, it is recommended to upgrade to Synology VPN Plus Server version 1.4.3-0534 or 1.4.4-0635.
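Both of the items above reduce, for a defender, to the same question: is the version we are running older than the fixed one? The following is an added example, not code from this advisory or from Auth0 or Synology. It compares version strings in the two formats the items use (npm "major.minor.patch" and Synology "major.minor.patch-build"), scans an npm package-lock.json for jsonwebtoken entries below 9.0.0, and checks a Synology VPN Plus Server build string against the two fixed builds. The lockfile structure follows npm's lockfileVersion 1 and 2/3 layouts; the sample lockfile is constructed here for the demonstration, and treating any branch newer than 1.4.4 as already fixed is an assumption, since the advisory only names the 1.4.3 and 1.4.4 fixed builds.

```javascript
// Added example (not from the advisory): version checks for CVE-2022-23529
// (jsonwebtoken < 9.0.0) and CVE-2022-43931 (Synology VPN Plus Server).

const FIXED_JWT = "9.0.0";                              // from the advisory
const FIXED_SYNOLOGY_143 = "1.4.3-0534";                // from the advisory
const FIXED_SYNOLOGY_144 = "1.4.4-0635";                // from the advisory

// Parse "1.4.3-0534" or "8.5.1" into numeric parts plus a build number.
// A non-numeric suffix (e.g. "9.0.0-beta") is treated as a pre-release and
// sorts before the plain release, so it is still considered unfixed.
function parseVersion(v) {
  const [core, suffix] = String(v).split("-");
  const parts = core.split(".").map((n) => parseInt(n, 10) || 0);
  let build = 0;
  if (suffix !== undefined) {
    build = parseInt(suffix, 10);
    if (Number.isNaN(build)) build = -1;                 // pre-release marker
  }
  return { parts, build };
}

// Returns -1, 0 or 1 like a comparator: a < b, a == b, a > b.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  const len = Math.max(pa.parts.length, pb.parts.length);
  for (let i = 0; i < len; i++) {
    const x = pa.parts[i] || 0;
    const y = pb.parts[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  if (pa.build !== pb.build) return pa.build < pb.build ? -1 : 1;
  return 0;
}

function jsonwebtokenVulnerable(version) {
  return compareVersions(version, FIXED_JWT) < 0;
}

// The fix shipped separately on the 1.4.3 and 1.4.4 branches, so a plain
// "less than 1.4.4-0635" test would wrongly flag 1.4.3-0534 as vulnerable.
function synologyVpnPlusVulnerable(version) {
  const branch = parseVersion(version).parts.slice(0, 3).join(".");
  if (branch === "1.4.4") return compareVersions(version, FIXED_SYNOLOGY_144) < 0;
  // Everything below the 1.4.3 fixed build is affected; branches newer than
  // 1.4.4 are assumed (not stated in the advisory) to carry the fix.
  return compareVersions(version, FIXED_SYNOLOGY_143) < 0;
}

// Walk an npm lockfile and report every jsonwebtoken copy below 9.0.0,
// including nested copies pulled in by other dependencies.
function findVulnerableJwt(lockfile) {
  const hits = [];
  // lockfileVersion 2/3: flat "packages" map keyed by install path.
  for (const [path, meta] of Object.entries(lockfile.packages || {})) {
    if (path.endsWith("node_modules/jsonwebtoken") && meta.version &&
        jsonwebtokenVulnerable(meta.version)) {
      hits.push({ path, version: meta.version });
    }
  }
  // lockfileVersion 1: nested "dependencies" tree.
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === "jsonwebtoken" && meta.version && jsonwebtokenVulnerable(meta.version)) {
        hits.push({ path, version: meta.version });
      }
      walk(meta.dependencies, `${path}/`);
    }
  };
  walk(lockfile.dependencies, "");
  return hits;
}

// Constructed sample lockfile: one vulnerable top-level copy and one fixed
// nested copy.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/jsonwebtoken": { version: "8.5.1" },
    "node_modules/some-lib/node_modules/jsonwebtoken": { version: "9.0.0" },
  },
};

// Usage: node check-versions.js [path/to/package-lock.json]
if (typeof require !== "undefined" && require.main === module) {
  const lock = process.argv[2]
    ? JSON.parse(require("fs").readFileSync(process.argv[2], "utf8"))
    : SAMPLE_LOCK;
  for (const hit of findVulnerableJwt(lock)) {
    console.log(`VULNERABLE ${hit.path} jsonwebtoken@${hit.version} (< ${FIXED_JWT})`);
  }
  for (const v of ["1.4.3-0500", "1.4.3-0534", "1.4.4-0600", "1.4.4-0635"]) {
    console.log(`Synology VPN Plus Server ${v}: ${synologyVpnPlusVulnerable(v) ? "VULNERABLE" : "fixed"}`);
  }
}
```

Run it against a real lockfile to get the install path of every affected copy, which matters because a fixed top-level jsonwebtoken does not fix a vulnerable copy nested under another dependency.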
Critical 0-Day Alarm Affecting Windows ALPC
As part of the January 2023 updates, Microsoft has released fixes for 98 security vulnerabilities, including a 0-day vulnerability in Windows ALPC.
The details of the detected 0-day vulnerability are as follows:
- The vulnerability, tracked as CVE-2023-21674, is a critical privilege escalation vulnerability in the Windows ALPC (Advanced Local Procedure Call) component. Caused by a boundary error, it could allow threat actors to execute code with SYSTEM privileges on the affected system. Advanced Local Procedure Call is a message-passing mechanism used in Windows systems.
Threat actors are known to be actively exploiting this vulnerability. Microsoft's security updates fix this vulnerability along with the others; it is therefore recommended to apply the published updates to vulnerable products and versions immediately so as not to become the target of attacks exploiting them.