Cybersecurity Threats Articles | eSecurity Planet
https://www.esecurityplanet.com/threats/
Industry-leading guidance and analysis for how to keep your business secure.

Vulnerability Recap 11/4/24 – Fourteen-Year Bug Finally Gets Patched
https://www.esecurityplanet.com/threats/vulnerability-recap-november-4-2024/
Mon, 04 Nov 2024 21:26:16 +0000

This week, we look at a Windows 11 OS downgrade vulnerability, as well as cloud credential theft and industrial control device vulnerabilities.

We’re looking at cloud credential theft (not good) and a big win for early vulnerability fixes (better) this week, as well as critical Mitsubishi Electric and Rockwell Automation bugs that could affect industrial control environments. Additionally, an SSL certificate validation weakness in qBittorrent has finally been fixed after 14 years.

Also, Microsoft hasn’t yet developed a fix for Windows 11 downgrade attacks, which were first announced this summer at the Black Hat conference. If your business runs Windows operating systems (as most do), check system files for strange activity and any downgrades to older, more vulnerable OS versions.

October 26, 2024

Windows 11 Downgrade Vulnerability Is Still Wide Open

Type of vulnerability: Admin code execution privileges leading to operating system downgrades.

The problem: This summer, researcher Alon Leviev revealed a downgrade attack vulnerability in Windows, the exploit for which he named Downdate. The Windows update process could be overtaken, and a threat actor could execute undetectable and irreversible downgrades to Windows system components, Leviev said. He demonstrated the downgrade at Black Hat 2024, reverting fully patched Windows machines back to previous vulnerable states.

Leviev recently published an update to the summer’s information, showing that Microsoft’s decision not to fix the Administrator-privilege issue leaves Windows 11 still vulnerable. Because an admin gaining kernel code execution privileges isn’t considered a breach of an official security boundary, and therefore not a vulnerability, Microsoft has opted not to fix it. Microsoft has recently said it’s actively working on a fix, though it hasn’t provided a deadline or specific details.

The fix: Monitor your Windows operating system behavior, including log files, and look for any downgrade procedures. Microsoft has no published fix for the threat yet, since it doesn’t consider it an official vulnerability. 

I also recommend scanning regularly for vulnerabilities, on an automated basis if possible. Check out our top vulnerability scanning tools for some ideas if your security team needs more consistent monitoring.

October 30, 2024

Sysdig Report Reveals Major Theft of Cloud Credentials

Type of vulnerability: Misconfigured cloud services and exposed Git files.

The problem: Sysdig reported a widespread credential theft operation that preys on exposed Git configuration files. Sysdig refers to the global attack as EMERALDWHALE. EMERALDWHALE uses private software tools to abuse misconfigured web services, which helps threat actors steal cloud credentials from cloud services’ source code. Threat actors can also clone private Git repositories.

The threat actors then stash any stolen data in a previous victim’s S3 bucket. They’ve stolen over 10,000 cloud credentials thus far, Sysdig reports.

Sysdig discovered the threat when it noticed an unusual bucket in its cloud honeypot being used through a compromised account. “While investigating this bucket, we discovered malicious tools and over a terabyte of data, which included compromised credentials and logging data,” Sysdig said. Through the bucket, Sysdig uncovered an extensive scanning campaign exploiting Git configurations.

Two of the major tools that attackers use to exploit the Git config files are MZR V2 and Seyzo-v2, which require a list of targets like IP addresses or previously scanned domains. The tools are found on underground marketplaces.

The fix: Use encryption for all your Git configuration; avoid committing sensitive data, including credentials; and set strict access requirements for your repositories.

October 31, 2024

CISA Flags Mitsubishi Vulnerabilities in Halloween Notice

Type of vulnerability: Missing authentication for critical function and unsafe reflection.

The problem: CVE-2023-6943, a Mitsubishi vulnerability that was publicized in January, has been updated and highlighted by the CISA. The vulnerability has a critical score of 9.8 and affects components like EZSocket, MELSOFT Navigator, and MT Works2.

On Halloween, the CISA released a set of advisories for three of the Mitsubishi vulnerabilities and the Rockwell Automation bug listed below. The advisories are considered to be a broad industrial control warning. These flaws could particularly affect smart devices in manufacturing and supply chain environments.

“Successful exploitation of these vulnerabilities could allow an attacker to disclose, tamper with, destroy or delete information in the products, or cause a denial-of-service (DoS) condition on the products,” the CISA said regarding CVE-2023-6943, the critical Mitsubishi vulnerability. A remote unauthenticated threat actor could execute code using paths to a malicious library when it’s connected to any of the Mitsubishi products listed above.

The CISA listed the affected versions of each product:

  • EZSocket: Versions 3.0 and later
  • GT Designer3 Version1(GOT1000): All versions
  • GT Designer3 Version1(GOT2000): All versions
  • GX Works2: Versions 1.11M and later
  • GX Works3: Versions 1.106L and prior
  • MELSOFT Navigator: Versions 1.04E and later
  • MT Works2: All versions
  • MX Component: Versions 4.00A and later
  • MX OPC Server DA/UA (Software packaged with MC Works64): All versions

The fix: For GX Works3, Mitsubishi Electric advises customers to upgrade to version 1.110Q or later.

Rockwell Automation Bug Also Gets CISA Warning

Type of vulnerability: Missing authentication for critical function and out-of-bounds read.

The problem: A critical Rockwell Automation bug allows an attacker with network access to send specially crafted messages to the Rockwell device. This could potentially lead to database manipulation. The vulnerability is tracked as CVE-2024-10386 and specifically affects Rockwell FactoryTalk ThinManager.

The CISA released a notice for the vulnerability and warns that potential messages sent to the Rockwell device could also lead to a denial-of-service (DoS) attack.

The vulnerability affects the following software versions:

  • ThinManager: Versions 11.2.0 to 11.2.9
  • ThinManager: Versions 12.0.0 to 12.0.7
  • ThinManager: Versions 12.1.0 to 12.1.8
  • ThinManager: Versions 13.0.0 to 13.0.5
  • ThinManager: Versions 13.1.0 to 13.1.3
  • ThinManager: Versions 13.2.0 to 13.2.2
  • ThinManager: Version 14.0.0

The fix: Rockwell has provided fixes for ThinManager; download the most recent version available for your environment.

November 1, 2024

qBittorrent Solves 14-Year-Old SSL Certificate Issue

Type of vulnerability: Insufficient SSL certificate validation, potentially leading to remote code execution.

The problem: qBittorrent has a recently discovered and patched vulnerability that went unidentified for 14 years. Versions 3.2.1 through 5.0.0 of the software, a torrent client that helps with sequential downloading, are susceptible to a severe security issue. If exploited, the vulnerability allows threat actors to run remote code on computer systems with an affected version installed.

The flaw existed in qBittorrent’s DownloadManager class. It didn’t act on SSL certificate validation errors, which left connections to websites open to interception.

The fix: Version 5.0.1 of qBittorrent fixes the issue, and all vulnerable versions should be upgraded.

Google’s Big Sleep Framework Identifies Vulnerability Early

Type of vulnerability: Stack buffer overflow.

The problem: Google Project Zero recently announced that Big Sleep, a vulnerability research project supported by large language models, discovered its first vulnerability. The flaw lies within SQLite, a database engine, and is a stack buffer overflow vulnerability that Google reported to SQLite’s developers, who fixed it that day. Because the devs fixed the issue before it was announced, it didn’t impact SQLite users.

This is an exciting discovery for Google Project Zero because it points toward a future of identifying vulnerabilities before they reach released software, where they could be exploited. This significantly reduces threat actors’ opportunities to attack.

The fix: Upgrade SQLite to the most recent version.

Vulnerability Recap 10/28/24 – Phishing, DoS, RCE & a Zero-Day
https://www.esecurityplanet.com/threats/vulnerability-recap-october-28-2024/
Mon, 28 Oct 2024 21:51:37 +0000

This week’s security vulnerabilities include a couple of Cisco flaws and a Fortinet issue that took a while to be announced.

Like last week, this week’s theme continues to be vulnerabilities, discovered months ago, that are still rearing their heads. A July Microsoft SharePoint issue has been added to the Cybersecurity and Infrastructure Security Agency’s catalog of known exploited vulnerabilities. Additionally, VMware released a patch for an already-patched vulnerability from last month because the original heap overflow fix was insufficient.

We’ll also look at increased phishing attacks, a couple of different Cisco flaws, and a Fortinet vulnerability that took some time to get its own CVE. As always, set a patching cadence for your organization so fixes aren’t pushed to the back burner, and make sure your newer security personnel understand the importance of immediate patching.

October 21, 2024

VMware Re-Patches September Vulnerability

Type of vulnerability: Heap overflow and privilege escalation.

The problem: VMware released patches for its vCenter Server software, which manages vSphere virtual computing environments. One of the patches is for a vulnerability that I mentioned in a recap last month, a critical heap overflow issue. The flaw wasn’t completely solved in the first patching round and must be addressed further. The bug could lead to RCE if exploited through a specially crafted packet.

This vulnerability is tracked as CVE-2024-38812 and has a base score of 9.8.

The related vCenter flaw, CVE-2024-38813, allows a threat actor to escalate their privileges to root using a specially created network packet. Broadcom also mentioned the patches for this vulnerability in its security bulletin and recommended patching. Broadcom also released patches for the 8.0 U2 line of vSphere for customers who already use that version.

The fix: Download the appropriate fixed version, based on your existing version of vCenter Server, from Broadcom’s list of patched software.

October 22, 2024

Samsung Zero-Day Could Allow Privilege Escalation

Type of vulnerability: Use-after-free.

The problem: A zero-day use-after-free vulnerability in Samsung Mobile Processor’s m2m scaler driver could lead to privilege escalation. Google researchers Xingyu Jin and Clement Lecigene recently provided exploit information on the bug as part of Google’s Project Zero. According to NIST, the vulnerability also affects Wearable Processor Exynos 9820, 9825, 980, 990, 850, and W920.

The flaw is tracked as CVE-2024-44068.

The fix: Samsung patched the vulnerability earlier in October. Upgrade your Samsung device to the most recent fixed version to prevent exploitation.

SharePoint Flaw Added to CISA KEV Catalog

Type of vulnerability: Deserialization.

The problem: A Microsoft SharePoint vulnerability initially made public in July was just added to the CISA’s Known Exploited Vulnerabilities (KEV) catalog. Federal Civilian Executive Branch agencies must fix it by November 12. Proofs of concept for the exploit are also available, increasing the danger of an attack.

The attacker must be authenticated and have Site Owner permissions to conduct the attack, but with those, they could inject and execute arbitrary code in SharePoint Server contexts.

The flaw is tracked as CVE-2024-38094 and has a 7.2 base score.

The fix: Download one of Microsoft’s provided security updates.

Feeling overwhelmed by all the bugs you have to keep track of? Consider using a vulnerability scanning tool to identify issues your team might not know about.

October 23, 2024

Cisco Patches Flaw That Could Lead to DoS Attacks

Type of vulnerability: Resource exhaustion, potentially resulting in denial of service.

The problem: Cisco Adaptive Security Appliance (ASA) and Cisco Firepower Threat Defense (FTD) both have a vulnerability in their Remote Access VPN service. The vulnerability is a resource exhaustion issue that could lead to a denial-of-service (DoS) attack when a threat actor sends excess VPN authentication requests to the service. Remote, unauthenticated threat actors can exploit the flaw.

The vulnerability is tracked as CVE-2024-20481 and has a base score of 5.8. In its security advisory for the issue, Cisco has provided indicators of compromise that customers can use to look for a potential attack. 

The fix: All users should consult Cisco’s Security Advisories page to determine which software version they should upgrade their product to.

More Cisco News, This Time for a Critical Flaw

Type of vulnerability: Command injection.

The problem: The same day Cisco published the advisory for CVE-2024-20481, it also notified about a critical flaw in the Cisco Secure Firewall Management Center. The software’s web-based management interface has a vulnerability that could allow a remote threat actor to execute arbitrary code as root on the operating system.

The vulnerability stems from flawed input validation for HTTP requests. If a threat actor specifically creates an HTTP request targeted at a certain device, they could then perform RCE.

Exploitation requires valid credentials for a user account with at least the read-only Security Analyst role. It’s also possible that a threat actor could execute remote code on Cisco Firepower Threat Defense devices.

The fix: Download the appropriate fixed version from Cisco’s Security Advisories page.

Netskope Reports Increase in Webflow Phishing Pages

Type of attack: Phishing and subsequent credential theft.

The problem: Netskope has reported a significant uptick in traffic to Webflow-based phishing web pages. Netskope Threat Labs observed this increase from April to September 2024 and found that the main targets are crypto wallets like Coinbase and credentials to webmail platforms like Microsoft 365.

“Attackers abuse Webflow in two ways: Creating standalone phishing pages and using Webflow pages to redirect victims to phishing pages hosted elsewhere,” said Jan Michael Alcantara, one of Netskope’s researchers and the post’s author.

Custom subdomains, one of Webflow’s features, can be exploited to falsify login pages, and the threat actors use Webflow’s legitimate link or form blocks to steal credentials once they’re entered. Some attackers could build a phishing page and steal credentials without writing any code.

Alcantara and his colleagues used a Webflow free account to test how easy it was to create a phishing page and were able to make one within five minutes.

“If the situation requires, Webflow also provides the means to redirect stolen credentials to a separate attacker-controlled website,” Alcantara said. “Webform will forward the filled-up form using the URL added to the submit button action field.” 

The fix: Check URLs for the *.webflow.io domain pattern, which the campaign uses to host its phishing sites. Additionally, Netskope recommends that organizations inspect all HTTP and HTTPS traffic and use remote browser isolation technology to avoid malicious websites.
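Checking for the *.webflow.io pattern is easy to get wrong with a plain substring match, which would also flag look-alike hosts such as webflow.io.example.net or miss a URL with a deceptive userinfo part. The following is an added example, not Netskope’s or the article’s code, that matches on the parsed hostname; the proxy log layout and its sample lines are constructed.

```python
"""Flag proxy log entries whose URL host is webflow.io or a subdomain of it.

The '<timestamp> <user> <url> <status>' log layout and SAMPLE_PROXY_LOG are
constructed for this example; they are not Netskope output.
"""
from typing import List, Tuple
from urllib.parse import urlsplit

WATCHED_DOMAIN = "webflow.io"


def is_under_domain(url: str, domain: str = WATCHED_DOMAIN) -> bool:
    """True if the URL's host is `domain` itself or any subdomain of it.

    The decision is made on the parsed hostname, so 'webflow.io.example.net'
    and 'https://login.webflow.io@example.org/' (host is example.org) are
    correctly rejected, while scheme, case, port and a trailing dot are ignored.
    """
    url = url.strip()
    if "://" not in url:
        url = "//" + url  # let urlsplit treat a bare host[/path] as a netloc
    try:
        host = (urlsplit(url).hostname or "").lower().rstrip(".")
    except ValueError:  # malformed netloc, e.g. unbalanced IPv6 brackets
        return False
    return host == domain or host.endswith("." + domain)


def flag_proxy_log(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (user, url) pairs for requests whose host falls under the watched domain."""
    hits: List[Tuple[str, str]] = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue  # skip malformed lines rather than crash the sweep
        user, url = parts[1], parts[2]
        if is_under_domain(url):
            hits.append((user, url))
    return hits


# Constructed sample proxy lines; the domains are illustrative, not real IoCs.
SAMPLE_PROXY_LOG = [
    "2024-09-12T10:01:02Z alice https://login-m365.webflow.io/ 200",
    "2024-09-12T10:01:09Z bob https://www.example.com/ 200",
    "2024-09-12T10:02:15Z carol https://webflow.io.example.net/secure 200",
    "2024-09-12T10:03:44Z dave https://login.webflow.io@example.org/ 200",
    "2024-09-12T10:04:01Z erin coinbase-verify.webflow.io/wallet 200",
]

if __name__ == "__main__":
    for user, url in flag_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{user} visited {url}")
```

Lines for carol and dave are deliberately not flagged: the first only contains the string as a prefix of another domain, the second puts it in the userinfo part of the URL.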

Mysterious Fortinet Vulnerability Finally Receives a CVE

Type of vulnerability: Missing authentication leading to RCE.

The problem: Security researcher Kevin Beaumont learned that a formerly undisclosed Fortinet vulnerability, with no CVE, affected the FortiGate to FortiManager protocol. He waited for some time to post his public blog about the flaw, trying to give Fortinet time to manage the threat before it was widely known. Beaumont dubbed the vulnerability FortiJump and noted it’s supposedly been used by nation-state actors. 

On October 23, Fortinet released a security notice for the vulnerability and labeled it CVE-2024-47575. The issue is a missing authentication for critical function vulnerability. It could allow an unauthenticated threat actor to execute remote code using crafted requests if exploited.

The fix: Fortinet provides a table of affected software versions and their appropriate upgrades:

[Image: Fortinet’s table of affected software versions and their appropriate upgrades]

Vulnerability Recap 10/21/24 – Immediate Patching Is Critical
https://www.esecurityplanet.com/threats/vulnerability-recap-october-21-2024/
Mon, 21 Oct 2024 20:39:17 +0000

We keep seeing instances where threat actors exploit already-patched software. This is your weekly encouragement to patch your products now.

One theme that our recent vulnerability recaps have revealed is that threat actors are consistently exploiting flaws for which patches are already available. Sometimes the flaw had been fixed for months by the time it was exploited. It’s challenging for security teams to rapidly patch all the software solutions your business uses, but let this be your weekly reminder to prioritize patching schedules. Today, we’re looking at GitHub, Grafana, and Apple vulnerabilities.

October 10, 2024

GitHub Flaw Allows Authentication Bypass

Type of vulnerability: Improper verification of cryptographic signature.

The problem: GitHub published a security update for Enterprise Server due to a high-severity vulnerability that allows an attacker to bypass SSO authentication. The flaw results from improper verification of a cryptographic signature, and without SSO authentication required, a threat actor could gain access to the server instance and provision other users.

The threat actor would need direct network access and a signed SAML response or metadata document to exploit the flaw. They’d also need the encrypted assertions feature to be enabled before an exploit, according to NIST’s National Vulnerability Database. The flaw is tracked as CVE-2024-9487. It affects all GitHub Enterprise Server versions before 3.15.

GitHub fixed the issue in versions 3.11.16, 3.12.10, 3.13.5, and 3.14.2. Other flaws fixed in 3.14.2 include a vulnerability in the management console, which exposed sensitive data in HTML forms, and a medium-severity information disclosure flaw involving malicious URLs.

The fix: Upgrade to one of the fixed versions immediately.

Does your business need a more streamlined way of identifying vulnerabilities? Are you trying to find them manually? We recommend using a vulnerability scanning tool to simplify this process. Check out our guide to the best vulnerability scanners next.

October 15, 2024

Previously-Patched Roundcube Webmail Flaw Has Been Exploited

Type of vulnerability: Cross-site scripting.

The problem: Russia-based Positive Technologies discovered and announced an attempted exploit of a patched vulnerability in Roundcube Webmail. Roundcube Webmail is an open-source email solution written in PHP. The vulnerability, CVE-2024-37383, is a stored cross-site scripting vulnerability that permits a threat actor to run JavaScript code on a victim’s web page. It was fixed in May 2024 after CrowdStrike researchers identified it.

Positive Technologies has since noticed exploit attempts through an email with tags that decode and run JavaScript. The email was sent to a governmental organization within a Commonwealth of Independent States (CIS) member nation. Positive Technologies hasn’t been able to link the threat to a specific threat actor group. Still, it’s noticed that government agencies are a major target since they tend to use Roundcube Webmail.

Roundcube client versions earlier than 1.5.6, and versions 1.6 through 1.6.6, are vulnerable to the flaw if not yet patched.

The fix: Update any affected versions of Roundcube Webmail immediately. 

Positive Technologies provides a couple of network indicators to look for if you’re concerned about a potential exploit.

Proxmox-Developed Kubernetes Images Are Vulnerable to Attack

Type of vulnerability: Enabled default credentials.

The problem: A vulnerability in Kubernetes Image Builder leaves default credentials enabled during the image build process. According to Joel Smith, virtual machine images built with Proxmox, an open-source virtualization option for image building, are produced without their default credentials being disabled. Threat actors could then use the default credentials against Kubernetes nodes that run those images and potentially gain root access.

The flaw only affects Kubernetes clusters that host VMs created with Image Builder when Proxmox is the virtualization provider.

The vulnerability has a severity rating of 9.8 and is tracked as CVE-2024-9486. It affects Kubernetes Image Builder versions v0.1.37 and earlier.

The fix: Upgrade Kubernetes Image Builder to version 0.1.38.

October 17, 2024

Grafana Releases Patches for Critical SQL Vulnerability

Type of vulnerability: SQL expression, potentially leading to command injection and local file inclusion.

The problem: Grafana released patches for version 11.0.x, 11.1.x, and 11.2.x due to a critical SQL expression vulnerability.

“The vulnerability was in an experimental feature named SQL Expressions that allows for data source query output to be post-processed by executing one or more SQL queries,” Grafana said. It passes the query and data to the DuckDB CLI, which executes the SQL against the DataFrame data.

Because the SQL queries weren’t sanitized, Grafana said, a command injection and local file inclusion vulnerability resulted.

Because feature flags, which let users enable and disable features, were implemented incorrectly, this experimental feature is enabled by default for the API. However, for the flaw to be exploitable, the DuckDB binary must be accessible through the PATH of the Grafana process environment. Your system won’t be vulnerable without DuckDB, Grafana explained.

An attacker could use this vulnerability to access any file on Grafana’s host machine, which includes passwords stored in the files without encryption. Viewer permissions, or any higher permissions, are sufficient for the attack; it’s not restricted to admins. The flaw is tracked as CVE-2024-9264.

The fix: Download one of Grafana’s security fixes based on the product you use. Grafana also mentions removing the DuckDB binary from PATH or your entire environment; it’s unnecessary for any other Grafana feature. 

ClickFix Campaign Uses Google Meet as Attack Vector

Type of attack: Phishing and malware installation.

The problem: Security provider Sekoia published a blog detailing its findings on the ClickFix campaign, which uses falsified Google Meet pages to install infostealers on Windows and Mac computers. ClickFix performs social engineering to impersonate popular websites like Google Chrome to get users to click on fake sites.

“By pivoting on the text elements in ClickFix messages displayed to users, such as the phrase ‘Press the key combination’ or ‘CTRL+V’, we discovered several websites masquerading as the homepage of a Google Meet video conference,” Sekoia researcher Quentin Bourgue said. According to Bourgue, the fake sites showed pop-ups falsely indicating that the microphone and headset had issues, encouraging victims to click buttons to resolve the issue.

Sekoia provides the following examples of domain names, as well as an IP address that they attribute to the ClickFix cluster using fake Google Meet sessions:

[Image: Sekoia’s list of example domain names and an IP address attributed to the ClickFix cluster]

The fix: No specific fix is available.

October 18, 2024

Apple Fixes Flaw Reported by Microsoft in New Sequoia Release

Type of vulnerability: Authorization bypass.

The problem: Microsoft’s Threat Intelligence team discovered a vulnerability within macOS related to its Transparency, Consent, and Control (TCC) technology. The flaw could allow a threat actor to bypass TCC and access the victim’s data. Microsoft dubbed the vulnerability HM Surf and reported it to Apple. Apple has since fixed the flaw in Sequoia 15. 

The new macOS update fixes issues within other Apple features, including Kernel, Sandbox, and Shortcuts. The TCC flaw is tracked as CVE-2024-44133. Microsoft has already noticed behaviors from Defender for Endpoint that suggest Adload, a macOS threat family, is exploiting the vulnerability.

The fix: Upgrade your Mac devices to macOS Sequoia 15.

Vulnerability Recap 10/15/24 – Patch Tuesday Posts 117 Vulnerabilities
https://www.esecurityplanet.com/threats/vulnerability-recap-october-15-2024/
Tue, 15 Oct 2024 15:36:59 +0000

We take a look at the past week’s exploited vulnerabilities, including previous Ivanti and Veeam flaws, and also cover critical Patch Tuesday fixes.

Today, we’re looking at this past week’s critical vulnerabilities in networking products, browsers, and DevOps platforms. Microsoft also published its monthly patch roundup; fortunately, only two vulnerabilities were critical. Recent news includes malware attacks and nation-state exploits. As attempted attacks continue, businesses in high-risk verticals, like government, healthcare, and finance, should be particularly vigilant.

October 1, 2024

CISA Releases Notice About Optigo Switch Vulnerability

Type of vulnerability: Improper filename control and weak authentication.

The problem: The Cybersecurity and Infrastructure Security Agency (CISA) is recommending mitigation actions for Optigo Networks customers regarding the ONS-S8 – Spectra Aggregation Switch. The switch’s vulnerabilities include improper filename control for include/require statements in the PHP program (or PHP Remote File Inclusion) and weak authentication.

The vulnerability has a critical CVSS score of 9.3. It affects versions 1.3.7 and earlier of the switch.

The fix: In the absence of a patch or dedicated fix, CISA lists Optigo Networks’ suggested mitigations for the vulnerabilities:

  • “Use a dedicated NIC on the BMS computer and exclusively this computer for connecting to OneView to manage your OT network configuration.
  • Set up a router firewall with a white list for the devices permitted to access OneView.
  • Connect to OneView via secure VPN.”

Watch for any potential future notifications from Optigo Networks about a dedicated fix in case it develops one. 

October 8, 2024

Patch Tuesday Clocks a Whopping 117 Vulnerabilities

Type of vulnerability: Multiple, including elevation of privilege and remote code execution.

The problem: For this month’s Patch Tuesday, Microsoft announced 117 vulnerabilities. Only two had a CVSS score of 9.0 or above — a Windows Netlogon EoP flaw, CVE-2024-38124, and a Microsoft Configuration Manager RCE vulnerability, CVE-2024-43468. Other products addressed in October’s Patch Tuesday include Microsoft Hyper-V, Windows Kernel, Azure Monitor, Microsoft Office SharePoint, and Excel.

The fix: Check Microsoft’s Patch Tuesday rundown for any products your business uses and follow any mitigation or patch instructions.

If your security team is overwhelmed by manual vulnerability tracking, consider using one of the top vulnerability scanning tools, such as Tenable, Invicti, or Wiz.

October 9, 2024

GitLab Updates Vulnerable Community & Enterprise Versions

Type of vulnerability: Multiple, including running pipelines and template disclosure.

The problem: GitLab released updated versions of GitLab Community and Enterprise to fix eight vulnerabilities. The one critical flaw allows attackers to run pipelines on arbitrary project branches. It exists in versions 12.5 and later before 17.2.9, 17.3 and later before 17.3.5, and 17.4 and later before 17.4.2.

There are four high-severity flaws, two medium, and one low. Check GitLab’s security notice for the specific versions where these vulnerabilities exist.

The fix: GitLab has released versions 17.4.2, 17.3.5, and 17.2.9 for GitLab Community Edition (CE) and Enterprise Edition (EE). 

Time to Upgrade Mozilla Firefox

Type of vulnerability: Use-after-free.

The problem: Mozilla has fixed a critical vulnerability in Firefox 131.0.2, Firefox ESR 128.3.1, and Firefox ESR 115.16.1. Damien Schaeffer of ESET reported the vulnerability to Mozilla.

“An attacker was able to achieve code execution in the content process by exploiting a use-after-free in Animation timelines,” Mozilla said in its security advisory. The vendor has received reports of active exploitation.

The fix: Upgrade Firefox to the most recent version available.

October 10, 2024

Ransomware Is Actively Exploiting Critical Veeam Flaw

Type of attack: Ransomware exploit.

The problem: A critical vulnerability I mentioned in a recap a few weeks ago is now being exploited. CVE-2024-40711, a flaw in Veeam Backup and Replication, is being used in Akira and Fog ransomware attacks, according to Sophos. Sophos X-Ops, the vendor’s MDR and incident response service, has been tracking exploits of the Veeam vulnerability over the past few weeks.

Sophos found that the attackers initially used compromised VPN gateways to access their targets in each studied case of a ransomware attack.

“Each time, the attackers exploited VEEAM on the URI /trigger on port 8000, triggering the Veeam.Backup.MountService.exe to spawn net.exe,” Sophos X-Ops said on Mastodon. “The exploit creates a local account, ‘point,’ adding it to the local Administrators and Remote Desktop Users groups.”

The fix: Upgrade Veeam Backup and Replication to version 12.2.0.334, which fixes the flaw.
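The process chain Sophos described (the backup mount service spawning net.exe, a local account being created, and that account being added to privileged groups) is the kind of behaviour a detection engineer can turn into rules while patching is scheduled. The following is an added example, not Sophos, Veeam or eSecurity Planet code; its key=value event format, field names and sample events are constructed for the illustration.

```python
"""Detection rules for the CVE-2024-40711 post-exploitation chain Sophos X-Ops
described: Veeam.Backup.MountService.exe spawning net.exe, which creates a
local account ("point") and adds it to Administrators and Remote Desktop Users.

The key=value event format and SAMPLE_LOG are constructed for this example
(not Sophos or Veeam output); map the field names to your EDR/Sysmon schema.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SUSPICIOUS_PARENT = "veeam.backup.mountservice.exe"
NET_BINARIES = {"net.exe", "net1.exe"}
PRIVILEGED_GROUPS = {"administrators", "remote desktop users"}

# Quoted values may contain \" escapes (net localgroup "Remote Desktop Users" ...).
_FIELD_RE = re.compile(r'(\w+)=(?:"((?:[^"\\]|\\.)*)"|(\S+))')
_NET_USER_ADD_RE = re.compile(r"\bnet1?(?:\.exe)?\s+user\s+(\S+)\s+.*?/add\b", re.I)
_NET_GROUP_ADD_RE = re.compile(
    r'\bnet1?(?:\.exe)?\s+localgroup\s+(?:"([^"]+)"|(\S+))\s+(\S+)\s+/add\b', re.I)


@dataclass(frozen=True)
class Alert:
    line_no: int
    rule: str
    detail: str


def parse_event(line: str) -> Dict[str, str]:
    """Parse one 'Key=value Key="quoted value"' line into a dict (keys lower-cased)."""
    fields: Dict[str, str] = {}
    for key, quoted, bare in _FIELD_RE.findall(line):
        fields[key.lower()] = quoted.replace('\\"', '"') if quoted else bare
    return fields


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def net_user_added(cmdline: str) -> Optional[str]:
    """Account name if the command line is 'net user <name> [password] /add'."""
    m = _NET_USER_ADD_RE.search(cmdline)
    return m.group(1) if m else None


def net_group_added(cmdline: str) -> Optional[Tuple[str, str]]:
    """(group, member) if the command line is 'net localgroup <group> <member> /add'."""
    m = _NET_GROUP_ADD_RE.search(cmdline)
    return ((m.group(1) or m.group(2)).lower(), m.group(3)) if m else None


def analyze(lines: List[str]) -> List[Alert]:
    """Apply three behavioural rules to process-creation events, in log order."""
    alerts: List[Alert] = []
    for line_no, line in enumerate(lines, 1):
        ev = parse_event(line)
        if ev.get("eventtype") != "process_create":
            continue
        parent = basename(ev.get("parentimage", ""))
        image = basename(ev.get("image", ""))
        cmd = ev.get("commandline", "")
        # Rule 1: the backup mount service has no business launching net.exe.
        if parent == SUSPICIOUS_PARENT and image in NET_BINARIES:
            alerts.append(Alert(line_no, "veeam_mountservice_spawns_net", f"{parent} -> {image}: {cmd}"))
        # Rule 2: a local account is being created; keep the name for triage.
        user = net_user_added(cmd)
        if user:
            alerts.append(Alert(line_no, "local_account_created", f"account {user!r} via {image}"))
        # Rule 3: a member is added to a high-privilege local group.
        grp = net_group_added(cmd)
        if grp and grp[0] in PRIVILEGED_GROUPS:
            alerts.append(Alert(line_no, "privileged_group_add", f"{grp[1]} added to {grp[0]}"))
    return alerts


# Constructed sample events mirroring the chain Sophos described; not real telemetry.
SAMPLE_LOG = [
    r'EventType=process_create ParentImage="C:\Program Files\Veeam\Backup and Replication\Backup\Veeam.Backup.MountService.exe" Image="C:\Windows\System32\net.exe" CommandLine="net user point Hunter2! /add"',
    r'EventType=process_create ParentImage="C:\Windows\System32\net.exe" Image="C:\Windows\System32\net1.exe" CommandLine="net1 localgroup Administrators point /add"',
    r'EventType=process_create ParentImage="C:\Windows\System32\net.exe" Image="C:\Windows\System32\net1.exe" CommandLine="net1 localgroup \"Remote Desktop Users\" point /add"',
    r'EventType=process_create ParentImage="C:\Windows\explorer.exe" Image="C:\Windows\System32\notepad.exe" CommandLine="notepad.exe"',
    r'EventType=network_connect Image="C:\Windows\System32\svchost.exe" DestinationPort=8000',
]

if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(f"line {a.line_no}: {a.rule}: {a.detail}")
```

Rule 1 alone is the high-confidence signal; rules 2 and 3 fire on ordinary administration too, so they are best correlated with rule 1 or with the account name rather than alerted on in isolation.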

October 11, 2024

Fortinet Updates Critical February Vulnerability

Type of vulnerability: Format string vulnerability.

The problem: Fortinet updated a February advisory in October because of possible in-the-wild exploitation. The flaw is an externally controlled format string bug in the fgfmd daemon that could lead to remote code execution if an attacker sends specially crafted requests. It is tracked as CVE-2024-23113 and has a critical severity rating.

According to FortiGuard Labs’ Advisories list, the flaw affects the following software versions:

  • FortiOS 7.4.2, 7.4.1, 7.4.0, 7.2.6, 7.2.5
  • FortiPAM 1.2.0, 1.1.2, 1.1.1, 1.1.0, 1.0.3
  • FortiProxy 7.4.2, 7.4.1, 7.4.0, 7.2.8, 7.2.7
  • FortiWeb 7.4.2, 7.4.1, 7.4.0  

The fix: Upgrade to the most recent version of the affected software.

Ivanti CSA Vulnerabilities Have Already Been Exploited

Type of vulnerability: Multiple, including path traversal and command injection.

The problem: Fortinet’s FortiGuard Labs has found that threat actors, suspected to be nation-state attackers, are exploiting a previously disclosed vulnerability in Ivanti Cloud Services Appliance, an authenticated access flaw. The exploits affect versions 4.6 and earlier of the software. FortiGuard Labs was called in to investigate when a customer’s network was communicating with a malicious IP address, and it traced the activity to Ivanti CSA.

The vulnerability, CVE-2024-8190, came to light in September, and Fortinet has seen threat actors use it in conjunction with two other CSA flaws, a path traversal and a command injection vulnerability. Neither of the two additional flaws is publicly known. They affect the PHP front-end of CSA.

Fortinet says the exploits are an example of threat actors chaining zero-days together.

The fix: If you haven’t yet done so, upgrade Ivanti Cloud Services Appliance to version 5.0.


The post Vulnerability Recap 10/15/24 – Patch Tuesday Posts 117 Vulnerabilities appeared first on eSecurity Planet.

Vulnerability Recap 10/8/24 – Thousands of Routers & Servers at Risk
https://www.esecurityplanet.com/threats/vulnerability-recap-october-8-2024/
Tue, 08 Oct 2024 12:46:46 +0000

This week’s security issues include DrayTek router vulnerabilities, a strain of malware threatening Linux systems, and a notice from Okta.
DrayTek routers and Linux servers are in particular danger this week, with fourteen vulnerabilities plaguing the routers and a malware strain threatening the servers. Additionally, keep an eye out for new iOS and iPadOS updates, and get ready to review system logs if you’ve had Okta Classic since July. Check your vendors’ security bulletins regularly, and make sure your team is prepared to fix vulnerabilities when they’re made known.

October 2, 2024

Zimbra Email Servers Could See RCE Attacks

Type of attack: Remote code execution.

The problem: In late September, researchers from Proofpoint uncovered attempted exploits of Zimbra email servers. Using Zimbra Collaboration’s post-journal service, an unauthenticated threat actor could execute commands remotely on the email server.

Affected versions include:

  • Joule: version 8.8.15
  • Kepler: version 9.0.0
  • Daffodil: versions 10.0.x before 10.0.9
  • Daffodil: version 10.1.0

The vulnerability is already being exploited, and download and exploit instructions are already available on GitHub, so you should immediately patch your Zimbra installation before threat actors can follow proofs of concept.

This flaw is tracked as CVE-2024-45519 and has a critical base score of 9.8.

The fix: Apply the most recent patch that’s available for your version of Zimbra as soon as you can.

If your security team needs a more consistent method of tracking vulnerabilities, check out our guide to the best vulnerability scanning tools next.

New LiteSpeed Cache Vulnerability Allows Privilege Escalation

Type of vulnerability: Cross-site scripting.

The problem: Months after a LiteSpeed Cache flaw that could be used to escalate privileges was disclosed, researcher TaiYou found a new vulnerability in the popular WordPress plugin. The flaw is an unauthenticated stored cross-site scripting vulnerability. The researcher reported it to Patchstack’s bug bounty program and worked with Patchstack on an article covering the vulnerability.

“It could allow any unauthenticated user from stealing sensitive information to, in this case, privilege escalation on the WordPress site by performing a single HTTP request,” said Patchstack.

It occurs “because the code that handles the view of the queue doesn’t implement sanitization and output escaping,” according to Patchstack.

The fix: Update your version of the LiteSpeed Cache plugin to 6.5.1 or higher.

Thousands of DrayTek Routers Vulnerable to Attack

Type of vulnerability: Multiple, including OS command injection and stack-based buffer overflow.

The problem: DrayTek routers have several vulnerabilities that researchers just discovered, including two flaws with critical scores. The fourteen vulnerabilities together expose more than 704,000 DrayTek routers in 168 countries, say researchers from Vedere Labs, the research arm of cyber risk management provider Forescout Technologies.

The researchers released a report on the vulnerabilities named Dray: Break. While most of the risk affects the United Kingdom and European Union, Asia, the Middle East, Australia, New Zealand, and North and Latin America are also at risk. 

The two critical flaws are CVE-2024-41585, which could lead to OS command execution, and CVE-2024-41592, a buffer overflow that could lead to RCE.

The fix: Each vulnerability has a patch available from DrayTek, so your security team should apply those immediately. Additionally, Forescout recommends disabling remote access on the routers and enabling access control lists to reduce potential exposure.

October 3, 2024

Apple Flaws Fixed in New iOS & iPadOS Versions

Type of vulnerability: Audio capture and password exposure.

The problem: Apple recently patched a vulnerability in its iOS and iPadOS software. If exploited, the iOS vulnerability could allow audio messages to capture seconds of audio input prior to activation of the microphone indicator. This vulnerability is tracked as CVE-2024-44207 and has a base CVSS score of 4.3.

In iPadOS, the flaw allowed VoiceOver to read a user’s saved passwords out loud. Apple addressed the flaw, which was reportedly a logic issue, by improving validation.

This issue is tracked as CVE-2024-44204 and has a base score of 5.5.

The fix: Apple has released version 18.0.1 for both operating systems, which fixes the issue.

Perfctl Malware Threatens Thousands of Linux Servers

Type of attack: Malware.

The problem: Aqua Security researchers posted on their blog about attempted Linux server exploits through a type of malware dubbed perfctl. The malware has been active for the last few years, and the researchers warn that it’s possible every Linux server could be at risk.

According to the report, perfctl malware uses rootkits to avoid discovery and remains dormant while a user is active on the server. Aqua Security’s researchers observed that attackers used the perfctl malware to run a cryptominer and, occasionally, proxy-jacking software. The malware’s name could look legitimate if found running on a system because it combines perf, the name of a Linux performance monitoring tool, with ctl, a common suffix for control utilities.

“After exploiting a vulnerability (as in our case) or a misconfiguration, the main payload is downloaded from an HTTP server controlled by the attacker,” researchers Assaf Morag and Idan Revivo said. 

The fix: While this malware has no patch, the researchers provide multiple indicators of compromise (IOCs) at the end of their report that you can use to identify a potential exploit. 

Ivanti Vulnerability from This Spring Is Being Actively Exploited

Type of vulnerability: SQL injection. 

The problem: In a June vulnerability recap, I addressed a critical vulnerability in Ivanti Endpoint Manager that would allow unauthenticated attackers to execute commands on the software. Now, the vulnerability is being actively exploited, and the Cybersecurity and Infrastructure Security Agency (CISA) has added it to its Known Exploited Vulnerabilities catalog. 

The vulnerability is tracked as CVE-2024-29824 and has a critical base score of 9.8. 

“The specific flaw exists within the implementation of the RecordGoodApp method,” said a May security notice from the Zero Day Initiative. “The issue results from the lack of proper validation of a user-supplied string before using it to construct SQL queries.”

The fix: If you haven’t yet patched your instance of Ivanti EPM, immediately upgrade it to the most recent product version. 

October 4, 2024

Okta Urges Users to Review System Logs for Unexpected Authentication

Type of vulnerability: Configuration bypass.

The problem: Okta recently notified customers of a potential vulnerability affecting instances of Okta Classic as of July 17, 2024. Certain configurations of Okta could allow a threat actor with valid user credentials to bypass configurations for specific applications’ sign-on policies, Okta said.

The vendor resolved the issue on October 4 in its production environment.

The fix: Okta published the following recommendation:

“Customers who were on Okta Classic as of July 17, 2024, and who meet the above conditions are advised to review the Okta System Log for unexpected authentications from user-agents evaluated by Okta as ‘unknown’ between July 17, 2024 and October 4, 2024 using the following query:”

outcome.result eq "SUCCESS" and (client.device eq "Unknown" OR client.device eq "unknown") and eventType eq "user.authentication.sso"

Okta also suggested that customers watch applications with default policy rules that can’t be configured and check for deviant user behavior like strange geolocation data or IP addresses. 
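Okta’s recommendation above amounts to a filter over System Log events plus a review of the hits for unusual locations. The following Python is an added example, not Okta’s code: it implements the published query as a predicate, restricts hits to the July 17 to October 4, 2024 window, and marks hits whose source country is not in the user’s known set. The event field paths follow Okta System Log JSON, and the sample events and per-user country baseline are constructed.

```python
"""Apply Okta's recommended System Log review to exported events.

Added example, not Okta's code. matches_okta_query() is a Python equivalent of
the filter Okta published; unexpected_sso_events() restricts hits to the
July 17 - October 4, 2024 window and flags those whose source country is not
in the user's known set, following Okta's advice to look for deviant
geolocation. Event field paths follow Okta System Log JSON; the sample events
and baseline are constructed.
"""
from datetime import datetime, timezone

WINDOW_START = datetime(2024, 7, 17, tzinfo=timezone.utc)
WINDOW_END = datetime(2024, 10, 4, 23, 59, 59, tzinfo=timezone.utc)


def matches_okta_query(event: dict) -> bool:
    """outcome.result eq "SUCCESS" and (client.device eq "Unknown" OR
    client.device eq "unknown") and eventType eq "user.authentication.sso"."""
    return (
        event.get("outcome", {}).get("result") == "SUCCESS"
        and event.get("client", {}).get("device") in ("Unknown", "unknown")
        and event.get("eventType") == "user.authentication.sso"
    )


def in_review_window(event: dict) -> bool:
    """True when the event was published between July 17 and October 4, 2024 (UTC)."""
    published = datetime.fromisoformat(event["published"].replace("Z", "+00:00"))
    return WINDOW_START <= published <= WINDOW_END


def unexpected_sso_events(events: list[dict], baseline: dict[str, set[str]]) -> list[dict]:
    """Return query hits inside the window, flagging unfamiliar source countries.

    baseline maps a user login to the countries they normally sign in from.
    A user absent from the baseline is treated as deviating (nothing is known).
    """
    hits = []
    for event in events:
        if not (matches_okta_query(event) and in_review_window(event)):
            continue
        user = event["actor"]["alternateId"]
        client = event["client"]
        country = client.get("geographicalContext", {}).get("country")
        hits.append({
            "published": event["published"],
            "user": user,
            "ip": client.get("ipAddress"),
            "country": country,
            "geo_deviates": country not in baseline.get(user, set()),
        })
    return hits


def _event(published, user, device, event_type, ip, country, result="SUCCESS"):
    """Build a constructed System Log event with the fields the query touches."""
    return {
        "published": published,
        "eventType": event_type,
        "outcome": {"result": result},
        "actor": {"alternateId": user},
        "client": {
            "device": device,
            "ipAddress": ip,
            "geographicalContext": {"country": country},
        },
    }


# Constructed sample export (documentation IP ranges, not real addresses).
SAMPLE_EVENTS = [
    _event("2024-08-02T09:15:00Z", "alice@example.com", "Unknown",
           "user.authentication.sso", "203.0.113.7", "DE"),
    _event("2024-08-03T10:00:00Z", "bob@example.com", "Computer",
           "user.authentication.sso", "198.51.100.22", "US"),
    _event("2024-06-30T08:00:00Z", "carol@example.com", "unknown",
           "user.authentication.sso", "203.0.113.9", "FR"),
    _event("2024-09-15T14:30:00Z", "bob@example.com", "unknown",
           "user.authentication.sso", "198.51.100.22", "US"),
    _event("2024-09-20T07:45:00Z", "alice@example.com", "Unknown",
           "user.session.start", "203.0.113.7", "US"),
]
# Constructed baseline: countries each user has historically signed in from.
BASELINE = {"alice@example.com": {"US"}, "bob@example.com": {"US"}}

if __name__ == "__main__":
    for hit in unexpected_sso_events(SAMPLE_EVENTS, BASELINE):
        print(hit)
```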


Vulnerability Recap 10/01/24 – NVIDIA, Ivanti & Newcomer Kia See Issues
https://www.esecurityplanet.com/threats/vulnerability-recap-october-01-2024/
Tue, 01 Oct 2024 13:47:39 +0000

This week’s vulnerabilities include an RCE flaw for vehicle manufacturer Kia, as well as issues for Ivanti, NVIDIA, Linux, and Microsoft.
This week was relatively quiet regarding new vulnerabilities, but we’re seeing a few issues, like flaws in WhatsUp Gold and NVIDIA. Additionally, researchers published a report on a Kia dealer portal vulnerability that’s since been fixed but affected millions of vehicles. The flaw could have allowed RCE on vehicles, including unlocking the car, tracking its travel patterns, and causing it to honk.

Continue to maintain consistent patching and vulnerability scanning processes throughout your business’s infrastructure. And while you’re watching for application and system vulnerabilities, you might want to keep an eye on your smart vehicles as well. 

September 24, 2024

Upgrade WhatsUp Gold to Fix Six New Flaws

Type of vulnerability: Not yet specified.

The problem: Researchers recently discovered six vulnerabilities in WhatsUp Gold, a network performance and monitoring solution, that exist in versions below 24.0.1. The flaws range in severity from 8.8 to 9.8. Progress Software, which owns WhatsUp Gold, released a security bulletin advising customers to upgrade their WhatsUp Gold instances to version 24.0.1.

Researchers Sina Kheirkhah and Andy Niu, as well as researchers at Tenable, discovered the vulnerabilities. The six CVEs include:

  • CVE-2024-46908
  • CVE-2024-46907
  • CVE-2024-46906
  • CVE-2024-46905
  • CVE-2024-46909
  • CVE-2024-8785

Progress Software hasn’t yet revealed specific details about the vulnerabilities.

The fix: Upgrade to version 24.0.1 of WhatsUp Gold.

To automate vulnerability tracking and patching, consider a vulnerability scanning tool, which examines your infrastructure for known vulnerabilities that need to be updated.

One of Ivanti’s August Vulnerabilities Added to KEV

Type of vulnerability: Authentication bypass.

The problem: A vulnerability in Ivanti Virtual Traffic Manager was recently added to CISA’s Known Exploited Vulnerabilities (KEV) catalog. I previously highlighted this flaw in an August vulnerability recap when Ivanti had already fixed it. An incorrect implementation of vTM’s authentication algorithm could allow a remote threat actor to gain access to the admin panel without authenticating.

Versions 22.2R1 and 22.7R2 are free from this vulnerability, but all other versions of vTM are affected. The vulnerability is tracked as CVE-2024-7593 and has a severity rating of 9.8.

While this vulnerability was one of an unfortunate string of flaws in Ivanti’s products over the last few months, it’s good to see the vendor continue to patch and update users on issues consistently. Ivanti has demonstrated its commitment to improving its security posture, and it’s by no means the only vendor navigating major vulnerabilities, even if it has been prevalent in headlines.

The fix: If you haven’t updated your instance of Virtual Traffic Manager yet, upgrade now to versions 22.2R1, 22.3R3, 22.5R2, 22.6R2, or 22.7R2.

September 25, 2024

NVIDIA Flaw Exploited Through Container Images

Type of vulnerability: Time-of-check/time-of-use and file creation.

The problem: Computing provider NVIDIA recently updated its Container Toolkit and GPU Operator due to vulnerabilities that could lead to data tampering, code execution, or privilege escalation.

Version 1.16.1 and earlier versions of Container Toolkit have a time-of-check/time-of-use (TOCTOU) vulnerability. If the installations use default software configuration, a threat actor could use a specifically crafted container image to access the host file system. This vulnerability is tracked as CVE-2024-0132.

The other Container Toolkit vulnerability allows a threat actor to use the container image to create empty files on the host file system. This vulnerability is tracked as CVE-2024-0133.

The security bulletin is unclear as to which vulnerability affects NVIDIA GPU Operator, stating different things in different sections of the bulletin. Still, it’s safe to assume that GPU Operator versions 24.6.1 and earlier could be affected by CVE-2024-0133. 

The fix: Use the NVIDIA Container Toolkit installation guide and the GPU Operator documentation to install the appropriate software version.

September 26, 2024

Linux CUPS Flaw Permits Command Execution

Type of vulnerability: Malicious URL injection, potentially leading to RCE.

The problem: Vulnerabilities in the OpenPrinting Common Unix Printing System (CUPS) used by Linux systems could allow a threat actor to perform remote command execution. CUPS is an open-source print server for Linux and Unix systems that lets computers manage printers and dispatch jobs to them.

“A remote unauthenticated attacker can silently replace existing printers’ (or install new ones) IPP urls with a malicious one, resulting in arbitrary command execution (on the computer) when a print job is started (from that computer),” wrote Simone Margaritelli, the researcher who published a blog on the vulnerability.

According to Margaritelli, the entry point for an exploit would be port 631 via a UDP packet from the wide area network or public internet. On a LAN, the threat actor would use spoofed zeroconf / mDNS / DNS-SD advertisements.

“The vulnerability stems from inadequate validation of network data, allowing attackers to get the vulnerable system to install a malicious printer driver, and then send a print job to that driver triggering execution of the malicious code,” said security firm Ontinue. “The malicious code is executed with the privileges of the lp user – not the superuser ‘root’.” According to Ontinue, this is an example of chaining a set of flaws together to produce the hypothetical exploit.

Researchers don’t expect the vulnerability to be widely exploited. The four individual flaws include:

The fix: Until patches are available, disable UDP port 631. The port must be enabled for a threat actor to exploit the vulnerability.

Microsoft Doesn’t Consider Privilege Escalation Flaw a Vulnerability

Type of vulnerability: DLL hijacking leading to privilege escalation.

The problem: Drive remapping and cache poisoning could lead to DLL hijacking on Microsoft Windows 10, Windows 11, Windows Server 2016, Windows Server 2019, and Windows Server 2022. The attack could allow an unauthenticated threat actor to escalate a medium integrity process to a high integrity one.

The attack wouldn’t involve intervention from a user account control (UAC) prompt, according to Fortra. It would require the attacker to have medium integrity privileges within the system already. 

The vulnerability is tracked as CVE-2024-6769 and has a base score of 6.7. While Microsoft didn’t classify it as a vulnerability when Fortra first reported it to them, Fortra identified it as a privilege escalation opportunity for attackers. 

The fix: Neither Fortra nor NIST gives mitigation instructions in their bulletins, and Microsoft doesn’t view the flaw as a vulnerability. It only applies to administrators, so if you’re an admin on those Windows systems, pay close attention to their activity. 

RCE Could Have Affected Millions of… Kia Vehicles?

Type of vulnerability: Remote command execution.

The problem: For two years, security researchers Sam Curry, Justin Rhinehart, Neiko Rivera, and Ian Carroll have been studying vulnerabilities in connected vehicles. Last week, Curry published a writeup of their discoveries specific to Kia vehicles. A vulnerability in the Kia owner’s website and mobile app allowed users to execute internet-to-vehicle commands. 

The researchers could also generate a valid access token for the Kia dealership website and authenticate themselves to use the dealer portal. The HTTP requests they discovered allowed an attacker to access a victim’s vehicle using only the car’s license plate number.

“From the victim’s side, there was no notification that their vehicle had been accessed nor their access permissions modified,” Curry said. “An attacker could resolve someone’s license plate, enter their VIN through the API, then track them passively and send active commands like unlock, start, or honk.”

The researchers immediately reported the issue to Kia once they saw how it all worked. They also created a proof-of-concept dashboard to show the impact of the exploit more clearly. According to Curry’s timeline in the report, Kia remediated the vulnerability in August and had begun to test it. Curry disclosed the flaw publicly last week.

The fix: Kia has reportedly fixed their dealer portal API.


Vulnerability Recap 9/23/24 – Remote Code Execution Steals the Show
https://www.esecurityplanet.com/threats/vulnerability-recap-september-23-2024/
Mon, 23 Sep 2024 17:45:34 +0000

This week’s vulnerabilities to watch and patch included Veeam, Arc, and VMware issues, as well as another Ivanti flaw.
Our security overview for the week includes Veeam and ServiceNow flaws and a vulnerability within the web browser Arc. Also, we get some more information on related macOS vulnerabilities fixed in 2022 and 2023. And Ivanti’s issues unfortunately keep coming, this time in its Cloud Service Appliance product.

This week, RCE is in our (unwanted) starring role, with multiple opportunities for threat actors to execute malicious code. As always, keep up to date on all your vendors’ security updates and patches as soon as possible. The danger of security bulletins and proofs of concept is how quickly a threat actor can utilize them for an exploit.

September 12, 2024

Researcher Updates Info on Old macOS Vulnerability

Type of vulnerability: Arbitrary file write and potential remote code execution.

The problem: Security researcher Mikko Kenttala recently reported on a zero-click RCE flaw in macOS that didn’t receive much publicity when it was first discovered. According to Kenttala, an attacker could send malicious file attachments via calendar invites to victims, where the filename attachments aren’t sanitized.

“The attacker can exploit this to conduct a successful directory traversal attack by setting an arbitrary path to a file in the ATTACH section with: ‘FILENAME=../../../PoC.txt’,” Kenttala said. “This will cause the file to be added to ~/Library/Calendar/PoC.txt instead of ~/Library/Calendar/[CalendarID]/Attachments/[eventid]/.”

This is an arbitrary file write vulnerability. Kenttala also found that it could be chained to execute code remotely using macOS Calendar’s Open File functionality. If an attacker used this exploit chain successfully, they could compromise other macOS applications, not just Calendar. Kenttala found he could steal users’ iCloud Photos by sending them malicious calendar invites, with no user interaction required.

Kenttala’s report from a couple of weeks ago updates the timeline of events for these issues, adding that there’s still no bounty issued for the original vulnerability.

The fix: Both vulnerabilities, CVE-2022-46723 and CVE-2023-40434, have been fixed by Apple in previous years. macOS Monterey 12.6.1 and Ventura 13 fix the original vulnerability. macOS Ventura 13.3 fixed the code execution issue.
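The root cause Kenttala describes is an attachment filename joined onto the per-event directory without sanitization. The following Python is an added example, not Apple’s code: it parses the FILENAME parameter out of an iCalendar ATTACH line, shows where a naive join would write ‘../../../PoC.txt’, and contrasts that with a check that rejects anything other than a plain file name inside the attachments directory. The directory layout, the placeholder CalendarID/event id, and the sample ATTACH lines are constructed.

```python
"""Validate an iCalendar ATTACH filename before writing under the attachments directory.

Added example, not Apple's code. parse_attach() pulls the FILENAME parameter
out of an ATTACH property line; naive_destination() shows where an
unsanitized join puts "../../../PoC.txt" (the path in Kenttala's write-up);
safe_destination() rejects anything that is not a plain file name or that
would resolve outside the per-event attachments directory. The directory
layout and sample lines are constructed to mirror the write-up.
"""
import posixpath
import re

ATTACH_RE = re.compile(r"^ATTACH(?P<params>(?:;[^:]*)*):(?P<value>.*)$")


def parse_attach(line: str) -> dict:
    """Split an ATTACH property into its parameters (upper-cased keys) and value."""
    match = ATTACH_RE.match(line.strip())
    if not match:
        raise ValueError("not an ATTACH property")
    params = {}
    for param in match.group("params").split(";")[1:]:
        key, _, value = param.partition("=")
        params[key.upper()] = value.strip('"')
    return {"params": params, "value": match.group("value")}


def naive_destination(base_dir: str, filename: str) -> str:
    """What an unsanitized implementation does: join the supplied name and normalize."""
    return posixpath.normpath(posixpath.join(base_dir, filename))


def is_safe_filename(filename: str) -> bool:
    """Accept only a single, non-hidden path component with no traversal or NUL."""
    if not filename or filename in (".", "..") or filename.startswith("."):
        return False
    if "/" in filename or "\\" in filename or "\x00" in filename:
        return False
    return True


def safe_destination(base_dir: str, filename: str) -> str:
    """Return the write path, or raise ValueError if the name is rejected or escapes base_dir."""
    if not is_safe_filename(filename):
        raise ValueError(f"rejected attachment filename: {filename!r}")
    base = posixpath.normpath(base_dir)
    dest = posixpath.normpath(posixpath.join(base, filename))
    # Defense in depth: even a name that passed the checks must stay under base.
    if posixpath.commonpath([base, dest]) != base:
        raise ValueError(f"attachment path escapes {base}")
    return dest


# Constructed to mirror the layout in the write-up; CALENDAR-ID and EVENT-ID are placeholders.
ATTACHMENTS_DIR = "/Users/alice/Library/Calendar/CALENDAR-ID/Attachments/EVENT-ID"
# Constructed ATTACH lines: one carrying the traversal filename, one benign.
MALICIOUS_ATTACH = "ATTACH;FILENAME=../../../PoC.txt;ENCODING=BASE64;VALUE=BINARY:SGVsbG8="
BENIGN_ATTACH = "ATTACH;FILENAME=agenda.pdf;ENCODING=BASE64;VALUE=BINARY:JVBERi0="

if __name__ == "__main__":
    bad_name = parse_attach(MALICIOUS_ATTACH)["params"]["FILENAME"]
    print("naive write would land at:", naive_destination(ATTACHMENTS_DIR, bad_name))
    try:
        safe_destination(ATTACHMENTS_DIR, bad_name)
    except ValueError as err:
        print("hardened check:", err)
    good_name = parse_attach(BENIGN_ATTACH)["params"]["FILENAME"]
    print("benign attachment written to:", safe_destination(ATTACHMENTS_DIR, good_name))
```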

If your business needs to automate tracking vulnerabilities, check out our picks for the best vulnerability scanning tools for organizations.

September 17, 2024

ServiceNow Misconfigurations Leave Over 1,000 KBs Vulnerable

Type of vulnerability: Misconfigured access controls.

The problem: Research conducted by Aaron Costello, chief of SaaS security research at AppOmni, revealed data exposure on over one thousand instances of knowledge bases hosted by ServiceNow. Costello was studying the platform to discover potential routes for data exfiltration, and his research led to some new security developments for ServiceNow’s solution. But it also unearthed a history of exposed data.

Costello found that often, businesses with multiple instances of ServiceNow had at least one with misconfigured access controls. ServiceNow developed a major security mechanism to protect hosted knowledge bases, but it isn’t enabled by default for all the older instances of the solution.

“The main guardrail, a security property that denies access by default to KBs without User Criteria, is enabled by default for instances created since the Orlando release,” Costello said. “Most enterprise instances have been around for far longer, causing them to still retain the previously insecure ‘allow public access by default’ value.” He cited several other reasons for continued exposure, including multiple criteria allowing access by unauthenticated users.

Costello also provided a proof of concept for the vulnerability. 

The fix: Check your access control configurations on each instance of ServiceNow and ensure they’re correctly set. Costello provides a chart for ServiceNow users to follow if they want to set further guardrails, as he puts it, for the solution.

September 19, 2024

Ivanti’s Cloud Service Appliance Runs Into Issues

Type of vulnerability: Unauthenticated access to the appliance.

The problem: According to the vendor, Ivanti’s Cloud Service Appliance version 4.6 has been exploited. The flaw would “allow remote unauthenticated attackers to access restricted functionality,” the security bulletin said, though it didn’t specify what restricted functions could be affected.

Ivanti didn’t realize it then, but the vulnerability was addressed in the vendor’s Patch 519 earlier in September. Shortly after, Ivanti discovered the flaw through researching another recently disclosed vulnerability. The flaw is tracked as CVE-2024-8963 and has a severity rating of 9.4 out of 10.

Ivanti also noted that if the vulnerability is used alongside CVE-2024-8190, a threat actor could bypass administrative authentication requirements and execute commands on Cloud Service Appliance.

Ivanti CSA 4.6 and any earlier versions are end-of-life products, so they won’t be patched; the only patched and supported software version is CSA 5.0.

The Cybersecurity and Infrastructure Security Agency (CISA) listed the vulnerability in its Known Exploited Vulnerabilities catalog and set a due date of October 10 for all federal agencies to fix it.

The fix: Upgrade any instances of Cloud Service Appliance to version 5.0.

Enterprise Veeam Solution Susceptible to RCE

Type of vulnerability: Unauthenticated remote code execution.

The problem: A critical RCE vulnerability affects instances of Veeam’s Backup and Replication product running version 12.1.2.172 or lower. Florian Hauser of Code White GmbH discovered and reported the vulnerability. The flaw allows threat actors to execute code remotely on the enterprise backup solution. It’s tracked as CVE-2024-40711, mentioned briefly in our vulnerability recap from September 9.

According to researchers at watchTowr Labs, the vulnerability is more complicated than it first appeared, and potentially more dangerous than Veeam initially revealed. Veeam’s latest release, which fixed the bug, also fixed multiple other CVEs, so it was hard for the researchers to determine which changes were associated with CVE-2024-40711.

They finally found that version 12.1.0.2131 initially contained the unauthenticated RCE issue, and the version implemented to fix it, 12.1.2.172, upgraded the flaw to an authenticated-only vulnerability. Version 12.2.0.334 of the Veeam software implemented the true patch, so technically Veeam patched twice before the issue was solved.

The fix: Upgrade any Veeam Backup and Replication instances to version 12.2.0.334.

Microchip ASF Vulnerability Could Lead to RCE

Type of vulnerability: Stack-based overflow.

The problem: Microchip’s Advanced Software Framework (ASF) has a stack-based overflow vulnerability in its implementation of tinydhcp servers. The implementation fails its input validation, which results in the stack-based overflow issue. According to Carnegie Mellon Software Engineering Institute’s CERT Coordination Center, Microchip no longer supports the software. This means no official fixes or patches.

The flaw is tracked as CVE-2024-7490 and could lead to remote code execution if exploited. It could potentially affect IoT devices where the microchips are installed.

The fix: The Institute doesn’t know of a solution to the vulnerability besides using a different service than tinydhcp.

September 20, 2024

Two Flaws Fixed in VMware Products

Type of vulnerability: Heap overflow and privilege escalation.

The problem: Two vulnerabilities affecting VMware vCenter Server, and also impacting VMware Cloud Foundation, were reported to the vendor. The first flaw, a heap overflow vulnerability, is tracked as CVE-2024-38812 and has a critical severity rating of 9.8.

“A malicious actor with network access to vCenter Server may trigger this vulnerability by sending a specially crafted network packet potentially leading to remote code execution,” the security bulletin said.

The second, a privilege escalation vulnerability, is tracked as CVE-2024-38813 and has a base score of 7.5. A threat actor that has network access to vCenter Server could send a specific network packet that allows them to escalate their privileges to root, according to VMware. 

The fix: Install the updates listed in the Fixed Version column in VMware’s notice, which solve both flaws. 

September 21, 2024

Arc Browser Vulnerability Was Fixed in August

Type of vulnerability: Malicious payloads added to customizable web pages.

The problem: Web browser Arc, which allows its users to customize website viewing based on their preferences, recently saw a security threat to this customization feature, called “Boosts.”

The Browser Company, which created Arc, uses Firebase’s database backend to support Boosts and allow users to sync their website customizations between their devices. To do this, the browser relies on the creator’s ID. According to Engadget, a threat actor could have created a new Boost with a legitimate ID, including Boosts with malicious payloads. Ultimately, the unsuspecting victim could have downloaded malware by simply going to that website.

A security researcher known as xyzeva notified the Browser Company of this vulnerability in late August, and the vendor reportedly fixed it on August 26 before anyone exploited the issue.

The fix: Update your instance of Arc to the latest version.


Vulnerability Recap 9/16/24 – Critical Endpoint Flaws Emerged
https://www.esecurityplanet.com/threats/vulnerability-recap-september-16-2024/
Mon, 16 Sep 2024 14:58:57 +0000

Last week’s vulnerability news covered different endpoint flaws impacting various organizations and end users. Explore the latest patches and updates for your security.
Recent vulnerability news disclosed significant endpoint vulnerabilities, including side-channel attacks, command injection, remote code execution (RCE), SQL injection, and keystroke inference. Notable events last week include the RAMBO attack, command injection problems in Progress Software’s LoadMaster, and several zero-day vulnerabilities in Microsoft products that may cause privilege escalation and RCE.

Ivanti and Zyxel also fixed their software vulnerabilities, while WhatsUp Gold users encountered flaws exposing them to SQL injection attacks. Apple’s Vision Pro headset was also shown to be susceptible to gaze-based keystroke inference. To protect your devices, update and patch your software frequently, use strong passwords, install intrusion detection systems, and watch for any suspicious activity.

September 9, 2024

RAMBO Attack Exploits Radio Signals to Steal Sensitive Data

Type of vulnerability: Side-channel attack.

The problem: RAMBO, a novel side-channel attack, leverages electromagnetic emissions from a device’s RAM to exfiltrate sensitive data from air-gapped networks. Attackers use malware to modulate RAM access, generating radio signals that can be intercepted from a distance. The technique can transmit files, keystrokes, and encryption keys, posing a significant risk of data theft.

The fix: To protect against RAMBO attacks, use “red-black” zone limits for information transfer, intrusion detection systems that monitor memory access, radio jammers, and Faraday cages to isolate vital systems. These approaches block or mask the covert radio signals generated from RAM, preventing data leakage from air-gapped environments.

Progress Software Fixes Flaws in LoadMaster & Multi-Tenant Hypervisor

Type of vulnerability: Command injection.

The problem: Progress Software has published fixes for CVE-2024-7591, a critical improper input validation flaw in LoadMaster and Multi-Tenant Hypervisor rated CVSS 10.0. The vulnerability enables remote, unauthenticated attackers to execute arbitrary operating system commands by sending a crafted HTTP request to the administration interface. There’s no indication of exploitation in the wild.

The fix: Progress Software addressed the vulnerability by sanitizing user input to prevent OS command injection. Users should immediately update to the most recent versions by going to System Configuration > System Administration > Update Software. It’s strongly advised that you follow the company’s security hardening requirements to protect your systems further.

September 10, 2024

Microsoft Releases Patches for Actively Exploited Zero-Day Flaws

Type of vulnerability: Multiple, including privilege escalation, security feature bypass, remote code execution, and spoofing.

The problem: Microsoft’s September 2024 Patch Tuesday fixed 79 vulnerabilities, four of which were actively exploited zero-days: CVE-2024-38014 (Windows Installer Privilege Escalation), CVE-2024-38217 (MotW Security Bypass), CVE-2024-38226 (Publisher Security Bypass), and CVE-2024-43461. Attackers use these weaknesses to run arbitrary commands, circumvent security measures, and install malware such as the Atlantida stealer.

The fix: To address these issues, users must apply the servicing stack update (KB5043936) and cumulative update for Windows 10 Version 1507 (KB5043083). Microsoft mitigated CVE-2024-43461 by interrupting the attack chain associated with CVE-2024-38112. Updates should be installed as soon as possible to avoid exploitation, and security hardening techniques should be followed.

Ivanti & Zyxel Address Critical Security Vulnerabilities

Type of vulnerability: Multiple, including remote code execution, SQL injection, and command injection.

The problem: Ivanti has issued patches for Endpoint Manager (EPM), which address ten serious vulnerabilities. CVE-2024-29847 enables remote unauthenticated code execution through the deserialization of untrusted data. Nine SQL injection vulnerabilities (CVE-2024-32840 to 32848, CVE-2024-34779, 34783, 34785) allow remote attackers with admin privileges to execute code. These affect EPM versions 2024, 2022 SU5, and prior.

Meanwhile, Zyxel fixed a command injection vulnerability (CVE-2024-6342) in NAS devices that might allow attackers to execute OS commands using crafted HTTP requests.

The fix: To mitigate the risks, users must upgrade to EPM 2024 SU1 or 2022 SU6. Ivanti has improved its vulnerability identification and disclosure methods. Zyxel patched CVE-2024-6342, the command injection vulnerability in its NAS devices, with new hotfix updates.

Compare the different endpoint protection solutions to find the best tool to secure yourself and your devices against various cyber threats.

September 11, 2024

Hackers Exploit Flaws in WhatsUp Gold to Deploy Remote Access Tools

Type of vulnerability: Multiple, including RCE and SQL injection.

The problem: Attackers use two serious SQL injection flaws (CVE-2024-6670, CVE-2024-6671) in Progress Software’s WhatsUp Gold to retrieve encrypted credentials without authentication. Despite the release of patches on August 16, many organizations have yet to update. Hackers are deploying remote access tools (RATs) using PowerShell scripts, putting the system at risk of additional exploitation and persistent compromise.

The fix: Progress Software published a security update on August 16. To identify potential breaches and avoid continued exploitation, organizations should update WhatsUp Gold immediately and follow the detection measures outlined in the security alert.

September 12, 2024

GitLab Patches Critical Vulnerability Allowing Arbitrary Pipeline Job Execution

Type of vulnerability: Privilege escalation.

The problem: GitLab has disclosed a major vulnerability (CVE-2024-6678, CVSS score: 9.9) that affects versions 8.14 to 17.3. This issue allows attackers to launch pipeline jobs as arbitrary users, which has serious security implications. The same release also fixed three high-severity and 13 medium- and low-severity problems, so immediate upgrades are required to prevent exploitation.

The fix: GitLab fixed the problems in versions 17.3.2, 17.2.5, and 17.1.7 for Community and Enterprise Editions. Users should update to these versions right away to avoid potential exploitation.

September 13, 2024

Hadooken Malware Campaign Targets Linux & Oracle WebLogic Servers

Type of vulnerability: Botnet deployment.

The problem: A new malware campaign using Hadooken malware to target Linux environments, notably Oracle WebLogic servers, has emerged. This campaign spreads Tsunami malware for botnet operations and illegal bitcoin mining. Using known vulnerabilities and weak credentials, attackers use Python and shell script payloads to disseminate Hadooken and establish persistence.

The fix: To defend against this campaign, administrators should promptly update and patch vulnerable software, strengthen credentials, and monitor for suspicious activity. Regularly examine and secure cron jobs and other scheduled operations to prevent malware persistence, and ensure your network defenses are strong against unauthorized lateral movement.

Apple Addresses GAZEploit Vulnerability in Vision Pro Headset

Type of vulnerability: Keystroke interference. 

The problem: A recently disclosed issue in Apple’s Vision Pro headset, CVE-2024-40865, allows attackers to deduce text input on the virtual keyboard by studying the virtual avatar’s eye movements. This exploit, GAZEploit, violates user privacy by recreating keystrokes from gaze data.

The fix: Apple resolved the GAZEploit issue in visionOS 1.3 by suspending the Persona component when the virtual keyboard was engaged. This upgrade reduces the risk of gaze-based keyboard inference and improves privacy by avoiding unwanted data extraction using virtual avatars. Update to the most recent version of visionOS to protect your devices.

Vulnerability Recap 9/9/24 – Exploited Vulnerabilities Persist https://www.esecurityplanet.com/threats/vulnerability-recap-september-9-2024/ Mon, 09 Sep 2024 15:13:07 +0000 https://www.esecurityplanet.com/?p=37213 Recent vulnerability news covered critical flaws affecting major businesses and end users. Explore the latest security updates to ensure you’re protected.

The post Vulnerability Recap 9/9/24 – Exploited Vulnerabilities Persist appeared first on eSecurity Planet.

Last week’s vulnerability news highlighted major security problems that affect a wide range of technologies. These vulnerabilities represent significant dangers for end users and organizations — from the remote code execution vulnerabilities in Veeam Backup & Replication and Apache OFBiz to the severe access control issues in SonicWall and Google Android.

Zyxel routers and Cisco’s Smart Licensing Utility also faced privilege escalation and command injection issues. RansomHub used multiple vulnerabilities to launch ransomware attacks, emphasizing the critical need for updates and strong security measures. Organizations and end users need prompt patching and thorough security policies to protect systems and data from high-risk vulnerabilities.

September 2, 2024

RansomHub Exploits Multiple Vulnerabilities to Attack Critical Sectors

Type of vulnerability: Multiple security flaws from major organizations.

The problem: RansomHub, a ransomware-as-a-service group, targeted security vulnerabilities in Apache ActiveMQ (CVE-2023-46604), Atlassian Confluence (CVE-2023-22515), Citrix ADC (CVE-2023-3519), and Fortinet devices (CVE-2023-27997). The attackers encrypted and stole data from 210 victims in major businesses, threatening data leaks if ransoms weren’t paid.

The fix: Prevent these attacks by rapidly upgrading and patching all impacted software. Companies should improve security by deploying endpoint detection and response (EDR), limiting remote access, and utilizing multi-factor authentication. To avoid further exploitation, impacted organizations should implement incident response policies and consult with cybersecurity specialists.

Manage your organization’s endpoint security through EDR solutions. Explore our review of the top products, their features, pros, and cons.

September 3, 2024

D-Link Vulnerability Enables Remote Code Execution

Type of vulnerability: Stack-based buffer overflow.

The problem: D-Link’s DAP-2310 Wireless Access Point vulnerability known as “BouncyPufferfish” allows for unauthenticated remote code execution. It has been identified as a stack-based buffer overflow (CVE pending) that exploits PHP HTTP queries to the Apache HTTP Server, allowing attackers to execute arbitrary instructions via a specially crafted HTTP GET request.

The fix: D-Link recommends its retirement and replacement due to the DAP-2310’s End-of-Life (EOL) status. Sevco’s CSO Brian Contos states, “6% of all IT assets have reached EOL, and known but unpatched vulnerabilities are a favorite target for attackers.” To reduce risks, replace unsupported equipment, apply available firmware updates, and keep an accurate IT asset inventory.

Zyxel Fixes Critical Vulnerability in Business Routers

Type of vulnerability: OS command injection.

The problem: CVE-2024-7261 affects Zyxel routers, including those from the NWA and WAC series. The bug enables remote attackers to execute arbitrary OS commands via forged cookies by leveraging an input validation issue in the CGI program’s “host” argument. The vulnerability affects all versions before 7.00, with a CVSS v3 score of 9.8 (critical).

The fix: Zyxel has published security upgrades, and end users must immediately upgrade impacted devices to the most recent firmware releases. All impacted models must be updated to version 7.00 or later to fix the vulnerability. Zyxel further suggests enabling automated updates to ensure protection against future threats.

September 4, 2024

Google Patches Actively Exploited Android Vulnerabilities

Type of vulnerability: Multiple, including elevation of privilege and more.

The problem: Google’s September 2024 Android security update fixes 34 vulnerabilities, including CVE-2024-32896, an elevation of privilege flaw used in targeted attacks that allows attackers to bypass defenses via a logic error without requiring additional permissions.

The update also addresses CVE-2024-33042 and CVE-2024-33052 — memory corruption problems in Qualcomm’s WLAN subcomponent that might be exploited locally. These critical vulnerabilities affect Android versions 12, 12L, 13, and 14. Two new critical Pixel device vulnerabilities, CVE-2024-44092 and CVE-2024-44093, grant elevated privileges within the Local Control Subsystem and Low-level Device Firmware, increasing risk if left unpatched.

The fix: Google’s September 2024 updates address vulnerabilities in Android versions 12 to 14. All users should upgrade their systems to protect against this and other vulnerabilities. Pixel users should’ve received added safety fixes, which address significant elevation of privilege problems. Update through Settings > System > Software updates.

Cisco Addresses Critical Smart Licensing Utility Vulnerabilities

Type of vulnerability: Privilege escalation.

The problem: Cisco recently resolved two significant issues in its Smart Licensing Utility: CVE-2024-20439, which stems from undocumented, static admin credentials that allowed attackers to log in remotely, and CVE-2024-20440, which was caused by verbose debug logs that could be accessed via crafted HTTP requests.

Both vulnerabilities have a CVSS score of 9.8, allowing attackers to gain elevated access or retrieve sensitive credentials. Cisco also patched a different command injection flaw, CVE-2024-20469, which affected the Cisco Identity Services Engine (ISE) and allowed local privilege escalation.

The fix: Cisco has released Smart Licensing Utility patches that address CVE-2024-20439 and CVE-2024-20440, advising customers to upgrade to version 2.3.0. Updates for ISE users are now available to address CVE-2024-20469, reducing the risk of privilege escalation attacks. Ensure systems are regularly updated via Cisco’s official website to avoid exploitation.

September 5, 2024

Apache Fixes RCE Vulnerability in OFBiz

Type of vulnerability: Remote code execution.

The problem: Apache resolved CVE-2024-45195 in OFBiz, a remote code execution vulnerability caused by a forced browsing issue that allowed unauthenticated attackers to exploit missing authorization checks and execute arbitrary code. Rapid7’s Ryan Emmons discovered the weakness, which exposes a limited set of endpoints to direct request (forced browsing) attacks.

This vulnerability circumvents prior updates for CVE-2024-32113, CVE-2024-36104, and CVE-2024-38856, affecting both Linux and Windows servers.

The fix: Apache fixed CVE-2024-45195 in OFBiz version 18.12.16 by implementing the necessary authorization checks. Users should upgrade to this or a later version to prevent potential attacks. This update resolves a vulnerability in previous security patches and helps prevent unauthorized code execution by increasing access constraints.

Veeam Releases Updates to Address Vulnerabilities Across Their Products

Type of vulnerability: Multiple, including remote code execution (RCE), sensitive data exposure, authentication bypass, and more.

The problem: Veeam’s September 2024 security bulletin addresses 18 high- and critical-severity vulnerabilities across its products. Notable issues include CVE-2024-40711, a severe RCE vulnerability in Veeam Backup & Replication (VBR) versions 12.1.2.172 and earlier that allows unauthenticated attackers to compromise systems.

Other significant problems include RCE, credential theft, and MFA bypass. Additionally, Veeam Service Provider Console and ONE contain severe vulnerabilities such as CVE-2024-38650 and CVE-2024-39714, which allow low-privileged attackers to read sensitive data and execute arbitrary files.

The fix: To address these issues, users should upgrade to Veeam Backup & Replication 12.2.0.334, Veeam ONE 12.2.0.4093, and Veeam Service Provider Console 8.1.0.21377. These updates address vulnerabilities and reduce the risk of exploitation.

LiteSpeed Publishes Upgrades vs Account Takeover Vulnerability

Type of vulnerability: Unauthenticated account takeover.

The problem: CVE-2024-44000 is a vulnerability in the LiteSpeed Cache plugin, which over 6 million WordPress sites use. The plugin’s debug logging feature writes session cookies to a file, so attackers who can read ‘/wp-content/debug.log’ can steal these cookies and take control of admin accounts. The issue affects sites where debug logging was enabled, and old log files may still expose previously recorded session cookies.

The fix: LiteSpeed Technologies published version 6.5.0.1 to address the problem. The upgrade moves logs to a secure directory, randomizes filenames, disables cookie logging, and includes a dummy index file. To prevent unwanted access, users should remove old ‘debug.log’ files and set up .htaccess rules.

Learn more about cookie theft and explore our guide on preventing it.

September 6, 2024

SonicWall Urges Immediate Update vs Critical Access Control Flaw

Type of vulnerability: Multiple, including access control and denial-of-service.

The problem: CVE-2024-40766 is a serious access control vulnerability that affects SonicWall Firewall Gen 5, Gen 6, and Gen 7 devices (CVSS v3 score: 9.3). It permits unauthorized access to resources and can cause the firewall to crash, undermining network security. The vulnerability affects both SonicOS administration access and SSLVPN functionalities.

The fix: To address CVE-2024-40766, deploy the most recent patches immediately. Update to SonicOS version 5.9.2.14-13o for Gen 5 devices and 6.5.4.15-116n for Gen 6 devices. Limit firewall administration to trusted sources, disable unneeded services, and enable multi-factor authentication (MFA) for SSLVPN users.

Vulnerability Recap 9/2/24 – Big Companies Upgrade vs Risks https://www.esecurityplanet.com/threats/vulnerability-recap-september-2-2024/ Mon, 02 Sep 2024 19:17:03 +0000 https://www.esecurityplanet.com/?p=37094 Last week’s vulnerability news covered companies’ responses to address flaws. See the updates now.

The post Vulnerability Recap 9/2/24 – Big Companies Upgrade vs Risks appeared first on eSecurity Planet.

Several major companies identified and addressed significant security and vulnerability problems in last week’s vulnerability news. SonicWall dealt with a serious access control vulnerability that affected its firewall systems. Traccar fixed severe path traversal flaws in its GPS tracking software. Versa Networks responded to an unrestricted file upload flaw, and Apache resolved an incorrect authorization vulnerability in OFBiz ERP.

Microsoft addressed an ASCII smuggling issue in 365 Copilot, and Google and Fortra issued critical security patches for actively exploited vulnerabilities in Chrome and FileCatalyst Workflow, respectively. To reduce the potential risks, update all impacted software to the most recent version and evaluate your system processes for potential modifications and security enhancements.

August 26, 2024

SonicWall Identifies Access Control Vulnerability

Type of vulnerability: Improper access control.

The problem: CVE-2024-40766, a critical access control vulnerability with a 9.3 severity score, was discovered in SonicOS on SonicWall systems. This flaw has the potential to bring down the firewall or grant unauthorized access to resources. Devices running SonicWall Firewall Gen 5, Gen 6, and Gen 7 are vulnerable to network-based attacks that require no user interaction or authentication.

The fix: Upgrade to SonicWall’s firmware updates for Gen 5 (to version 5.9.2.14-13o), Gen 6 (to version 6.5.4.15.116n), and Gen 7 (to any version above 7.0.1-5035). Disable WAN management access or limit firewall management access to reliable sources if instant updates aren’t possible.

SonicWall’s list of fixed software

Traccar Fixes Path Traversal Vulnerabilities

Type of vulnerability: Path traversal.

The problem: Two major vulnerabilities, CVE-2024-24809 (CVSS score: 8.5) and CVE-2024-31214 (CVSS score: 9.7), were discovered in the Traccar GPS tracking system and affect versions 5.1 to 5.12. These path traversal weaknesses may allow unauthenticated attackers to drop malicious files. This can result in remote code execution under particular conditions, especially when you’ve permitted guest registration.

The fix: Traccar resolved these vulnerabilities in version 6, released in April 2024. It blocks self-registration by default, reducing the attack surface. Users should upgrade to Traccar 6 or higher to reduce the hazards. If you can’t update immediately, disable guest registration and unnecessary write access to prevent exploitation.

Versa Networks Patches File Upload Vulnerability

Type of vulnerability: Unrestricted file upload.

The problem: Versa Networks recently fixed a zero-day vulnerability, CVE-2024-39717, in Versa Director, a platform for managing SD-WAN deployments. This vulnerability, which existed in the “Change Favicon” feature, enabled threat actors with administrative privileges to upload malicious files disguised as PNG images. An APT actor exploited this vulnerability, which affected customers who had not applied the recommended system hardening and firewall guidelines.

The fix: This zero-day has been added to CISA’s Catalog of Known Exploited Vulnerabilities. Versa Networks advises clients to update their Versa Director installations to the most recent version to mitigate CVE-2024-39717. Furthermore, users should evaluate and follow the suggested system hardening and firewall rules. To check for exploitation, look for suspicious files in the /var/versa/vnms/web/custom_logo/ folder.
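The exploitation check above amounts to looking for uploads that claim to be PNG favicons but are not. The following is an added example (not Versa Networks’ code or the page’s) of that check: it walks a directory, verifies each file against the PNG signature, and flags data appended after the final IEND chunk, which is how a payload can ride inside an otherwise valid image. The directory path and the three sample files are constructed here so the script runs offline; point `audit_directory` at the real custom_logo folder in practice.

```python
"""Audit a favicon/logo upload directory for files disguised as PNG images.

Added example, not from eSecurity Planet or Versa Networks. Two checks:
  1. the file must start with the 8-byte PNG signature;
  2. nothing may follow the IEND chunk (appended data is a classic
     image/script polyglot indicator).
The sample directory is constructed in a temp dir so the example runs offline.
"""
import os
import struct
import tempfile
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype, data):
    """Encode one PNG chunk: length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


# IEND carries no data; its chunk bytes are therefore a fixed 12-byte tail.
IEND_CHUNK = _chunk(b"IEND", b"")


def build_minimal_png():
    """Return a valid 1x1 8-bit grayscale PNG (constructed sample image)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # w, h, depth, colour, comp, filter, interlace
    scanline = b"\x00\x00"                               # filter byte 0 + one grey pixel
    return PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(scanline)) + IEND_CHUNK


def inspect_image(path):
    """Return a list of findings for one file; an empty list means it looks like a clean PNG."""
    with open(path, "rb") as fh:
        data = fh.read()
    findings = []
    if not data.startswith(PNG_SIGNATURE):
        findings.append("not a PNG: signature mismatch")
        return findings
    end = data.rfind(IEND_CHUNK)
    if end == -1:
        findings.append("truncated or malformed: no IEND chunk")
    else:
        trailing = len(data) - (end + len(IEND_CHUNK))
        if trailing:
            findings.append(f"{trailing} bytes appended after IEND")
    return findings


def audit_directory(directory):
    """Map every regular file in `directory` to its findings."""
    report = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if os.path.isfile(path):
            report[name] = inspect_image(path)
    return report


def build_sample_directory():
    """Create a constructed stand-in for the upload folder with one clean, one fake and one polyglot file."""
    directory = tempfile.mkdtemp(prefix="custom_logo_")
    samples = {
        "favicon.png": build_minimal_png(),                          # genuine image
        "logo.png": b"this is plain text, not image data\n",         # wrong content type
        "banner.png": build_minimal_png() + b"appended data",        # valid PNG + trailing bytes
    }
    for name, content in samples.items():
        with open(os.path.join(directory, name), "wb") as fh:
            fh.write(content)
    return directory


if __name__ == "__main__":
    sample_dir = build_sample_directory()
    for filename, findings in audit_directory(sample_dir).items():
        status = "; ".join(findings) if findings else "ok"
        print(f"{filename}: {status}")
```

Files that fail either check are not proof of compromise on their own (a legitimate tool may write metadata after IEND), but in a folder that should contain only admin-uploaded favicons they are exactly what an incident responder wants surfaced first.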

Explore how to prepare for zero-day threats. See how it works and the best practices for organizations to mitigate these attacks.

August 27, 2024

Apache Encounters Incorrect Authorization Vulnerability in OFBiz ERP

Type of vulnerability: Incorrect authorization.

The problem: Apache OFBiz, an open-source enterprise resource planning (ERP) system, contains a critical security weakness (CVE-2024-38856) with a CVSS score of 9.8, which allows unauthenticated attackers to execute remote code via a Groovy payload. This vulnerability, now actively exploited in the wild, affects systems used by big corporations worldwide, possibly compromising their sensitive operations.

The fix: To mitigate CVE-2024-38856, update Apache OFBiz to version 18.12.15. Federal agencies must roll out the revisions by September 17, 2024.

In his expert commentary regarding the issue, Greg Fitzgerald, co-founder of Sevco Security, warns that “even when patches are applied, a more insidious threat exists if companies have lost track of vulnerable instances.” Fitzgerald emphasizes an accurate IT asset inventory, citing that many assets remain uncovered by enterprise patch management and vulnerability management systems.

Microsoft Resolves ASCII Smuggling Vulnerability in 365 Copilot

Type of vulnerability: ASCII smuggling.

The problem: A recently patched vulnerability in Microsoft 365 Copilot allowed attackers to obtain sensitive user information via ASCII smuggling. Attackers could employ invisible Unicode characters to conceal harmful material in hyperlinks and exfiltrate data such as MFA codes. The exploit chain featured prompt injection and automatic tool invocation to find sensitive documents.

The fix: Microsoft rectified the vulnerability after disclosure in January 2024. Enterprises should activate data loss prevention and other security controls to limit hazards in AI technologies such as Copilot. Assess your risk tolerance to avoid data breaches from Copilots and safeguard bots with authentication measures.
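ASCII smuggling works because the Unicode Tags block (U+E0000 to U+E007F) mirrors printable ASCII one-for-one yet renders as nothing, so a link can carry a hidden payload that a user never sees. The following is an added example (not Microsoft’s code or the page’s) of the defensive side: a scanner that flags Tags-block and zero-width code points in text or link targets, decodes the hidden ASCII so an analyst can see what was smuggled, and returns a sanitised copy suitable for a data loss prevention rule. The sample link and its hidden value are constructed for the example.

```python
"""Detect and reveal ASCII smuggling in text or hyperlinks.

Added example, not from eSecurity Planet or Microsoft. Characters in the
Unicode Tags block (U+E0020-U+E007E) map to ASCII 0x20-0x7E and are invisible
when rendered; zero-width characters are likewise used to hide or split text.
"""
import unicodedata

TAG_BASE = 0xE0000                 # code point of TAG ASCII offset
TAG_RANGE = range(0xE0000, 0xE0080)  # whole Tags block, incl. LANGUAGE TAG / CANCEL TAG

# Other invisible code points commonly abused to hide or split text.
ZERO_WIDTH = {
    0x200B: "ZERO WIDTH SPACE",
    0x200C: "ZERO WIDTH NON-JOINER",
    0x200D: "ZERO WIDTH JOINER",
    0x2060: "WORD JOINER",
    0xFEFF: "ZERO WIDTH NO-BREAK SPACE",
}


def find_hidden(text):
    """Return (index, codepoint, name) for every invisible code point in `text`."""
    hits = []
    for i, ch in enumerate(text):
        cp = ord(ch)
        if cp in TAG_RANGE:
            hits.append((i, cp, unicodedata.name(ch, "TAG CHARACTER")))
        elif cp in ZERO_WIDTH:
            hits.append((i, cp, ZERO_WIDTH[cp]))
    return hits


def decode_tags(text):
    """Recover the ASCII string hidden in Tags-block characters (analyst view)."""
    return "".join(chr(ord(ch) - TAG_BASE) for ch in text
                   if 0xE0020 <= ord(ch) <= 0xE007E)


def strip_hidden(text):
    """Return `text` with every invisible code point removed (sanitised form)."""
    return "".join(ch for ch in text
                   if ord(ch) not in TAG_RANGE and ord(ch) not in ZERO_WIDTH)


def _encode_tags(payload):
    """Map ASCII into Tags-block characters; used only to build the constructed sample."""
    return "".join(chr(TAG_BASE + ord(c)) for c in payload)


def scan_link(url):
    """Classify one hyperlink target and return what a DLP rule or analyst needs."""
    hits = find_hidden(url)
    return {
        "suspicious": bool(hits),
        "hidden_count": len(hits),
        "decoded": decode_tags(url),
        "clean": strip_hidden(url),
    }


# Constructed sample: the visible URL looks harmless, but the query string carries a
# hidden ASCII value (a made-up placeholder, not a real code) plus a zero-width space.
SAMPLE_LINK = ("https://example.com/report?ref="
               + _encode_tags("code=123456") + "\u200b")

if __name__ == "__main__":
    verdict = scan_link(SAMPLE_LINK)
    print("visible form :", verdict["clean"])
    print("hidden chars :", verdict["hidden_count"])
    print("decoded      :", verdict["decoded"])
    for idx, cp, name in find_hidden(SAMPLE_LINK):
        print(f"  offset {idx}: U+{cp:05X} {name}")
```

In a production control the `suspicious` flag alone is enough to block or quarantine a link; the decoded payload is for the analyst reviewing the alert, and the `clean` form is what should be shown to users or fed to downstream tooling.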

Google Reveals Actively Exploited Chrome Flaw in V8 Engine

Type of vulnerability: Inappropriate implementation bug.

The problem: Google addressed an actively exploited security flaw in its Chrome browser, tracked as CVE-2024-7965. The vulnerability stems from an inappropriate implementation in the V8 JavaScript and WebAssembly engine, which allows remote attackers to trigger heap corruption using crafted HTML pages.

The bug was found by a security researcher named TheDog. Google hasn’t provided precise data about the assaults, but it has confirmed that the vulnerability is being actively exploited in the wild.

The fix: Google recommends updating Chrome to versions 128.0.6613.84/.85 for Windows and macOS, and 128.0.6613.84 for Linux. This update handles the actively exploited CVE-2024-7965 vulnerability in the V8 engine, preventing heap corruption attacks using manipulated HTML pages.

August 28, 2024

Fortra Patches Critical Access Flaw in FileCatalyst Workflow

Type of vulnerability: Credential exposure.

The problem: Fortra fixed a major vulnerability in FileCatalyst Workflow (CVE-2024-6633) with a CVSS score of 9.8. The vulnerability stems from a static password used for the HSQL database, which allows remote attackers to acquire administrative privileges. This default credential vulnerability jeopardizes program security, integrity, and availability. The issue was made public on July 2, 2024.

The fix: Fortra has published a patch for FileCatalyst Workflow 5.1.7 and later, which addresses the static password issue. Update to this version to mitigate CVE-2024-6633 and fix the high-severity SQL injection bug (CVE-2024-6632) in the setup process.

Cookie theft is another method attackers use to expose your credentials. Reduce this risk, learn how to prevent unauthorized access to your browser, and discover some ways to identify and recover from stolen credential attacks.

August 29, 2024

AVTECH IP Cameras Exploited via Old Command Injection Flaw

Type of vulnerability: Command injection.

The problem: CVE-2024-7029 (CVSS score: 8.7) is a command injection vulnerability in AVTECH IP cameras that permits remote code execution (RCE) via the brightness feature. Threat actors exploited this weakness to recruit devices into botnets, affecting devices running firmware versions up to FullImg-1023-1007-1011-1009. It was publicly disclosed in August 2024.

The fix: Currently, no patch is available for this issue. Users must examine their camera firmware and seek alternative or extra security steps to reduce risk.

August 30, 2024

Threat Actors Leverage Atlassian Confluence Flaw for Crypto Mining

Type of vulnerability: Remote code execution.

The problem: CVE-2023-22527, a severe RCE vulnerability in Atlassian Confluence Data Center and Server, enables unauthenticated remote code execution. Threat actors use this vulnerability to deploy XMRig miners, target SSH endpoints, and sustain persistence via cron jobs. Exploitation attempts increased significantly between June and July 2024.

The fix: To fix CVE-2023-22527, immediately update the Atlassian Confluence Data Center and Server to the newest versions. This patch addresses the major vulnerability and prevents future exploitation, protecting you against unauthorized remote code execution and illegal cryptocurrency mining.

Exploited Chrome Flaw Triggers Rootkit Deployment

Type of vulnerability: Type confusion.

The problem: CVE-2024-7971 is a high-severity type confusion vulnerability in Chrome’s V8 engine that North Korean actors exploited to execute code remotely. This resulted in the deployment of the FudModule rootkit. Victims of social engineering risked compromised systems and probable data theft.

The fix: Google addressed this flaw, eliminating the risk of remote code execution. To respond to CVE-2024-7971, update Chrome and other Chromium-based browsers to the latest version. Update Windows to solve associated vulnerabilities such as CVE-2024-38106 to avoid further exploitation and rootkit installation.
