Patch Tuesday April 2024 Updates – Vulnerability Digest from Action1
This digest explains the most serious vulnerabilities in popular Windows software that have been patched over the past month.
In this issue, you will learn about patches for:
- Microsoft vulnerabilities from Patch Tuesday:
- Critical Remote Code Execution Vulnerability in Microsoft Defender for IoT (CVE-2024-29053 and CVE-2024-21323)
- Several Remote Code Execution Vulnerabilities in Microsoft OLE DB Driver for SQL Server
- Microsoft Excel Remote Code Execution Vulnerability (CVE-2024-26257)
- Remote Procedure Call Runtime Remote Code Execution Vulnerability (CVE-2024-20678)
- Third-party application vulnerabilities:
Microsoft Vulnerabilities
This Patch Tuesday, Microsoft has announced fixes for 151 vulnerabilities, marking a significant increase from the previous month’s tally. Among these, only three are classified as critical, and notably, all pertain to Microsoft Defender for IoT. In an interesting development, similar to the last March Patch Tuesday release, there are no zero-days or publicly disclosed proofs of concept (PoCs) associated with this month’s updates. Here’s a closer look at the critical updates that stand out in this batch.
Critical Remote Code Execution Vulnerability in Microsoft Defender for IoT
Two critical vulnerabilities, CVE-2024-29053 and CVE-2024-21323, have been identified in Microsoft Defender for IoT, underscoring significant risks to organizations’ Internet of Things (IoT) security frameworks. Revealed on April 9, 2024, these vulnerabilities have been critically rated for their potential impact on the confidentiality, integrity, and availability of the systems they afflict. Stemming from an absolute path traversal flaw, as categorized by the Common Weakness Enumeration (CWE-36), these vulnerabilities expose a pathway for attackers to access and manipulate directories and files located beyond the web root folder.
The exploitation of such vulnerabilities could empower an attacker to remotely execute arbitrary code on a victim’s system. The implications of this are profound, ranging from full system control, service disruptions, sensitive data leakage, to further network propagation.
With a CVSS v3.1 score of 8.8, the severity of CVE-2024-29053 and CVE-2024-21323 is highlighted by their wide-reaching implications. The exploitation process requires minimal complexity, indicating that attackers could leverage these vulnerabilities with basic user privileges and without any user interaction. The exploit code maturity for these vulnerabilities is currently “Unproven”, suggesting that, although their existence is verified, exploit codes may not yet be prevalent in the wild.
As of the advisory’s release, there has been no public disclosure or reports of active exploitation regarding these vulnerabilities. Specifically, CVE-2024-29053 could be targeted through the system’s file upload capability. An attacker could engineer a malicious file, utilizing absolute path traversal patterns for its upload, thus positioning the file within unauthorized directories and potentially facilitating remote code execution.
In response, Microsoft has developed and disseminated a corrective update to mitigate these vulnerabilities. Users and administrators are urged to implement this update promptly to fortify their systems against possible exploitation, safeguarding their operational integrity and sensitive data.
Several Remote Code Execution Vulnerabilities in Microsoft OLE DB Driver for SQL Server
A series of critical remote code execution (RCE) vulnerabilities have been identified in the Microsoft OLE DB Driver for SQL Server, an essential data access technology that facilitates rapid SQL Server data access across diverse applications. These vulnerabilities span several driver versions and are collectively deemed “Important” in terms of severity.
On April 9, 2024, Microsoft announced the discovery through the release of 25 CVE identifiers, including CVE-2024-28906, CVE-2024-28908-15, CVE-2024-28926 through CVE-2024-28927, CVE-2024-28939 through CVE-2024-28945, and CVE-2024-29044-48, extending to CVE-2024-29982-85. Classified under CWE-122: Heap-based Buffer Overflows, these vulnerabilities emerge from improper input handling by the application, leading to buffer overflow, memory overwrite, and ultimately, undefined behavior that can trigger an RCE.
With a high CVSS v3.1 base score of 8.8, the implications of these vulnerabilities are significant. Successful exploitation could allow attackers to remotely execute malicious code, compromising system integrity, confidentiality, and availability, and potentially broadening their access within the target network. As of the advisory date, there has been no public disclosure or known exploitation of these vulnerabilities.
The attack vector involves enticing an authenticated user to connect to a rogue SQL server utilizing the compromised driver, which then sends crafted packets to exploit the heap-based buffer overflow vulnerabilities, facilitating RCE on the client side.
To mitigate these risks, SQL Server users are advised to apply the latest updates, including specific driver fixes. Applications should transition to using Microsoft OLE DB drivers versions 18 or 19, ensuring these are the patched versions. For third-party application users, it is critical to confirm compatibility with Microsoft OLE DB Driver versions 18 or 19 before applying the updates.
Updates should be chosen based on the SQL Server version in use, considering whether General Distribution Release (GDR) or Cumulative Update (CU) updates are applicable. SQL Server instances running on Windows Azure Infrastructure as a Service (IaaS) have the option to receive updates automatically via Microsoft Update or to apply security updates manually.
Given the critical nature of these vulnerabilities, especially in environments where SQL Server is extensively utilized, prioritizing these remediation efforts is crucial to maintaining system security and integrity.
Microsoft Excel Remote Code Execution Vulnerability
A critical flaw, identified as CVE-2024-26257, has emerged within Microsoft Excel, the extensively utilized spreadsheet application by Microsoft. Highlighted in an advisory dated April 9, 2024, and rated as “Important” in severity, this vulnerability harbors the potential to enable attackers to execute arbitrary code remotely on a victim’s system under specific scenarios.
This issue falls under CWE-415: Double Free, a condition where the same memory location is erroneously freed twice via system function calls. Such a mishap can trigger a spectrum of unpredictable behaviors from program crashes and memory corruption to potentially allowing the execution of arbitrary code.
With a CVSS v3.1 base score of 7.8, the vulnerability indicates a considerable risk to the confidentiality, integrity, and availability of affected systems. Key risk metrics associated with CVE-2024-26257 include:
- Attack Vector (AV): Local, necessitating access to the local system
- Attack Complexity (AC): Low
- Privileges Required (PR): None
- User Interaction (UI): Required
- Scope (S): Unchanged
Despite the “Less Likely” rating for exploitation likelihood, the exploit code maturity is considered “High”. This suggests that while there have been no instances of exploitation or public disclosure at the time of the advisory, the conditions for potential exploitation exist and warrant caution.
The exploitation process involves user interaction, specifically, the victim being duped into opening a malicious Excel file by an attacker. Users are thus urged to exercise caution and refrain from opening files from unknown or untrustworthy sources.
Though the attack vector is classified locally, indicating that the malicious code must be executed on the victim’s computer, the “Remote Code Execution” descriptor signifies the attacker’s capability to initiate the attack remotely through a malicious file that the victim needs to open.
Particularly, users of Microsoft Office 2021 for Mac should note that a security update is forthcoming, with Microsoft committed to releasing this update promptly. Users will be informed through a revision to the CVE details when the update is available.
Microsoft has provided an “official fix” to address this vulnerability. Users are strongly encouraged to implement this solution to safeguard against potential exploits. For versions yet to receive a security update, such as Office 2021 for Mac, it is crucial to stay vigilant, adhere to safe computing practices, and update systems immediately once updates are issued.
Remote Procedure Call Runtime Remote Code Execution Vulnerability
The identification of CVE-2024-20678 unveils a critical vulnerability within the Remote Procedure Call (RPC) runtime, disclosed on April 9, 2024. This security flaw represents a substantial threat, potentially enabling attackers with elevated privileges to carry out remote code execution. Assigned a severity level of “Important” by Microsoft, the CVE Numbering Authority (CNA) responsible for its disclosure, this issue demands urgent attention.
Classified under CWE-843, Access of Resource Using Incompatible Type, or “Type Confusion”, this vulnerability arises from improper resource access using a type not aligned with the intended secure type. Such mismatches can lead to outcomes ranging from data corruption to the execution of arbitrary code.
With a CVSS v3.1 score of 8.8, the vulnerability signals a significant risk, posing a severe threat to the system’s confidentiality, integrity, and availability. Key risk metrics include:
- The vulnerability is exploitable remotely over a network.
- The exploitation complexity is low, indicating ease of execution.
- It can be exploited by an authenticated user without elevated privileges.
- No user interaction is required for exploitation.
- The exploit’s impact remains within the same privilege level as the compromised component.
- There have been no reports of active exploitation at the time of disclosure.
- The details of the vulnerability have not been publicly disclosed.
The “low” privilege requirement suggests that an attacker with basic user-level access could potentially exploit this flaw, broadening the scope of potential attackers by enabling more users to act as vectors for an attack.
The RPC runtime, a critical mechanism for executing code on a server from a device in a different network or geographic location, is at the heart of this vulnerability. An attacker exploiting this vulnerability would initiate a specially crafted RPC call to a susceptible host, potentially enabling remote code execution on the target server under the same privileges as the RPC service, which may extend to system-level privileges.
Despite the exploit code maturity being rated as “Unproven”, indicating the absence of functional exploits in the wild, the potential for exploitation underscores the importance of timely security updates. Organizations utilizing RPC communication must promptly apply the recommended updates to mitigate the risk of remote, unprivileged attacks that could exploit this vulnerability. Given RPC’s integral role in numerous computing operations, the implications of such a vulnerability are extensive, warranting immediate and comprehensive remedial actions.
Google Chrome
Google recently issued an update for its Chrome browser, incorporating fixes for two zero-day vulnerabilities among a total of seven security issues addressed. The first zero-day, identified as CVE-2024-2887, represents a critical type confusion flaw within WebAssembly (Wasm). This vulnerability was showcased by researcher Manfred Paul during the Pwn2Own competition’s opening day, employing a specially crafted HTML page to execute a remote code execution (RCE) exploit against both Chrome and Edge browsers.
The second zero-day, documented as CVE-2024-2886, emerged from research conducted by a member of the KAIST Hacking Lab on the subsequent day of the CanSecWest Pwn2Own event. This bug, a use-after-free (UAF) vulnerability within the WebCodecs API, enables attackers to carry out arbitrary read/write operations through manipulated HTML pages. Furthermore, this vulnerability was exploited to achieve remote code execution on both Google Chrome and Microsoft Edge.
These issues have been addressed with the rollout of Google Chrome version 123.0.6312.86/.87 for Windows and Mac, and version 123.0.6312.86 for Linux, ensuring users are protected against these vulnerabilities.
Mozilla Firefox
Mozilla has addressed two significant vulnerabilities in Firefox, rewarding Manfred Pohl with a $100,000 prize and 10 Master of Pwn points for their disclosure. The first vulnerability, CVE-2024-29943, concerns an out-of-bounds (OOB) write that could lead to remote code execution. It allows attackers to interact with a JavaScript object beyond its intended boundaries due to the removal of scope-based bounds checking on affected systems. Consequently, this flaw could enable the reading or writing of JavaScript objects outside their allocated space by exploiting the lack of range-based bounds checking.
The second vulnerability, CVE-2024-29944, involves a sandbox escape technique in Mozilla Firefox, facilitated by the misuse of an untrusted function. It is characterized by the potential for privileged JavaScript execution through event handlers, potentially allowing attackers to run arbitrary code in the parent process of the Firefox desktop web browser.
To mitigate these risks, Mozilla has rolled out updates in Firefox 124.0.1 and Firefox ESR 115.9.1, effectively sealing off avenues for potential remote code execution attacks on browsers that have not been updated.
HTTP 2.0
A critical flaw discovered in the HTTP/2 protocol, known as the HTTP/2 CONTINUATION Flood, has been brought to light by researcher Bartek Nowotarski. This vulnerability poses a significant risk by enabling attackers to execute powerful Denial of Service (DoS) attacks. The mechanism of attack involves sending a relentless stream of header frames to a server, exploiting the CONTINUATION frame functionality of HTTP/2, which is designed to piece together fragmented packets into a single coherent stream. The attack is facilitated by the omission of the END_HEADERS flag, which should normally signal the conclusion of a message stream, leading to server memory overflow and subsequent failure.
Nowotarski’s findings unveiled a total of nine critical vulnerabilities within the HTTP/2 protocol that interlink to enable such an exploit. He reported these issues to CERT/CC on January 25, 2024, which subsequently confirmed on April 3 that numerous implementations of HTTP/2 fail to properly handle extensive sequences of CONTINUATION frames within a single stream. The abuse of CONTINUATION frames, which should carry segments of header blocks concluded by an END_HEADERS flag, becomes possible when an attacker initiates a new HTTP/2 stream and sends HEADERS along with CONTINUATION frames without the concluding END_HEADERS flag. This results in an unending header stream that overwhelms server resources.
The CONTINUATION Flood threat is deemed more severe than the Rapid Reset attack identified in October 2023. Nowotarski highlighted that even a single machine, in some scenarios, could be sufficient to compromise server availability through the meticulous use of TCP connections or frame sequences. One of the insidious aspects of this attack is its invisibility in HTTP access logs, complicating detection efforts. Depending on the specific implementation, the impact can vary from immediate server failure upon receiving a handful of HTTP/2 frames to prolonged server downtime caused by memory depletion or CPU overload.
A wide array of popular software projects are affected by this vulnerability, including but not limited to amphp/http, Apache HTTP Server, Apache Tomcat, Apache Traffic Server, Envoy proxy, Golang, the h2 Rust crate, nghttp2, Node.js, and Tempesta FW. The respective vendors have responded by releasing updates to mitigate the issue. As an interim measure, disabling HTTP/2 support on servers is recommended to safeguard against potential attacks.
Flowmon
Progress Software, the developers behind the MoveIT application, has rolled out a critical update for Flowmon, a key component in their suite of network monitoring and security solutions. This patch addresses a significant security flaw, CVE-2024-2389, which if exploited, could allow remote attackers to gain unauthorized access to a system. With a CVSS score of 10 out of 10, this vulnerability is particularly severe. It involves an OS command injection issue that permits unauthenticated individuals to execute arbitrary system commands via Flowmon’s web interface, all without needing authentication.
Flowmon stands as a vital tool for administrators, offering the capability to visualize network traffic and fend off cyber threats efficiently. The vulnerability identified, CVE-2024-2389, could enable attackers to siphon off sensitive data, such as network configurations, potentially paving the way for more invasive attacks on the network infrastructure.
The issue impacts Flowmon versions 11.x and 12.x. However, Progress has been proactive in mitigating the risk by releasing updates for these versions, specifically Flowmon 11.1.14 and 12.3.5, to close off this vulnerability. While there have been no reported incidents of this vulnerability being exploited in the wild, the potential risk it poses is significant. Given the critical nature of CVE-2024-2389 and the reality that cybercriminals are always on the lookout for such vulnerabilities, it’s highly recommended for users of affected versions to update their systems promptly to protect against potential exploits.
Ivanti
Ivanti’s journey continues as it rolls out crucial patches to address a new critical remote code execution (RCE) vulnerability in Standalone Sentry, designated as CVE-2023-41724 with a high CVSS score of 9.6, as reported by the NATO Cybersecurity Center. This flaw allows unauthenticated attackers to execute arbitrary commands on devices within the same physical or logical network, posing a significant threat due to its low complexity of exploitation. The vulnerability impacts all supported and older versions of Standalone Sentry, specifically versions 9.17.0, 9.18.0, and 9.19.0, with the corrective patches available in versions 9.17.1, 9.18.1, and 9.19.1.
Additionally, Ivanti has remedied another critical issue, CVE-2023-46808, affecting its Neurons for ITSM solution. This vulnerability could enable remote attackers with low-privilege accounts to execute commands as a web application user. While patches have been applied to Ivanti Neurons for ITSM cloud services, on-premises deployments remain at risk until updated.
Despite no reported instances of these vulnerabilities being exploited in the wild, Ivanti emphasizes the importance of applying these patches without delay. CVE-2023-41724, in particular, requires a valid TLS client certificate registered through EPMM for direct online exploitation, adding a layer of protection for those who have not yet applied the fix.
In light of a CISA directive advising against the use of Ivanti solutions pending fixes, the ongoing cycle of vulnerabilities and patches appears endless for Ivanti users. This cycle extends to urgent updates addressing multiple vulnerabilities in Connect Secure and Policy Secure gateways. Among these, CVE-2024-21894 stands out with a CVSS rating of 8.2, allowing for potential RCE and DoS by unauthenticated attackers through a heap overflow in the IPSec component, albeit under certain conditions not specified by Ivanti.
Three additional vulnerabilities, leading to potential DoS attacks, have been patched, including CVE-2024-22052 and CVE-2024-22053—stemming from null pointer dereferencing and heap overflow issues in the IPSec component—and CVE-2024-22023, resulting from an XEE vulnerability in the SAML component.
Given the significant number of Ivanti Connect VPN gateways exposed online, the risks associated with these vulnerabilities cannot be understated. Despite the absence of reported exploits, the track record suggests a cautious approach, emphasizing the urgency of applying these updates to mitigate potential cyber threats.
Linux
A sophisticated supply chain attack targeting the open-source ecosystem has been revealed, characterized by the introduction of a backdoor into the XZ Utils toolkit, a component widely integrated into numerous Linux distributions. This orchestrated effort, initiated two years prior, unfolded through a series of calculated moves including social engineering tactics, the displacement of the original maintainer, and the insertion of compromised code by ostensibly legitimate developers. This meticulously planned operation enabled adversaries to implant malicious code within versions 5.6.0 and 5.6.1 of the XZ Utils suite, released on February 24 and March 9, respectively. Given XZ Utils’ extensive use across most major Linux distributions and various Linux and MacOS applications, the corrupted code was incorporated into several March releases of these operating systems.
The embedded backdoor, identified as CVE-2024-3094 with the highest severity score of CVSS 10, facilitates the execution of arbitrary code under specific conditions, all while evading detection in sshd logs. This is achieved by manipulating IFUNC calls related to architecture extension checks, allowing for the injection and execution of malicious code. The tampered versions, namely 5.6.0 and 5.6.1, have impacted a slew of prominent Linux distributions including Alpine, Debian (testing), Fedora Rawhide, Kali Linux, and openSUSE Tumbleweed among others, though it’s noted that some distributions like Arch Linux and Fedora 40 are inherently immune to this backdoor due to their unique compilation and linking processes.
Distribution users are advised to independently verify the integrity of their XZ Utils installations. Despite the absence of reported active exploits, the recommendation is to revert to earlier, untainted versions of XZ Utils and undertake comprehensive incident response measures. The complexity and execution timeline of this backdoor hint at a highly sophisticated and resourceful attacker, underscoring a critical vulnerability within the open-source model: the reliance on community-driven development without adequate oversight.
In a separate disclosure, another longstanding vulnerability has been identified in the Wall utility, part of the util-linux package, persisting for over a decade. CVE-2024-28085 exposes a method for attackers to manipulate terminal escape sequences to deceive other users into divulging their administrative passwords. Originating from a failure to filter escape sequences in version 2.24, this vulnerability could enable the crafting of fraudulent SUDO prompts on the terminals of logged-on users under specific conditions. Detected in Ubuntu 22.04 LTS and Debian 12.5, but not affecting CentOS, this issue has been demonstrated by researcher Skyler Ferrante through a proof of concept and scripts. The described attack vector involves monitoring system processes to opportunistically prompt users for their password, potentially compromising it.
This series of vulnerabilities underscores the persistent and evolving threats facing open-source software and the critical need for rigorous security practices within the development and maintenance of such widely used tools and utilities.
Splunk
Splunk has proactively addressed a series of critical vulnerabilities across its enterprise products, marking a significant step in bolstering the security of its offerings. Among these, the company has highlighted two high-severity vulnerabilities within Splunk Enterprise, each accompanied by dedicated advisories.
The first vulnerability, identified as CVE-2024-29946, targets the Splunk Dashboard Studio. It poses a risk by allowing attackers, armed with high-privilege user rights, to circumvent SPL protections against high-risk commands. This could potentially be exploited through phishing tactics, coaxing an unsuspecting user to execute a malicious request via their browser.
Concurrently, CVE-2024-29945 represents a second significant threat, concerning the inadvertent exposure of authentication tokens. This vulnerability comes to the fore in scenarios where Splunk Enterprise is run in debug mode, or when JsonWebToken’s logging level is set to DEBUG, potentially disclosing sensitive token information during the verification process. Exploitation here is contingent upon the attacker gaining either local access to log files or administrator privileges over internal indexes.
Splunk has moved swiftly to mitigate these risks, releasing patches, fixes, and recommended workarounds to address each vulnerability. Additionally, the company has undertaken measures to secure Splunk Enterprise and the Splunk Universal Forwarder against vulnerabilities stemming from the integration of third-party packages, including Curl, OpenSSL, Go, PyWin32, Apache Hive, and Jackson from FasterXML. While the vulnerabilities impacting the Universal Forwarder are classified as low severity, those identified in Splunk Enterprise range from high to moderate, underscoring the importance of prompt updates and security practices to protect against potential cyber threats.
Anyscale Ray AI
Oligo has unveiled details of a significant breach impacting hundreds of Anyscale Ray artificial intelligence systems clusters, attributing the breach to a critical vulnerability that Anyscale opted not to rectify, deeming it a consequence of a design decision rather than a flaw. In November 2023, Anyscale acknowledged the discovery of five vulnerabilities within the Ray framework, promptly addressing four: CVE-2023-6019, CVE-2023-6020, CVE-2023-6021, and CVE-2023-48023. However, it chose not to patch the fifth vulnerability, CVE-2023-48022, categorizing it as a critical remote code execution (RCE) bug. Anyscale’s stance was that the platform was inherently not designed for internet-facing deployments and therefore didn’t necessitate authentication, suggesting that exploitation would only occur in instances where deployment practices diverged from the recommended secure network environments.
Hackers, identifying the unpatched vulnerability timely, initiated the ShadowRay campaign by September 5, 2023, exploiting the loophole to hijack computing resources for cryptocurrency mining and exfiltrate sensitive data from an extensive array of companies. CVE-2023-48022, bearing a CVSS score of 9.8, provided attackers with the capability to access critical data across the clusters, including credentials. The breach led to the compromise of numerous Ray clusters, with attackers harvesting a significant volume of sensitive information, such as AI workload specifics, database credentials, password hashes, SSH keys, and tokens for OpenAI, HuggingFace, and Stripe services. Furthermore, the attackers gained root access to pivotal cloud services through many of these clusters, potentially compromising customer data and accessing Kubernetes APIs and Slack tokens. The majority of the infiltrated clusters were found to be infected with cryptominers like Java-based XMRig, NBMiner, and Zephyr, alongside reverse shells to establish persistent access.
Oligo’s investigation into the scope and sophistication of the ShadowRay campaign suggests the involvement of a highly skilled group of hackers, adept at evading detection through the use of Interactsh for connection requests and exploiting the disorganized nature of the response to the controversial CVE. Additionally, a base64-encoded payload was uncovered, designed to escalate privileges on compromised machines via open-source scripts, remarkably evading detection across all VirusTotal antivirus engines.
Given Ray’s widespread adoption, evidenced by over 30,500 stars on GitHub and its utilization by prominent organizations like Amazon, Spotify, LinkedIn, Instacart, Netflix, Uber, and OpenAI, the long-term repercussions of the ShadowRay campaign could be significant and far-reaching.
Apple
Apple has recently deployed updates for iOS 17.4.1 and macOS Sonoma 14.4.1, targeting a critical remote code execution (RCE) vulnerability identified as CVE-2024-1580. This vulnerability, caused by an integer overflow leading to out-of-range writes, impacts both CoreMedia and WebRTC components on iOS and macOS. It is related to the cross-platform AV1 decoder, dav1d, and was resolved in the dav1d version 1.4.0 released on February 1. The flaw arises during video decoding with large frame sizes in the dav1d AV1 decoder, leading to memory corruption. Apple’s solution enhances input validation to prevent exploitation.
This patch is part of broader updates across Apple’s ecosystem, including iOS, iPadOS, VisionOS, macOS, and Safari, to safeguard users against potential exploitation. The vulnerability, though rated with moderate severity, is notable for its potential for network exploitation with minimal privileges and without user interaction. Highlighted by Google Project Zero’s Nick Gallowham through detailed analysis and a demonstration, Apple’s prompt response underscores the importance of these updates, especially in the absence of reported real-world exploits.
In addition, a new side-channel vulnerability named GoFetch has been identified, affecting Apple’s M1, M2, and M3 processors. This vulnerability exposes cryptographic keys through a technique that exploits the Data Memory-Dependent Prefetchers (DMP) within these processors. GoFetch specifically targets the prefetching behavior that anticipates data needs, thereby enhancing performance but also creating an attack vector for extracting cryptographic keys from the CPU cache.
The discovery, made by a collective of U.S. researchers, has been communicated to Apple, highlighting a particular concern for Apple’s implementation of DMP. Unlike Intel’s Raptor Lake processors, Apple’s design presents a vulnerability that cannot be fully mitigated on existing M1 and M2 processors without potential performance impacts. The suggested countermeasures, such as input hiding and DMP activation masking, offer some defense but highlight a crucial hardware-based vulnerability.
The GoFetch attack, detailed in a forthcoming white paper and proof of concept, emphasizes the potential for remote exploitation via malware, presenting a significant security consideration for developers and users alike. Apple’s stance, advocating for adherence to mitigation strategies, reflects the complex nature of addressing hardware vulnerabilities within existing devices.
Overall, these updates and discoveries accentuate the ongoing challenges in cybersecurity, from software vulnerabilities to hardware-induced risks, reinforcing the critical role of continuous vigilance and proactive security measures in the digital landscape.
GLPI
During a penetration test, researchers from Quarkslab uncovered new SSRF and SQL injection vulnerabilities within GLPI, a widely used asset management and IT software suite. Their investigation began upon identifying a GLPI server, version 10.0.10, on the internal network they were assessing. Initially, this version was not associated with any CVEs. However, the discovery of CVE-2023-43813, affecting the version in use, marked the beginning of a deeper exploration into GLPI’s security posture. This particular CVE revealed that from versions 10.0.0 through 10.0.11, it was possible to exploit the saved search functionality for SQL injection.
Without a publicly available Proof of Concept (PoC), the researchers relied on details from NIST to analyze the patch, uncovering that despite additional checks, vulnerabilities remained. Within 24 hours, Quarkslab identified two significant vulnerabilities: an SQL injection vulnerability (CVE-2024-27096, rated CVSS 8.5) exploitable via the search engine, and an SSRF vulnerability (CVE-2024-27098, rated CVSS 5.1) through the misuse of arbitrary object instances.
The SQL injection vulnerability stemmed from inadequate sanitization of user inputs in the search engine, enabling remote attackers to execute arbitrary SQL commands on the database. This vulnerability granted attackers complete control over the application. The SSRF vulnerability, on the other hand, allowed attackers to access sensitive data on the local network or send malicious requests to other servers via the compromised system.
These discoveries were promptly communicated to the GLPI vendor in January 2024. The vendor acknowledged the issues, assigned CVEs in February, and released patches in March with the GLPI 10.0.13 update, which also addressed other vulnerabilities. Given the severity and lack of available mitigations for these vulnerabilities, users are strongly advised to upgrade their GLPI installations to ensure protection against potential exploits.
Fortinet
Fortinet has recently addressed several critical remote code execution (RCE) vulnerabilities across a range of its products, including FortiOS, FortiProxy, and FortiClientEMS, underscoring the importance of maintaining robust security measures.
Among these, CVE-2023-42789, an out-of-bounds write vulnerability discovered in both FortiOS and FortiProxy, enables attackers to run arbitrary code or commands via specially crafted HTTP requests. This vulnerability was rectified alongside CVE-2023-42790, a stack-based buffer overflow issue, also leading to RCE. The resolution for these vulnerabilities has been incorporated into multiple versions of FortiOS and FortiProxy.
Another significant vulnerability, CVE-2023-48788, identified in FortiClientEMS, involves a SQL injection flaw that permits unauthenticated attackers to execute arbitrary code or commands through crafted queries. Fixes for this issue have been issued in FortiClientEMS versions 7.2.3 and 7.0.11. Both CVE-2023-42789 and CVE-2023-48788 have been assigned a CVSS score of 9.3 by Fortinet, though the NIST NVD has rated them slightly higher at 9.8.
In addition to these critical fixes, Fortinet has also rolled out patches for other high-severity vulnerabilities across its suite of products, including issues leading to information disclosure, unauthorized command execution, and additional instances of RCE.
Despite the absence of specific reports from Fortinet regarding the active exploitation of these vulnerabilities, the cybersecurity community widely acknowledges the likelihood of such events occurring. This is especially relevant given the detailed technical information and Proof of Concept (PoC) for CVE-2023-48788 published by Horizon3 researchers, which was followed by reports of active exploitation in the wild, as confirmed by Fortinet. Although the Horizon3 PoC does not facilitate remote code execution without modifications, it serves as a crucial demonstration of system vulnerability. Subsequent reports suggest that attackers have begun to exploit these vulnerabilities, particularly targeting FortiClient Enterprise Management Servers, with more than 440 such servers reportedly accessible online according to Shodan.
This series of patches and the subsequent discovery of active exploitation highlight the critical need for immediate updates to affected Fortinet products, emphasizing the ongoing battle between cybersecurity defenses and the persistent threat posed by hackers.
Atlassian
Atlassian has issued patches for a significant number of vulnerabilities across its product suite, including Bamboo, Bitbucket, Confluence, and Jira, spotlighting a particularly critical flaw in Bamboo Data Center and Server. This flaw, identified as CVE-2024-1597 with a top severity CVSS score of 10, constitutes an SQL injection vulnerability within the org.postgresql:postgresql dependency. Unauthenticated attackers could leverage this vulnerability to access and potentially exploit assets within the environment, posing a considerable threat to the confidentiality, integrity, and availability of the system.
The impacted versions of Bamboo Data Center and Server span from 8.2.1 to 9.5.0, with the issue being rectified in the release of versions 9.6.0 (LTS), 9.5.2, 9.4.4, and 9.2.12 (LTS). Alongside this critical update, Atlassian has also addressed a serious denial of service (DoS) vulnerability, CVE-2024-21634 with a CVSS score of 7.5, affecting both Bamboo and Bitbucket Data Center and Server.
In addition to these patches, Atlassian has resolved a severe path traversal issue in Confluence Data Center and Server and patched a DoS vulnerability in one of its third-party dependencies. The updated Confluence versions, including 8.8.1, 8.5.7 LTS, and 7.19.20 LTS, cover these fixes.
For Jira Software Data Center and Server, the security updates encompass 20 high-severity vulnerabilities, which include 16 DoS, 3 remote code execution (RCE), and 1 server-side request forgery (SSRF) issues. The versions 9.14.1, 9.14.0, 9.12.5 LTS, and 9.4.18 LTS of Jira Software Data Center and Server have been enhanced to address multiple vulnerabilities within third-party dependencies, safeguarding against unauthenticated exploitation.
Atlassian encourages users to update their installations to the latest versions promptly. Although there have been no reported instances of these vulnerabilities being exploited in real-world settings, the potential impact underscores the importance of swift action to maintain the security and resilience of Atlassian’s widely used software development and collaboration tools.
Fortra
Fortra recently addressed a critical vulnerability in its FileCatalyst enterprise managed file transfer (MFT) solution, marking a significant step in bolstering the security of its platforms. This vulnerability, cataloged as CVE-2024-25153, carries a high CVSS score of 9.8, highlighting its severity. The flaw originates from a directory traversal issue in the FileCatalyst Workflow Portal’s ftpservlet, which permits the uploading of files outside the designated uploadtemp directory through specially crafted POST requests. This vulnerability becomes particularly exploitable when a file is uploaded to the DocumentRoot of the web portal, enabling attackers to execute arbitrary code or deploy web shells via crafted JSP files.
LRQA Nettitude initially reported this vulnerability on August 9, 2023, and Fortra promptly responded with a patch in FileCatalyst Workflow version 5.1.6 build 114 two days later, although the CVE identifier was not assigned until December 2023.
Furthermore, the researchers provided a Proof of Concept (PoC) demonstrating the potential for exploiting this vulnerability to upload a web shell and execute system commands, thereby underscoring the critical nature of this security gap.
In a proactive move to secure its ecosystem, Fortra also released patches in January 2024 for additional vulnerabilities in FileCatalyst Direct—CVE-2024-25154 and CVE-2024-25155—that could potentially allow for information disclosure and code execution. Moreover, GoAnywhere MFT received an update in version 7.4.2 to rectify moderate information disclosure vulnerabilities. This action reflects a cautious approach, especially considering past incidents where vulnerabilities in Fortra’s GoAnywhere MFT were exploited by the Cl0p ransomware group.
Given the stark reminder of the potential for exploitation by attackers, particularly with the availability of PoCs, Fortra urges users to diligently apply the updates. This is a crucial step to safeguard against the possibility of attackers leveraging the detailed PoC as a blueprint for launching targeted attacks on systems that remain vulnerable.
Cisco
Cisco has recently announced the release of patches for a series of vulnerabilities in its IOS RX platform, spotlighting three high-severity issues that posed risks of DoS (Denial of Service) and privilege escalation. Among these, CVE-2024-20320 emerges as the most critical, targeting the SSH feature within IOS RX. This vulnerability enabled attackers to achieve super-user privileges by dispatching specific SSH commands to the CLI. Primarily impacting the 8000 Series routers along with the 540 and 5700 Series NCS systems, the flaw has been rectified in the IOS RX version 7.10.2. Users operating on older versions of the software are urged to update to this patched release to mitigate risk.
Another high-severity flaw, identified as CVE-2024-20318, is found in line cards that have Level 2 services activated. Here, attackers could disrupt the network processor on the line card by sending specially crafted Ethernet frames through the device, potentially leading to repeated resets and a consequent DoS state. To address this, Cisco has rolled out fixes in IOS RX versions 7.9.2 and 7.10.1, along with Software Maintenance Updates (SMUs) specifically targeting this vulnerability.
Furthermore, CVE-2024-20327 represents a significant DoS vulnerability within the PPP over Ethernet (PPPoE) termination feature found in ASR 9000 Series routers. Malformed PPPoE packets could trigger a failure in the ppp_ma process, disrupting PPPoE traffic. Routers utilizing the BNG feature for PPPoE termination on Lightspeed-based or Lightspeed-Plus-based line cards are affected. The resolution has been included in IOS RX releases 7.9.21, 7.10.1, and 7.11.1.
Additionally, Cisco has patched several moderate vulnerabilities in IOS XR, which could potentially enable attackers to circumvent security measures, induce a DoS state, or install unverified software images.
These corrections are part of Cisco’s biannual IOS RX security update, encompassing eight advisories. As of the announcement, there have been no reports of these vulnerabilities being exploited in the real world, underscoring the preventive nature of these updates. Users of the affected systems are recommended to apply the patches promptly to ensure their networks remain secure against potential exploitation.
Kubernetes
Akamai researchers have recently shed light on a new high-severity vulnerability within Kubernetes, presenting a remote code execution threat with system privileges on Windows endpoints within a cluster. This vulnerability, catalogued as CVE-2023-5528, impacts standard Kubernetes installations and bears similarities to CVE-2023-3676, which involved a failure to clear the subPath parameter in YAML files. CVE-2023-5528 arises from Kubernetes’ handling of YAML files, particularly when creating a module with a local volume that permits the mounting of disk partitions. In this process, the kubelet service generates a symbolic link between the volume’s node location and its module location, leveraging a cmd call that allows for command grouping within the Windows command line. This flaw enables attackers to execute arbitrary commands with kubelet privileges by controlling a single parameter during the cmd execution.
The vulnerability specifically manifests when defining or creating a persistVolume—a memory resource administrators use for preallocating memory beyond the module’s lifespan. Attackers can exploit this by altering the local.path parameter within the persistVolume YAML file to insert a malicious command that executes during the mounting process. Kubernetes has addressed this vulnerability by eliminating the cmd call in favor of a built-in Go function that solely conducts the symbolic link operation, mitigating the risk of arbitrary command execution.
Vulnerable to this issue are all Kubernetes deployments up to version 1.28.3 that include Windows nodes within the cluster. The resolved version is 1.28.4. Given that this vulnerability originates from the Kubernetes source code and affects a broad range of deployments, the potential for exploitation is significant, urging a swift patching process. Akamai emphasizes the importance of updating Kubernetes clusters to version 1.28.4, advising that this precaution should be taken even in clusters without Windows nodes, to mitigate any potential threats effectively.
Processors
A groundbreaking type of attack, named GhostRace, has been unveiled by researchers from IBM and VU Amsterdam, signaling a broad threat across major processor brands such as Intel, AMD, Arm, and IBM, as well as affecting a wide array of critical software applications. GhostRace capitalizes on a speculative SRC race to leak data, posing a potential risk for the extraction of sensitive information from memory, including passwords and encryption keys. Despite the substantial threat, executing such an attack generally demands physical or elevated access to the target system and presents complex challenges for practical implementation. The attack leverages race conditions—scenarios where concurrent threads vie for access to a shared resource, which could lead to vulnerabilities exploitable for various malicious objectives, including remote code execution (RCE), defense circumvention, and unauthorized data access.
The cornerstone of operating system security, synchronization primitives, intended to prevent race conditions, have been found vulnerable when combined with speculative execution—a technique at the heart of numerous processor attacks in recent years. This analysis reveals that all common synchronization primitives that utilize conditional branches could be microarchitecturally bypassed in speculative paths by inducing SRC conditions via the Spectre-v1 attack, leading to potential data leakage. A novel technique, termed inter-process interrupt interrupting (IPI) storming, facilitates this by timing the interruption of the victim process’s execution precisely, allowing speculative concurrency upon the release of the SCUAF. This method uncovered nearly 1,300 potentially vulnerable points within the Linux kernel, with the researchers successfully demonstrating a kernel memory leak at a rate of 12Kbps through a SCUAF disclosure attack.
While the research predominantly concentrated on x86 architectures and the Linux operating system, the implication is that all major hardware platforms and any software employing synchronization primitives through conditional branches without serialization instructions are susceptible. Notifications were sent to Intel, AMD, Arm, and IBM in late 2023, who then alerted relevant operating system and hypervisor vendors about the GhostRace threat.
In response, AMD has referenced previous guidance on mitigating Spectre attacks as a measure against GhostRace. Meanwhile, the Xen hypervisor team has confirmed the absence of GhostRace vulnerabilities within their project. The Linux team has introduced an IPI rate-limiting feature, though no further actions are planned due to concerns over potential performance degradation. The vulnerabilities have been cataloged as CVE-2024-2193 (GhostRace) and CVE-2024-26602 (IPI Storming), accompanied by the publication of a proof of concept (PoC).
Additionally, the researchers have provided tools for scanning the Linux kernel for SCUAF gadgets, alongside a catalog of discovered gadgets, contributing valuable resources for the cybersecurity community to identify and address potential vulnerabilities within their systems.
How To Efficiently Patch All of These Vulnerabilities And More
Want to learn about newly released updates as soon as they are available? With Action1, you can — as well as streamline the entire patch management process, from identifying missing updates to compliance reporting, across both Windows OS and third-party software.
