Patch Tuesday August 2024 Updates – Vulnerability Digest from Action1
This digest explains the most serious vulnerabilities in popular Windows software that have been patched over the past month.
Microsoft Vulnerabilities
This Patch Tuesday, Microsoft has addressed 87 vulnerabilities, a decrease from last month, including seven critical ones. Notably, this update fixes six zero-days, setting a record for the year in the number of zero-days addressed in a single update. Additionally, two vulnerabilities have been publicly disclosed. Here are the details of the most significant critical updates.
Scripting Engine Memory Corruption Vulnerability (CVE-2024-38178)
CVE-2024-38178 is a critical zero-day vulnerability in the Microsoft Scripting Engine, specifically affecting its operation in Edge’s Internet Explorer (IE) Mode. This vulnerability is classified as CWE-843: Access of Resource Using Incompatible Type (‘Type Confusion’). Type confusion occurs in scripting engines when a program accesses a resource using an incorrect type, leading to memory corruption that attackers can exploit to execute arbitrary code.
Details:
-
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
The essence of CVE-2024-38178 lies in the flawed handling of type constraints within the Microsoft Scripting Engine under Edge’s IE Mode. Due to type confusion, the engine may improperly grant access to or manipulation of memory locations designated for different data types. This defect can result in unpredictable behavior, including memory corruption. A specially crafted payload could manipulate this flaw to achieve remote code execution.
Successful exploitation of this vulnerability allows an unauthenticated remote attacker to execute arbitrary code in the context of the current user. If a user with administrative privileges is compromised, the attacker could potentially gain full control of the system. An attacker would need to craft a malicious URL embedding a payload targeting the type confusion, then persuade the user to click the link, typically via social engineering or phishing. When clicked, the payload activates the vulnerability, leading to remote code execution under the user’s privileges.
Further risks may include the combination of this exploit with other browser vulnerabilities to bypass security mechanisms or secure additional network footholds.
Given a CVSS score of 7.5, this vulnerability is highly severe due to significant impacts on confidentiality, integrity, and availability. Although the high attack complexity suggests that exploitation is challenging, the necessity for user interaction lowers the barrier to a successful attack if social engineering tactics are employed effectively.
This vulnerability affects all Windows versions starting from Windows 10 and all Windows Server versions from 2012. Users are urged to apply the latest patches and updates from Microsoft promptly. If not necessary, disabling Internet Explorer mode in Edge can reduce exposure to this and potential future vulnerabilities linked with legacy compatibility. Additionally, employing advanced browser security settings can mitigate risks from the execution of untrusted scripts.
CVE-2024-38178 underscores the critical importance of robust type validation mechanisms within scripting engines and the broader software ecosystem. Type confusion vulnerabilities pose a particular threat because they allow adversaries to exploit underlying memory operations directly, often circumventing higher-level security controls.
Windows Kernel Elevation of Privilege Vulnerability (CVE-2024-38106)
CVE-2024-38106 is the latest zero-day vulnerability we are examining today. It is an elevation of privilege (EoP) vulnerability in the Windows Kernel, classified under CWE-591: Sensitive Data Storage in Improperly Locked Memory. This vulnerability arises when sensitive data is stored in memory that lacks adequate protection, permitting a low-privileged attacker to manipulate the memory content and escalate their privileges to the SYSTEM level.
Details:
-
- Attack Vector: Local
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
The fundamental issue with CVE-2024-38106 stems from a race condition combined with improper memory handling within the Windows Kernel. Sensitive data, which should be secured in locked memory, is instead vulnerable in a region accessible and modifiable under specific conditions. The challenge in exploiting this vulnerability lies in the necessity to exploit the race condition with precise timing, aiming to gain control over the memory before it is securely locked or accessed.
Successful exploitation of this vulnerability allows an attacker with low privileges to escalate to SYSTEM level, granting full control over the system. This could result in:
-
- Confidentiality Impact: Unauthorized access to sensitive system and user data.
- Integrity Impact: Unauthorized modifications of system configurations, files, and other data.
- Availability Impact: Potential to disable critical system services or cause denial of service conditions.
An attacker, having already gained low-level local access, can manipulate the improperly protected memory. By exploiting the race condition with precise timing, the attacker can insert malicious instructions or redirect sensitive operations. Successful exploitation of this race condition leads to escalated privileges to the SYSTEM level.
Furthermore, an attacker might initially exploit another vulnerability to gain low-level access, then leverage this access to exploit CVE-2024-38106 and command SYSTEM level control. This vulnerability could also be chained with others, such as a remote initial access vulnerability, to bypass network barriers and achieve broader system compromise.
This vulnerability carries a CVSS score of 7.0, reflecting significant risk due to high impacts on confidentiality, integrity, and availability upon successful exploitation. The high attack complexity is due to the precise execution required to exploit the race condition, demanding sophisticated techniques and detailed system knowledge.
CVE-2024-38106 affects Windows OS starting from Windows 10 and Windows Server from 2012. It is imperative to deploy the latest patches and kernel updates provided by Microsoft as they become available.
Historically, kernel vulnerabilities leading to privilege escalation are not uncommon, and CVE-2024-38106 highlights the critical need for secure memory management and timely locking mechanisms within kernel operations. The complexity of exploiting race conditions underscores the importance of meticulous system monitoring and advanced safeguarding techniques. Ensuring that sensitive data is securely stored and that access to critical memory regions is tightly controlled is paramount in defending against such vulnerabilities.
Windows Power Dependency Coordinator Elevation of Privilege Vulnerability (CVE-2024-38107)
CVE-2024-38107 is a zero-day elevation of privilege (EoP) vulnerability affecting the Windows Power Dependency Coordinator, characterized by CWE-416: Use After Free. This type of vulnerability occurs when a program continues to use a pointer to memory after it has been freed, potentially leading to arbitrary code execution or system control.
Details:
-
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
The vulnerability stems from a flaw in how the Windows Power Dependency Coordinator manages dynamic memory. Specifically, it attempts to access memory that has already been freed, leading to undefined behavior. An attacker can exploit this to overwrite memory with malicious data, thereby gaining control of the program’s execution flow and escalating privileges to the SYSTEM level.
An attacker with local access and low privileges can exploit this vulnerability to elevate their privileges to SYSTEM level, thus gaining complete control over the affected system. The impacts of successful exploitation are significant:
-
- Confidentiality Impact: Unauthorized access to sensitive and private data.
- Integrity Impact: The ability to modify or delete critical system files and configurations.
- Availability Impact: Potential disruption of system functions, leading to a denial of service.
The exploitation process involves an attacker identifying the use-after-free condition in the Windows Power Dependency Coordinator. The attacker then crafts a payload that triggers this condition, manipulating memory to take control over the program’s execution. Once exploited successfully, the attacker’s privileges are elevated to SYSTEM, providing full control over the system. It’s possible that an attacker could initially exploit a remote vulnerability to gain low-privilege access, then use CVE-2024-38107 to escalate to SYSTEM level, further solidifying control over the system. This elevated access could be used to disable security mechanisms, deploy additional malware, or facilitate lateral movement within the network.
Although no specific publicly available proof-of-concept (PoC) has been disclosed, the fact that this vulnerability has been exploited in the wild indicates that functional exploits exist and are actively used by attackers. CVE-2024-38107 affects Windows OS starting from Windows 10 and Windows Server from 2012 onwards.
This critical elevation of privilege vulnerability, with its significant potential impact, highlights the urgency for affected systems to be patched and secured. Despite its local attack vector, the low complexity and absence of required user interaction make CVE-2024-38107 a compelling target for attackers seeking SYSTEM privileges. The confirmed exploitation in the wild further underscores the practical danger posed by this vulnerability.
Microsoft Project Remote Code Execution Vulnerability (CVE-2024-38189)
CVE-2024-38189 is a remote code execution (RCE) vulnerability affecting Microsoft Project, arising from improper input validation as classified under CWE-20. This vulnerability enables attackers to create malicious Project files that can execute arbitrary code when opened.
Details:
-
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
The core issue lies in Microsoft Project’s failure to adequately validate inputs within Project files. Attackers can exploit this by crafting a Project file with embedded executable code that bypasses security mechanisms. When a user opens such a file, the embedded code executes, leading to potential remote code execution on the victim’s system.
Impact of Successful Exploitation:
-
- Confidentiality Impact: Unauthorized access to sensitive data on the victim’s machine.
- Integrity Impact: Potential alteration or deletion of data and installation of malicious software.
- Availability Impact: Disruption of services, system inoperability, or conditions leading to denial of service.
Exploitation Techniques:
-
- An attacker may distribute a malicious Microsoft Project file via email, using social engineering to deceive the victim into opening the file. Upon opening, the embedded code executes, compromising the system.
- Alternatively, the attacker might host the malicious file on a website or upload it to a compromised site accepting user content. The victim could be enticed through phishing or other social engineering methods to download and open the file, leading to system compromise.
Additional Exploitation Context:
-
- Exploitation has been detected in the wild.
- While no public proof-of-concept (PoC) is available, the presence of active exploits confirms the threat.
- The vulnerability cannot be exploited via the Preview Pane in email clients; it requires the victim to fully open the file.
- Effective exploitation may depend on the victim’s system settings, such as disabled policies for blocking macros from running in Office files from the Internet or not having enabled VBA Macro Notification Settings.
Affected Versions:
-
- All Microsoft Project versions starting from 2016 are susceptible to this vulnerability.
CVE-2024-38189 represents a critical RCE vulnerability with a CVSS score of 8.8, signifying a substantial risk with high impacts on confidentiality, integrity, and availability. Given its low attack complexity and no requirement for privileges, the vulnerability poses a significant threat, particularly if attackers successfully entice users to open malicious Project files. The confirmed exploitation in the wild amplifies the urgency for administrators to enforce appropriate configurations and updates to mitigate this vulnerability. In addition, robust user education and stringent security policies are crucial to defend against these sophisticated social engineering attacks.
Windows Line Printer Daemon (LPD) Service Remote Code Execution Vulnerability (CVE-2024-38199)
CVE-2024-38199 is a critical remote code execution (RCE) vulnerability affecting the Windows Line Printer Daemon (LPD) service, identified by the underlying weakness CWE-416: Use After Free. This vulnerability occurs when the LPD service improperly handles memory references after freeing them, potentially allowing an attacker to execute arbitrary code remotely.
Details:
-
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
The root cause of CVE-2024-38199 stems from inadequate memory management within the Windows LPD service. The service experiences a use-after-free condition when it accesses memory that has already been released. An attacker can exploit this by sending specially crafted print tasks to the LPD service. These tasks cause the system to access the freed memory and execute the malicious code embedded within.
Exploitation Process:
-
- An attacker identifies a vulnerable Windows LPD service running on a network.
- The attacker sends a malicious print task specifically designed to exploit the use-after-free condition.
- The malicious code within the print task is executed by the LPD service, granting the attacker control over the server.
- The attacker may utilize network scanning tools to find systems with LPD service enabled and leverage other network vulnerabilities to deliver the exploit payload.
Although no exploitation in the wild has been detected, and despite the public disclosure, there is currently no publicly available proof-of-concept (PoC) code. The likelihood of exploitation is considered lower due to the deprecated nature of the service.
The vulnerability carries a CVSS score of 9.8, highlighting its critical severity. This score reflects the substantial potential impact on confidentiality, integrity, and availability if exploited. The risks associated with this RCE vulnerability are significant, ranging from data theft to system compromise and denial-of-service attacks.
Despite these risks, the likelihood of exploitation is low because the LPD service is neither installed nor enabled by default on modern Windows systems. Since Microsoft deprecated the service starting with Windows Server 2012, its presence in contemporary network environments has diminished. Recommendations against enabling the LPD service in favor of more secure printing solutions further reduce the attack surface.
Impact if Exploited:
-
- Confidentiality: High. Unauthorized access to sensitive data could occur if an attacker gains remote execution capabilities.
- Integrity: High. An attacker could alter or delete data, causing significant disruption.
- Availability: High. Exploitation could lead to service disruptions or denial-of-service conditions, impacting business operations.
Given the deprecated status of the LPD service and proactive IT management practices, fewer servers are expected to be running it, serving as significant mitigating factors. Users are advised against enabling the LPD service.
CVE-2024-38199 represents a critical remote code execution vulnerability within the Windows LPD service due to improper memory management leading to a use-after-free condition. Although it has been publicly disclosed without active exploitation or a publicly available PoC, the high potential impact on confidentiality, integrity, and availability remains a significant concern for systems where the LPD service is still in use.
Windows Kernel
At the Black Hat 2024 conference, SafeBreach researcher Alon Leviev unveiled two zero-day vulnerabilities that facilitate attacks causing rollbacks of critical patches in Windows 10, Windows 11, and Windows Server. These attacks can force an updated system to revert to earlier software versions, re-exposing previously patched vulnerabilities that compromise system integrity. Furthermore, attackers can manipulate the Windows update process to downgrade critical operating system components, such as dynamic libraries (DLLs) and the NT kernel. When checked by the Windows Update Center, these downgraded components appear up-to-date, eluding detection.
Leviev also demonstrated methods to disable Windows virtualization-based security (VBS) features, including Credential Guard and Hypervisor-Protected Code Integrity (HVCI), despite UEFI locks—achieving, for the first time, bypass of UEFI VBS locks without physical access. This vulnerability turns a “fully patched” Windows machine susceptible to thousands of legacy vulnerabilities, rendering the term “fully patched” obsolete. The downgrade attack remains largely undetectable, as it bypasses Endpoint Detection and Response (EDR) solutions and leaves no trace, with the Windows Update Center reporting the system as fully up-to-date.
Since reporting the downgrade attack to Microsoft in February, the company has yet to issue a patch, providing only mitigation advisories for Windows Update Stack Elevation of Privilege and Windows Secure Kernel Mode Elevation of Privilege. Microsoft has acknowledged the CVE-2024-38202 privilege escalation vulnerability in Windows Backup, which allows attackers with basic user privileges to “undo” patches or bypass VBS features. Additionally, the CVE-2024-21302 vulnerability enables attackers with administrative privileges to replace system files with outdated, vulnerable versions.
Microsoft has stated that it is not currently aware of any real-world attempts to exploit this vulnerability and recommends that customers follow the guidelines provided in the two advisories released. The company has also addressed CVE-2024-21302 in the most recent Patch Tuesday and is actively working to patch CVE-2024-38202. This includes updates that override outdated, uncorrected VBS system files to mitigate the attack. The researcher believes the impact will be significant, not only for Microsoft Windows but also for other operating system vendors that may be vulnerable to downgrade attacks.
Windows SmartScreen
Hackers have been exploiting vulnerabilities in Windows Smart App Control and SmartScreen for over six years to bypass security warnings. Smart App Control, a reputation-based security feature in Windows, checks the integrity of Windows code and blocks untrustworthy or potentially dangerous binaries and applications. It serves as a successor to SmartScreen in Windows 11, which was designed in Windows 8 to protect against potentially malicious content. Both features are triggered when a user opens files marked with the Mark of the Web (MotW).
Researchers at Elastic Security Labs discovered a flaw in the handling of LNK files, termed “LNK stomping,” which allows attackers to bypass Smart App Control. This technique involves creating LNK files with non-standard destination paths or structures. When such a file is clicked, explorer.exe modifies the LNK file to implement canonical formatting, inadvertently removing the MotW label, thus bypassing security checks.
The vulnerability has been exploited for years, as indicated by several samples found on VirusTotal, with the oldest submission dating back more than six years. Elastic Security Labs also uncovered additional vulnerabilities that enable attackers to bypass Smart App Control and SmartScreen, including the use of code signing or Extended Validation (EV) signature certificates, as well as tactics involving reputation hijacking, formatting, and spoofing.
Despite reporting these findings to Microsoft’s Security Response Center, Elastic Security Labs has not received an adequate response. Although a future Windows update may address these issues, the current implementation of Smart App Control and SmartScreen inadvertently allows initial access without security warnings, requiring minimal user interaction.
Google Chrome
Google Chrome has recently updated its stable channel to version 127.0.6533.99/.100 across Windows, Mac, and Linux platforms. This release addresses multiple vulnerabilities that could potentially be exploited by malicious actors. This update includes five security fixes, reflecting the collaborative efforts in modern cybersecurity. Notable among these vulnerabilities are issues such as out-of-bounds memory access, use after free, type confusion, heap buffer overflow, and inappropriate implementation:
-
- CVE-2024-7532: Critical Severity – Out of Bounds Memory Access in ANGLE. This critical vulnerability occurs within ANGLE, a key component that translates OpenGL ES graphics to various backends like Direct3D and Vulkan. If exploited, it could allow attackers to execute arbitrary code, potentially compromising the system.
- CVE-2024-7533: Use After Free in Sharing. This vulnerability in Chrome’s sharing functionality could allow attackers to execute arbitrary code or escalate privileges within the browser.
- CVE-2024-7550: Type Confusion in V8. Found in the V8 JavaScript engine, this type confusion issue could lead to arbitrary code execution. It occurs when the engine incorrectly handles memory allocation for one type but accesses it as another.
- CVE-2024-7534: Heap Buffer Overflow in Layout. This vulnerability in the layout component can lead to arbitrary code execution or cause the browser to crash, stemming from memory manipulation.
- CVE-2024-7535: Inappropriate Implementation in V8. An inappropriate implementation in the V8 JavaScript engine could be exploited to perform unauthorized actions or crash the browser.
- CVE-2024-7536: Use After Free in WebAudio. This issue affects the WebAudio API and could allow arbitrary code execution, impacting audio processing within the browser.
Google utilizes advanced detection tools like AddressSanitizer, MemorySanitizer, and libFuzzer to identify and address vulnerabilities, underscoring their commitment to user security.
Mozilla Firefox
In Firefox 128, 20 security issues have been resolved, including eight vulnerabilities rated as critical. Six of these critical vulnerabilities arise from memory-related issues such as buffer overflows and accessing freed memory areas. Here are the top five most interesting vulnerabilities:
-
- CVE-2024-6605: Firefox Android Missed Activation Delay to Prevent Tapjacking. This vulnerability in the Android version of Firefox stems from the absence of an activation delay for permission prompts. Activation delays are vital security features that ensure users consciously grant permissions. Without this delay, malicious apps can overlay deceptive graphics over the real interface, tricking users into unintentionally interacting with permission prompts. The potential for attackers to gain permissions for camera, microphone, or location access poses a significant threat to user privacy and security.
- CVE-2024-6606: Out-of-bounds Clipboard Read Component. This issue arises from improper bounds checking within Firefox’s clipboard component, where the code fails to accurately verify indices when accessing an array, leading to an out-of-bounds read. This vulnerability can expose sensitive information stored in adjacent memory locations, which might include user data or session details, thereby risking a more extensive security breach.
- CVE-2024-6609: Memory Corruption in NSS. This vulnerability occurs when the system exhausts memory, leading to the incorrect release of an elliptic curve key that was never allocated, causing memory corruption. This error stems from inadequate memory management and improper response to low memory conditions within the Network Security Services (NSS) library. Such corruption can lead to unpredictable system behavior, crashes, or exploitable conditions that may allow attackers to run arbitrary code, potentially exposing cryptographic keys and sensitive data.
- CVE-2024-6600: Memory Corruption in WebGL API. Rooted in the WebGL API, specifically within Angle for GLSL shaders on MacOS, this bug surfaces during large allocation checks. When more than 8192 integers are allocated, lax checks can lead to out-of-bounds access, resulting in memory corruption. The consequences of this may include crashes and local denial of service. Moreover, the corrupted memory could potentially be manipulated to execute arbitrary code, thus compromising the system’s integrity and security.
- CVE-2024-6604: Memory Vulnerabilities in Firefox 128. This encompasses a range of memory safety issues potentially leading to memory corruption, likely from non-adherence to contemporary memory safety practices, including use-after-free and buffer overflows. These vulnerabilities, depending on their exploitation, can cause effects ranging from simple application crashes to full remote code execution.
Progress Software WhatsUp Gold
Hackers have historically targeted Progress products, and this time the focus was on WhatsUp Gold, a widely-used network monitoring solution. The vulnerability identified as CVE-2024-4885, involves a path traversal issue that allows attackers to execute arbitrary code on a server without requiring authentication, thereby compromising the security of networks and devices controlled by the software.
Progress WhatsUp Gold is crucial for organizations as it monitors the health and performance of applications, network devices, and servers both in the cloud and on local machines. It also facilitates the remote management of devices using stored credentials. The core of the vulnerability lies in the NmApi.exe process, which listens on ports 9642 and 9643 and utilizes WCF .NET services. The service configuration is inadequately secured, particularly lacking in security settings for basicHttpBinding, which enables attackers to interact with WCF services without authentication.
To exploit this vulnerability, an attacker sends specially crafted JSON to the server, allowing them to manipulate the reporting process and inject malicious code. For instance, a request could prompt a response from a remote server containing malicious code, enabling the attacker to create and execute files with arbitrary content on the server. Successful exploitation could give attackers full control over all devices connected to WhatsUp Gold, including servers, network devices, and workstations, potentially leading to data leaks, configuration changes, service shutdowns, and other severe disruptions.
In response, Progress swiftly issued an update to remedy this vulnerability. Users are strongly advised to update their WhatsUp Gold installations to the latest version as soon as possible. Additionally, it’s recommended to enhance WCF security settings and conduct regular scans for suspicious activity to further secure the system against potential attacks.
CVE-2024-4885 poses a significant threat to the security of networks and devices managed by WhatsUp Gold. Promptly updating and reinforcing security measures are crucial steps in protecting systems and safeguarding data. Details and proof of concepts (PoCs) have been available since early July.
1Password
AgileBits, the developer of the widely-used 1Password password manager, has addressed a critical vulnerability that could allow attackers to access password vault items and unlock keys for macOS user accounts. Identified as CVE-2024-42219 with a CVSS rating of 7.0, this vulnerability enables a malicious process running on a local device to circumvent macOS inter-process protection and exfiltrate vault items, account unlock keys, and SRP (Secure Remote Password) values from 1Password. SRP is a security level that facilitates access to the 1Password vault; however, it is just one component of 1Password’s multi-layered security architecture, which also includes a 128-bit secret key generated on the user’s device and unknown to anyone at AgileBits, including its employees.
The vulnerability was uncovered by the Robinhood Red Team, who had full control over a user’s device during their investigation. AgileBits has since released a patch in version 8.10.38 of 1Password and plans to share more details on their blog following the team’s presentation at the DEFCON conference. The company expressed gratitude to the Robinhood Red Team for their collaborative efforts.
CVE-2024-42219 impacts all users of 1Password version eight for macOS who have not updated to version 8.10.36 or later. For an attack to be successful, the attacker must persuade the user to run the malware on their computer. AgileBits has confirmed that, to their knowledge, no parties other than the Robinhood Red Team have discovered or exploited this vulnerability, and the company has not received any reports suggesting otherwise.
All users of 1Password for macOS are strongly encouraged to update their software to the latest version to protect against this vulnerability, which has been resolved as of version 8.10.36.
Browsers
Researchers at Oligo Security have uncovered a zero-day vulnerability that has been present since 2006, affecting all major browsers and allowing malicious websites to compromise local networks. This critical vulnerability arises from a fundamental flaw in how browsers handle network requests, potentially enabling attackers to access sensitive services on local devices. The vulnerability stems from inconsistent security implementations and a lack of standardization across browsers. This allows the use of an innocuous-looking IP address, 0.0.0.0.0, to exploit local services, leading to unauthorized access and remote code execution (RCE) outside the protected network.
This zero-day vulnerability impacts Google Chrome/Chromium, Mozilla Firefox, and Apple Safari, allowing external sites to interact with software running locally on macOS and Linux systems. However, it does not affect Windows, as Microsoft blocks this IP address at the operating system level.
Oligo Security discovered that public sites with .com domains could communicate with local network services, executing arbitrary code on a visitor’s machine using the address 0.0.0.0.0, bypassing the typical localhost (127.0.0.1) restrictions. This issue represents a Private Network Access (PNA) bypass, intended to prevent public websites from directly accessing endpoints on private networks. Applications running locally and accessible at the address 0.0.0.0.0 are particularly susceptible to RCE, demonstrated by vulnerabilities in local Selenium Grid instances, where a POST request to 0.0.0.0.0:4444 with a specially crafted payload could be exploited.
In response, browser developers are expected to block access to the 0.0.0.0.0 address, thus preventing direct access to private endpoints from public websites. Until these changes are implemented, attackers can exploit this vulnerability using public domains to target local services and achieve RCE with a single HTTP request.
Chrome developers have announced plans to prohibit public sites from connecting to local resources via the IP address 0.0.0.0.0, with the change set to take effect in Chrome version 133, slated for release next January. Previously, Google had already restricted access to local resources via well-known URLs like localhost and 127.0.0.1/8 but had initially overlooked the 0.0.0.0.0 URL, primarily affecting macOS and Linux users.
Mailcow and Roundcube
Administrators of the widely-used open-source email services Mailcow and Roundcube need to address newly disclosed vulnerabilities. Researcher Mare Patrick has released a Proof of Concept (PoC) for a Mailcow server vulnerability, designated as CVE-2024-41958 with a CVSS rating of 6.6. This vulnerability impacts the two-factor authentication (2FA) mechanism, allowing an authenticated attacker to bypass 2FA protection and gain unauthorized access to other accounts secured by 2FA.
To exploit this flaw, an attacker must initially compromise an account on the Mailcow system and possess the credentials of a target account that has 2FA enabled. This issue has been addressed in Mailcow’s 2024-07 release, and all users are encouraged to upgrade promptly. There are no known workarounds for this vulnerability.
Simultaneously, researchers from Sonarsource have identified two Cross-Site Scripting (XSS) vulnerabilities in Roundcube, identified as CVE-2024-42009 and CVE-2024-42008. These vulnerabilities allow an unauthenticated attacker to execute malicious JavaScript code within a user’s Roundcube mailbox. Specifically, CVE-2024-42009 can be exploited merely by a user viewing an attacker’s email, while CVE-2024-42008 requires just a single click from the victim, which the attacker can render invisible. These attacks can lead to the theft of emails, contacts, and unauthorized sending of emails from the victim’s account.
Roundcube administrators are urged to update to the patched versions 1.6.8 or 1.5.8 as soon as possible to mitigate these risks.
Android
Google has issued security updates for Android, addressing 46 vulnerabilities, one of which is a critical zero-day vulnerability currently being exploited in targeted attacks. This vulnerability, identified as CVE-2024-36971, involves a Use After Release (UAF) flaw in the Linux kernel’s network route management. It could alter the behavior of certain network connections and requires system execution privileges to exploit successfully. Google has confirmed that this zero-day is being used to execute arbitrary code on unpatched devices without any user interaction, indicating that the attacks may involve spyware, as suggested by the involvement of Google’s Threat Analysis Group (TAG) in the disclosure process.
Details about the exact nature of the exploitation and the identity of the perpetrators have not been disclosed. Google has rolled out two sets of patches in its August 2024 updates: versions 2024-08-01 and 2024-08-05. The source code fixes for these issues will be available in the Android Open Source Project (AOSP) repository within the next 48 hours. These updates rectify more than 40 other high-severity vulnerabilities.
The updates address nearly a dozen bugs in the framework component, including elevation of privilege (EoP), information disclosure, and denial of service (DoS) vulnerabilities, with additional fixes in the system component for an information disclosure issue. The patches also resolve vulnerabilities in hardware components from Arm, Imagination Technologies, and MediaTek.
The 2024-08-05 update includes all security patches from the first release and additional patches for third-party closed-source and kernel components, such as a critical vulnerability (CVE-2024-23350) in a Qualcomm component. It’s important to note that not all Android devices may need the vulnerabilities addressed in the 2024-08-05 patch level. Device manufacturers might prioritize the deployment of the first patch level to simplify the update process, although this is not mandatory.
VMware ESXi
Shadowserver has reported the discovery of over 20,000 VMware ESXi instances exposed on the Internet that are susceptible to an exploitable vulnerability. This vulnerability, cataloged as CVE-2024-37085 with a CVSS rating of 6.8, is a medium-severity authentication bypass that permits an attacker to gain full control of a vulnerable ESXi instance. Specifically, an attacker with adequate Active Directory (AD) privileges can gain complete access to an ESXi host configured to use AD for user management by manipulating a custom AD group (typically named “ESX Administrators”) after removing it from AD.
VMware released a patch for this vulnerability on July 24. Shortly thereafter, Microsoft identified several hacker groups that had already exploited this flaw in their attacks. Notable groups such as Storm-0506, Storm-1175, Octo Tempest, and Manatee Tempest have utilized this vulnerability in multiple assaults, including deploying ransomware variants like Akira and Black Basta. In the documented incidents, attackers established an ESX Administrators group and added themselves as members, thereby obtaining full administrative rights over all VMware ESXi hypervisors that joined this group. The successful exploitation of this vulnerability resulted in complete administrative control over the ESXi hypervisors, ultimately enabling the attackers to encrypt the hypervisor’s file system.
The Shadowserver Foundation has added CVE-2024-37085 to its list of tracked CVEs and noted that as of July 30, over 20,000 Internet-accessible, vulnerable instances had been identified. While some of these instances might have implemented workarounds to mitigate exploitation risks, the existence of this moderate vulnerability and its active exploitation by multiple threat actors underscore the urgency for all organizations to apply the available patches.
Zoho
Zoho has issued two security updates for its ManageEngine software, addressing two SQL post-authentication vulnerabilities in Exchange Reporter Plus. These vulnerabilities are identified as CVE-2024-38871 and CVE-2024-38872, each with a CVSS score of 8.3. There are no reports of these vulnerabilities being exploited in the wild as of now.
These vulnerabilities could allow an authenticated adversary to execute custom queries and access entries in the database table via the affected request. Given the severity of these vulnerabilities, customers are strongly advised to update their Exchange Reporter Plus software to the latest build immediately.
Progress Software MOVEit
Progress has released a patch for a misauthentication vulnerability in the MOVEit Transfer’s SFTP module, identified as CVE-2024-6576 with a CVSS score of 7.3. This vulnerability could potentially lead to privilege escalation. Although there has been no reported exploitation, given MOVEit’s history, it is prudent to anticipate possible security issues.
The patch addressing this vulnerability was included in the latest software update on July 29, 2024. Users are advised to update their systems promptly to mitigate any risks associated with this vulnerability.
Apple
Apple has rolled out a comprehensive update package to address various security vulnerabilities across its platforms, including iOS, macOS, tvOS, visionOS, watchOS, and Safari, benefiting both older and newer devices.
The updates for iOS 17.6 and iPadOS 17.6 target the latest generation of iPhone and iPad devices, rectifying a total of 35 bugs. These vulnerabilities range from authentication and policy bypasses to unexpected application terminations, system shutdowns, information disclosure, Denial of Service (DoS), and memory leaks. Notably, some of these issues were found in third-party components integrated into Apple’s operating systems, such as the libtiff library and ANGLE. Many of these fixes have also been applied in the iOS 16.7.9 and iPadOS 16.7.9 updates for older devices.
Additionally, Apple has released macOS Sonoma 14.6, which resolves nearly 70 vulnerabilities, including those addressed in the iOS and iPadOS updates. macOS Ventura and macOS Monterey have also seen patches for another 40 vulnerabilities, with several fixes targeting issues in third-party components like Apache HTTP Server, curl, libtiff, OpenSSH, and the ANGLE graphics engine.
Safari 17.6 has been updated to correct nine bugs, eight of which impact the WebKit browser engine. Moreover, significant fixes for iOS and macOS vulnerabilities have been included in the updates for tvOS, visionOS, and watchOS.
While Apple has not indicated that any of these vulnerabilities are currently being exploited in the wild, it strongly advises users to update their devices promptly to safeguard against potential security risks.
Researcher Somyajit Das has uncovered a significant vulnerability in the latest version of WhatsApp for Windows, which permits Python and PHP attachments to be sent and executed without warnings upon being opened by the recipient. For a successful attack, Python must be installed on the recipient’s computer, thus likely limiting potential targets to software developers, researchers, and power users.
Das identified the issue by testing various file types that could be attached to WhatsApp messages to determine if the app failed to block any potentially risky ones. While WhatsApp restricts several file types including EXE, COM, SCR, BAT, Perl, DLL, HTA, and VBS, Das discovered that it does not block three specific types: PYZ (Python ZIP application), PYZW (PyInstaller program), and EVTX (Windows event log file). Further independent tests confirmed that WhatsApp does not prevent the execution of Python files, and similarly, PHP scripts can also be executed if opened. For all other file types, attempting to run them directly from the app by clicking “Open” results in an error; execution is only possible after saving the files to disk.
Das reported this issue to Meta on June 3. On July 15, he received a response indicating that the issue had already been identified by another researcher. Subsequently, Meta classified the issue as N/A and stated that there are no plans to address the vulnerability.
Acronis Cyber Protect
Acronis is urging customers to urgently patch a critical vulnerability in Acronis Cyber Protect (ACI), a unified, multi-tenant platform that integrates remote endpoint management, backup, and virtualization capabilities. This platform is essential for running disaster recovery workloads and securely storing corporate backups.
The vulnerability, identified as CVE-2023-45249, allows attackers to bypass authentication on vulnerable servers using default credentials. Over 20,000 service providers worldwide use ACI to protect more than 750,000 businesses across more than 150 countries.
CVE-2023-45249 can be exploited in low-complexity attacks that do not require user interaction, allowing unauthorized attackers to remotely execute code on unpatched ACI servers.
The vulnerability impacts several versions of the Acronis Cyber Infrastructure:
-
- Before 5.0.1-61, patched in ACI 5.0 1.4
- Before 5.1.1-71, patched in ACI 5.1 1 1.2
- Before 5.2.1-69, patched in ACI 5.2 1.3
- Before 5.3.1-53, patched in ACI 5.3 1.3
- Before 5.4.4-132, patched in ACI 5.4 4 4.2
Despite being patched nine months ago, Acronis has confirmed in a recent bulletin that this vulnerability is now being exploited in real-world attacks, emphasizing the importance of applying these updates immediately to protect against potential breaches.
Progress Software Telerik Report
Progress Software has issued an urgent advisory to patch a critical remote code execution (RCE) vulnerability in Telerik Report Server, a platform that serves as a centralized repository for creating, deploying, sharing, and managing reports across an organization.
The vulnerability, identified as CVE-2024-6327, stems from an untrusted data deserialization issue that allows attackers to execute code remotely on unpatched servers. This vulnerability affects Telerik Report Server versions up to 2024 Q2 (10.1.24.514). A fix has been implemented in the subsequent release, version 2024 Q2 (10.1.24.709), making updating the only complete resolution to this security risk. For those unable to update immediately, Progress has provided a workaround that involves changing the Report Server Application Pool user to one with limited privileges, among other steps.
While there have been no reported exploits of CVE-2024-6327 to date, other vulnerabilities in Telerik products have seen exploitation. One notable incident occurred in 2022, when a U.S. federal agency’s web server was compromised due to a vulnerability in the Progress Telerik user interface, CVE-2019-18935. More recently, researchers developed and deployed a proof of concept (PoC) for an RCE on Telerik Report servers by exploiting a critical authentication bypass vulnerability (CVE-2024-4358) in conjunction with a high-risk RCE (CVE-2024-1800). This history underscores the importance of promptly applying the latest security patches to prevent potential breaches.
Docker
Docker has released updates to address a critical vulnerability that has lingered unnoticed for five years in some versions of Docker Engine, allowing for the bypass of authorization plugins (AuthZ) under certain conditions.
This vulnerability, initially discovered and patched in Docker Engine v18.09.1 in January 2019, mysteriously reappeared in later versions due to the fix not being carried forward, leaving a significant oversight until its rediscovery in April 2024. It is now designated as CVE-2024-41110, with a critical severity rating (CVSS score: 10.0). The vulnerability involves a flaw where a specially crafted API request with a content-length of zero bypasses normal security checks. Typically, API requests include a body that carries data necessary for the request, and the authorization plugin uses this data to make access control decisions. However, when the content-length is set to zero, the request passes through the AuthZ plugin without a body, thus evading proper validation and potentially leading to unauthorized actions, including privilege escalation.
CVE-2024-41110 impacts Docker Engine versions up to v19.03.15, v20.10.27, v23.0.14, v24.0.9, v25.0.5, v26.0.2, v26.1.4, v27.0.3, and v27.1.0, specifically affecting users who utilize authorization plugins to control access. Users of Mirantis Container Runtime, commercial Docker products, and those not using authorization plugins are not affected by this vulnerability, regardless of the version they are running.
For those affected, it is recommended to upgrade to the latest secured versions, particularly v23.0.14 and v27.1.0. Notably, the latest Docker Desktop version 4.32.0 also contains the vulnerable Docker Engine, but the risk is mitigated somewhat by the requirement of having access to the Docker API and any privilege escalation being confined to VMs. The forthcoming Docker Desktop v4.33.0 will fully address this issue. Users unable to upgrade immediately should consider disabling AuthZ plugins and restricting access to the Docker API as temporary measures.
How To Efficiently Patch All of These Vulnerabilities And More
Want to learn about newly released updates as soon as they are available? With Action1, you can — as well as streamline the entire patch management process, from identifying missing updates to compliance reporting, across both Windows OS and third-party software.
