Patch Tuesday July 2024 Updates – Vulnerability Digest from Action1
This digest covers the most serious vulnerabilities patched over the past month in widely used software: Microsoft products, Chrome and Firefox, Android, OpenSSH, Splunk, Intel CPUs, CocoaPods, and Cisco and Juniper network devices.
Microsoft Vulnerabilities
This Patch Tuesday, Microsoft addressed 142 vulnerabilities, the largest monthly count of the year so far and nearly triple June's total. Five are rated critical. Two of the flaws, CVE-2024-38080 and CVE-2024-38112, are zero-days that were exploited before the patch was available, and two others, including CVE-2024-35264 discussed below, had been publicly disclosed. Below are the details of the most noteworthy updates.
Windows Hyper-V Elevation of Privilege Vulnerability (CVE-2024-38080)
CVE-2024-38080 is a zero-day elevation of privilege vulnerability in Hyper-V, Microsoft's virtualization stack, with a CVSS rating of 7.8. The underlying weakness is CWE-190: Integer Overflow or Wraparound.
An integer overflow occurs when the result of an arithmetic operation exceeds the largest value representable in a fixed-width integer and wraps around to a much smaller value. In code that consumes values supplied by a guest, such as counts or sizes used for resource allocation, address mapping, or hypercall argument validation, a wrapped value can pass a bounds check that the true value would fail, so a later copy or indexing operation writes past the intended memory and corrupts adjacent data structures. The advisory does not say which Hyper-V operation is affected; what it does state is the outcome: successful exploitation gives the attacker SYSTEM privileges.
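To make the wraparound mechanism concrete, here is an added example (not code from this digest or from Hyper-V, whose affected code path is not public) modelling the bug class: a size computation done in a fixed-width integer wraps, so a request that needs far more memory than the buffer holds passes the size check. The 32-bit width, the 256-byte buffer, the 8-byte request header and the request bytes are assumptions constructed for illustration.

```python
"""Integer overflow defeating a bounds check (CWE-190): vulnerable vs. hardened.

Added example; the buffer size, header layout and request bytes are assumptions
constructed for illustration, not Hyper-V internals.
"""
import struct

UINT32_MAX = 0xFFFFFFFF
BUFFER_SIZE = 256  # assumed fixed-size buffer the host fills with guest-supplied data


def wrap32(value: int) -> int:
    """Emulate unsigned 32-bit arithmetic: keep only the low 32 bits."""
    return value & UINT32_MAX


def parse_request(blob: bytes):
    """Assumed header layout: little-endian uint32 element count, uint32 element size."""
    count, elem_size = struct.unpack_from("<II", blob, 0)
    return count, elem_size


def vulnerable_size_check(count: int, elem_size: int, buffer_size: int = BUFFER_SIZE) -> bool:
    """The flawed check: count * elem_size is computed in 32 bits and may wrap.

    A wrapped product can be tiny, so the check passes even though the caller
    will later copy the true (huge) amount of data into the buffer.
    """
    needed = wrap32(count * elem_size)
    return needed <= buffer_size


def safe_size_check(count: int, elem_size: int, buffer_size: int = BUFFER_SIZE) -> bool:
    """The hardened check: refuse any product that cannot be represented in 32 bits.

    Testing count > UINT32_MAX // elem_size before multiplying is the standard
    overflow guard; a zero element size is rejected as malformed.
    """
    if elem_size == 0 or count > UINT32_MAX // elem_size:
        return False
    return count * elem_size <= buffer_size


def evaluate(blob: bytes) -> dict:
    """Return what each check decides for a request, plus the true and wrapped sizes."""
    count, elem_size = parse_request(blob)
    return {
        "count": count,
        "elem_size": elem_size,
        "true_bytes": count * elem_size,
        "wrapped_bytes": wrap32(count * elem_size),
        "vulnerable_accepts": vulnerable_size_check(count, elem_size),
        "safe_accepts": safe_size_check(count, elem_size),
    }


# Constructed requests: a benign one, and one crafted so that count * 4 wraps to 4.
BENIGN_REQUEST = struct.pack("<II", 16, 4)            # 64 bytes, fits in 256
OVERFLOW_REQUEST = struct.pack("<II", 0x40000001, 4)  # 4 GiB + 4 bytes, wraps to 4

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_REQUEST), ("overflow", OVERFLOW_REQUEST)):
        print(name, evaluate(blob))
```

The crafted request declares 0x40000001 elements of 4 bytes: the true size is just over 4 GiB, but in 32 bits it wraps to 4, so the vulnerable check accepts it while the hardened check, which tests for overflow before multiplying, rejects it.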
- Attack Vector: Local. The attacker must already be able to run code on the affected system, for example under a compromised low-privileged user account.
- Attack Complexity: Low. No special timing or preparation is needed once local access is obtained.
- Privileges Required: Low. A standard, unprivileged account suffices.
Although the CVSS metrics indicate a low-complexity attack that needs no user interaction, the local attack vector means the attacker must first obtain a foothold, typically a compromised low-privileged account. From there, triggering the integer overflow escalates that account to SYSTEM on the Hyper-V host.
The impact of CVE-2024-38080 on confidentiality, integrity, and availability is substantial:
- Confidentiality: Attackers with SYSTEM privileges could access sensitive data across all VMs on the compromised Hyper-V instance.
- Integrity: An attacker could alter critical system files and configurations or install malware with SYSTEM-level privileges, undermining the host system’s integrity.
- Availability: Malicious activities could disrupt services by crashing the host system or causing resource exhaustion, leading to a denial of service for all hosted VMs.
CVE-2024-38080 illustrates the damage an integer overflow can do in a virtualization layer: a single host-level escalation jeopardizes the confidentiality, integrity, and availability of every VM the host runs. Chained with an initial-access technique such as phishing or a remote code execution flaw, it turns a foothold in one workload into control of the whole host.
Timely patching, together with least-privilege administration of Hyper-V hosts, is the primary mitigation.
CVE-2024-38080 affects Windows 11 and Windows Server 2022, and therefore the Hyper-V deployments common in data centers, enterprise IT, and cloud hosting. Because virtual machines underpin so much critical infrastructure, the exposed population is large: hospitals and medical research facilities run patient-data systems on VMs; banks, insurers, and trading platforms use them for transaction processing; government agencies at every level process sensitive information on them; cloud and SaaS providers isolate customers in separate VMs; and universities run research workloads and virtual labs on Hyper-V.
Windows MSHTML Platform Spoofing Vulnerability (CVE-2024-38112)
CVE-2024-38112 is a zero-day spoofing vulnerability in the Windows MSHTML platform with a CVSS rating of 7.5. Its root cause is classified as CWE-668: Exposure of Resource to Wrong Sphere, meaning a resource is reachable from a context that should not have access to it.
Technical Details:
MSHTML (Trident) is the rendering engine behind Internet Explorer and behind the embedded web browser control that many other applications use. The flaw lies in how MSHTML exposes and handles resources: because access restrictions are not enforced strictly enough, attacker-controlled content can be rendered in a context that the user and the system treat as trusted, so malicious content appears to come from a legitimate source.
Impact on Security:
- Confidentiality: Spoofed content presented as legitimate can trick users into revealing sensitive information.
- Integrity: The attacker can inject or alter content that appears legitimate, steering users into unintended actions.
- Availability: Indirectly affected if the deception leads the user to download and run malware.
Exploitation Details:
- Attack Vector: Network-based, requiring the delivery of a malicious HTML file through methods like email or a compromised website.
- Attack Complexity: High, as successful exploitation necessitates specific preparatory actions by the attacker, such as creating a convincing impersonation setup.
- Privileges Required: None, meaning attackers do not need any pre-existing privileges to exploit this vulnerability.
- User Interaction: Essential, as the user must execute a malicious file or visit a crafted web page for successful exploitation.
Attackers could employ phishing tactics, sending emails with malicious attachments or links leading to spoofed websites. Upon interaction, malicious content could be rendered in a trusted context, misleading users to divulge sensitive information like login credentials or to install malware.
Complementary Attack Techniques:
- Social Engineering: Utilizing well-crafted emails to increase the likelihood of user interaction.
- Elevation of Privilege (EoP) Vulnerabilities: Post-deception, attackers could exploit EoP vulnerabilities to obtain higher privileges.
- Remote Code Execution (RCE) Vulnerabilities: After initial spoofing, further exploits could allow the injection of malicious code.
Historical Context: MSHTML and the Internet Explorer engine have been attacked many times before. Earlier exploited flaws (all memory-corruption bugs leading to code execution rather than spoofing) include:
- CVE-2021-40444: an MSHTML remote code execution flaw exploited through malicious ActiveX controls embedded in Microsoft Office documents.
- CVE-2021-26411: an Internet Explorer memory corruption flaw in which malformed HTML content led to arbitrary code execution.
- CVE-2020-0674: a scripting engine memory corruption flaw in Internet Explorer exploited through malicious JavaScript delivered by web pages or phishing emails.
Potential Risks:
Attackers can use CVE-2024-38112 to redirect users to cloned banking or e-commerce sites and harvest credentials and financial data, to deliver malware from a context that looks legitimate, or to support corporate espionage.
Given the extensive use of MSHTML across numerous applications, the potential reach and impact of this vulnerability are substantial, affecting a broad user base. A proactive approach, including timely patching and adherence to robust security practices, is critical to effectively mitigate these risks.
Remote Code Execution Vulnerability in .NET and Visual Studio (CVE-2024-35264)
CVE-2024-35264 is a remote code execution vulnerability in .NET 8.0 and Visual Studio 2022 caused by a use-after-free (CWE-416), where a program keeps using memory after it has been released. It carries a CVSS v3.1 score of 8.1 with high impact on confidentiality, integrity, and availability, and it was publicly disclosed before the patch shipped.
The bug is a race condition in HTTP/3 stream handling: when an HTTP/3 stream is closed while its request body is still being processed, the code can briefly touch memory that has already been freed. Improper synchronization of stream closure is the core defect; the window is small, but an attacker who wins the race can turn the dangling reference into arbitrary code execution on the targeted system. Only services that accept HTTP/3 connections expose this code path.
Key Details of the Exploitation:
- Attack Vector: Network
- Attack Complexity: High, because the race condition must be won with precise timing
- Privileges Required: None
- User Interaction: None
- Impact: High across confidentiality, integrity, and availability
- Current Exploitation: No known exploitation in the wild
- Likelihood of Exploitation: Low, given the complexity of the required attack, but not impossible.
Exploitation of CVE-2024-35264 would give an attacker code execution without elevated privileges or user interaction, enough to run arbitrary commands, install malware, or take full control of the affected host. Chained with other weaknesses it can become the first step of a larger intrusion:
- Privilege Escalation: using the initial foothold to exploit further vulnerabilities for higher privileges.
- Persistence: installing backdoors once code execution is achieved.
- Lateral Movement: using the compromised server as a pivot into the rest of the network.
Remote Code Execution Vulnerabilities in Windows Remote Desktop Licensing Service
CVE-2024-38077 and CVE-2024-38076 are critical remote code execution vulnerabilities in the Windows Remote Desktop Licensing Service (RDLS), both heap-based buffer overflows (CWE-122). Each carries a CVSS base score of 9.8 (temporal score 8.5) and affects Windows Server, including Server 2016 and later.
The service fails to validate the size or content of an incoming packet before copying it into a fixed-size heap buffer. An oversized packet therefore overruns the buffer and corrupts adjacent heap data, which an attacker can shape into arbitrary code execution on the server.
Key Details:
- Impact: Remote Code Execution (RCE)
- Attack Vector: Network-based, allowing remote execution
- Attack Complexity: Low, simplifying the execution process for attackers
- Privileges Required: None, making it accessible to any network user
- User Interaction: Not required, increasing the vulnerability’s severity
- Confidentiality, Integrity, Availability Impact: High, posing serious threats across all three CIA triad components
Microsoft assesses exploitation as less likely, and no public proof-of-concept exploit exists at the time of writing. Given the severity and the value of a pre-authentication server compromise, that assessment can change quickly. Two practical points: the Remote Desktop Licensing role is not installed by default, so only servers that actually run the RD Licensing service are exposed, and Microsoft recommends disabling the service where it is not needed.
The implications of successful exploitation are severe:
- Data Breach: Unauthorized access could lead to significant confidentiality breaches.
- System Compromise: Integrity could be compromised, allowing data and process manipulation.
- Denial of Service: Disruptions could affect organizational operations, particularly those reliant on Windows servers for critical functions.
An attacker sends a specially crafted packet to the RDLS endpoint on a Windows server, triggers the overflow, and gains code execution. That initial breach then becomes a gateway for further activity, including:
- Lateral Movement and Privilege Escalation: using the server's credentials and network position, or additional vulnerabilities, to reach other systems and higher privileges.
- Data Exfiltration and Ransomware Deployment: using the compromised server as a base for broader attacks.
Historically, similar heap-based buffer overflow vulnerabilities like CVE-2019-0708 (“BlueKeep”) have demonstrated the potential for widespread damage through remote code execution in Windows RDP.
Windows Server 2016 and newer are prevalent across sectors, so the potential impact is broad, from large organizations with extensive Windows Server estates to small businesses and public-sector bodies.
In conclusion, CVE-2024-38076 and CVE-2024-38077 represent paradigmatic critical remote code execution vulnerabilities. Although not yet exploited in the wild, the low complexity of the attack and the ease of network-based exploitation without requiring privileges make them a serious risk.
Google Chrome
Google has rolled out a significant update to the stable channel of its Chrome browser, advancing the version to 126.0.6478.114/115 for Windows and Mac, and 126.0.6478.114 for Linux. This update includes six security fixes, four of which are particularly noteworthy:
- CVE-2024-6100: This high-impact Type Confusion vulnerability in V8, Chrome’s JavaScript engine, can lead to crashes, data corruption, and, most critically, remote code execution (RCE). Attackers can craft malicious JavaScript to exploit this type confusion, enabling them to take control of the affected machine, steal sensitive information, or deploy additional malware. The $20,000 bounty underscores the severity of this vulnerability.
- CVE-2024-6101: A high-impact flaw in WebAssembly’s implementation can allow attackers to run unauthorized code, potentially leading to RCE, unauthorized data access, or denial of service. This vulnerability stems from security measures being improperly enforced or bypassed entirely.
- CVE-2024-6102: An out-of-bounds memory access in Dawn, a graphics and computation API used in Chrome, poses a high risk. This issue can cause unexpected behaviors or crashes, and malicious actors could exploit it to manipulate memory, resulting in data leaks or the execution of malicious code.
- CVE-2024-6103: A Use After Free (UAF) vulnerability in Dawn with high impact involves a program using a pointer after it has been freed, potentially leading to crashes or code execution. Specific inputs crafted by attackers can trigger this condition, allowing them to execute arbitrary code or cause a denial of service.
Additionally, Google has released another stable channel update, version 126.0.6478.126/127 for Windows, Mac, and Linux, addressing four high-severity vulnerabilities:
- CVE-2024-6290: A UAF vulnerability in Dawn that could severely compromise graphics and computation tasks.
- CVE-2024-6291: A UAF vulnerability in SwiftShader, Chrome's software-based 3D renderer, where exploitation could corrupt the rendering process.
- CVE-2024-6292 and CVE-2024-6293: Additional UAF vulnerabilities in Dawn indicate a potential pattern of memory mismanagement.
Among these, CVE-2024-6290 in Dawn is notably perilous due to its critical role in web-based graphics and computation, potential for arbitrary code execution, and the broad impact on web applications. The recurrence of similar vulnerabilities, particularly reported by the same researcher, wgslfuzz, suggests systemic issues in Dawn’s memory management.
Separately, a listing on a darknet market claims to offer a new zero-day sandbox-escape RCE in Chrome affecting versions 126.0.6478.126 and 126.0.6478.127, priced at $1,000,000 in Monero (XMR) or the BTC equivalent, with an escrow guarantor. According to the seller, the exploit works on Windows 21H1 and 21H2, and no fix is available. None of this has been independently verified, so treat it as an unconfirmed report rather than a known vulnerability.
Mozilla Firefox
In Firefox 128, Mozilla resolved 20 security issues, eight of them rated critical. Six of those eight are memory-safety bugs such as buffer overflows and use of freed memory. The five most interesting are:
- CVE-2024-6605: Firefox Android Missed Activation Delay to Prevent Tapjacking. This vulnerability in the Android version of Firefox stems from the absence of an activation delay for permission prompts. Activation delays are vital security features that ensure users consciously grant permissions. Without this delay, malicious apps can overlay deceptive graphics over the real interface, tricking users into unintentionally interacting with permission prompts. The potential for attackers to gain permissions for camera, microphone, or location access poses a significant threat to user privacy and security.
- CVE-2024-6606: Out-of-bounds Clipboard Read Component. This issue arises from improper bounds checking within Firefox’s clipboard component, where the code fails to accurately verify indices when accessing an array, leading to an out-of-bounds read. This vulnerability can expose sensitive information stored in adjacent memory locations, which might include user data or session details, thereby risking a more extensive security breach.
- CVE-2024-6609: Memory Corruption in NSS. This vulnerability occurs when the system exhausts memory, leading to the incorrect release of an elliptic curve key that was never allocated, causing memory corruption. This error stems from inadequate memory management and improper response to low memory conditions within the Network Security Services (NSS) library. Such corruption can lead to unpredictable system behavior, crashes, or exploitable conditions that may allow attackers to run arbitrary code, potentially exposing cryptographic keys and sensitive data.
- CVE-2024-6600: Memory Corruption in WebGL API. Rooted in the WebGL API, specifically in ANGLE's handling of GLSL shaders on macOS, this bug surfaces in the large-allocation checks: when more than 8192 integers are allocated, lenient checks allow out-of-bounds access and memory corruption. The consequences range from crashes and local denial of service to, potentially, arbitrary code execution if the corrupted memory can be controlled.
- CVE-2024-6604: Memory Vulnerabilities in Firefox 128. This encompasses a range of memory safety issues potentially leading to memory corruption, likely from non-adherence to contemporary memory safety practices, including use-after-free and buffer overflows. These vulnerabilities, depending on their exploitation, can cause effects ranging from simple application crashes to full remote code execution.
Android
Google has released patches for 25 vulnerabilities in Android, with the most critical being a privilege escalation bug. This severe issue, identified as CVE-2024-31320, impacts Android versions 12 and 12L, specifically within the Framework component. According to Google, this vulnerability could lead to local privilege escalation without requiring additional execution privileges.
This bug was fixed in the 2024-07-01 security patch level, which also remedied seven other high-severity issues: three elevation of privilege (EoP) bugs in Framework, plus three EoP bugs and an information disclosure vulnerability in the System component.
The second segment of the July 2024 Android security update is designated as security patch level 2024-07-05 and addresses 17 vulnerabilities affecting components from Kernel, Arm, Imagination Technologies, MediaTek, and Qualcomm. Devices updated to security patch level 2024-07-05 will have all 25 vulnerabilities addressed. Users are encouraged to update their devices promptly as these patches become available.
While there were no new fixes introduced in this month’s Android Automotive security update, Google noted that it includes all the fixes contained in the security patch level 2024-07-05.
OpenSSH
Millions of OpenSSH servers are at risk of remote code execution without authentication due to a vulnerability known as regreSSHion. Tracked as CVE-2024-6387, this vulnerability has been assessed by Qualys researchers as critically severe, comparable to the notorious Log4Shell vulnerability from 2021.
regreSSHion is a signal handler race condition in the OpenSSH server process sshd: the SIGALRM handler that fires when a client fails to authenticate within LoginGraceTime calls functions that are not async-signal-safe, and an unauthenticated remote attacker who wins the race can execute code as root. Confirmed impact is on glibc-based Linux systems; whether Windows and macOS builds are affected is not yet clear.
The exploitation of this vulnerability results in complete system compromise, enabling attackers to execute code with the highest privileges, bypass security measures, steal data, and potentially maintain persistent access.
OpenSSH, a foundational tool for secure network communication in a client-server architecture, is extensively utilized by enterprises for remote server management and secure data transfer. A search by Qualys using Shodan and Censys indicates that over 14 million instances of OpenSSH might be vulnerable, with about 700,000 of these systems exposed directly to the internet.
CVE-2024-6387 is a regression of CVE-2006-5051, which had been fixed in 2006. The regression was introduced in October 2020 and shipped in OpenSSH 8.5p1 in March 2021, so versions 8.5p1 through 9.7p1 are affected, as are versions earlier than 4.4p1 unless they were patched for CVE-2006-5051 and CVE-2008-4109. OpenBSD is not affected because its SIGALRM handler uses an async-signal-safe syslog variant that the portable version lacked.
The fix shipped in OpenSSH 9.8p1 on 1 July 2024. The vulnerability drew wide attention because of the enormous number of OpenSSH instances reachable from the internet.
Although Qualys released only technical details initially, subsequent proof of concept (PoC) exploits were demonstrated, primarily on 32-bit glibc-based Linux systems, with potential operation on 64-bit systems. Palo Alto tested some PoC code but did not achieve RCE, suggesting the vulnerability may not lead to widespread exploitation despite its criticality.
Qualys found exploitation difficult: winning the race takes roughly 10,000 connection attempts, which in their tests meant anywhere from a few hours to about a week, and the known exploits are statistical rather than deterministic, the fastest taking over four hours. Researcher Raghav Rastogi reported an IP address that appears to have attempted exploitation of CVE-2024-6387. Where upgrading is delayed, setting LoginGraceTime 0 in sshd_config removes the vulnerable timeout path, at the cost of letting unauthenticated clients hold connection slots open, a denial-of-service exposure bounded by MaxStartups.
Comparing CVE-2024-6387 with Log4Shell highlights critical similarities and differences. Both vulnerabilities allow unauthenticated RCE and affect globally prevalent software components—OpenSSH for secure remote access and Log4j for Java application logging. While both have the potential to affect millions of systems across various industries, the OpenSSH vulnerability’s complex nature makes it harder to exploit compared to the relatively straightforward Log4Shell. Log4Shell quickly became widespread due to its ease of exploitation and the ubiquity of Log4j, whereas the OpenSSH vulnerability, though potentially just as severe, has not seen comparable exploitation. This difference in exploitability underscores the urgent need for attention and patching to mitigate the significant risks posed by these vulnerabilities.
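Because the affected ranges above are version-based, a first triage pass over a fleet can be done from server banners alone. The following is an added example, not part of this digest or of the Qualys advisory: it classifies OpenSSH banner strings against the ranges stated above (earlier than 4.4p1, and 8.5p1 up to but not including 9.8p1). The banner strings are constructed samples, not scan results, and the treatment of banners without the portable "p" suffix is this example's own heuristic.

```python
"""Triage OpenSSH server banners against the CVE-2024-6387 (regreSSHion) version ranges.

Added example; the sample banners are constructed, not collected from real hosts.
"""
import re

BANNER_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)(?:p(\d+))?")

# Boundaries from the advisory; every boundary is a p1 release, so major.minor
# alone decides which range a version falls in.
FIXED_2006 = (4, 4)   # CVE-2006-5051 fixed in 4.4p1
REGRESSED = (8, 5)    # regression shipped in 8.5p1
FIXED_2024 = (9, 8)   # regreSSHion fixed in 9.8p1


def parse_banner(banner: str):
    """Return (major, minor, portable_patch) or None; portable_patch is None if no 'p' suffix."""
    m = BANNER_RE.search(banner)
    if not m:
        return None
    major, minor, p = m.groups()
    return int(major), int(minor), (int(p) if p is not None else None)


def classify(banner: str) -> str:
    """Verdict from the version number alone."""
    parsed = parse_banner(banner)
    if parsed is None:
        return "unknown"  # not OpenSSH, or a banner this parser does not recognise
    version = parsed[:2]
    if version < FIXED_2006 or REGRESSED <= version < FIXED_2024:
        return "vulnerable-unless-backported"
    if version >= FIXED_2024:
        return "fixed"
    return "not-affected"


def needs_vendor_check(banner: str) -> bool:
    """True when the banner cannot settle the question on its own.

    Either the version sits in a vulnerable range (distributions backport fixes
    without bumping the upstream version), or the portable 'p' suffix is absent,
    which both OpenBSD native builds (not affected) and some distribution builds
    (Red Hat's, for example) exhibit.
    """
    parsed = parse_banner(banner)
    if parsed is None:
        return True
    return classify(banner) == "vulnerable-unless-backported" or parsed[2] is None


def triage(banners):
    """Group banners by verdict so the ones needing vendor confirmation stand out."""
    groups = {}
    for banner in banners:
        groups.setdefault(classify(banner), []).append(banner)
    return groups


# Constructed sample banners in the form sshd sends on connect.
SAMPLE_BANNERS = [
    "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.3",
    "SSH-2.0-OpenSSH_9.8p1",
    "SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u3",
    "SSH-2.0-OpenSSH_4.3p2",
    "SSH-2.0-OpenSSH_8.7",
    "SSH-2.0-dropbear_2022.83",
]

if __name__ == "__main__":
    for verdict, banners in triage(SAMPLE_BANNERS).items():
        print(verdict, banners)
```

The banner is the first thing sshd sends after the TCP handshake, so it can be collected without authenticating. The verdict "vulnerable-unless-backported" is deliberately not "vulnerable": an Ubuntu or Debian host reporting 9.6p1 may already carry the backported fix, so confirm against the vendor's package changelog before declaring it exposed.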
Splunk
Splunk has addressed 18 vulnerabilities in Splunk Enterprise and Cloud Platform, including critical remote code execution (RCE) bugs. Of these, three significant RCE vulnerabilities require authentication for successful exploitation:
- CVE-2024-36985 affects Splunk Enterprise versions 9.2.x, 9.1.x, and 9.0.x. It can be exploited by a user with low privileges through a search operation that interacts with the splunk_archiver application. To mitigate this issue, users can upgrade to Splunk Enterprise 9.2.2, 9.1.5, or 9.0.10, or alternatively, disable the splunk_archiver application.
- CVE-2024-36984 specifically impacts Splunk Enterprise for Windows. It allows an authenticated attacker to execute a specially crafted request that serializes untrusted data leading to RCE. This exploit involves the collect SPL command, which is used to write a file to the Splunk Enterprise installation. An attacker can leverage this file to send a serialized payload that could result in code execution.
- The third RCE vulnerability pertains to the PDF monitoring dashboard generation component in both Enterprise and Cloud Platform, due to the incorporation of a vulnerable version of the Python ReportLab Toolkit library (v3.6.1).
Additionally, Splunk has remedied a serious command injection vulnerability in both Enterprise and Cloud Platform. An authenticated user can create an external lookup that invokes a legacy internal function, allowing code to be written into the Splunk platform installation directory. The issue stems from the deprecated runshellscript command used in scripted alert actions, which enables command execution in a privileged context on the Splunk platform instance.
Other high-severity issues addressed include path traversal vulnerabilities in Splunk Enterprise on Windows and denial of service vulnerabilities in both the Enterprise and Cloud Platform products. As of now, Splunk has not reported any exploitation of these vulnerabilities in production environments.
Intel
Researchers at the University of California, San Diego have discovered a new, highly accurate branch target injection (BTI) side-channel attack named Indirector, which targets modern Intel processors, including the Raptor Lake and Alder Lake series. This attack exploits vulnerabilities in the Indirect Branch Predictor (IBP) and Branch Target Buffer (BTB) to manipulate speculative execution and extract sensitive data from CPUs.
The IBP predicts indirect branch target addresses from historical execution data, while the BTB predicts direct branch targets using a set-associative cache structure. The researchers identified shortcomings in the indexing, tagging, and entry-sharing mechanisms of both: because these structures are built on predictable layouts, they can be manipulated with high precision.
Indirector leverages three main mechanisms for its attacks:
- iBranch Locator: An eviction-based tool that determines the index and tag of a victim's indirect branches and so locates the specific IBP entries it uses.
- IBP/BTB Injections: These perform targeted injections into the prediction structures, enabling the execution of speculative code.
- ASLR Bypass: This mechanism disrupts address space randomization (ASLR), pinpointing the exact locations of indirect branches and their targets, thereby simplifying the prediction and manipulation of the control flow in protected processes.
Beyond steering speculative execution through targeted injections, attackers can combine the injection with cache side-channel techniques, such as timing cache accesses, to infer the data being processed.
Intel was notified about the Indirector attack in February 2024, and both hardware and software vendors affected by this vulnerability have also been informed. To mitigate this indirect attack, researchers are considering two primary strategies: the more aggressive application of the Indirect Branch Predictor Barrier (IBPB) and the enhancement of the Branch Prediction Unit (BPU) with more sophisticated tagging, encryption, and randomization techniques. However, these measures could potentially degrade performance, particularly with the use of IBPB, necessitating careful calibration of the proposed mitigations.
The researchers have made the code and tools for testing branch injection attacks available on GitHub and are scheduled to present detailed findings at the USENIX Security Symposium in August 2024.
CocoaPods for Swift
EVA Information Security has revealed details of three significant vulnerabilities within CocoaPods, an open-source dependency manager for Swift and Objective-C Cocoa projects, which is used by over three million apps in the Apple ecosystem. These vulnerabilities potentially affected millions of macOS and iOS applications, highlighting the risks associated with software supply chain attacks:
- CVE-2024-38368, with a CVSS rating of 9.9, involves a scenario where attackers could hijack popular modules and replace their contents with malicious code. This vulnerability stems from when CocoaPods transitioned to a trunk server in 2014, becoming a central repository but losing authorship control over many modules, leaving 1,866 packages unmaintained. Attackers could claim ownership of these unclaimed modules and inject harmful code, potentially impacting prominent applications like Safari, AppleTV, Xcode, Microsoft Teams, TikTok, Snapchat, Amazon, LinkedIn, Netflix, Okta, Yahoo, Zynga, and others.
- CVE-2024-38366, rated at 9.0, is a remote code execution (RCE) bug found in the authentication server for CocoaPods. It activates a shell command to verify the email domain during a developer’s registration as a module owner. This flaw could be exploited to execute commands on the backbone server, thereby obtaining root access to the server and its infrastructure.
- CVE-2024-38367, with a CVSS score of 8.0, relates to the authentication process. It allows an attacker to hijack the session of a module owner and take over their CocoaPods account. CocoaPods authenticates a new device by creating a session that only becomes valid after the owner clicks a link sent by email from the trunk server. The server built that link from the X-Forwarded-Host (XFH) header of the incoming request, so an attacker who forges that header causes the emailed link to point at a host they control; when the owner clicks it, the session verification token in the URL is delivered to the attacker's site.
These vulnerabilities illustrate a concerning potential for widespread impact on thousands of apps and millions of devices, underlining the critical need for security measures in the management of software dependencies.
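The CVE-2024-38367 pattern is easy to reproduce in a few lines. The following added example is not the CocoaPods trunk code (which is Ruby) and not its actual fix; it models the flaw described above by building the emailed verification link from the X-Forwarded-Host request header, and sets a hardened version beside it that never lets the request choose the host. The header names are real HTTP headers; the host names, path, token and request dictionaries are constructed for illustration.

```python
"""Host-header injection in an e-mailed session link: vulnerable vs. hardened link builder.

Added example; CANONICAL_HOST, TRUSTED_FORWARDED_HOSTS, VERIFY_PATH and the
sample requests are assumptions constructed for illustration.
"""
from urllib.parse import urlparse

CANONICAL_HOST = "trunk.example.test"        # assumed: the service's configured public host
TRUSTED_FORWARDED_HOSTS = {CANONICAL_HOST}   # assumed: hosts a legitimate front proxy may present
VERIFY_PATH = "/sessions/verify/"            # assumed path of the e-mailed link


def vulnerable_session_link(headers: dict, token: str) -> str:
    """Builds the link from client-controlled headers, as the vulnerable server did.

    X-Forwarded-Host is just another request header: any client can send it,
    whether or not a proxy sits in front of the service.
    """
    host = headers.get("X-Forwarded-Host") or headers.get("Host")
    return f"https://{host}{VERIFY_PATH}{token}"


def hardened_session_link(headers: dict, token: str) -> str:
    """Honours a forwarded host only if it is on the allowlist; otherwise uses the
    configured canonical host, so the request can never redirect the token."""
    forwarded = headers.get("X-Forwarded-Host")
    host = forwarded if forwarded in TRUSTED_FORWARDED_HOSTS else CANONICAL_HOST
    return f"https://{host}{VERIFY_PATH}{token}"


def link_host(link: str) -> str:
    return urlparse(link).hostname


def token_leaks_to(link: str):
    """Return the foreign host that would receive the token, or None if the link is safe."""
    host = link_host(link)
    return None if host == CANONICAL_HOST else host


# Constructed requests: a normal one and one carrying a forged X-Forwarded-Host.
NORMAL_REQUEST = {"Host": CANONICAL_HOST}
SPOOFED_REQUEST = {"Host": CANONICAL_HOST, "X-Forwarded-Host": "attacker.example.test"}

if __name__ == "__main__":
    for name, req in (("normal", NORMAL_REQUEST), ("spoofed", SPOOFED_REQUEST)):
        print(name, "vulnerable ->", vulnerable_session_link(req, "tok123"))
        print(name, "hardened   ->", hardened_session_link(req, "tok123"))
```

The general rule the hardened version follows applies beyond this one server: anything that ends up in an email, a password-reset link or a redirect must be derived from configuration or an explicit allowlist, never from Host or X-Forwarded-* headers, which the client controls.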
Cisco
Cisco has issued a warning about a zero-day vulnerability in NX-OS that was actively exploited in April to deploy previously unknown malware running as root on affected switches. The vulnerability, designated CVE-2024-20399, was uncovered by researchers at Sygnia during an extensive investigation into the activities of a Chinese APT (Advanced Persistent Threat) group known as Velvet Ant. The group had maintained a long-term presence in the victim's network by exploiting legacy F5 BIG-IP systems exposed to the internet, using various tools to relay command-and-control (C2) traffic.
CVE-2024-20399 allows local attackers with administrative privileges to execute arbitrary root commands on the underlying operating system of vulnerable devices. The vulnerability stems from insufficient validation of arguments passed to certain CLI (Command Line Interface) configuration commands. Attackers could exploit this flaw by inputting specially crafted arguments into vulnerable CLI commands.
The list of devices impacted by this vulnerability includes several models running the compromised NX-OS software: MDS 9000, Nexus 3000, Nexus 5500, Nexus 5600, Nexus 6000, Nexus 7000, and Nexus 9000 in standalone NX-OS mode. A particularly concerning aspect of this vulnerability is that it allows commands to be executed without triggering system log messages, effectively hiding any signs of compromise on affected NX-OS devices.
In response, Cisco advises customers to diligently monitor and update network administrator and vdc-admin credentials. Additionally, customers can utilize the Cisco Software Checker page to assess whether devices on their network are susceptible to attacks exploiting the CVE-2024-20399 vulnerability. This proactive measure is critical for maintaining security and preventing further exploits by malicious actors such as the Velvet Ant group.
Juniper
A critical vulnerability, CVE-2024-2973, affects Juniper Networks' Session Smart Router (SSR), Session Smart Conductor, and WAN Assurance Router products. It allows an attacker to bypass authentication and take complete control of an affected device, a serious threat to mission-critical infrastructure built on these components.
With that control, an attacker could manipulate routing, disrupt connectivity, or intercept sensitive traffic crossing the network, leading to operational disruption and financial loss. A compromised router also gives the attacker a vantage point for covert traffic monitoring and data extraction, and a pivot for further attacks inside the organization.
The flaw only affects devices deployed in high-availability (HA) redundant configurations, which are precisely the setups used where uninterrupted service matters: large enterprises, data centers, telecommunications, e-commerce platforms, and government operations. The prevalence of these routers in such environments amplifies the potential consequences.
Previous Juniper flaws, such as those in EX switches and SRX firewalls, were exploited shortly after disclosure, and CISA has responded urgently in similar situations. The pattern underscores the need for swift patching of core network infrastructure.
Juniper has released patches for SSR, Conductor and WAN Assurance routers, and administrators should apply them promptly. In Conductor-managed deployments, upgrading the Conductor automatically pushes the fix to connected routers, which streamlines rollout, but Juniper still recommends upgrading the routers directly for full protection. No workarounds are available; the patches are designed to apply with minimal disruption to production traffic.
GitLab
GitLab has released updates fixing 14 vulnerabilities, including one critical and three high-severity issues. The critical one, CVE-2024-5655, affects GitLab Community Edition (CE) and Enterprise Edition (EE) versions 15.8 through 16.11.4, 17.0.0 through 17.0.2, and 17.1.0. Under certain conditions it allows an attacker to trigger a pipeline as another user, a serious issue given the central role pipelines play in continuous integration/continuous deployment (CI/CD) and the permissions they run with.
Rated 9.6 out of 10, the issue is fixed in 17.1.1, 17.0.3, and 16.11.5. GitLab strongly advises all users running vulnerable versions to update immediately.
The fix brings two behavior changes that may affect existing workflows:
- Pipelines no longer start automatically when a merge request is re-targeted after its previous target branch is merged. Users must start the pipeline manually to run CI on their changes.
- CI_JOB_TOKEN authentication for the GraphQL API is disabled by default starting with 17.0.0, and this change is backported to 17.0.3 and 16.11.5. Jobs that need the GraphQL API must use one of the other supported token types.
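As an added example (not a GitLab tool), the following Ruby helper checks a self-managed instance's reported version against the affected ranges above and names the release to upgrade to. The helper names and the sample versions are assumptions made for this example:

```ruby
# Added example (not GitLab's own tooling): decide whether a self-managed
# GitLab CE/EE version string falls in the ranges published as affected by
# CVE-2024-5655, and name the patched release to move to. Helper names and
# sample versions are assumptions for this example.
require "rubygems" # Gem::Version handles multi-component comparison

# Affected ranges as published: 15.8 up to and including 16.11.4,
# 17.0.0 up to and including 17.0.2, and 17.1.0. Each maps to its fix.
AFFECTED_RANGES = [
  { from: "15.8",   to: "16.11.4", fixed: "16.11.5" },
  { from: "17.0.0", to: "17.0.2",  fixed: "17.0.3"  },
  { from: "17.1.0", to: "17.1.0",  fixed: "17.1.1"  },
].freeze

# Strip the "-ee"/"-ce" suffix GitLab appends (e.g. "16.11.4-ee"). Without
# this, Gem::Version would read the suffix as a prerelease tag and sort
# "16.11.4-ee" below "16.11.4", misclassifying the edge of a range.
def normalize_gitlab_version(str)
  Gem::Version.new(str.strip.sub(/-(ee|ce)\z/i, ""))
end

# Returns the fixed version to upgrade to when version_str is affected,
# or nil when it is not in any affected range.
def cve_2024_5655_fix_for(version_str)
  v = normalize_gitlab_version(version_str)
  range = AFFECTED_RANGES.find do |r|
    v >= Gem::Version.new(r[:from]) && v <= Gem::Version.new(r[:to])
  end
  range && range[:fixed]
end

def vulnerable_to_cve_2024_5655?(version_str)
  !cve_2024_5655_fix_for(version_str).nil?
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample versions spanning each range boundary
  %w[16.11.4-ee 16.11.5 17.0.2 17.0.3 17.1.0 17.1.1 15.7.9].each do |ver|
    fix = cve_2024_5655_fix_for(ver)
    puts "#{ver}: #{fix ? "affected, upgrade to #{fix}" : "not in an affected range"}"
  end
end
```

Versions older than 15.8 fall outside the published ranges and are not reported as affected here, but they are also long out of GitLab's support window and should be upgraded regardless rather than treated as safe.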
The update also addresses three high-severity vulnerabilities:
- CVE-2024-4901: a stored XSS vulnerability in which a malicious commit note from an imported project can inject script, potentially leading to unauthorized actions and data disclosure.
- CVE-2024-4994: a CSRF vulnerability in the GraphQL API that lets an attacker make arbitrary GraphQL changes by tricking an authenticated user into sending an unintended request, potentially resulting in data manipulation and unauthorized operations.
- CVE-2024-6323: an authorization flaw in GitLab's global search that lets an attacker see search results from private repositories within public projects, exposing sensitive data.
FileCatalyst
Fortra has warned of a critical SQL injection (SQLi) vulnerability, CVE-2024-5276, in its FileCatalyst Workflow product. Discovered by Tenable researchers on May 15, 2024, it is rated 9.8 on the CVSS v3.1 scale and allows an unauthenticated attacker to create an admin user and manipulate the application's database, a significant risk for organizations that use the product to accelerate data transfer and collaboration in private cloud environments.
The vulnerability affects FileCatalyst Workflow 5.1.6 build 135 and earlier; the fix ships in 5.1.6 build 139. An important caveat: unauthenticated exploitation requires anonymous access to be enabled on the target instance. Where anonymous access is disabled, exploiting CVE-2024-5276 requires valid credentials.
Tenable reported the issue to Fortra on May 22, 2024, together with a proof-of-concept (PoC) exploit, which Tenable published immediately after Fortra's security bulletin. The PoC shows how an anonymous remote attacker can perform SQL injection through the jobID parameter at several URL endpoints of the Workflow web application. The root cause is that the findJob method takes the user-supplied jobID, without sanitization, and concatenates it into the WHERE clause of an SQL query, so the attacker controls the SQL text.
Tenable's script logs into the Workflow application anonymously and runs the injection through jobID to add a new admin user (operator) with a known password (password123). It then obtains a token and logs in with the newly created administrator credentials.
Although no active exploitation has been reported to date, a working public PoC makes that likely to change soon. It would be no surprise if extortion crews such as Cl0p, which mass-exploited MOVEit Transfer in 2023, are already examining this vulnerability for use against file-transfer deployments.
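The injection pattern described above, as an added Ruby illustration (FileCatalyst Workflow is not written in Ruby, and this is neither Fortra's code nor Tenable's PoC): a `findJob`-style lookup that interpolates `jobID` into its WHERE clause, beside a hardened version. The table and column names, the `InvalidJobId` class and the payload are assumptions made for the example:

```ruby
# Added illustration (not FileCatalyst code and not Tenable's PoC): the
# query-building pattern behind an injectable jobID lookup, beside a hardened
# version. Table/column names, the error class and the payload are assumptions.

# Vulnerable: the caller's jobID lands in the WHERE clause by string
# interpolation, so a quote closes the literal and whatever follows it is
# parsed as SQL, including a second, stacked statement.
def find_job_sql_vulnerable(job_id)
  "SELECT * FROM jobs WHERE jobID = '#{job_id}'"
end

class InvalidJobId < ArgumentError; end

# Hardened: the lookup key is a number, so reject anything that is not one,
# and keep the value out of the SQL text altogether by binding it as a
# parameter. Returns [sql, bind_values] or raises InvalidJobId.
def find_job_sql_safe(job_id)
  unless job_id.to_s.match?(/\A\d{1,18}\z/)
    raise InvalidJobId, "jobID must be a positive integer"
  end
  ["SELECT * FROM jobs WHERE jobID = ?", [Integer(job_id, 10)]]
end

# Counts the semicolon-separated segments of a query string: enough to show
# the payload below turning one SELECT into a SELECT, an injected INSERT and
# a comment tail.
def statement_count(sql)
  sql.split(";").map(&:strip).reject(&:empty?).count
end

if __FILE__ == $PROGRAM_NAME
  # Constructed payload in the shape of a stacked-query injection that adds
  # an administrator (table and column names are assumptions).
  payload = "1'; INSERT INTO users(name,password,role) " \
            "VALUES('operator','password123','admin'); --"
  puts find_job_sql_vulnerable(payload)
  puts "statements: #{statement_count(find_job_sql_vulnerable(payload))}"
  begin
    find_job_sql_safe(payload)
  rescue InvalidJobId => e
    puts "rejected: #{e.message}"
  end
  p find_job_sql_safe("42")
end
```

Binding the value as a parameter is what removes the injection; the integer check is defense in depth and gives the application a clean rejection to log. The stacked-statement shape shown here is what lets a single injected request create an administrator account, which is the effect Tenable's PoC demonstrates.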
Siemens
Researchers at SEC Consult have warned that vulnerabilities in Siemens SICAM products could be exploited in real attacks on the power sector. Siemens released updates in May for several products, including the SICAM A8000 remote terminal units, SICAM EGS network sensors, and SICAM 8 power automation software, to address two high-severity and one medium-severity vulnerability:
- CVE-2024-31484: a buffer overflow issue that can be exploited to read sensitive data from memory and that could also lead to remote code execution (RCE) in the context of the affected process or to a denial of service (DoS).
- CVE-2024-31485: a command injection in the web interface of the affected products that an authenticated attacker could use to capture privileged credentials and execute arbitrary code as root.
- CVE-2024-31486: inadequate protection of MQTT client passwords, which an attacker with physical access or a remote shell could read out.
In June, Siemens widened the scope, informing customers that CVE-2024-31484 also affects additional devices, including SICAM AK3/TM/BC, which provide substation automation in power grid solutions.
SEC Consult, which discovered the vulnerabilities, published a detailed advisory describing a realistic attack chain. An attacker needs network access to TCP ports 443 or 80 on the target. CVE-2024-31484 can then be used to leak data from the global memory segment, which may help with further attacks. With a low-privileged SICAM WEB account, CVE-2024-31485 can be exploited to steal the administrator password, after which the attacker can reconfigure the PLCs and potentially destabilize the substation.
Because the confidentiality of existing passwords may already have been compromised, SEC Consult strongly advises changing all passwords after the patches are applied.
Progress Software MOVEit Transfer
Researchers have observed exploitation attempts against a recently patched critical vulnerability, CVE-2024-5806, in Progress Software's MOVEit Transfer. It is an improper authentication flaw in the product's SFTP module. A second, separately tracked authentication bypass of the same kind, CVE-2024-5805, affects the SFTP module of MOVEit Gateway rather than MOVEit Transfer.
CVE-2024-5806 is fixed in MOVEit Transfer 2023.0.11, 2023.1.6, and 2024.0.2. CVE-2024-5805 affects only MOVEit Gateway 2024.0.0 and is fixed in Gateway 2024.0.1. In its CVE-2024-5806 advisory, Progress also flagged a separate vulnerability in a third-party component that increases the risk posed by this CVE, and published interim mitigations for it until a patch becomes available.
watchTowr published technical details showing how CVE-2024-5806 can be exploited to gain unauthorized access to affected systems. watchTowr also disclosed a further issue in the IPWorks SSH server library that MOVEit Transfer uses: a forced-authentication vulnerability that likely affects every application built on the library and could lead to full system compromise.
Following these disclosures, the Shadowserver Foundation reported attempts to exploit CVE-2024-5806. Rapid7 cautioned, however, that activity against Shadowserver's honeypots does not necessarily reflect attacks on real production environments.
The recurring pattern suggests that Progress Software's products may have accumulated many latent vulnerabilities, plausibly for want of a robust Software Development Life Cycle (SDLC) from the outset. Improvements are visible, but critical findings are likely to keep surfacing for some time.
Organizations that want to avoid Progress Software's predicament need a comprehensive secure development program: fully automated security testing, including Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), Interactive Application Security Testing (IAST), and Application Security Orchestration and Correlation (ASOC), complemented by a bug bounty program and ongoing security training for developers.
Progress Software runs a private bug bounty program on Bugcrowd, but its scope and rewards are not public, so its effectiveness is hard to judge. A large-scale move away from Progress by major customers is not expected in the short term, given the time and money invested in such integral products, but if critical vulnerabilities keep appearing, erosion of customer trust and eventual migration become likely.
Shadowserver counts roughly 1,700 MOVEit Transfer instances exposed to the Internet, mostly in North America; Censys reports a somewhat higher 2,700, mostly in the U.S., followed by the U.K. and Germany. Those figures are in the same range as the victim count of the 2023 Cl0p campaign against MOVEit Transfer, which raises the question of how much of that exposed population could be hit again.
VMware
VMware has issued patches for critical vulnerabilities in Cloud Foundation, vCenter Server, and vSphere ESXi that could be exploited for privilege escalation and remote code execution. The most severe, CVE-2024-37079 and CVE-2024-37080, each score 9.8 and are heap-overflow bugs in vCenter Server's DCE/RPC protocol implementation: an attacker with network access to a vCenter Server could achieve remote code execution by sending specially crafted packets.
The third, CVE-2024-37081 (CVSS 7.8), is a local elevation of privilege (EoP) in vCenter Server caused by a misconfiguration of sudo. An authenticated local user without administrative privileges could exploit it to gain root.
All three affect vCenter Server 7.0 and 8.0, including the vCenter component of Cloud Foundation, and are fixed in 7.0 U3r, 8.0 U1e, and 8.0 U2d. No active exploitation has been reported so far.
How To Efficiently Patch All of These Vulnerabilities And More
Want to learn about newly released updates as soon as they are available? With Action1, you can — as well as streamline the entire patch management process, from identifying missing updates to compliance reporting, across both Windows OS and third-party software.