While only a few major vulnerabilities emerged this week, Ivanti announced another notable set of flaws in both its Standalone Sentry and Neurons for ITSM products. We also saw a physical security issue in Saflok electronic locks, which affects hotels in over a hundred countries. Fortra, Apple, and Amazon Web Services had vulnerabilities, too.
IT teams should pay close attention to vulnerability news so they know when and how to patch their business systems. Vulnerability updates also play an important role in revealing vendor transparency or lack thereof.
March 13, 2024
Fortra Vulnerability Could Result in Remote Code Execution
Type of vulnerability: Directory traversal in Fortra’s FileCatalyst workflow, potentially leading to remote code execution.
The problem: FileCatalyst is a solution for transferring files across networks at greater speeds than other protocols, like File Transfer Protocol (FTP). According to Fortra, “A directory traversal within the ‘ftpservlet’ of the FileCatalyst Workflow Web Portal allows files to be uploaded outside of the intended ‘uploadtemp’ directory with a specially crafted POST request.”
If a threat actor manages to upload a file successfully to the DocumentRoot of the web portal, they could use specific JSP files to execute code like web shells, Fortra explained.
While the vulnerability was uncovered last August, Fortra updated its advisory last week, explaining that the CVE had been issued months later because the person who reported the vulnerability requested that one be assigned. The directory traversal vulnerability is tracked as CVE-2024-25153 and has a critical CVSS rating of 9.8.
The fix: Fortra recommends upgrading to FileCatalyst 5.1.6 Build 114 or higher builds, which are the fixed versions of the software.
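The core of the Fortra flaw is an upload handler that lets a client-supplied filename resolve outside the intended directory. As an added example, not Fortra's code, here is how such a handler can detect that condition on incoming requests and how the hardened version refuses anything but a bare filename; the root path and filenames are constructed.

```python
"""Added example (not Fortra's code): how an upload handler decides whether
a client-supplied filename stays inside its intended upload directory.
The directory name 'uploadtemp' follows the advisory; the root path and the
filenames are constructed for illustration."""
import posixpath
from typing import Optional

UPLOAD_ROOT = "/srv/webapp/uploadtemp"  # constructed example path


def naive_target(filename: str) -> str:
    # Weak pattern: joins the client-supplied name directly, so '../'
    # segments resolve to a location outside the upload directory.
    return posixpath.normpath(posixpath.join(UPLOAD_ROOT, filename))


def escapes_upload_dir(filename: str) -> bool:
    # Detection helper for request logs: True when the naive join would
    # land outside UPLOAD_ROOT, i.e. the name is a traversal attempt.
    # Run this on the decoded filename, after any URL/percent decoding.
    target = naive_target(filename)
    return posixpath.commonpath([UPLOAD_ROOT, target]) != UPLOAD_ROOT


def safe_target(filename: str) -> Optional[str]:
    # Hardened pattern: accept only a bare file name (no separators of
    # either flavour, no '.'/'..'), then re-verify the resolved path.
    if (filename in ("", ".", "..") or "\\" in filename
            or filename != posixpath.basename(filename)):
        return None
    candidate = posixpath.normpath(posixpath.join(UPLOAD_ROOT, filename))
    if posixpath.commonpath([UPLOAD_ROOT, candidate]) != UPLOAD_ROOT:
        return None
    return candidate
```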
If your business doesn’t already have a consistent method of identifying vulnerabilities, we recommend investing in a vulnerability scanning solution. Check out our list of the best vulnerability scanners for recommendations and use cases.
March 18, 2024
Ivanti Adds Two More Vulnerabilities to Its Catalog
Type of vulnerability: Remote code execution; server file writes and potential code execution.
The problem: This isn’t Ivanti’s first rodeo in 2024 vulnerability news, and both of this week’s flaws have critical CVSS ratings. The first vulnerability appears in Ivanti Standalone Sentry and is tracked as KB-CVE-2023-41724, with a CVSS rating of 9.6. It allows unauthenticated threat actors on the same network to execute arbitrary commands on the appliance’s underlying operating system.
The Standalone Sentry vulnerability affects versions 9.17.0, 9.18.0, and 9.19.0, as well as older versions of the product.
The second vulnerability appears in Ivanti Neurons for IT Service Management and is tracked as CVE-2023-46808. Its CVSS rating is 9.9. The vulnerability allows authenticated remote users to perform file writes to the Ivanti Neurons for ITSM server.
Ivanti reported that it hadn’t seen active exploits of either vulnerability yet.
The fix: Users can patch supported releases of Standalone Sentry (9.17.1, 9.18.1, and 9.19.1) by going to the standard download portal, where the software patch is available.
For Ivanti Neurons for ITSM, Ivanti reported that all cloud environments have already received the product hotfix. On-premises customers should go to the Ivanti Neurons for ITSM Downloads page and select their respective 2023.X version of the software. If you haven’t upgraded to 2023.X, you’ll need to do so before you can apply the patch to your on-prem environment.
March 21, 2024
Apple M-Series Chip Sees Vulnerability within Silicon
Type of vulnerability: Side channel vulnerability allowing theft of cryptographic key data.
The problem: Recent research on Apple’s M-series of silicon chips revealed a vulnerability within the design of the silicon. Because the vulnerability exists directly within the silicon, it cannot be patched. ArsTechnica compiled the research, which comes from multiple technical researchers at different US universities. The initial researchers titled the attack GoFetch.
According to ArsTechnica, the vulnerability is “a side channel allowing end-to-end key extractions when Apple chips run implementations of widely used cryptographic protocols.” Using a side channel in the Mac chips’ prefetcher, an attacker could potentially steal secret cryptographic key information while the Mac is performing cryptographic operations. The vulnerability affects Mac computers with M-series silicon chips.
The application used in the attack doesn’t need root access, only the standard user privileges that most macOS third-party apps already have. Threat actors can exploit the vulnerability when the target cryptographic process and the malicious application run on the same CPU cluster.
The fix: While the flaw isn’t patchable, ArsTechnica said it could “be mitigated by building defenses into third-party cryptographic software that could drastically degrade M-series performance when executing cryptographic operations, particularly on the earlier M1 and M2 generations.”
Patched AWS MWAA Vulnerability Allowed Account Takeover
Type of vulnerability: One-click account takeover vulnerability.
The problem: A now-patched vulnerability in the AWS Managed Workflows Apache Airflow service would have permitted attackers to take over the management console of their victims’ Airflow instance. Researchers at Tenable uncovered the vulnerability, named FlowFixation, which permitted an account takeover if exploited.
The vulnerability got its name because it came from “a combination of session fixation on the web management panel of the AWS MWAA together with an Amazon AWS domain misconfiguration that leads to cookie tossing,” according to Tenable.
If a threat actor had successfully exploited the vulnerability, they’d be able to force their victims to authenticate their session. They’d also be potentially able to take over their victim’s Airflow web management account.
The Tenable researchers also raised concerns for cloud service providers’ customers, citing cloud services’ shared parent domains — and potential client-side code execution as a service — as a threat. Cloud customers whose instances share the same parent domain are exposed to multiple attacks, including cookie tossing.
The fix: According to Tenable, AWS has patched the vulnerability; however, we did not see a release bulletin from Amazon detailing patch information.
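FlowFixation chains two weaknesses: a login that keeps a session id the client already presented, and a cookie scoped so that a sibling host under the shared parent domain can plant one. The following added example, not Tenable's or AWS's code, shows both weak behaviours beside their fixes (session rotation at login and a `__Host-` scoped cookie); all names and values are constructed.

```python
"""Added example (not Tenable's or AWS's code): a minimal login flow showing
why accepting a pre-set session id enables session fixation, and two
defences that break it: rotating the session id at login and using a
__Host- cookie that a sibling host cannot 'toss'. Names are constructed."""
import secrets
from typing import Dict, Optional


class SessionStore:
    def __init__(self) -> None:
        self.sessions: Dict[str, Optional[str]] = {}  # sid -> user or None

    def new_session(self) -> str:
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = None
        return sid

    def login_fixation_prone(self, presented_sid: str, user: str) -> str:
        # Weak: keeps whatever session id the client presented. If an
        # attacker planted that id beforehand, they now share the session.
        self.sessions[presented_sid] = user
        return presented_sid

    def login_hardened(self, presented_sid: str, user: str) -> str:
        # Fix: discard the presented id and issue a fresh one at login.
        self.sessions.pop(presented_sid, None)
        sid = self.new_session()
        self.sessions[sid] = user
        return sid

    def user_for(self, sid: str) -> Optional[str]:
        return self.sessions.get(sid)


def session_cookie(sid: str) -> str:
    # A __Host- cookie must be Secure, have no Domain attribute and Path=/,
    # so browsers reject a same-named cookie set by a sibling host.
    return f"__Host-session={sid}; Secure; HttpOnly; Path=/; SameSite=Lax"


def cookie_accepts_tossing(set_cookie: str) -> bool:
    # Check on a Set-Cookie header: a Domain attribute (which widens the
    # cookie to the parent domain) or a missing __Host- prefix leaves it
    # open to being overridden by another host under that domain.
    name = set_cookie.split("=", 1)[0].strip()
    attrs = [a.strip().lower() for a in set_cookie.split(";")[1:]]
    has_domain = any(a.startswith("domain=") for a in attrs)
    return has_domain or not name.startswith("__Host-")
```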
March 22, 2024
Millions of Electronic Locks Affected by Unsaflok Vulnerability
Type of vulnerability: Physical premises vulnerability in electronic door locks.
The problem: All Saflok system electronic locks are affected by a vulnerability that impacts “both the key derivation algorithm used to generate MIFARE Classic® keys and the secondary encryption algorithm used to secure the underlying card data,” according to manufacturer Dormakaba. The vulnerability was dubbed “Unsaflok.” Researchers discovered the flaw in September 2022 but didn’t disclose it until March 2024.
The weaknesses within the locks could permit a threat actor to use a pair of forged keycards to access every room in a hotel. While not an obvious direct threat to businesses at the time, access to physical premises like a hotel could lead to hardware compromise and theft.
The fix: While patches were rolled out in November 2023, less than half of the affected locks have been patched — technicians have fixed 36% to date. The vulnerability affects over 13,000 properties in 131 different countries. To fix the vulnerability, technicians have to update the locks’ software, create new keycards, upgrade the front desk software and hardware used to issue cards, and handle any third-party systems, like elevators.