Microsoft addressed an ASCII smuggling issue in 365 Copilot, and Google and Fortra issued critical security patches for actively exploited vulnerabilities in Chrome and FileCatalyst Workflow, respectively. To reduce the potential risks, update all impacted software to the most recent version and evaluate your system processes for potential modifications and security enhancements.

August 26, 2024

SonicWall Identifies Access Control Vulnerability

Type of vulnerability: Improper access control.

The problem: CVE-2024-40766, a critical access control vulnerability with a 9.3 severity level, was discovered in SonicOS on SonicWall systems. This flaw has the potential to bring down the firewall or grant unauthorized access to resources. Devices running SonicWall Firewall Gen5, Gen6, and Gen 7 are vulnerable to network-based threats that require no user interaction or authentication.

The fix: Upgrade to SonicWall’s firmware updates for Gen 5 (to version 5.9.2.14-13o), Gen 6 (to version 6.5.4.15.116n), and Gen 7 (to any version above 7.0.1-5035). Disable WAN management access or limit firewall management access to reliable sources if instant updates aren’t possible.

Traccar Fixes Path Traversal Vulnerabilities

Type of vulnerability: Path traversal.

The problem: Two major vulnerabilities, CVE-2024-24809 (CVSS score: 8.5) and CVE-2024-31214 (CVSS score: 9.7), were discovered in the Traccar GPS tracking system and affect versions 5.1 to 5.12. These path traversal weaknesses may allow unauthenticated attackers to drop malicious files. This can result in remote code execution under particular conditions, especially when you’ve permitted guest registration.

The fix: Traccar resolved these vulnerabilities in version 6, released in April 2024. It blocks self-registration by default, reducing the attack surface. Users should upgrade to Traccar 6 or higher to reduce the hazards. If you can’t update immediately, disable guest registration and unnecessary write access to prevent exploitation.

Versa Networks Patches File Upload Vulnerability

Type of vulnerability: Unrestricted file upload.

The problem: Versa Networks recently fixed a zero-day vulnerability, CVE-2024-39717, in Versa Director, a platform for controlling SD-WAN. This vulnerability, which existed in the “Change Favicon” feature, enabled threat actors with administrative capabilities to deliver malicious files disguised as PNG images. An APT attacker exploited this vulnerability which affected clients who failed to comply with system hardening and firewall standards.

The fix: This zero-day has been added to CISA’s Catalog of Known Exploited Vulnerabilities. Versa Networks advises clients to update their Versa Director installations to the most recent version to mitigate CVE-2024-39717. Furthermore, users should evaluate and follow the suggested system hardening and firewall rules. To check for exploitation, look for suspicious files in the /var/versa/vnms/web/custom_logo/ folder.

Explore how to prepare for zero-day threats. See how it works and the best practices for organizations to mitigate these attacks.

August 27, 2024

Apache Encounters Incorrect Authorization Vulnerability in OFBiz ERP

Type of vulnerability: Incorrect authorization.

The problem: Apache OFBiz, an open-source enterprise resource planning (ERP) system, contains a critical security weakness (CVE-2024-38856) with a CVSS score of 9.8, which allows unauthenticated attackers to execute remote code via a Groovy payload. This vulnerability, now actively exploited in the wild, affects systems used by big corporations worldwide, possibly compromising their sensitive operations.

The fix: To mitigate CVE-2024-38856, update Apache OFBiz to version 18.12.15. Federal agencies must roll out the revisions by September 17, 2024.

In his expert commentary regarding the issue, Greg Fitzgerald, co-founder of Sevco Security, warns that “even when patches are applied, a more insidious threat exists if companies have lost track of vulnerable instances.” Fitzgerald emphasizes an accurate IT asset inventory, citing that many assets remain uncovered by enterprise patch management and vulnerability management systems.

Microsoft Resolves ASCII Smuggling Vulnerability in 365 Copilot

Type of vulnerability: ASCII smuggling.

The problem: A recently patched vulnerability in Microsoft 365 Copilot allowed attackers to obtain sensitive user information via ASCII smuggling. Attackers could employ invisible Unicode characters to conceal harmful material in hyperlinks and exfiltrate data such as MFA codes. The exploit chain featured prompt injection and automatic tool invocation to find sensitive documents.

The fix: Microsoft rectified the vulnerability after disclosure in January 2024. Enterprises should activate data loss prevention and other security controls to limit hazards in AI technologies such as Copilot. Assess your risk tolerance to avoid data breaches from Copilots and safeguard bots with authentication measures.

Google Reveals Actively Exploited Chrome Flaw in V8 Engine

Type of vulnerability: Inappropriate implementation bug.

The problem: Google addressed an actively exploited security flaw in its Chrome browser, known as CVE-2024-7965. The vulnerability occurs from an incorrect implementation error in the V8 JavaScript and WebAssembly engines, which allows remote attackers to exploit heap corruption using crafted HTML pages. 

The bug was found by a security researcher named TheDog. Google hasn’t provided precise data about the assaults, but it has confirmed that the vulnerability is being actively exploited in the wild.

The fix: Google recommends updating Chrome to versions 128.0.6613.84/.85 for Windows and macOS, and 128.0.6613.84 for Linux. This update handles the actively exploited CVE-2024-7965 vulnerability in the V8 engine, preventing heap corruption attacks using manipulated HTML pages.

August 28, 2024

Fortra Patches Critical Access Flaw in FileCatalyst Workflow

Type of vulnerability: Credential exposure.

The problem: Fortra fixed a major vulnerability in FileCatalyst Workflow (CVE-2024-6633) with a CVSS score of 9.8. The vulnerability stems from a static password used for the HSQL database, which allows remote attackers to acquire administrative privileges. This default credential vulnerability jeopardizes program security, integrity, and availability. The issue was made public on July 2, 2024.

The fix: Fortra has published a patch for FileCatalyst Workflow 5.1.7 and later, which addresses the static password issue. Update to this version to mitigate CVE-2024-6633 and fix the high-severity SQL injection bug (CVE-2024-6632) in the setup process.

Cookie theft is another method attackers use to expose your credentials. Reduce this risk, learn how to prevent unauthorized access to your browser, and discover some ways to identify and recover from stolen credential attacks.

August 29, 2024

AVTECH IP Cameras Exploited via Old Command Injection Flaw

Type of vulnerability: Command injection.

The problem: CVE-2024-7029 (CVSS score: 8.7) is a command injection vulnerability in AVTECH IP cameras that permits remote code execution (RCE) using the brightness feature. Threat actors exploited this weakness to incorporate devices into botnets, affecting devices running firmware versions up to FullImg-1023-1007-1011-1009. It was publicly published in August 2024.

The fix: Currently, no patch is available for this issue. Users must examine their camera firmware and seek alternative or extra security steps to reduce risk.

August 30, 2024

Threat Actors Leverage Atlassian Confluence Flaw for Crypto Mining

Type of vulnerability: Remote code execution.

The problem: CVE-2023-22527, a severe RCE vulnerability in Atlassian Confluence Data Center and Server, enables unauthenticated remote code execution. Threat actors use this vulnerability to deploy XMRig miners, target SSH endpoints, and sustain persistence via cron jobs. Exploitation attempts increased significantly between June and July 2024.

The fix: To fix CVE-2023-22527, immediately update the Atlassian Confluence Data Center and Server to the newest versions. This patch addresses the major vulnerability and prevents future exploitation, protecting you against unauthorized remote code execution and illegal cryptocurrency mining.

Exploited Chrome Flaw Triggers Rootkit Deployment

Type of vulnerability: Type confusion.

The problem: CVE-2024-7971 is a high-severity type confusion vulnerability in Chrome’s V8 engine that North Korean actors exploited to execute code remotely. This resulted in the deployment of the FudModule rootkit. Victims of social engineering risked compromised systems and probable data theft.

The fix: Google addressed this flaw, eliminating the risk of remote code execution. To respond to CVE-2024-7971, update Chrome and other Chromium-based browsers to the latest version. Update Windows to solve associated vulnerabilities such as CVE-2024-38106 to avoid further exploitation and rootkit installation.

Read next:

• Vulnerability Recap 8/27/24: SolarWinds, Chrome, AWS
• Vulnerability Management: Definition, Process & Tools

The post Vulnerability Recap 9/2/24 – Big Companies Upgrade vs Risks appeared first on eSecurity Planet.

As always, the best way to get flaws quickly patched is to scan for vulnerabilities frequently and have a plan for fixing and documenting them. Make sure your security teams know their specific role in that process, and have frequent conversations about vulnerabilities so everyone knows what’s going on both in your infrastructure and in the industry overall.

August 19, 2024

Critical WordPress Vulnerability Jeopardizes Millions of Sites

Type of vulnerability: Privilege escalation.

The problem: LiteSpeed Cache, a WordPress plugin designed to reduce caching speeds and optimize page loads, has a vulnerability that affects at least 5 million WordPress instances. A member of security provider PatchStack’s Alliance community discovered the vulnerability and reported it to PatchStack, who then notified LiteSpeed Technologies, the plugin’s developer.

The plugin has a feature that creates a temporary user to crawl sites and cache web pages. “The vulnerability exploits a user simulation feature in the plugin which is protected by a weak security hash that uses known values,” PatchStack said. Unauthenticated users can exploit the weak hashes to escalate their privileges and upload malicious plugins or files.

The fix: Upgrade your LiteSpeed plugin to version 6.4.1, which includes the patch.

August 20, 2024

AWS Application Load Balancer Sees Configuration Issues

Type of vulnerability: Configuration issue leading to authentication bypass.

The problem: Application detection and response provider Miggo discovered a configuration vulnerability in Amazon Web Services’ Application Load Balancer (ALB) authentication feature. If an application is misconfigured as an ALB target group and is directly accessible, a threat actor could bypass ALB and use a shared public key server to set an arbitrary key ID, according to Liad Eliyahu from Miggo. The threat has been nicknamed ALBeast.

Aside from misconfiguration, misimplementation and issuer forgery also put AWS authentication processes at risk. “Until recently, the AWS ALB user authentication docs did not include guidance on validating a token’s signer—a crucial field for ensuring that the token was signed by the trusted ALB,” Eliyahu said. “Without this validation, applications might trust an attacker-crafted token.” An attacker could also forge an authentic token signed by ALBeast.

Applications that are exposed to the internet are particularly vulnerable to this flaw.

AWS updated its documentation after Miggo disclosed the vulnerability to its researchers. Now, an authentication signature needs to be verified and validated. AWS added new code that’s designed to validate the signer — the ALB instance that signs the token — according to Miggo.

The fix: Comply with all relevant documentation from AWS — use the new code they’ve provided to validate signatures. Miggo noted that AWS doesn’t consider issue forgery a formal vulnerability and has decided to reach out to customers with suboptimal configurations instead of changing the entire ALB component.

Learning about vulnerabilities as soon as possible is critical to protect your computer systems and networks, but it can be difficult to do manually. I recommend using a comprehensive vulnerability scanning product to find issues that must be fixed quickly.

August 21, 2024

Upgrade Chrome As Soon As Possible

Type of vulnerability: Type confusion.

The problem: A bug in the V8 JavaScript and Web Assembly engine affects Google Chrome on personal computers. The vulnerability allows remote threat actors to use specifically crafted HTML pages to exploit heap correction. They could potentially use the falsified HTML page to take control of your Chrome instance.

The vulnerability is tracked as CVE-2024-7971. It exists in versions of Chrome prior to 128.0.6613.84.

The fix: Chrome stable channel updates from Google include 128.0.6613.84/.85 for Windows and Mac devices and 128.0.6613.84 for Linux machines. To update to these versions:

• Open the Chrome browser and select the three vertical dots in the right corner.
• Click Help.
• Click About Chrome.
• If Chrome checks for updates and finds one, it will update the browser. Select Relaunch after it updates.

August 23, 2024

Another SolarWinds Web Help Desk Flaw Emerges

Type of vulnerability: Hardcoded credential.

The problem: Last week, I mentioned a Java deserialization flaw in SolarWinds Web Help Desk. This week, researchers have discovered another vulnerability in WHD, this one a hardcoded credential issue. If exploited, it allows an unauthenticated remote user to access the Web Help Desk’s controls and modify its data. Zach Hanley of Horizon3.ai discovered and reported the vulnerability. 

The flaw is tracked as CVE-2024-28987 and has a CVSS score of 9.1.

The fix: SolarWinds has released a hotfix, 12.8.3 number 2, that solves both last week’s remote code execution vulnerability and this week’s credential one.

CISA Adds Versa Director Vulnerability to Catalog

Type of vulnerability: Dangerous file type upload vulnerability. 

The problem: Versa Networks’ Director product has GUI customization options available for users who have Provider-Data-Center-Admin or Provider-Data-Center-System-Admin permissions. According to NIST, a malicious user with those privileges could use the “Change Favicon” option within the GUI to upload a malicious file that has a .png extension.

The file would masquerade as an image file, according to NIST. The exploit is only possible after a user with the correct privileges has logged into the Versa Director GUI successfully. Versa Networks noted that managed service providers are likely to be the main targets.

The vulnerability is tracked as CVE-2024-39717 and has a severity rating of 6.6.

The CISA has added this vulnerability to its catalog of Known Exploited Vulnerabilities (KEV). It has a High severity rating. According to NIST, Versa Networks is aware of one instance where the vulnerability was exploited because the customer didn’t implement older firewall guidelines.

The fix: To remediate CVE-2024-39717, upgrade to one of the following updated versions, with links to the download page provided by Versa Networks:

• 21.2.3: https://support.versa-networks.com/support/solutions/articles/23000024323-release-21-2-3
• 22.1.2: https://support.versa-networks.com/support/solutions/articles/23000025680-release-22-1-2
• 22.1.3: https://support.versa-networks.com/support/solutions/articles/23000026033-release-22-1-3
• 22.1.4: Not affected. 

Additionally, follow all of Versa Networks’ firewall guidelines and hardening best practices.

Double RCE Vulnerabilities Affect GPS Tracking Tool Traccar

Type of vulnerability: Path traversal leading to potential remote code execution.

The problem: Open-source GPS tracking solution Traccar has two path traversal vulnerabilities that could allow unauthenticated threat actors to execute code remotely. According to Horizon3.ai researcher Naven Sunkavally, Traccar is vulnerable when guest registration is enabled, which is its default configuration.

Traccar allows users to register their devices to be tracked, and Traccar shows their location when the devices communicate with the Traccar server. In version 5.1 of the solution, an image upload feature allows users to upload a picture of their device, but Traccar’s code has vulnerabilities in managing image file uploads.

The first vulnerability is tracked as CVE-2024-24809 and has a CVSS score of 8.5, with a high rating. The second is tracked as CVE-2024-31214 and has a critical CVSS score of 9.7. Both allow remote code execution if exploited.

“The net result of CVE-2024-31214 and CVE-2024-24809 is that an attacker can place files with arbitrary content anywhere on the file system,” Sunkavally said. “However, an attacker only has partial control over the filename.” The filename has to be a particular structure for the attackers to be successful.

The fix: Sunkavally recommends upgrading to Traccar 6. Alternatively, you can switch the registration setting to false so user self-registration isn’t automatically enabled.

Read next:

• Vulnerability Recap 8/20/24 – Microsoft Has the Spotlight This Week
• Best Vulnerability Management Software & Systems

The post Vulnerability Recap 8/27/24 – Wide Range of Vulnerabilities This Week appeared first on eSecurity Planet.

How Does Cookie Stealing Work?

Attackers steal cookies through phishing, malware, and MITM attacks, resulting in data theft, financial loss, and identity theft. Understanding the implications, prevention, and recovery procedures can enhance the protection of your accounts and personal information. Long-term threats need a serious effort to secure stolen data and safeguard your privacy against further misuse.

1. Launch the Initial Attack Vector

Attackers will send you phishing emails or develop fake websites that appear legitimate, deceiving you into entering your login information. They may also use flaws in websites you visit to install malware on your device that extracts cookies from your browser. This enables attackers to access your accounts, exposing you to illegal access and data theft.

2. Deploy Information-Stealing Malware

Malicious actors deliver malware via phishing emails that you open or by exploiting software flaws. Once installed, the malware hits your browser, whether Chrome, Firefox, or Brave, and extracts cookies and sensitive data. Without your knowledge, this virus captures your session and personal information, placing you in danger of account takeovers and data breaches.

3. Execute a Man-in-the-Middle (MITM) Attack

While surfing on unprotected public Wi-Fi, cybercriminals intercept the communication between the browser you’re using and the website you’re on. Without encryption, they can monitor your connection and steal your session cookies, allowing them to hijack your accounts. This exposes you to fraudulent transactions and account misuse when doing sensitive tasks on public networks.

4. Perform Session Hijacking

Attackers may take over your active session by collecting session cookies if you remain logged in to sites or apps. Hackers may conceal dangerous malware in photos or links on insecure websites that you visit. When you click on these links, the code becomes active, allowing them to overcome your login processes, including multi-factor authentication, and potentially get unwanted access to your personal and financial information.

5. Exploit Stolen Cookies

After obtaining your cookies, attackers can sell them on dark web marketplaces or use them for other illegal activities. They may update your account settings, make illicit transactions, or install other types of malware on your device. You may face long-term implications, such as identity theft and financial loss, prompting lengthy efforts to safeguard your compromised accounts and personal information.

Risks & Implications of Cookie Theft

Cookie theft carries serious consequences, including identity theft, financial loss, and illegal access to accounts. Attackers use stolen cookies to conduct unlawful transactions, violate privacy, and harm reputations. The repercussions can be difficult to discover and recover from, resulting in long-term consequences such as legal challenges, productivity loss, and continued exploitation of sensitive data.

Identity Theft

Identity theft happens when attackers utilize stolen cookies to obtain personal information such as names, addresses, or financial information. With this information, they can impersonate you, open credit accounts, and engage in fraudulent activities. The long-term consequences include destroyed credit, financial loss, and the significant time and effort required to recover your identity.

Financial Loss

Hackers can use stolen cookies to gain access to your financial accounts, make fraudulent transactions, or transfer funds. This might result in sudden financial losses, depleted bank accounts, and maxed-out credit cards. Recovering these funds can be difficult, and you may encounter legal or financial issues as a result.

Unauthorized Access

Once attackers hijack your cookies, they have illegal access to your online accounts. This can comprise personal, financial, or professional accounts that can access, alter, or remove sensitive data. Violating privacy and control over your accounts might result in substantial data loss or misuse.

Illegal Transactions

Stolen cookies allow attackers to carry out illegal activities, such as making purchases, transferring money, or changing account information. These activities can cause immediate financial harm, disturb your financial management, and result in disputes with financial institutions, thereby lowering your credit score.

Loss of Privacy

Attackers who gain access to your cookies may expose personal information such as browsing history, messages, and login information. This violation of privacy may reveal vital information, leaving you open to future assaults or exploitation. The loss of privacy can cause personal and emotional pain.

Damage to Your Reputation

If attackers exploit your stolen cookies to assume your identity online, they might release improper content or engage in fraudulent activity in your name. This can harm your personal or professional reputation, resulting in loss of trust, social ramifications, and possible career consequences.

Legal Consequences

Businesses that neglect to secure user cookies may face legal consequences if they are stolen and result in data breaches. The potential legal implications can include fines, lawsuits, and compliance. If the stolen identity is used for illegal activities, it may also lead to legal complications for that individual.

Productivity Loss

Dealing with the aftermath of cookie theft takes a significant amount of time and work, whether you’re regaining access to accounts or dealing with security breaches. This decrease in productivity may interfere with your everyday activities, cause stress, and result in missed opportunities or delayed tasks.

Vulnerability of Sensitive Data

Cookies frequently hold sensitive data, such as login credentials and personal information. If this data is stolen, it becomes vulnerable to misuse by hackers, potentially leading to more exploitation, illegal access to other accounts, and worse security breaches.

Difficulty in Detection

Cookie theft is often difficult to detect because attackers can operate without leaving visible evidence. The lapse in detection enables attackers to continue exploiting your accounts or data, causing more extensive damage before you’re even aware of the breach.

How Do You Know If You’re Being Targeted?

Early detection of cookie theft helps protect your online accounts and personal information. Understanding the subtle signs of compromised cookies can help you take quick action to secure your network and data further or avoid identity theft and financial implications.

You may be a victim of cookie theft if you: 

• Detect suspicious account activity: Look for unauthorized logins, posts, or transactions on your online profiles that you did not initiate.
• Receive unexpected password reset notifications: Identify unrequested password reset messages as potential evidence of exploited access.
• Discover unforeseen changes to settings: See if your email addresses, phone numbers, or credentials have been changed without your permission.
• Experience repeated logouts: Observe if you’re constantly and abruptly getting logged out of an account, as it may be a sign of session hijacking.
• Get unusual login notifications: Look for alerts regarding logins from unknown devices or places, which could indicate unwanted access.
• Spot strange network traffic: Monitor unexpected data transfers or connections to unknown servers, which may indicate cookie-related compromises.
• Observe random browser behavior: Notice if your browser redirects to suspicious sites or behaves weirdly. This could indicate unwanted interference.
• Receive security software alerts: Inspect any antivirus or security software alerts regarding detected network threats or suspicious activities in your browser.
• Notice increased spam or phishing messages: Examine if there’s a surge in spam or phishing attempts that could be targeting accounts via stolen cookies.
• Find unidentified devices in security logs: Look for new devices in your account’s security settings that you don’t recognize, which could indicate unauthorized access.

9 Ways to Prevent Cookie Stealing

Implement critical security measures such as establishing secure cookie flags, implementing SSL/TLS for encrypted sessions, and deploying strong firewalls. Enhance account security using Two-Factor Authentication (2FA), enforce strong password restrictions, and regularly update software to protect against possible threats.

Use Secure Cookie Flags

Configure cookies using security options like Secure and HttpOnly. The Secure option ensures that cookies are exclusively transferred via HTTPS, whereas the HttpOnly flag prohibits cookies from being accessible by client-side scripts. This lowers the chance of cookies being taken via unencrypted connections or cross-site scripting (XSS) attacks.

Deploy a Firewall

Install a reliable firewall to prevent malicious communications and safeguard against exploitation. Firewalls monitor incoming traffic, flag questionable requests, and enforce security policies to prevent unwanted access and session hijacking attempts. This protects your website from potential cookie theft threats and improves overall security.

Utilize SSL/TLS

Secure your website with HTTPS by using SSL/TLS certificates to encrypt data sent between users and servers. Encryption makes it nearly impossible for attackers to intercept and steal session cookies, keeping critical information safe during transmission and improving overall data security.

Apply 2FA or MFA

Increase account security by using two-factor authentication (2FA) or multi-factor authentication (MFA). While cookie theft may bypass MFA, this extra verification step can still provide significant protection. Requiring a second form of authentication in addition to passwords makes it far more difficult for attackers to access accounts, even if session cookies are compromised.

Adopt Strong Password Policies

Encourage the use of strong, unique passwords and implement standards for regular password upgrades. Enforcing complexity criteria and making regular adjustments lessens the risk of password breaches and the chance of attackers using stolen cookies to gain unauthorized access.

Update Website Software Regularly

Keep your website’s WordPress, themes, and plugins up to date. Regular updates fix security flaws that could be used to steal cookies. By installing the most recent updates and security fixes, you lessen the likelihood of attackers exploiting outdated programs to compromise session cookies.

Train Your Admin & Staff

Educate admin and other personnel on the dangers of session hijacking and the effective practices for prevention. Ensuring that they learn secure practices and recognize potential threats reduces risks. It also encourages the organization’s culture of adhering to security measures to prevent cookie theft and other common security risks. 

Beware of Phishing & Risky Websites

Stay alert for phishing attempts and avoid dangerous websites. Phishing scams and rogue websites can spread cookie-stealing software. Examine emails, texts, and site links thoroughly to avoid unintentional exposure to cookie theft and other cyber risks.

Clear Cache Regularly

Make it a practice to clear your browser’s cache and cookies periodically. This method helps to erase any potentially compromised cookies and reduces the impact of cookie theft. Regular cache emptying prevents malware impact and ensures that it has fewer resources to exploit even if it exists.

How to Recover from Cookie Theft

To recover from cookie theft, website administrators should do a security scan with a program to delete any detected risks. Then, invalidate active sessions, update passwords and security keys, and then refresh the website software. End users should change their passwords, clean their browser cache, enable two-factor authentication, monitor their accounts, and update their security settings.

Recovery Methods for Website Admins

Website administrators should apply these recovery techniques to manage and resolve cookie theft concerns successfully:

• Run a security scan: Use a reliable security tool like antivirus to scan your website thoroughly. Examine the scan results to detect and pinpoint any harmful code or vulnerabilities.
• Get rid of malicious codes: Utilize your security plugin or malware removal program to quarantine or delete any discovered risks. Run another scan to confirm complete removal, then update your security settings to avoid future infections.
• Disable active sessions: Go into your admin dashboard and log out all active users. The process invalidates stolen cookies and prevents unwanted access. Inform users that they must log in again using their changed credentials.
• Configure authentication credentials: Change all user and admin passwords. Review the WordPress salts and security keys in the wp-config file to remove all existing sessions and require users to log in again.
• Refresh website software: Verify and deploy updates to all plugins, themes, and core software. Ensure that all updates are properly installed to fix security vulnerabilities and guard against future attacks.

Recovery Methods for End Users

End users should follow these measures to secure their accounts and reduce the possibility of cookie theft: 

• Update passwords: For all affected accounts, replace the passwords immediately. To prevent future illegal access, use a password manager to create strong, unique passwords.
• Clear browser cache: To remove possibly compromised cookies and cached data, clear your browser’s cache and cookies. This step helps to remove any residual session data.
• Activate two-factor authentication (2FA): Turn on 2FA on your accounts to offer an extra degree of security. Configure 2FA in your account’s security settings to make illegal access more difficult.
• Keep track of account activity: Check your account activity regularly for any indications of unusual conduct or fraudulent activities. Report any odd activities to the service provider right at once.
• Adjust security settings: Review and improve your account’s security settings. Confirm that security measures such as security questions and email verification are up to date and correctly configured.

Frequently Asked Questions (FAQ)

What Are the 2 Types of Cookies?

Cookies are classified into two types: session cookies, which disappear when the browser is closed and are used for session activities; and persistent cookies, which remain on the device after the browser is closed and save data such as login credentials and site preferences for future visits.

How Do Cookies Track You?

Cookies track users by assigning them a unique identification that’s kept in the cookie. First-party cookies store user-specific information for a single site, whereas third-party cookies track activity across several sites. This enables individualized experiences and larger online behavior tracking, which is commonly used for targeted advertising and analyzing user habits.

Can Cookies Steal Passwords?

Cookies can’t steal passwords; nonetheless, they can be hijacked. In attacks such as session hijacking, hackers use cookies to get access to sensitive data, including passwords. Once they obtain this information, criminals can potentially steal money or compromise online accounts, thus, it’s critical to protect cookies from unwanted access.

Bottom Line: Mitigate the Risks of Cookie Theft

Cookies track and collect information, causing privacy concerns. Cookie theft can jeopardize your online security, and recovery might be difficult once it occurs. To avoid potential headaches dealing with cookie theft, prioritize prevention. Enhance network security by employing strong passwords, strengthening authentication methods, and keeping your software updated and monitored.

Preventing cookie theft is a critical part of network security, but additional measures should also be applied for your comprehensive protection. Explore our detailed guidelines on how to secure a network to learn more about effective network protection.

Julien Maury contributed to this article.

The post Cookie Theft: What Is It & How to Prevent It appeared first on eSecurity Planet.

August 12, 2024

Ivanti Runs Into Snag With Virtual Traffic Manager

Type of vulnerability: Authentication bypass. 

The problem: Ivanti Virtual Traffic Manager has a vulnerability that could lead to authentication bypass and subsequent creation of an administrator when exploited. According to the National Institute of Standards and Technology, the vulnerability stems from an incorrect implementation of authentication algorithms and exists in all vTM versions except 22.2R1 and 22.7R2.

“Customers who have ensured their management interface is bound to an internal network or private IP address have significantly reduced their attack surface,” the Ivanti notice reads. The vendor didn’t notice any active exploits when it released the security notice.

The flaw is tracked as CVE-2024-7593 and has a CVSS score of 9.8, a critical rating. 

The fix: Ivanti recommends updating Virtual Traffic Manager to the latest version, which you can do by logging into the Ivanti standard downloads portal.

August 13, 2024

Microsoft Patch Tuesday Sees Elevation of Privilege Vulnerability

Type of vulnerability: Multiple, including elevation of privilege.

The problem: Last week, Microsoft’s monthly Patch Tuesday announced 90 new CVEs, including multiple zero-day vulnerabilities. According to Trend Micro Zero Day Initiative researcher Dustin Childs, Microsoft listed four of the CVEs as public, and six are being actively exploited. That’s unusual for a single release, he said.

One of the vulnerabilities highlighted in Patch Tuesday was an elevation-of-privilege flaw in Windows Update. According to Microsoft, the vulnerability allows a threat actor with basic privileges to reintroduce old vulnerabilities that had already been mitigated. The attack would also need “additional interaction by a privileged user to be successful.”

The vulnerability is tracked as CVE-2024-38202 and has a severity score of 7.3.

The fix: There isn’t an official mitigation strategy for the EoP vulnerability yet; Microsoft will update its security notice whenever it releases a patch or other fix.

Patch Tuesday Lineup Also Includes RCE Flaw

Type of vulnerability: Remote code execution.

The problem: Microsoft discovered a vulnerability in Transmission Control Protocol (TCP) / Internet Protocol (IP) that affects Windows machines running IPv6. This vulnerability also belonged to the month’s Patch Tuesday roundup and is one of the more severe flaws patched recently, with a CVSS score of 9.8.

“An unauthenticated attacker could repeatedly send IPv6 packets, that include specially crafted packets, to a Windows machine which could enable remote code execution,” the notice said. Microsoft Security Response Center announced the vulnerability and instructed users to patch it. The flaw affects Windows Server, Windows 10, and Windows 11.

The fix: Install the most recent Windows security updates, which have the vulnerability patched. While disabling IPv6 is a possible fix, it’s not recommended, since that could stop other Windows components from working properly.

If your team is overwhelmed by new vulnerabilities, check out our guide to the best vulnerability scanners. These products automatically search your systems for flaws, based on known vulnerabilities.

August 15, 2024

SolarWinds Flaw Should Be Immediately Patched

Type of vulnerability: Deserialization, leading to remote code execution.

The problem: SolarWinds Web Help Desk is vulnerable to a Java deserialization flaw that allows remote threat actors to execute code on hosts. Researchers reported the issue to SolarWinds as an unauthenticated vulnerability, but according to Tenable, SolarWinds hasn’t been able to recreate the exploit without authentication, so it’s likely a difficult flaw to exploit. The vulnerability is tracked as CVE-2024-28986 and has a base CVSS score of 9.8.

The fix: Tenable recommends patching your instance of Web Help Desk despite SolarWinds’ inability to reproduce the exploit without authentication. Install Web Help Desk version 12.8.3 first, and then install the hotfix once you’ve updated the software.

Third-Party Application Package Installed on Pixel Devices

Type of vulnerability: Third-party application package installed on Pixel device firmware, with insufficient security controls.

The problem: Mobile security vendor iVerify’s EDR product discovered an unsecured Android device at data analytics firm Palantir Technologies. Researchers investigating the threat found an Android application package, Showcase.apk, that’s part of the device firmware. When it’s enabled, the package allows threat actors to access the operating system.

This vulnerability also opens Androids to code injection, man-in-the-middle attacks, and spyware, according to iVerify’s blog post about the vulnerability. The application runs with too-high privileges, and it’s installed on many Pixel devices that have been shipped for the past seven years.

iVerify notified Google about the vulnerability, and Google plans to release an update that removes Showcase.apk from its Pixel phones. Palantir Technologies plans to phase out Android phones and begin using Apple devices after performing the investigation.

The fix: If you have a Pixel phone, update to the newest operating system as soon as Google releases it. If you have a different Android phone, watch for new versions and update your phone immediately when the next version is released.

Entra ID Vulnerability Affects Hybrid Environments

Type of vulnerability: Authentication bypass.

The problem: Researchers at security firm Cymulate have discovered a vulnerability within Microsoft Entra ID, the product recently known as Azure Active Directory (AAD). This is the cloud-based version of Active Directory, not the on-premises one (which is known simply as Active Directory). The flaw occurs when Entra ID users are syncing multiple on-prem Active Directory domains to one Microsoft Azure tenant, which is in the cloud.

“This issue arises when authentication requests are mishandled by pass-through authentication (PTA) agents for different on-prem domains, leading to potential unauthorized access,” Cymulate’s report said. Threat actors manipulate credential validation and then don’t have to submit to typical security checks. 

“This vulnerability effectively turns the PTA agent into a double agent, allowing attackers to log in as any synced AD user without knowing their actual password; this could potentially grant access to a global admin user if such privileges were assigned.”

This can happen regardless of the threat actor’s initial Active Directory domain and allow them to move to another on-prem domain, Cymulate researchers Ilan Kalendarov and Elad Beber said. The researchers reported the issue to Microsoft in July. As of the release of Cymulate’s report, there’s no current estimated timeline for the fix.

The fix: Despite that, Cymulate recommends some mitigation strategies for this vulnerability, including enabling two-factor authentication for all synced users. They also remind customers that following Microsoft’s Secure Privilege Access guide helps harden the Microsoft Entra Connect Server.

August 17, 2024

Linux Vulnerability Affects Kernel’s Memory Allocation

Type of vulnerability: Linux DMA allocation.

The problem: Researchers discovered and fixed a vulnerability within the Linux kernel’s Direct Memory Access (DMA) allocation process. The flaw exists in the dmam_free_coherent() function and requires the call order to be fixed.

The dmam_free_coherent() function frees a DMA allocation. The freed vaddr is then available to be reused and then calls the devres_destroy() function to remove and free the data structure that tracks the DMA allocation. Between the two calls, a concurrent task could make an allocation with the same vaddr and add it to the devres list.

“If this happens, there will be two entries in the devres list with the same vaddr and devres_destroy() can free the wrong entry, triggering the WARN_ON() in dmam_match,” said the advisory.

The fix: This vulnerability is solved by destroying the devres entry before freeing the DMA allocation, according to the GitHub advisory posted for the vulnerability.

Read next:

• Vulnerability Recap 8/13/24 – Old Vulnerabilities Unexpectedly Emerge
• Best Vulnerability Management Software & Systems in 2024

The post Vulnerability Recap 8/20/24 – Microsoft Has the Spotlight This Week appeared first on eSecurity Planet.

The other major news — which could affect both businesses and individuals — is a zero-day vulnerability found in most major web browsers on both Mac and Linux machines. You’ll want to update your computer as soon as you learn about this — I certainly did. Look at our rundown, and make sure your security teams are apprised of any relevant vulnerabilities from this past week’s news.

August 5, 2024

Another Apache OfBiz Vulnerability to Watch

Type of vulnerability: Remote code execution.

The problem: Last week, I mentioned a path traversal vulnerability in the open-source framework Apache OfBiz that had been patched earlier in the year but was more recently being exploited. This new OfBiz flaw is a separate one. It’s tracked as CVE-2024-38856 and allows a threat actor to use a specifically created request to execute code on endpoints without authorization.

The vulnerability has a CVSS severity rating of 9.8 and affects all versions of Apache OfBiz up to 18.12.14.

The fix: Upgrade to version 18.12.15.

August 7, 2024

18-Year-Old Browser Flaw Requires Immediate Updates

Type of vulnerability: Zero-day code execution.

The problem: Researchers from application security vendor Oligo recently discovered a web browser vulnerability 18 years in the making. The flaw allows threat actors to fingerprint and identify browser users and to use an IP address of 0.0.0.0 to execute unauthorized code. The vulnerability applies to all major browsers running on macOS and Linux systems but not on Windows.

“Public websites (like domains ending in .com) are able to communicate with services running on the local network (localhost) and potentially execute arbitrary code on the visitor’s host by using the address 0.0.0.0 instead of localhost/127.0.0.1,” Oligo researcher Avi Lumelsky said.

According to Oligo, the initial vulnerability, designed to identify browser users for legitimacy, also allows threat actors to fingerprint users by port-scanning them. By the time this was recognized as a major threat, it already existed in most browsers and would be quite challenging to solve, Lumelsky explained.  

The fix: If you use Google Chrome, click the three vertical dots at the top of the right corner of the browser window. Select “Help” and then “About Google Chrome.” From there, select the option to upgrade to a new browser. If you see “Relaunch,” click that, or Chrome may relaunch the browser automatically after closing the windows.

If you use Safari, click the Apple icon to open the menu and choose “System Settings.” Select “General” and then “Software Update.” Select “Update Now” if there’s a new update available, and follow any further instructions.

Microsoft Edge users should open the browser and select the three dots in the upper right-hand corner. Then, choose “Help and feedback” and select “About Microsoft Edge.” If there are updates available, Edge should automatically perform them. Then, you’ll need to restart Edge as prompted to apply those software updates.

If you use Mozilla Firefox, open Firefox and select the three horizontal lines at the top right of the browser. Click “Help” and then “About Firefox,” where Firefox will execute any available updates automatically. After the update process, select “Restart to Update Firefox.”

For further details on updating your browsers, Fox News provides instructions here.

If your security team has started to feel overwhelmed by tracking down vulnerability news, consider a scanning product that helps automate vulnerability tracking procedures. We’ve selected the best vulnerability scanners for businesses so you can pick a good option for your team.

Sinkclose Vulnerability Affects 18 Years of Processors

Type of vulnerability: Improper validation and potentially arbitrary code execution.

The problem: This week, we have not one but two 18-year-old vulnerabilities: researchers at IOActive discovered a flaw in AMD central processing units that has existed in processors made as early as 2006. It’s only just now been discovered and is known as Sinkclose. If exploited, the vulnerability would allow a threat actor to execute their own code within the processor’s firmware using System Management Mode (SMM). This can happen even when SMM is locked.

To successfully complete the attack, the malicious program would need to have access to  ring0, which is the layer of the firmware with the highest privileges and with access to the system kernel. The threat actor must get there first before they can exploit this flaw; this could be part of the reason it hasn’t been heavily exploited. The vulnerability is tracked as CVE-2023-31315 and has a CVSS score of 7.5.

The fix: AMD will patch some of its processors but not all; check out AMD’s security bulletin for a list of hardware that will receive a patch.

Windows Downgrade Attack Puts Operating System in Danger

Type of attack: OS version rollback.

The problem: A recently discovered flaw in Windows systems allows threat actors to roll operating systems back to older versions that have vulnerabilities in them. The researcher who discovered the flaw six months ago, Alon Leviev, presented his findings at the Black Hat conference last week. He was able to use the Windows Updates function to create OS downgrading updates and bypass the verification steps typically required for a system update.

“Armed with these capabilities, we managed to downgrade critical OS components, including DLLs, drivers, and even the NT kernel,” Leviev said. “Afterwards, the OS reported it’s fully updated, unable to install future updates, with recovery and scanning tools unable to detect issues.”

The vulnerability also applied to Microsoft Hyper-V, the vendor’s hypervisor for supporting virtual environments. Leviev was able to downgrade Hyper-V, as well as the Isolated User Mode process within Windows Credential Guard.

In this scenario, a computer that appears to be fully patched could actually be running an older operating system with multiple open vulnerabilities.

Microsoft hasn’t officially spoken on the vulnerability, but it published advisories for CVE-2024-38202 and CVE-2024-21302 around the same time that Leviev presented at Black Hat.

The fix: The vendor currently offers no solution. If your business uses Windows, restrict administrative privileges as much as you can and require password resets as soon as possible.

August 10, 2024

Google Quick Share Has 10 Flaws on Windows

Type of vulnerability: 

The problem: SafeBreach researchers discovered 10 different vulnerabilities in Google Quick Share, a wireless data transfer utility. When put together, some of them could lead to remote code execution attacks against Quick Share on Windows machines. This potential attack chain is now known as QuickShell.

The vulnerabilities included remote unauthorized file writes, remote forced Wi-Fi connection, and remote denial-of-service. According to SafeBreach, Google has fixed all the vulnerabilities and issued two CVEs: CVE-2024-38271 and CVE-2024-38272.

According to the researchers, a significant portion of the application code resides in an open-source repository, which could make it a valuable target for threat actors.

The fix: Google has fixed the flaws, so update your Android, Windows, and Chrome systems to the most recent versions.

August 12, 2024

OpenSSH Flaw Opens the Door for RCE

Type of vulnerability: Remote code execution.

The problem: OpenSSH, a network utilities suite based on the Secure Shell protocol, has a signal safety flaw, according to researchers at FreeBSD. FreeBSD, an open-source operating system project, released a security bulletin about the vulnerability, which occurs in a signal handler in sshd(8). According to the researchers, the logging function that the handler calls isn’t automatically async-signal-safe.

“The signal handler is invoked when a client does not authenticate within the LoginGraceTime seconds (120 by default),” FreeBSD said in its notice. “This signal handler executes in the context of the sshd(8)’s privileged code, which is not sandboxed and runs with full root privileges.”

If exploited, the vulnerability allows a threat actor to execute remote code as root in OpenSSH. This affects the safety of OpenSSH’s encryption and transport security features.

The vulnerability is tracked as CVE-2024-7589 and has a CVSS score of 7.4.

The fix: FreeBSD instructs users to upgrade their system to a supported FreeBSD stable or release / security branch (releng) from after the date the flaw was fixed. After you’ve upgraded, restart sshd. FreeBSD provides more specific upgrade details as well.

Read next:

• Vulnerability Recap 8/5/24 – Already-Fixed Flaws Are Still Targeted
• Best Vulnerability Management Software & Systems in 2024

The post Vulnerability Recap 8/13/24 – Old Vulnerabilities Unexpectedly Emerge appeared first on eSecurity Planet.

July 31, 2024

Mirai Botnet Targets Apache OfBiz 

Type of vulnerability: Path traversal.

The problem: Apache OfBiz, a Java-based framework for developing enterprise resource planning (ERP) apps, had a path traversal vulnerability in May of this year. The update released for the flaw, which affected OFBiz versions before 18.12.13, fixed the issue. Recently, researcher Johannes Ulrich has seen increased activity against the vulnerability. In particular, the Mirai Botnet has been attacking it.

The flaw is tracked as CVE-2024-32113. Ulrich explained the attacker’s process when exploiting the vulnerability:

“The directory traversal is easily triggered by inserting a semicolon. All an attacker has to find is a URL they can access and append a semicolon followed by a restricted URL. The exploit URL we currently see is:

/webtools/control/forgotPassword;/ProgramExport

“forgotPassword” does not require any authentication and is public. “ProgramExport” is interesting because it allows arbitrary code execution.”

The threat actor would have to use a POST request to exploit the flaw sufficiently, Ulrich said, but they don’t automatically need a request body.

The fix: Upgrade your instance of Apache OfBiz to ​​version 18.12.13.

Android Weakness Exploited by Malware for Over Two Years

Type of vulnerability: Read permission given to malicious applications on Android devices.

The problem: Researchers at mobile security firm Zimperium discovered a malware campaign against Android devices in 2022 and have continued to track the malware since then. The campaign is SMS stealing, targeted at one-time passwords sent through text, so threat actors can use them to access accounts that they aren’t authorized to access.

The zLabs team has identified more than 107,000 malware samples throughout its research of over two years. They found that typically, a victim is fooled into sideloading an application onto the phone through a falsified app store or a similar tactic, and the application requests read permission for SMS messages on the device, which Android allows. Once the malware is on the Android device, it hides in wait and monitors SMS messages, looking for OTPs in particular.

The fix: There is currently no clear patch or redirect from the vendor. Zimperium mentions the importance of increasing enterprise mobile security measures. If you have an Android device, I recommend using an email address to receive one-time passwords instead of a phone number whenever possible.

Apple Fixes Multiple Vulnerabilities in Siri

Type of vulnerability: Access to sensitive information via voice prompts.

The problem: The mobile security issues continue, this time with Apple. The vendor recently patched vulnerabilities in Apple Watch, iPadOS, and iOS that could allow a threat actor to take sensitive data from a locked mobile device. Four of the vulnerabilities were related to Siri, Apple’s voice assistant. Malwarebytes released a security notice emphasizing the dangers of Siri’s ability to respond to voice commands from a locked device screen.

“Apple has restricted these options to stop an attacker with physical access from being able to access contacts from the lock screen and access other sensitive user data,” Malwarebytes said.

The fix: Update to iOS 17.6 or iPadOS 17.6 if you haven’t already.

August 1, 2024

Rockwell Automation Flaw Has Been Fixed

Type of vulnerability: Security bypass.

The problem: Security research firm Claroty found a vulnerability in Rockwell Automation ControlLogix 1756 devices that allowed an attacker to bypass Rockwell’s trusted slot feature. This capability is designed to enforce security on the devices and block communications on the local chassis if they happen on untrusted paths.

Claroty wrote in its report, “The vulnerability we found, before it was fixed, allowed an attacker to jump between local backplane slots within a 1756 chassis using CIP routing, traversing the security boundary meant to protect the CPU from untrusted cards.”

The threat actor needs network access to exploit the vulnerability in the devices. If successfully exploited, the threat actor could bypass the controls and send commands to the PLC CPU, Claroty said. The vulnerability affects ControlLogix, GuardLogix, and 1756 ControlLogix I/O modules.

Claroty disclosed the vulnerability to Rockwell, which then fixed the flaw.

The fix: Rockwell Automation provided the following table with the fixed firmware versions for each affected product.

If your team needs more consistent vulnerability information in a faster timeframe, check out our picks for the best vulnerability scanners, which can help you more quickly identify what to patch and protect.

VMware eSXI Vulnerability Still Being Exploited

Type of vulnerability: Authentication bypass.

The problem: A vulnerability affecting VMware eSXI hypervisors was patched recently but has seen multiple ransomware exploits. If a threat actor has sufficient Active Directory permissions, they could get full access to the eSXI host if it had previously been configured to use Active Directory to manage users. According to NIST’s National Vulnerability Database, the threat actor would recreate the eSXI Admin group on AD after it was deleted.

Microsoft researchers discovered the vulnerability and announced it in a research report last week. They disclosed the vulnerability to VMware through a coordinated vulnerability disclosure (CVD). 

eSXI hypervisors sometimes host virtual machines, which may support critical workloads and servers. Microsoft said, “In a ransomware attack, having full administrative permission on an ESXi hypervisor can mean that the threat actor can encrypt the file system, which may affect the ability of the hosted servers to run and function. It also allows the threat actor to access hosted VMs and possibly to exfiltrate data or move laterally within the network.”

The vulnerability is tracked as CVE-2024-37085. It has a CVSS score of 7.2 from NIST and a base score of 6.8 from VMware.

The fix: Make sure you’ve patched any eSXI hypervisors, and also use two-factor authentication to make it harder for threat actors to gain unauthorized access.

August 5, 2024

Windows Security Features Have Multiple Flaws

Type of vulnerability: Security bypass.

The problem: Microsoft Windows’ Smart Screen and Smart App Control features have a number of security issues, which Elastic Security Labs reported earlier today. These flaws can lead to “initial access with no security warnings and minimal user interaction,” according to the researchers. No security popups or warnings will alert users that the attacker has gotten access, either, making this challenging to detect.

Smart Screen examines web pages for potential security issues and sends a warning notice to users if it finds one. Smart App Control predicts whether an application is safe to run on the computer system where it’s installed and blocks it if not.

The fix: Elastic Security Labs recommends that teams carefully study downloads happening on their computer system and avoid relying only on OS security features.

Read next:

• Vulnerability Recap 7/29/24 — Multiple Old Security Flaws Reappear
• Best Vulnerability Management Software & Systems in 2024

The post Vulnerability Recap 8/5/24 – Already-Fixed Flaws Are Still Targeted appeared first on eSecurity Planet.

If you’re part of an IT or security team responsible for handling vulnerabilities, make sure your team has a way to be immediately updated when new issues arise. Having a clearly defined process for mitigating vulnerabilities decreases the opportunity threat actors have to exploit them.

July 23, 2024

CISA Adds Two Vulnerabilities to Catalog

Type of vulnerability: Use-after-free and information disclosure.

The problem: The Cybersecurity and Infrastructure Security Agency (CISA) just added two vulnerabilities to the Known Exploited Vulnerabilities (KEV) catalog. The first is a use-after-free vulnerability from 2012, tracked as CVE-2012-4792, that affects Microsoft’s Internet Explorer, a browser that’s now rarely used.

According to the catalog listing, the vulnerability “allows a remote attacker to execute arbitrary code via a crafted web site that triggers access to an object that (1) was not properly allocated or (2) is deleted, as demonstrated by a CDwnBindInfo object.”

The second vulnerability is an information disclosure vulnerability within Twilio Authy’s API. It’s tracked as CVE-2024-39891 and allows an unauthenticated endpoint to accept requests with a phone number and respond with data about the phone number’s registration status with Authy.

The fix: The CISA recommends disabling Internet Explorer since it’s an end-of-life product.

Twilio recommends that Authy users update their versions of the Android and iOS Authy apps to the most recent version, which has fixed the bug.

If your business needs a more consistent method of identifying vulnerabilities, consider a scanning product for your full IT infrastructure. Check out our list of the best vulnerability scanners to see which one would be a good fit for your team.

Fortinet Identifies Windows SmartScreen Security Bypass Issue

Type of vulnerability: Security bypass.

The problem: A Fortinet-discovered Windows vulnerability could allow a remote threat actor to bypass Microsoft Windows SmartScreen security warnings and deliver maliciously crafted files. Threat actors like Lumma Stealer have actively exploited this vulnerability over the past year, according to Fortinet. Researchers have observed a campaign that uses the vulnerability to download malicious executables.

The vulnerability is tracked as CVE-2024-21412 and has an 8.1 CVSS score.

The fix: Mitigation strategies are more broad for this vulnerability — carefully scanning and verifying any sources before downloading files is at the top of the list. While I briefly mentioned this CVE in a February vulnerability recap, as part of a Microsoft Patch Tuesday effort, it looks like it’s still being exploited despite the patch, given the new Fortinet research.

Docker Vulnerability First Originated in 2018

Type of vulnerability: Authorization bypass.

The problem: Some versions of Docker Engine have a critical authorization vulnerability. Docker Engine has a standard all-or-nothing authorization method by default, according to the vendor’s security notice, but plugins like AuthZ are available to improve authorization security. However, attackers can bypass the plugin.

According to Docker, “An attacker could exploit a bypass using an API request with Content-Length set to 0, causing the Docker daemon to forward the request without the body to the AuthZ plugin, which might approve the request incorrectly if not set to deny by default.”

This vulnerability was actually discovered in 2018 and fixed in 2019. However, the fix was excluded from Docker v19.03, a flaw that researchers recently discovered. Docker released patches for the vulnerability on July 23. It’s tracked as CVE-2024-41110 and has a CVSS score of 10.

The fix: Docker provided the following table to show affected versions and the versions you should upgrade to if you currently have one that’s vulnerable.

BIND Database Vulnerability Could Lead to DoS Attacks

Type of vulnerability: Multiple, including assertion failure and CPU overload.

The problem: Documented by the CISA, the Internet Systems Consortium (ISC) has released security bulletins for four different vulnerabilities that affect ISC’s Berkeley Internet Name Domain (BIND) 9. If exploited, the flaws could lead to a denial-of-service type of attack. All vulnerabilities have a CVSS score of 7.5.

The vulnerabilities are as follows:

• CVE-2024-4076: Client queries that trigger serving stale data and require lookups in local authoritative zone data could lead to assertion failure.
• CVE-2024-1975: A stream of SIG(0) signed requests could overrun the computer system’s available CPU resources.
• CVE-2024-1737: Resolver caches and authoritative zone databases with large numbers of RRs could slow the BIND database’s performance significantly.
• CVE-2024-0760: Excessive DNS requests via TCP to the BIND server could overwhelm it and make it unstable.

The fix: Look at each vulnerability’s notice to determine if your version of BIND is vulnerable and upgrade it to the recommended version if needed.

July 24, 2024

Tenable Uncovers Google Cloud Vulnerability

Type of vulnerability: Privilege escalation.

The problem: Researchers at Tenable discovered a vulnerability within the Cloud Functions and Cloud Build services in Google Cloud Platform. In these serverless compute and continuous integration and deployment services, a user who creates a new Cloud Function also triggers a backend process by default, Tenable said.

“This process, among other things, attaches a default Cloud Build service account to the Cloud Build instance that is created as part of the function’s deployment,” the security notice explained. “This process happens in the background and isn’t something that ordinary users would be aware of.”

The service account allows the user to have permissions that they shouldn’t have by default. A threat actor could use this access to escalate their privileges to the default account, and in some cases, this could affect other cloud services like Cloud Storage and Container Registry.

After Tenable notified Google Cloud Platform, GCP performed some level of remediation for Cloud Build accounts that were created after mid-June 2024. However, Cloud Build service accounts created prior to the fix have the same privileges as before, so the vulnerability still exists in older instances.

The fix: Tenable recommends replacing each cloud function’s Cloud Build service account with a least privilege service account.

July 26, 2024

Telerik Support Servers Open to Remote Code Execution

Type of vulnerability: Deserialization flaw.

The problem: Progress Software has released a notice warning Telerik Support Server users of a deserialization vulnerability within certain versions of the software. When exploited, the vulnerability allows a threat actor to execute code remotely. Versions prior to 2024 Q2 (10.1.24.709) are affected.

The fix: Upgrade your instance of Telerik Support Server to 2024 Q2 (10.1.24.709); according to Progress, this is the only way to mitigate the issue.

Read next:

• Vulnerability Recap 7/22/24 – CrowdStrike Issue Is One of Many
• Best Vulnerability Management Software & Systems in 2024

The post Vulnerability Recap 7/29/24 – Multiple Old Security Flaws Reappear appeared first on eSecurity Planet.

Regularly update your hardware and software to the most recent approved versions. Also, make sure your security team has a consistent schedule for monitoring industry news and vulnerabilities. This helps you stay on top of updates before threat actors have much time to exploit potential flaws in your infrastructure.

July 1, 2024

Early July Splunk Enterprise Vulnerability Should Be Patched Immediately

Type of vulnerability: Path traversal. 

The problem: A vulnerability within Splunk’s Enterprise application allows an attacker to perform a path traversal on the /modules/messaging/ endpoint in Windows installments of Splunk Enterprise. The vulnerability affects app versions below 9.2.2, 9.1.5, and 9.0.10. Splunk released the notice for the vulnerability at the beginning of July, but it’s now getting more attention.

According to the security notice, “The vulnerability exists because the Python os.path.join function removes the drive letter from path tokens if the drive in the token matches the drive in the built path.” 

The vulnerability should not affect Splunk Enterprise on non-Windows operating systems, like Linux. A proof of concept is available on GitHub.

The fix: Splunk provides the following chart for fixed versions. Any version higher than 9.2.2, 9.1.5, and 9.0.10 also works.

July 15, 2024

CISA Requires Patches for GeoServer RCE Vulnerability

Type of vulnerability: Remote code execution.

The problem: GeoServer, an open-source server for sharing and processing geospatial data, has a critical vulnerability in its GeoTools library API. When exploited, the flaw allows unauthenticated users to execute code remotely. According to the vulnerability notice:

“The GeoTools library API that GeoServer calls evaluates property/attribute names for feature types in a way that unsafely passes them to the commons-jxpath library, which can execute arbitrary code when evaluating XPath expressions. This XPath evaluation is intended to be used only by complex feature types… but is incorrectly being applied to simple feature types as well, which makes this vulnerability apply to ALL GeoServer instances.”

The Cybersecurity and Infrastructure Security Agency (CISA) has warned users of this vulnerability and now requires federal agencies to apply patches by August 5. It’s currently tracked as CVE-2024-36401.

The fix: Update your GeoServer instance with version 2.23.6, 2.24.4, or 2.25.2, which contain a patch for the issue.

If your business needs dedicated and consistent vulnerability scanning, read our guide to the best scanners next.

July 16, 2024

Ivanti Fixes Another EPM Issue

Type of vulnerability: SQL injection.

The problem: Ivanti recently released a security advisory for an SQL injection vulnerability within Ivanti Endpoint Manager 2024 flat. If exploited, the vulnerability allows a threat actor on the same network as Endpoint Manager to execute code arbitrarily without being properly authenticated. 

The vulnerability is tracked as CVE-2024-37381 and has a severity rating of 8.4. 

The fix: Ivanti provides instructions for downloading a hot patch for EPM 2024 flat within the security advisory: 

• Download the linked Security Hot Patch zip files.
• Make sure the two DLL files are unblocked.
• Replace the DLLs within the Core Server with the ones from the Hot Patch in the locations specified.
• If you use the PowerShell script, insert the hotpatch folder into directory C:\Program Files\LANDesk\ManagementSuite\. Use PowerShell as an admin and run JulyEPM2024HotPatch.ps1.
• Either reboot the Core Server or or close the EPM Console and run IISRESET so the new DLLs load properly.

July 17, 2024

Full Effect of Critical Cisco Vulnerability Unknown

Type of vulnerability: Form of authentication bypass. 

The problem: Cisco Smart Software Manager On-Prem (SSM On-Prem) has a critical vulnerability in its authentication mechanism. It’s a result of a faulty password change implementation procedure. If a device is affected by the vulnerability, an attacker can send specifically designed HTTP requests to that device.

When exploited successfully, the vulnerability allows the attacker to use compromised privileges to access the target user interface or API. They can then change other users’ passwords, including potential administrative credentials. Experts aren’t sure what could happen within the Cisco network once an attacker manages this, and Cisco hasn’t yet clarified this in a security bulletin.

The vulnerability is tracked as CVE-2024-20419 and has a CVSS score of 10, the highest a vulnerability can receive.

The fix: This vulnerability affects Cisco SSM versions 8-202206 and earlier. The first fixed release of the software is 8-202212; upgrade to this version of Cisco SSM as soon as possible. Cisco’s ongoing fixed releases within the security bulletin for this vulnerability.

SolarWinds Fixes 13 Issues in Access Rights Manager

Type of vulnerability: Multiple, including remote code execution. 

The problem: SolarWinds has addressed 13 vulnerabilities within its Access Rights Manager software, a user provisioning and access management tool for Active Directory and Azure AD. These include remote command injection, remote code execution, and traversal and information disclosure vulnerabilities. Of the 13, eight are critical and have a CVSS score of 9.6. Each has its own advisory notice from SolarWinds. 

Combined, the vulnerabilities allow attackers to use SYSTEM privileges, leak data, and read and delete files arbitrarily without authentication.

Trend Micro’s Zero Day Initiative partners with SolarWinds and helped it identify the vulnerabilities.

The fix: Download the fixed version of the software, Access Rights Manager 2024.3, to prevent exploitation.

Wiz Report Reveals Weaknesses in SAP AI Core

Type of vulnerability: Arbitrary code execution using AI training models. 

The problem: A report by security vendor Wiz discusses isolation issues within AI platforms, particularly SAP AI Core. AI Core facilitates integrations with other cloud services like HANA to access customer data using cloud access keys, according to Wiz. The researchers’ work revealed that they could move laterally and access private customer files and cloud account credentials using SAP’s legitimate AI training procedures.

The researchers were also able to successfully use cluster administrator privileges on the SAP AI Core Kubernetes cluster.

The fix: Wiz reported the vulnerabilities to SAP, which fixed them. Wiz also states that no customer data was compromised. Because training AI models naturally involves running arbitrary code, vulnerabilities are often baked into the AI training process. A long-term fix would mean setting more careful guardrails on this process and doing better sandboxing and isolation, according to Wiz.

July 19, 2024

Failed CrowdStrike Update Creates Opportunity for Hackers

Type of vulnerability: General possibility of exploit when Windows systems are down.

The problem: While this isn’t a specific type of vulnerability or software issue, the update failure of CrowdStrike’s Falcon Sensor last Friday did create the possibility for Windows systems to be attacked while weak. The attempted update to Falcon Sensor created an endless update cycle and the “blue screen of death,” which caused Windows systems globally to crash.

CrowdStrike stated that the issue was not a cyberattack. Its CEO, George Kurtz, initially posted on LinkedIn about the nature of the event — saying that it wasn’t a security incident — and received significant pushback for this statement. While the issue was a software error rather than an attack, it did create a security incident that could lower defenses on Windows systems.

The fix: CrowdStrike isolated the incident and has worked to fix it. It published a video for remote users to self-remediate their Windows laptop if the device is still having issues with the blue screen of death. 

July 22, 2024

Open-Source Platform BOINC Spoofed by Threat Actors

Type of vulnerability: Malware payloads. 

The problem: Managed security provider Huntress recently published a report on SocGholish malware behavior. SocGholish is now delivering AsyncRAT and Berkeley Open Infrastructure Network Computing Client (BOINC) payloads to victims.

BOINC is an open-source platform for volunteer computing. “The intention is to use ‘donated’ computer resources to contribute to the work of various legitimate science projects,” the Huntress researchers said. Malicious installations of BOINC look like they might route to a legitimate BOINC server that’s actually a different address. Huntress reports that it hasn’t yet noticed the infected hosts executing malicious activity.

This vulnerability does not reside within BOINC; rather, it’s a type of malware that installs malicious versions of BOINC. It is less a standard software vulnerability than a method by which threat actors deliver malicious payloads using open-source software.

The fix: Huntress provides the following indicators of compromise and file indicators:

While it’s rare for businesses to use BOINC, watch for any attempted installations of it, which could indicate an attack, according to Huntress.

Read next:

• Vulnerability Recap 7/15/24 — Industry Patches vs Flaw Exploits
• Best Vulnerability Management Software & Systems in 2024

The post Vulnerability Recap 7/22/24 – CrowdStrike Issue Is One of Many appeared first on eSecurity Planet.

Gogs’ security issues caused command execution and file deletion. Microsoft patched 143 vulnerabilities. OpenSSH and PHP exposed an RCE issue, and RADIUS protocols became susceptible to MitM attacks. GitLab disclosed a pipeline flaw and Veeam addressed flaws exploited in active ransomware attacks. Palo Alto patched an admin takeover bug. CISA and the FBI warned of OS command-injection threats while Censys reported a major Exim vulnerability.

To reduce the risks caused by these vulnerabilities, affected users should apply patches, upgrade software, and strengthen security measures as soon as possible.

July 8, 2024

Four Unpatched Flaws Discovered in Gogs

Type of vulnerability: Multiple, including argument injection and file deletion.

The problem: Four unpatched security issues in Gogs, an open-source Git service, enable attackers to exploit three critical flaws (CVE-2024-39930, CVE-2024-39931, CVE-2024-39932; CVSS: 9.9) and one high-severity vulnerability (CVE-2024-39933; CVSS: 7.7). These flaws allow command execution, code modification, deletion, and access to sensitive files. However, exploitation requires authentication and specific configurations.

The fix: Gogs hasn’t issued any fixes yet. Users should disable the built-in SSH server, turn off user registration, and consider using Gitea. SonarSource provided an unofficial patch, although this wasn’t thoroughly tested. Always keep systems up to date and reduce unnecessary service exposure.

Avoid unauthorized access by employing stronger authentication methods for your systems via access management tools. Explore our review of the top identity and access management (IAM) solutions, comparing their key features, use cases, and more.

July 9, 2024

Microsoft Releases Patches for 143 Security Flaws

Type of vulnerability: Multiple, including remote code execution (RCE) and privilege escalation.

The problem: Microsoft’s Patch Tuesday addressed 143 security issues. Five were rated critical and the remaining were tagged as important. CVE-2024-38080 (Windows Hyper-V Elevation of Privilege, CVSS score: 7.8) and CVE-2024-38112 (Windows MSHTML Platform Spoofing, CVSS score: 7.5), are actively exploited. These include sending a malicious file that requires user execution and .URL files that route users to risky websites via Internet Explorer.

The fix: Microsoft issued patches to address all 143 security issues. To mitigate these vulnerabilities, immediately apply the latest patches. It’s also recommended to avoid opening suspicious files and to use contemporary, safe browsers.

Following Patch Tuesday, multiple vendors also provided security updates to resolve various vulnerabilities:

• Adobe: Provided security upgrades for Premiere Pro, InDesign, and Bridge.
• Cisco’s: Addressed NX-OS Software CLI command injection vulnerability.
• Citrix: Rectified flaws in the Windows Virtual Delivery Agent and Citrix Workspace app.
• Fortinet: Identified several vulnerabilities in FortiOS and other products.
• Mozilla: Released Firefox 128 featuring multiple vulnerability updates.
• VMware: Discovered an HTML injection issue in Cloud Director.

OpenSSH Susceptible to RCE Vulnerability

Type of vulnerability: Multiple, including RCE and race condition in signal handling.

The problem: Select versions of the OpenSSH secure networking suite are vulnerable to CVE-2024-6409 (CVSS score: 7.0), a remote code execution vulnerability caused by a race issue in signal handling within the privilege separation (privsep) child process.

The vulnerability affects Red Hat Enterprise Linux 9 versions 8.7p1 and 8.8p1. Security researcher Alexander Peslyak, aka Solar Designer, identified the bug while reviewing CVE-2024-6387, which has a similar race condition issue. If attacked, attackers might run code remotely from the unprivileged SSHD server process.

The fix: Red Hat published patches for OpenSSH versions 8.7p1 and 8.8p1. To mitigate the risk, apply these updates immediately. Monitor network behavior for signals of exploitation and limit access to SSH servers to trusted IP addresses only.

Cybersecurity Researchers Uncovers RADIUS Protocol Vulnerability

Type of vulnerability: Multiple, including monster-in-the-middle (MitM) attack and integrity check bypass.

The problem: Cybersecurity researchers have discovered a security flaw in the RADIUS network authentication protocol known as BlastRADIUS (CVE-2024-3596, CVSS score: 9.0). This vulnerability can be used to launch MitM attacks and bypass integrity checks.

The RADIUS protocol’s reliance on the compromised MD5 algorithm enables attackers to change access-request packets undetected, allowing illegal user authentication and access. This vulnerability affects all standards-compliant RADIUS clients and servers, putting enterprises that send RADIUS packets over the internet especially at risk.

The fix: Update RADIUS servers and networking equipment to the most recent versions. To protect RADIUS traffic, use TLS or IPSec rather than susceptible authentication methods such as PAP, CHAP, or MS-CHAPv2. Organizations should additionally require the use of the message-authenticator attribute to improve packet security.

July 10, 2024

Multiple Threat Actors Exploit PHP Vulnerability

Type of vulnerability: Remote code execution (RCE).

The problem: CVE-2024-4577 (CVSS score: 9.8) is a severe PHP vulnerability that allows attackers to run malicious code on Windows computers with Chinese and Japanese language locales.

This bug, discovered in June 2024, results from Unicode characters being translated to ASCII, allowing attackers to escape the command line and input arguments directly to PHP. Within 24 hours, exploits began attacking honeypot servers with remote access trojans, bitcoin miners, and DDoS botnets. Notable malware include Gh0st RAT, RedTail, XMRig, and the Muhstik botnet.

The fix: Upgrade your installations to the most recent version to avoid CVE-2024-4577. This update fixes the Unicode to ASCII conversion issue, which prevents remote code execution vulnerabilities. To reduce the risks associated with similar vulnerabilities, patch on a regular basis and observe any unexpected activities.

GitLab Discloses Critical Pipeline Flaw

Type of vulnerability: Arbitrary pipeline execution.

The problem: CVE-2024-6385 (CVSS score: 9.6) is a significant vulnerability that affects GitLab Community and Enterprise editions (versions 15.8 to 17.1.2). This vulnerability allows attackers to launch pipeline jobs as any user, presenting major risks from unauthorized code execution.

GitLab pipelines, which are essential for CI/CD procedures, could be exploited under concealed settings, resulting in potential breaches and supply chain attacks. GitLab is used by high-profile companies, making this vulnerability particularly alarming.

The fix: GitLab recently released patched versions (17.1.2, 17.0.4, and 16.11.6) to fix CVE-2024-6385. Administrators should upgrade promptly to mitigate these hazards. To avoid future attacks, update software on a regular basis and monitor for unexpected activity.

July 11, 2024

Ransomware Group Exploits Veeam Backup & Replication Vulnerability

Type of vulnerability: Remote code execution.

The problem: CVE-2023-27532 (CVSS score: 7.5) in Veeam Backup & Replication allows attackers to execute arbitrary commands, compromising backup integrity and allowing for lateral movement.

Threat actors exploited a weakness in Veeam’s software to create unauthorized accounts such as “VeeamBkp,” allowing for network reconnaissance and data exfiltration. This resulted in defenses being disabled and ransomware being deployed, as demonstrated by the EstateRansomware group’s attack on a failover server using FortiGate SSL VPN and RDP connections.

The fix: Veeam addressed CVE-2023-27532 through their upgrades that prevent xp_cmdshell misuse and unauthorized account creation. For admins, upgrade immediately to avoid exploitation attempts. Monitor network activity, terminate unused services, and implement robust access controls.

Palo Alto Fixes Critical Authentication Flaw

Type of vulnerability: Authentication bypass.

The problem: The Palo Alto Networks Expedition’s CVE-2024-5910 and the PAN-OS’s CVE-2024-3596 vulnerability expose critical weaknesses. CVE-2024-5910 risks admin account takeover due to authentication flaws that compromise critical data. CVE-2024-3596 allows an adversary-in-the-middle attack between PAN-OS firewalls and RADIUS servers, potentially escalating privileges to ‘superuser’ via insecure CHAP or PAP settings.

Affected products include: 

• PAN-OS versions prior to 11.1.3, 11.0.4-h4;
• PAN-OS versions prior to 10.2.10, 10.1.14, and 9.1.19;
• Prisma Access (all versions).

The fix: Palo Alto Networks published Expedition version 1.2.92, which resolves the authentication issue. To mitigate risks, upgrade to this version or above. Update impacted PAN-OS versions to the listed patched releases, or secure RADIUS configurations using TLS-encapsulated CHAP/PAP or EAP-TTLS with PAP. Restrict network access to Expedition and use secure RADIUS setups with TLS to protect against assaults.

July 12, 2024

CISA, FBI Issue Alert on OS Command-Injection Vulnerabilities

Type of vulnerability: OS command-injection.

The problem: The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) released an urgent alert stating the persistence of OS command-injection vulnerabilities. CVE-2024-20399 in Cisco NX-OS allows authorized attackers to execute arbitrary instructions. This is exploited by threat actors such as Velvet Ant. Inadequate validation of user inputs causes these vulnerabilities, resulting in system takeovers, code execution, and data breaches.

The fix: To prevent OS command-injection vulnerabilities, CISA and the FBI recommend a secure-by-design approach to software development. Apply safer command-generation functions and rigorous threat modeling. Use modern component libraries, then conduct comprehensive code reviews and aggressive adversarial testing throughout the development process.

Censys Releases Advisory on Exim MTA Vulnerability

Type of vulnerability: Mail transfer agent (MTA) and RCE.

The problem: Censys recently raised an alert on CVE-2024-39929, which affects Exim versions up to 4.97.1. The serious vulnerability results from erroneous parsing of multiline RFC2231 header filenames, allowing remote attackers to bypass security filters.

Threat actors might exploit this weakness to deliver malicious executable attachments into recipients’ mailboxes, bypassing $mime_filename extension-blocking defenses. While no active exploitation has been confirmed, more than 1.5 million Exim servers remain vulnerable worldwide, especially in the United States, Russia, and Canada.

The fix: Exim developers issued a patch to solve CVE-2024-39929. System administrators should promptly update to the most recent version (4.98). To prevent potential exploitation efforts, admins should also prohibit remote access to Exim servers from the Internet until they’ve been fixed.

Read next:

• Vulnerability Recap 7/8/24: Intel, Cisco & More Face Risks 
• Best Vulnerability Management Software & Systems in 2024 
• Patch Management Policy: Definition, Steps & Benefits 

The post Vulnerability Recap 7/15/24 – Industry Patches vs Flaw Exploits appeared first on eSecurity Planet.

OpenSSH resolved a signal handler race problem, Juniper Networks managed an authentication bypass, and CocoaPods faced supply chain attack concerns. Cisco discovered a command injection issue, while a side-channel attack exposed Intel CPUs. Rockwell Automation handled RCE issues. Traeger addressed unauthorized controls on IoT grills before July 4th. If you’re compromised, apply patches and additional mitigating methods right away.

July 1, 2024

OpenSSH Releases Security Updates to Address RCE

Type of vulnerability: Signal handler race condition in OpenSSH server.

The problem: CVE-2024-6387 is a signal handler race issue within OpenSSH’s server (sshd) that affects glibc-based Linux systems. It supports unauthenticated remote code execution with root privileges. This bug impacts OpenSSH versions 8.5p1 through 9.7p1. It’s a regression of an 18-year-old flaw (CVE-2006-5051) that was reintroduced in October 2020.

The fix: OpenSSH issued updates to address CVE-2024-6387. Implement these changes immediately. To reduce risk, restrict SSH access via network controls, enforce segmentation, and do extensive regression testing to avoid known vulnerabilities from resurfacing. Regularly update and follow secure development methods, particularly in open-source projects.

Juniper Networks Addresses Authentication Bypass Vulnerability

Type of vulnerability: Authentication bypass using an alternate path.

The problem: CVE-2024-2973 is a severe authentication bypass vulnerability in Juniper Networks’ Session Smart Router and Conductor that affects high-availability redundancy deployments. It has a CVSS score of 10.0. The vulnerability allows attackers to circumvent authentication and obtain complete control of the compromised devices. It’s discovered during internal testing and affects many router versions.

The fix: Juniper Networks has published automatic fixes for vulnerable devices managed using MIST Cloud. Update your routers to the most recent versions (5.6.15, 6.1.9-lts, 6.2.5-sts). To protect your network devices from potential risks, apply patches on a regular basis and keep their firmware up to date.

CocoaPods Patches Vulnerabilities to Prevent Supply Chain Attacks

Type of vulnerability: Authentication bypass and insecure email verification.

The problem: Three critical CocoaPods vulnerabilities (CVE-2024-38366, CVE-2024-38367, and CVE-2024-38368) enabled attackers to claim unclaimed pods, alter packages, and execute arbitrary code on the Trunk server. These vulnerabilities put iOS and macOS apps at risk of serious supply chain attacks. Issues occurred from unsecure email verification and a defective parcel claim process that dates back to 2014.

The fix: CocoaPods fixed these flaws and reset all user sessions since October 2023. Make sure to update to the most recent CocoaPods version and constantly check your dependencies for any unapproved modifications. To avoid similar vulnerabilities, your organization should enhance their email verification processes and employ safe development standards.

Boost your organization’s permissions security by using an identity and access management solution. Read our guide to see the best IAM solutions available, including their strengths, weaknesses, cost, and more.

July 2, 2024

Velvet Ant Exploits Zero-Day Flaw in Cisco NX-OS Software

Type of vulnerability: Command injection.

The problem: CVE-2024-20399 is a command injection vulnerability in Cisco NX-OS Software that enables authorized local attackers to run arbitrary commands as root. China’s Velvet Ant hackers used this vulnerability to launch custom malware, hack into vulnerable computers, and upload files without generating syslog notifications. It affects various Cisco Nexus switches, and the fundamental cause is insufficient validation of CLI command parameters.

The fix: Cisco issued patches for CVE-2024-20399. Administrators should apply these updates as soon as possible and conduct frequent reviews of access controls and monitoring processes. To detect and mitigate these vulnerabilities, use stronger logging and centralized log analysis. To avoid attacks like this, properly validate CLI commands and make sure your administrative credentials are safe.

Intel CPUs Vulnerable to ‘Indirector’ that Leaks Sensitive Information

Type of vulnerability or attack: Side-channel attack via branch target injection.

The problem: Modern Intel CPUs, such as Raptor Lake and Alder Lake, are vulnerable to a new side-channel attack dubbed Indirector. This vulnerability occurs in the indirect branch predictor (IBP) and branch target buffer (BTB). It enables attackers to launch branch target injection (BTI) attacks. Using these hardware components, attackers can defeat existing defenses such as Spectre v2 (CVE-2017-5715) and leak sensitive data through speculative execution.

The fix: Intel analyzed the findings and concluded that existing mitigations, including IBRS, eIBRS, and BHI, are effective against Indirector attacks. Users should make sure to enable these mitigations. To improve security against side-channel attacks, securely use indirect branch predictor barrier (IBPB) and enhance the branch prediction unit (BPU) with more complicated tags, encryption, and randomization.

July 3, 2024

Threat Actors Exploit MSHTML Flaw to Deploy MerkSpy Surveillance Tool

Type of vulnerability: Remote code execution.

The problem: A Microsoft MSHTML vulnerability, CVE-2021-40444, was exploited to distribute the MerkSpy surveillance program. The attack starts with a malicious Word document providing a fictitious job description, which leads to remote code execution.

This downloads an HTML file (“olerender.html”), which contains shellcode that downloads and runs more malware. MerkSpy collects sensitive information, observes actions, and builds persistence, affecting users in Canada, India, Poland, and the United States.

The fix: Microsoft already released a patch for CVE-2021-40444 in September 2021. Update your systems with the latest security patches. Educate your employees on how to recognize phishing attempts and implement robust security measures, such as advanced endpoint protection and regular security audits, to detect and prevent such attacks. Improve your monitoring and logging security so that you can respond to unusual activity quickly.

Microsoft Reveals Security Flaws in PanelView Plus Devices

Type of vulnerability: Remote code execution and denial-of-service (DoS).

The problem: Microsoft discovers two vulnerabilities in Rockwell Automation PanelView Plus. These vulnerabilities, known as CVE-2023-2071 and CVE-2023-29464, enable remote, unauthenticated attackers to execute arbitrary code and create DoS circumstances. 

CVE-2023-2071 exploits insufficient input validation to upload and load malicious DLLs, resulting in remote code execution. CVE-2023-29464 uses similar input validation flaws to access memory data and send larger packets, resulting in a DoS. These flaws affect FactoryTalk View Machine Edition (versions 13.0, 12.0, and previous) and FactoryTalk Linx (versions 6.30, 6.20, and previous).

The fix: Rockwell Automation issued recommendations addressing these issues, urging users to update to the most recent versions of FactoryTalk View Machine Edition and FactoryTalk Linx. To minimize risks, patch your systems as soon as possible. Additional safeguards include network segmentation, firewalls to restrict external access, and network traffic monitoring for anomalous activities.

Multiple Vulnerabilities Found in Traeger Grills with D2 Wi-Fi Controller

Type of vulnerability: Insufficient authorization control and remote command execution.

The problem: Nick Cerne of Bishop Fox discovered several security issues in Traeger grills that used the D2 Wi-Fi Controller. These flaws enable remote attackers to execute actions, including collecting grill information and shutting the device off.

The critical weakness (CVSS score: 7.1) concerns insufficient authorization constraints in the API for grill registration, allowing attackers to remotely change the grill’s temperature and operational status. Exploiting these vulnerabilities can lead to food spoilage, as proved by researchers who raised the grill temperature from 165°F to 500°F.

The fix: Traeger has enabled automated firmware updates for grills using the D2 Wi-Fi Controller. This ensures that all affected grills connected to the Internet receive the necessary updates without requiring user intervention. For grill owners, make sure to update your devices. To avoid unauthorized access, secure your networks, monitor device activity, and turn off grills when they’re not in use.

July 5, 2024

Ghostscript Vulnerability Threatens Web Applications & Services

Type of vulnerability: Format string bug and remote code execution.

The problem: Ghostscript’s format string issue (CVE-2024-29510) allows remote attackers to execute arbitrary code by bypassing the -dSAFER sandbox. Ghostscript is widely used for document processing. Its vulnerability affects web applications, allowing file manipulation and RCE without user input.

The fix:  Ghostscript already published version 10.03.1 in April 2024 to address CVE-2024-29510. To ensure system security, update to the newest version. Monitor automated operations utilizing Ghostscript for vulnerabilities and install security fixes as soon as possible to avoid exploitation.

Read next:

• Vulnerability Recap 7/1/24: Apple, GitLab, AI Platforms at Risk 
• Best Vulnerability Scanning Tools & Software
• Patch Management Policy: Definition, Steps & Benefits 

The post Vulnerability Recap 7/8/24 – Intel, Cisco & More Face Risks appeared first on eSecurity Planet.