In the aftermath of CrowdStrike’s unique update failure that sparked a different type of security incident, standard vulnerability disclosures and patches proceed as usual. This week, we also saw some older issues return to light, including an Internet Explorer vulnerability first discovered in 2012. A Microsoft SmartScreen vulnerability from earlier this year resurfaced, and a Docker flaw from 2018 is still causing issues in a newer version of the software.
If you’re part of an IT or security team responsible for handling vulnerabilities, make sure your team has a way to be immediately updated when new issues arise. Having a clearly defined process for mitigating vulnerabilities decreases the opportunity threat actors have to exploit them.
July 23, 2024
CISA Adds Two Vulnerabilities to Catalog
Type of vulnerability: Use-after-free and information disclosure.
The problem: The Cybersecurity and Infrastructure Security Agency (CISA) just added two vulnerabilities to the Known Exploited Vulnerabilities (KEV) catalog. The first is a use-after-free vulnerability from 2012, tracked as CVE-2012-4792, that affects Microsoft’s Internet Explorer, a browser that’s now rarely used.
According to the catalog listing, the vulnerability “allows a remote attacker to execute arbitrary code via a crafted web site that triggers access to an object that (1) was not properly allocated or (2) is deleted, as demonstrated by a CDwnBindInfo object.”
The second vulnerability is an information disclosure vulnerability within Twilio Authy’s API. It’s tracked as CVE-2024-39891 and allows an unauthenticated endpoint to accept requests with a phone number and respond with data about the phone number’s registration status with Authy.
The fix: The CISA recommends disabling Internet Explorer since it’s an end-of-life product.
Twilio recommends that Authy users update their versions of the Android and iOS Authy apps to the most recent version, which has fixed the bug.
If your business needs a more consistent method of identifying vulnerabilities, consider a scanning product for your full IT infrastructure. Check out our list of the best vulnerability scanners to see which one would be a good fit for your team.
Fortinet Identifies Windows SmartScreen Security Bypass Issue
Type of vulnerability: Security bypass.
The problem: A Fortinet-discovered Windows vulnerability could allow a remote threat actor to bypass Microsoft Windows SmartScreen security warnings and deliver maliciously crafted files. Threat actors like Lumma Stealer have actively exploited this vulnerability over the past year, according to Fortinet. Researchers have observed a campaign that uses the vulnerability to download malicious executables.
The vulnerability is tracked as CVE-2024-21412 and has an 8.1 CVSS score.
The fix: Mitigation strategies are more broad for this vulnerability — carefully scanning and verifying any sources before downloading files is at the top of the list. While I briefly mentioned this CVE in a February vulnerability recap, as part of a Microsoft Patch Tuesday effort, it looks like it’s still being exploited despite the patch, given the new Fortinet research.
Docker Vulnerability First Originated in 2018
Type of vulnerability: Authorization bypass.
The problem: Some versions of Docker Engine have a critical authorization vulnerability. Docker Engine has a standard all-or-nothing authorization method by default, according to the vendor’s security notice, but plugins like AuthZ are available to improve authorization security. However, attackers can bypass the plugin.
According to Docker, “An attacker could exploit a bypass using an API request with Content-Length set to 0, causing the Docker daemon to forward the request without the body to the AuthZ plugin, which might approve the request incorrectly if not set to deny by default.”
This vulnerability was actually discovered in 2018 and fixed in 2019. However, the fix was excluded from Docker v19.03, a flaw that researchers recently discovered. Docker released patches for the vulnerability on July 23. It’s tracked as CVE-2024-41110 and has a CVSS score of 10.
The fix: Docker provided the following table to show affected versions and the versions you should upgrade to if you currently have one that’s vulnerable.
BIND Database Vulnerability Could Lead to DoS Attacks
Type of vulnerability: Multiple, including assertion failure and CPU overload.
The problem: Documented by the CISA, the Internet Systems Consortium (ISC) has released security bulletins for four different vulnerabilities that affect ISC’s Berkeley Internet Name Domain (BIND) 9. If exploited, the flaws could lead to a denial-of-service type of attack. All vulnerabilities have a CVSS score of 7.5.
The vulnerabilities are as follows:
- CVE-2024-4076: Client queries that trigger serving stale data and require lookups in local authoritative zone data could lead to assertion failure.
- CVE-2024-1975: A stream of SIG(0) signed requests could overrun the computer system’s available CPU resources.
- CVE-2024-1737: Resolver caches and authoritative zone databases with large numbers of RRs could slow the BIND database’s performance significantly.
- CVE-2024-0760: Excessive DNS requests via TCP to the BIND server could overwhelm it and make it unstable.
The fix: Look at each vulnerability’s notice to determine if your version of BIND is vulnerable and upgrade it to the recommended version if needed.
July 24, 2024
Tenable Uncovers Google Cloud Vulnerability
Type of vulnerability: Privilege escalation.
The problem: Researchers at Tenable discovered a vulnerability within the Cloud Functions and Cloud Build services in Google Cloud Platform. In these serverless compute and continuous integration and deployment services, a user who creates a new Cloud Function also triggers a backend process by default, Tenable said.
“This process, among other things, attaches a default Cloud Build service account to the Cloud Build instance that is created as part of the function’s deployment,” the security notice explained. “This process happens in the background and isn’t something that ordinary users would be aware of.”
The service account allows the user to have permissions that they shouldn’t have by default. A threat actor could use this access to escalate their privileges to the default account, and in some cases, this could affect other cloud services like Cloud Storage and Container Registry.
After Tenable notified Google Cloud Platform, GCP performed some level of remediation for Cloud Build accounts that were created after mid-June 2024. However, Cloud Build service accounts created prior to the fix have the same privileges as before, so the vulnerability still exists in older instances.
The fix: Tenable recommends replacing each cloud function’s Cloud Build service account with a least privilege service account.
July 26, 2024
Telerik Support Servers Open to Remote Code Execution
Type of vulnerability: Deserialization flaw.
The problem: Progress Software has released a notice warning Telerik Support Server users of a deserialization vulnerability within certain versions of the software. When exploited, the vulnerability allows a threat actor to execute code remotely. Versions prior to 2024 Q2 (10.1.24.709) are affected.
The fix: Upgrade your instance of Telerik Support Server to 2024 Q2 (10.1.24.709); according to Progress, this is the only way to mitigate the issue.
Read next:
- Vulnerability Recap 7/22/24 – CrowdStrike Issue Is One of Many
- Best Vulnerability Management Software & Systems in 2024