Last week’s vulnerability news highlighted major flaws across industries, urging quick patch response. The majority of incidents involved malicious threat actors exploiting vulnerabilities in several software and systems.
Gogs’ security issues caused command execution and file deletion. Microsoft patched 143 vulnerabilities. OpenSSH and PHP exposed an RCE issue, and RADIUS protocols became susceptible to MitM attacks. GitLab disclosed a pipeline flaw and Veeam addressed flaws exploited in active ransomware attacks. Palo Alto patched an admin takeover bug. CISA and the FBI warned of OS command-injection threats while Censys reported a major Exim vulnerability.
To reduce the risks caused by these vulnerabilities, affected users should apply patches, upgrade software, and strengthen security measures as soon as possible.
July 8, 2024
Four Unpatched Flaws Discovered in Gogs
Type of vulnerability: Multiple, including argument injection and file deletion.
The problem: Four unpatched security issues in Gogs, an open-source Git service, enable attackers to exploit three critical flaws (CVE-2024-39930, CVE-2024-39931, CVE-2024-39932; CVSS: 9.9) and one high-severity vulnerability (CVE-2024-39933; CVSS: 7.7). These flaws allow command execution, code modification, deletion, and access to sensitive files. However, exploitation requires authentication and specific configurations.
The fix: Gogs hasn’t issued any fixes yet. Users should disable the built-in SSH server, turn off user registration, and consider using Gitea. SonarSource provided an unofficial patch, although this wasn’t thoroughly tested. Always keep systems up to date and reduce unnecessary service exposure.
Avoid unauthorized access by employing stronger authentication methods for your systems via access management tools. Explore our review of the top identity and access management (IAM) solutions, comparing their key features, use cases, and more.
July 9, 2024
Microsoft Releases Patches for 143 Security Flaws
Type of vulnerability: Multiple, including remote code execution (RCE) and privilege escalation.
The problem: Microsoft’s Patch Tuesday addressed 143 security issues. Five were rated critical and the remaining were tagged as important. CVE-2024-38080 (Windows Hyper-V Elevation of Privilege, CVSS score: 7.8) and CVE-2024-38112 (Windows MSHTML Platform Spoofing, CVSS score: 7.5), are actively exploited. These include sending a malicious file that requires user execution and .URL files that route users to risky websites via Internet Explorer.
The fix: Microsoft issued patches to address all 143 security issues. To mitigate these vulnerabilities, immediately apply the latest patches. It’s also recommended to avoid opening suspicious files and to use contemporary, safe browsers.
Following Patch Tuesday, multiple vendors also provided security updates to resolve various vulnerabilities:
- Adobe: Provided security upgrades for Premiere Pro, InDesign, and Bridge.
- Cisco’s: Addressed NX-OS Software CLI command injection vulnerability.
- Citrix: Rectified flaws in the Windows Virtual Delivery Agent and Citrix Workspace app.
- Fortinet: Identified several vulnerabilities in FortiOS and other products.
- Mozilla: Released Firefox 128 featuring multiple vulnerability updates.
- VMware: Discovered an HTML injection issue in Cloud Director.
OpenSSH Susceptible to RCE Vulnerability
Type of vulnerability: Multiple, including RCE and race condition in signal handling.
The problem: Select versions of the OpenSSH secure networking suite are vulnerable to CVE-2024-6409 (CVSS score: 7.0), a remote code execution vulnerability caused by a race issue in signal handling within the privilege separation (privsep) child process.
The vulnerability affects Red Hat Enterprise Linux 9 versions 8.7p1 and 8.8p1. Security researcher Alexander Peslyak, aka Solar Designer, identified the bug while reviewing CVE-2024-6387, which has a similar race condition issue. If attacked, attackers might run code remotely from the unprivileged SSHD server process.
The fix: Red Hat published patches for OpenSSH versions 8.7p1 and 8.8p1. To mitigate the risk, apply these updates immediately. Monitor network behavior for signals of exploitation and limit access to SSH servers to trusted IP addresses only.
Cybersecurity Researchers Uncovers RADIUS Protocol Vulnerability
Type of vulnerability: Multiple, including monster-in-the-middle (MitM) attack and integrity check bypass.
The problem: Cybersecurity researchers have discovered a security flaw in the RADIUS network authentication protocol known as BlastRADIUS (CVE-2024-3596, CVSS score: 9.0). This vulnerability can be used to launch MitM attacks and bypass integrity checks.
The RADIUS protocol’s reliance on the compromised MD5 algorithm enables attackers to change access-request packets undetected, allowing illegal user authentication and access. This vulnerability affects all standards-compliant RADIUS clients and servers, putting enterprises that send RADIUS packets over the internet especially at risk.
The fix: Update RADIUS servers and networking equipment to the most recent versions. To protect RADIUS traffic, use TLS or IPSec rather than susceptible authentication methods such as PAP, CHAP, or MS-CHAPv2. Organizations should additionally require the use of the message-authenticator attribute to improve packet security.
July 10, 2024
Multiple Threat Actors Exploit PHP Vulnerability
Type of vulnerability: Remote code execution (RCE).
The problem: CVE-2024-4577 (CVSS score: 9.8) is a severe PHP vulnerability that allows attackers to run malicious code on Windows computers with Chinese and Japanese language locales.
This bug, discovered in June 2024, results from Unicode characters being translated to ASCII, allowing attackers to escape the command line and input arguments directly to PHP. Within 24 hours, exploits began attacking honeypot servers with remote access trojans, bitcoin miners, and DDoS botnets. Notable malware include Gh0st RAT, RedTail, XMRig, and the Muhstik botnet.
The fix: Upgrade your installations to the most recent version to avoid CVE-2024-4577. This update fixes the Unicode to ASCII conversion issue, which prevents remote code execution vulnerabilities. To reduce the risks associated with similar vulnerabilities, patch on a regular basis and observe any unexpected activities.
GitLab Discloses Critical Pipeline Flaw
Type of vulnerability: Arbitrary pipeline execution.
The problem: CVE-2024-6385 (CVSS score: 9.6) is a significant vulnerability that affects GitLab Community and Enterprise editions (versions 15.8 to 17.1.2). This vulnerability allows attackers to launch pipeline jobs as any user, presenting major risks from unauthorized code execution.
GitLab pipelines, which are essential for CI/CD procedures, could be exploited under concealed settings, resulting in potential breaches and supply chain attacks. GitLab is used by high-profile companies, making this vulnerability particularly alarming.
The fix: GitLab recently released patched versions (17.1.2, 17.0.4, and 16.11.6) to fix CVE-2024-6385. Administrators should upgrade promptly to mitigate these hazards. To avoid future attacks, update software on a regular basis and monitor for unexpected activity.
July 11, 2024
Ransomware Group Exploits Veeam Backup & Replication Vulnerability
Type of vulnerability: Remote code execution.
The problem: CVE-2023-27532 (CVSS score: 7.5) in Veeam Backup & Replication allows attackers to execute arbitrary commands, compromising backup integrity and allowing for lateral movement.
Threat actors exploited a weakness in Veeam’s software to create unauthorized accounts such as “VeeamBkp,” allowing for network reconnaissance and data exfiltration. This resulted in defenses being disabled and ransomware being deployed, as demonstrated by the EstateRansomware group’s attack on a failover server using FortiGate SSL VPN and RDP connections.
The fix: Veeam addressed CVE-2023-27532 through their upgrades that prevent xp_cmdshell misuse and unauthorized account creation. For admins, upgrade immediately to avoid exploitation attempts. Monitor network activity, terminate unused services, and implement robust access controls.
Palo Alto Fixes Critical Authentication Flaw
Type of vulnerability: Authentication bypass.
The problem: The Palo Alto Networks Expedition’s CVE-2024-5910 and the PAN-OS’s CVE-2024-3596 vulnerability expose critical weaknesses. CVE-2024-5910 risks admin account takeover due to authentication flaws that compromise critical data. CVE-2024-3596 allows an adversary-in-the-middle attack between PAN-OS firewalls and RADIUS servers, potentially escalating privileges to ‘superuser’ via insecure CHAP or PAP settings.
Affected products include:
- PAN-OS versions prior to 11.1.3, 11.0.4-h4;
- PAN-OS versions prior to 10.2.10, 10.1.14, and 9.1.19;
- Prisma Access (all versions).
The fix: Palo Alto Networks published Expedition version 1.2.92, which resolves the authentication issue. To mitigate risks, upgrade to this version or above. Update impacted PAN-OS versions to the listed patched releases, or secure RADIUS configurations using TLS-encapsulated CHAP/PAP or EAP-TTLS with PAP. Restrict network access to Expedition and use secure RADIUS setups with TLS to protect against assaults.
July 12, 2024
CISA, FBI Issue Alert on OS Command-Injection Vulnerabilities
Type of vulnerability: OS command-injection.
The problem: The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) released an urgent alert stating the persistence of OS command-injection vulnerabilities. CVE-2024-20399 in Cisco NX-OS allows authorized attackers to execute arbitrary instructions. This is exploited by threat actors such as Velvet Ant. Inadequate validation of user inputs causes these vulnerabilities, resulting in system takeovers, code execution, and data breaches.
The fix: To prevent OS command-injection vulnerabilities, CISA and the FBI recommend a secure-by-design approach to software development. Apply safer command-generation functions and rigorous threat modeling. Use modern component libraries, then conduct comprehensive code reviews and aggressive adversarial testing throughout the development process.
Censys Releases Advisory on Exim MTA Vulnerability
Type of vulnerability: Mail transfer agent (MTA) and RCE.
The problem: Censys recently raised an alert on CVE-2024-39929, which affects Exim versions up to 4.97.1. The serious vulnerability results from erroneous parsing of multiline RFC2231 header filenames, allowing remote attackers to bypass security filters.
Threat actors might exploit this weakness to deliver malicious executable attachments into recipients’ mailboxes, bypassing $mime_filename extension-blocking defenses. While no active exploitation has been confirmed, more than 1.5 million Exim servers remain vulnerable worldwide, especially in the United States, Russia, and Canada.
The fix: Exim developers issued a patch to solve CVE-2024-39929. System administrators should promptly update to the most recent version (4.98). To prevent potential exploitation efforts, admins should also prohibit remote access to Exim servers from the Internet until they’ve been fixed.
Read next:
- Vulnerability Recap 7/8/24: Intel, Cisco & More Face Risks
- Best Vulnerability Management Software & Systems in 2024
- Patch Management Policy: Definition, Steps & Benefits
