If you updated Chrome and SolarWinds Web Help Desk in the last couple of weeks due to vulnerabilities, get ready to update them again — each has a new flaw. Additionally, a popular WordPress plugin has a critical issue, and AWS’s Application Load Balancer feature has a configuration vulnerability.
As always, the best way to get flaws quickly patched is to scan for vulnerabilities frequently and have a plan for fixing and documenting them. Make sure your security teams know their specific role in that process, and have frequent conversations about vulnerabilities so everyone knows what’s going on both in your infrastructure and in the industry overall.
August 19, 2024
Critical WordPress Vulnerability Jeopardizes Millions of Sites
Type of vulnerability: Privilege escalation.
The problem: LiteSpeed Cache, a WordPress plugin designed to reduce caching speeds and optimize page loads, has a vulnerability that affects at least 5 million WordPress instances. A member of security provider PatchStack’s Alliance community discovered the vulnerability and reported it to PatchStack, who then notified LiteSpeed Technologies, the plugin’s developer.
The plugin has a feature that creates a temporary user to crawl sites and cache web pages. “The vulnerability exploits a user simulation feature in the plugin which is protected by a weak security hash that uses known values,” PatchStack said. Unauthenticated users can exploit the weak hashes to escalate their privileges and upload malicious plugins or files.
The fix: Upgrade your LiteSpeed plugin to version 6.4.1, which includes the patch.
August 20, 2024
AWS Application Load Balancer Sees Configuration Issues
Type of vulnerability: Configuration issue leading to authentication bypass.
The problem: Application detection and response provider Miggo discovered a configuration vulnerability in Amazon Web Services’ Application Load Balancer (ALB) authentication feature. If an application is misconfigured as an ALB target group and is directly accessible, a threat actor could bypass ALB and use a shared public key server to set an arbitrary key ID, according to Liad Eliyahu from Miggo. The threat has been nicknamed ALBeast.
Aside from misconfiguration, misimplementation and issuer forgery also put AWS authentication processes at risk. “Until recently, the AWS ALB user authentication docs did not include guidance on validating a token’s signer—a crucial field for ensuring that the token was signed by the trusted ALB,” Eliyahu said. “Without this validation, applications might trust an attacker-crafted token.” An attacker could also forge an authentic token signed by ALBeast.
Applications that are exposed to the internet are particularly vulnerable to this flaw.
AWS updated its documentation after Miggo disclosed the vulnerability to its researchers. Now, an authentication signature needs to be verified and validated. AWS added new code that’s designed to validate the signer — the ALB instance that signs the token — according to Miggo.
The fix: Comply with all relevant documentation from AWS — use the new code they’ve provided to validate signatures. Miggo noted that AWS doesn’t consider issue forgery a formal vulnerability and has decided to reach out to customers with suboptimal configurations instead of changing the entire ALB component.
Learning about vulnerabilities as soon as possible is critical to protect your computer systems and networks, but it can be difficult to do manually. I recommend using a comprehensive vulnerability scanning product to find issues that must be fixed quickly.
August 21, 2024
Upgrade Chrome As Soon As Possible
Type of vulnerability: Type confusion.
The problem: A bug in the V8 JavaScript and Web Assembly engine affects Google Chrome on personal computers. The vulnerability allows remote threat actors to use specifically crafted HTML pages to exploit heap correction. They could potentially use the falsified HTML page to take control of your Chrome instance.
The vulnerability is tracked as CVE-2024-7971. It exists in versions of Chrome prior to 128.0.6613.84.
The fix: Chrome stable channel updates from Google include 128.0.6613.84/.85 for Windows and Mac devices and 128.0.6613.84 for Linux machines. To update to these versions:
- Open the Chrome browser and select the three vertical dots in the right corner.
- Click Help.
- Click About Chrome.
- If Chrome checks for updates and finds one, it will update the browser. Select Relaunch after it updates.
August 23, 2024
Another SolarWinds Web Help Desk Flaw Emerges
Type of vulnerability: Hardcoded credential.
The problem: Last week, I mentioned a Java deserialization flaw in SolarWinds Web Help Desk. This week, researchers have discovered another vulnerability in WHD, this one a hardcoded credential issue. If exploited, it allows an unauthenticated remote user to access the Web Help Desk’s controls and modify its data. Zach Hanley of Horizon3.ai discovered and reported the vulnerability.
The flaw is tracked as CVE-2024-28987 and has a CVSS score of 9.1.
The fix: SolarWinds has released a hotfix, 12.8.3 number 2, that solves both last week’s remote code execution vulnerability and this week’s credential one.
CISA Adds Versa Director Vulnerability to Catalog
Type of vulnerability: Dangerous file type upload vulnerability.
The problem: Versa Networks’ Director product has GUI customization options available for users who have Provider-Data-Center-Admin or Provider-Data-Center-System-Admin permissions. According to NIST, a malicious user with those privileges could use the “Change Favicon” option within the GUI to upload a malicious file that has a .png extension.
The file would masquerade as an image file, according to NIST. The exploit is only possible after a user with the correct privileges has logged into the Versa Director GUI successfully. Versa Networks noted that managed service providers are likely to be the main targets.
The vulnerability is tracked as CVE-2024-39717 and has a severity rating of 6.6.
The CISA has added this vulnerability to its catalog of Known Exploited Vulnerabilities (KEV). It has a High severity rating. According to NIST, Versa Networks is aware of one instance where the vulnerability was exploited because the customer didn’t implement older firewall guidelines.
The fix: To remediate CVE-2024-39717, upgrade to one of the following updated versions, with links to the download page provided by Versa Networks:
- 21.2.3: https://support.versa-networks.com/support/solutions/articles/23000024323-release-21-2-3
- 22.1.2: https://support.versa-networks.com/support/solutions/articles/23000025680-release-22-1-2
- 22.1.3: https://support.versa-networks.com/support/solutions/articles/23000026033-release-22-1-3
- 22.1.4: Not affected.
Additionally, follow all of Versa Networks’ firewall guidelines and hardening best practices.
Double RCE Vulnerabilities Affect GPS Tracking Tool Traccar
Type of vulnerability: Path traversal leading to potential remote code execution.
The problem: Open-source GPS tracking solution Traccar has two path traversal vulnerabilities that could allow unauthenticated threat actors to execute code remotely. According to Horizon3.ai researcher Naven Sunkavally, Traccar is vulnerable when guest registration is enabled, which is its default configuration.
Traccar allows users to register their devices to be tracked, and Traccar shows their location when the devices communicate with the Traccar server. In version 5.1 of the solution, an image upload feature allows users to upload a picture of their device, but Traccar’s code has vulnerabilities in managing image file uploads.
The first vulnerability is tracked as CVE-2024-24809 and has a CVSS score of 8.5, with a high rating. The second is tracked as CVE-2024-31214 and has a critical CVSS score of 9.7. Both allow remote code execution if exploited.
“The net result of CVE-2024-31214 and CVE-2024-24809 is that an attacker can place files with arbitrary content anywhere on the file system,” Sunkavally said. “However, an attacker only has partial control over the filename.” The filename has to be a particular structure for the attackers to be successful.
The fix: Sunkavally recommends upgrading to Traccar 6. Alternatively, you can switch the registration setting to false so user self-registration isn’t automatically enabled.
Read next:
- Vulnerability Recap 8/20/24 – Microsoft Has the Spotlight This Week
- Best Vulnerability Management Software & Systems