This week, Ivanti takes center stage again with a new set of security flaws, but it’s got plenty of company: Google, ecommerce platform Magento, and WordPress plugin LayerSlider join it, as well as version 2 of Hypertext Transfer Protocol. eSecurity Planet also follows up on a Linux-based vulnerability mentioned in last week’s recap. I recommend immediately updating any devices or software versions if your business uses any of the following products.
March 27, 2024
Recently Patched SQL Injection Issue Affects LayerSlider Plugin
Type of vulnerability: Unauthenticated SQL injection.
The problem: LayerSlider, a WordPress plugin for visual website content and graphic design, had an SQL injection vulnerability that was recently patched. When exploited, the vulnerability allowed an attacker to steal data like password hashes from databases. Wordfence, the creators of a WordPress security plugin, estimate over one million active installations of LayerSlider on the internet.
Wordfence posted a notice that the researcher who reported this vulnerability to them received a $5,500 reward. Wordfence hosts bug bounty events with the purpose of rewarding those who discover security threats.
The vulnerability is tracked as CVE-2024-2879 and has a Critical CVSS rating of 9.8.
The fix: LayerSlider version 7.10.1 fixes this vulnerability.
April 1, 2024
Long-Hidden OS Vulnerability Now Has Updated Payload Info
Type of vulnerability: Unauthorized remote access to Secure Shell.
The problem: In last week’s recap, we mentioned a vulnerability in XZ Utils, a command-line application for data compression, that allows an attacker to gain remote Secure Shell (SSH) access without being authorized. The vulnerability, CVE-2024-3094, is present through malicious code in the application, which the open-source community discovered in versions 5.6.0 and 5.6.1 of XZ Utils.
This week, the researchers at JFrog have updated payload information for the vulnerability. JFrog provides a detailed list of steps that the payload performs. Additionally, researchers have published a backdoor client to GitHub that XZ Utils users can use to push payloads to their infected servers. JFrog notes this is mostly useful for research, to compare patched versions to infected ones.
Affected distributions of XZ Utils include Fedora, Debian, Kali, and OpenSUSE. Red Hat Enterprise Linux and Ubuntu, however, were not affected.
The fix: JFrog provides instructions for finding whether your Linux distribution is vulnerable, with example code of vulnerable and safe outputs. The Cybersecurity & Infrastructure Security Agency recommends teams downgrade affected software to a non-vulnerable version of XZ Utils.
If your organization needs a consistent method of identifying vulnerabilities, check out our list of the best vulnerability scanning tools.
April 2, 2024
Update Pixel Devices to Most Recent Google Patch
Type of vulnerability: Zero-day.
The problem: Android recently disclosed two vulnerabilities in Google’s Pixel phones on its Pixel-specific security bulletin. The two flaws, CVE-2024-29745 and CVE-2024-29748, are both zero-days. Each has a High severity rating.
CVE-2024-2975 is an information disclosure issue in the bootloader component of the Pixel device. CVE-2024-29748 allows a threat actor to bypass the firmware and escalate their privileges when exploiting it.
The fix: According to the security notice, supported devices will be updated to the 2024-04-05 patch level. Android encourages customers to accept the security updates on their devices. When your phone begins the update process, don’t wait to perform it.
Ivanti Runs into Further Snags with ICS & IPS Networking Products
Type of vulnerability: Heap overflow, null pointer deference, and XML entity expansion vulnerabilities.
The problem: Ivanti’s newest Connect Secure and Policy Secure vulnerabilities don’t have critical ratings, but they should be patched as soon as possible regardless. Ivanti released a security bulletin for the following vulnerabilities:
- CVE-2024-21894: Heap overflow vulnerability in the IPsec component of Ivanti Policy Secure and Ivanti Connect Secure, which could lead to a denial-of-service attack and potential arbitrary code execution.
- CVE-2024-22052: Null pointer dereference vulnerability, also in the IPSec component of the products, which permits an unauthenticated attacker to send requests that crash ICS and IPS in a DoS attack.
- CVE-2024-22053: Heap overflow vulnerability in the IPSec component of both products, which allows an unauthenticated attacker to perform specific requests that initiate a DoS attack or read memory data.
- CVE-2024-22023: XML entity expansion or XEE vulnerability in the SAML component of both products, which permits an unauthenticated attacker to send XML requests that overwhelm the system and cause a DoS attack.
This new set of issues prompted Ivanti to promise a security overhaul of their systems.
The fix: Ivanti recently developed a remediation process for the vulnerabilities. Users should use the knowledge base article that provides remediation instructions to fix their own environment.
April 3, 2024
D-Link Vulnerability Affects Thousands of NAS Devices
Type of vulnerability: Backdoor and command injection.
The problem: A researcher known as NetSecFish discovered a vulnerability within some end-of-life D-Link network-attached storage devices. The vulnerability affects a function of /cgi-bin/nas_sharing.cgi, a file of HTTP GET Request Handler. It has a backdoor due to hardcoded credentials, according to the original researcher, and it can also lead to a command injection attack that can be carried out remotely.
According to the National Institute of Standards & Technology (NIST), affected versions include D-Link DNS-320L, DNS-325, DNS-327L and DNS-340L up to 20240403. This vulnerability is tracked as CVE-2024-3273 and has a High severity score of 7.3.
The fix: NetSecFish recommends applying any relevant patches from D-Link. However, the NAS devices are currently end-of-life, so they should be replaced by devices that are actively supported by a storage manufacturer.
HTTP/2 Has Newly Uncovered DoS Vulnerability
Type of vulnerability: Packet overload leading to denial-of-service attack.
The problem: The second revision of HyperText Transfer Protocol (HTTP), used to load web pages, has a recently discovered vulnerability. Messages sent through HTTP/2 are permitted to have named fields in the header and the trailer sections of the message.
According to Carnegie Mellon University’s CERT Coordination Center, “These header and trailer fields are serialised as field blocks in HTTP/2. . . . Many HTTP/2 implementations do not properly limit or sanitize the amount of CONTINUATION frames sent within a single stream.” If an attacker sends data packets to the target server, the associated CONTINUATION frames won’t be properly appended. This causes an out-of-memory crash, Carnegie Mellon said.
There are multiple CVEs for this vulnerability, each associated with a different HTTP/2 implementation. Affected systems include the Apache HTTP Server Project, impacted by CVE-2024-27316, and Red Hat, impacted by seven different CVEs.
The fix: We recommend security teams immediately consult the list of vulnerabilities and patch any implementations as needed. If there’s no active patch, we suggest disabling HTTP/2 on any enterprise servers.
April 4, 2024
Magento Backdoor Is a Threat to Ecommerce Sites
Type of attack: Command injection.
The problem: A vulnerability in open-source ecommerce platform Magento has been recently exploited. The flaw is an arbitrary code execution vulnerability that permits attackers to inject backdoors into Magento’s code.
Adobe has released a security bulletin with impact information. The vulnerability is rated critical, with a CVSS score of 9.1. While Adobe released this information in February, threat actors are still exploiting it, based on research from Sansec. The malicious XML code in Magento’s servers is repeatedly infecting Magento users’ systems — it’s a persistent issue.
The fix: Adobe recommends updating Magento OS to the following versions based on your current version:
- 2.4.6-p4 for 2.4.6-p3 and earlier
- 2.4.5-p6 for 2.4.5-p5 and earlier
- 2.4.4-p7 for 2.4.4-p6 and earlier
Read next:
- Vulnerability Recap 4/1/24 – Cisco, Fortinet & Windows Server Updates
- 6 Best Vulnerability Management Software & Systems in 2024
