In last week’s major vulnerability news, various platforms performed a series of fixes for new and persistent vulnerabilities. QNAP released upgrades for their NAS devices after facing a stack buffer overflow flaw. Fluent Bit published a version upgrade following a memory corruption vulnerability. GitHub Enterprise Server and GitLab patched their authentication bypass and XSS issues. Google Chrome had its eighth zero-day exploit, triggering an emergency upgrade.
Additionally, CISA’s exploited vulnerabilities list now includes Apache Flink’s long-standing access control issue. With these new fixes and updates, users impacted by these vulnerabilities should upgrade their systems as soon as possible, apply access restrictions, perform increased monitoring, and follow the general best practices for security.
May 20, 2024
Critical QNAP NAS Vulnerability Exposes Devices to RCE
Type of vulnerability: Stack buffer overflow.
The problem: WatchTowr Labs discovered a severe stack buffer overflow vulnerability (CVE-2024-27130) in QNAP’s NAS operating system QTS. It’s found in the ‘No_Support_ACL’ function of ‘share.cgi’ and can result in remote code execution (RCE). However, exploitation requires precise conditions, such as acquiring a valid ‘ssid’ parameter from shared file links available online.
The fix: QNAP has released an emergency upgrade (QTS 5.1.7.2770 version 20240520) that addresses CVE-2024-27130 and other issues. Immediately update your QNAP devices to the most recent firmware to mitigate these issues. Check for future updates and be cautious while sharing download links to avoid exploitation.
Vulnerability in Fluent Bit Exposes Systems to DoS
Type of vulnerability: Memory corruption vulnerability.
The problem: CVE-2024-4323, a vulnerability in a popular logging program Fluent Bit, results in possible denial-of-service (DoS) attacks, information exposure, and remote code execution (RCE). Tenable discovered this memory corruption vulnerability that affects the tool’s built-in HTTP server. Exploitation requires access to the Fluent Bit monitoring API, which allows attackers to disrupt services or extract sensitive data.
The fix: Fluent Bit developers have published version 3.0.4, which addresses CVE-2024-4323. To mitigate the issue, immediately update to the newest version. Further protect your systems by limiting access to Fluent Bit’s API and blocking any impacted endpoints that aren’t in use.
If your system is already exposed to a DDoS attack, explore our guidelines on how to perform DDoS attack prevention in three stages.
May 21, 2024
GitHub Enterprise Server Update Fixes SAML Authentication Bypass
Type of vulnerability: Authentication bypass.
The problem: CVE-2024-4985 is a critical authentication bypass vulnerability in GitHub Enterprise Server (GHES) that uses SAML single sign-on (SSO) with encrypted assertions. Exploitation enables attackers to falsify an SAML response, granting them administrative capabilities and unrestricted access without authentication. This poses serious security risks, particularly for organizations that handle sensitive data.
The fix: GitHub has fixed the vulnerability in GHES versions 3.12.4, 3.11.10, 3.10.12, and 3.9.15. Update your instances to these versions. Administrators should additionally evaluate and adapt their SAML SSO setups. Report any issues with the upgrades to guarantee system stability and security.
Microsoft Releases Fix for Windows Server 2019 Patch Installation Error
Type of vulnerability: Patch installation error.
The problem: During the May 2024 Patch Tuesday security upgrades, Microsoft issued an emergency out-of-band (OOB) update (KB5039705) for Windows Server 2019 to address a bug that caused error 0x800f0982. This vulnerability, which affected servers with and without the English (United States) language pack, impeded the successful installation of crucial security patches. This affected system administrators worldwide.
The fix: Administrators should download and install the KB5039705 OOB update via Windows Update, WSUS, or the Microsoft Update Catalog. After installing this upgrade and rebooting the server, the May 2024 Patch Tuesday security patches should execute without issues.
Google’s Chrome 125 Update Fixes 6 Vulnerabilities, 4 High-Severity Bugs
Type of vulnerability: Type confusion, heap buffer overflow, and more
The problem: Google’s Chrome 125 update addresses six security issues, including four significant bugs that threaten user data and system stability. The vulnerabilities include a use-after-free flaw in Scheduling (CVE-2024-5157) and a type confusion bug in the V8 engine (CVE-2024-5158).They also fixed two heap buffer overflows in the ANGLE graphics engine (CVE-2024-5159) and Dawn WebGPU implementation (CVE-2024-5160).
The fix: Google has published security fixes for Chrome versions 125.0.6422.76 for Linux and 125.0.6422.76/.77 for Windows and macOS, which addressed the identified vulnerabilities. Upgrade your browsers right now to provide protection against possible attacks. Regularly install updates to maintain security and prevent attackers from exploiting these serious issues.
May 22, 2024
Veeam Addresses Vulnerabilities in Backup & Replication Update
Type of vulnerability: Authentication bypass, privilege escalation, NTLM relay attack, and more.
The problem: Veeam’s newest Backup & Replication version addresses four vulnerabilities, including a major authentication bypass flaw (CVE-2024-29849) that allows unauthorized access to Backup Enterprise Manager. The update also fixes serious concerns with NTLM relay attacks (CVE-2024-29850) and NTLM hash stealing (CVE-2024-29851). Additionally, they also fixed a privilege escalation flaw in Veeam Agent for Windows (CVE-2024-29853).
The fix: Veeam released Backup Enterprise Manager version 12.1.2.172 and Backup & Replication version 12.1.2 to address the vulnerabilities. Update to these versions instantly. If updating isn’t an option, Veeam recommends deactivating Backup Enterprise Manager. If you’re a Veeam Agent for Windows user, update to version 6.1.2.
Read our guide to learn how privilege escalation attacks work and the best practices for preventing it.
May 23, 2024
GitLab Releases Patches for XSS & Multiple Security Vulnerabilities
Type of vulnerability: Cross-site scripting (XSS) vulnerability, cross-site request forgery (CSRF) and denial-of-service (DoS).
The problem: GitLab has patched a critical XSS vulnerability (CVE-2024-4835) in the Visual Studio code editor, allowing unauthenticated attackers to take over user accounts via maliciously designed pages. However, for exploitation to occur, users must interact with it. GitLab also patched six medium-severity vulnerabilities, including CSRF via Kubernetes Agent Server, (CVE-2023-7045) and DoS (CVE-2024-2874).
The fix: GitLab released patches for versions 17.0.1, 16.11.3, and 16.10.6 for both Community Edition (CE) and Enterprise Edition (EE), which addressed the high-severity XSS vulnerability and several medium-severity vulnerabilities. Immediately update your GitLab installations to these versions to protect yourself from any threats.
May 24, 2024
CISA Adds Old Apache Flink Flaw to Known Exploited Vulnerabilities List
Type of vulnerability: Critical access control.
The problem: CVE-2020-17519, a four-year-old vulnerability that affects Apache Flink versions 1.11.0 to 1.11.2, poses serious risks caused by insufficient access control. Exploitation gives remote attackers access to sensitive files on JobManager filesystems, jeopardizing data integrity and confidentiality. The vulnerability highlights the urgent need for timely upgrades to prevent unauthorized access and minimize dangers in widely used open-source frameworks.
The fix: To mitigate CVE-2020-17519, upgrade to Apache Flink versions 1.11.3 or 1.12.0. Federal agencies must also apply the necessary updates by June 13, 2024, according to the CISA directive. To avoid exposure to cyber threats, all companies should implement the mitigation actions described in the catalog or stop using impacted products if fixes aren’t available.
Google Releases Emergency Fix for the 8th Actively Exploited Zero-Day
Type of vulnerability: High-severity type confusion.
The problem: CVE-2024-5274, a zero-day in Chrome, results from a ‘type confusion’ vulnerability in the V8 JavaScript engine. Attackers use this vulnerability to control memory allocation, resulting in arbitrary code execution. This enables the attackers to gain control of afflicted systems, endangering user data, privacy, and system integrity.
The fix: Update your Chrome browser to version 125.0.6422.112/.113 for Windows and Mac. Linux users will receive the update in the coming days. While Chrome enabled automatic updates, you can also manually check your settings. Google’s plan to release security updates weekly reduces patch gap issues to narrow down the window of opportunity for threat actors.
Read next:
- Vulnerability Recap 5/20/24: Patch Tuesday, Chrome & D-Link
- Top Open-Source Vulnerability Scanners & Tools
- Best Vulnerability Management Software & Systems in 2024