Vulnerability Recap 7/1/24 – Apple, GitLab, AI Platforms at Risk

eSecurity Planet content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More.

Last week, critical vulnerability news emerged on multiple platforms. Ollama AI Platform, which permitted remote code execution via path traversal, patched its vulnerabilities in its version updates. MOVEit Transfer had an authentication bypass that affected 2,700 instances. GrimResource method leveraged MMC XSS vulnerabilities. Fortra’s FileCatalyst patched a SQL injection vulnerability. Apple issued updates for AirPods’ Bluetooth authentication bypass flaw.

Meanwhile, Funnull’s Polyfill.io domain control drove Google to disable ads on the impacted websites. Vanna.AI resolved a prompt injection issue. Lastly, GitLab addressed several vulnerabilities, emphasizing the need for timely updates and stronger safety processes. To improve security, users should update software on a regular basis, establish strong authentication procedures, and limit access to key resources.

June 24, 2024

Ollama AI’s Probllama Vulnerability Enables RCE

Type of vulnerability: Multiple, including remote code execution (RCE), path traversal, and insufficient input validation.

The problem: A security flaw in the Ollama AI infrastructure platform, identified as CVE-2024-37032, enabled attackers to do RCE. The vulnerability, known as Probllama, resulted from insufficient input validation, which led to a route traversal problem. 

The exploit required sending malicious HTTP requests to overwrite arbitrary files on the server, potentially corrupting them and remotely executing code. Due to the server’s default root privileges and lack of authentication, publicly exposed Docker deployments could particularly be vulnerable.

The fix: Ollama version 0.1.34, released on May 7, 2024, addressed the vulnerability, following responsible disclosure. Update to the latest version right now. To avoid similar issues, use robust input validation, authentication procedures, and limit API server exposure, particularly in Docker deployments. Implement authentication-enabled reverse proxies to strengthen AI infrastructure security.

Enhance your authentication practices and see what solution fits your organization by reading our guide on passkey solutions for MFA, SSO, and passwordless authentication.

June 25, 2024

Critical Flaw in MOVEit Transfer Impacts Over 2000 Instances

Type of vulnerability: Authentication bypass and improper authentication.

The problem: A serious security issue in Progress Software’s MOVEit Transfer (CVE-2024-5806) lets attackers bypass SFTP authentication and imitate any user. Exploitation involves information of an existing username, remote authentication capability, and public access to the SFTP service. 

The vulnerability affects versions released prior to 2024.0.2. Unpatched instances are at risk of unauthorized access and control to MOVEit systems. Approximately 2,700 instances are vulnerable globally.

The fix: Progress Software resolved the issue in subsequent versions of MOVEit Transfer. Upgrade to the newest versions right away and follow security guidelines, such as blocking public RDP access and limiting outbound connections to trusted endpoints. To minimize similar vulnerabilities, ensure that third-party components such as IPWorks SSH have suitable authentication measures in place and are updated regularly.

Threat Actors Leverages GrimResource to Exploit MMC Flaw

Type of vulnerability: Multiple, including code execution, cross-site scripting (XSS), and file-based exploits.

The problem: Threat actors are leveraging GrimResource, a new attack method which uses engineered MSC files to get full code execution via Microsoft Management Console (MMC). It takes advantage of a long-unpatched XSS vulnerability in the apds.dll module. It allows arbitrary JavaScript code to be executed when a malicious MSC file is opened. This bypasses ActiveX warnings and can result in unauthorized access, system takeover, and malware deployment.

The fix: Microsoft Defender and Smart App Control provided some guidance against malicious MSC files. Avoid downloading or opening files from unidentified sources. Regularly update security software and use robust email filtering to reduce dangers. Organizations should educate their staff about phishing tactics and limit the use of MMC to trustworthy applications to strengthen security protections against such vulnerabilities.

June 26, 2024

Fortra Addresses Critical SQL Injection in FileCatalyst

Type of vulnerability: SQL injection.

The problem: A critical SQL injection vulnerability, identified as CVE-2024-5276, impacts Fortra FileCatalyst Workflow versions 5.1.6 Build 135 and earlier and has a CVSS score of 9.8. This issue allows attackers to tamper with the application database, potentially granting administrative privileges and altering or deleting data. Exploitation requires anonymous or authenticated user access, which poses a major risk if not patched. 

The fix: Tenable has provided a proof-of-concept exploit. Fortra also recently fixed the issue in FileCatalyst Workflow 5.1.6 Build 139. Update to this version immediately. As a temporary solution, disable the vulnerable servlets (csv_servlet, pdf_servlet, xml_servlet, and json_servlet) in Apache Tomcat’s “web.xml” file. Regularly upgrade software and restrict anonymous access to avoid more issues. 

Employing web application firewalls (WAF) can also mitigate SQL injection risks. Discover the top WAF solutions, including their features, use cases, and more.

Apple AirPods Firmware Update Fixes Major Flaws

Type of vulnerability: Authentication bypass.

The problem: An authentication issue with Apple’s AirPods, Powerbeats Pro, and Beats Fit Pro (CVE-2024-27867) enabled attackers within Bluetooth range to mimic previously paired devices. It obtains unauthorized access to the headphones, potentially listening in on private conversations. The vulnerability affected several models, and attackers may exploit it during connection requests to linked devices.

The fix: Apple issued firmware patches (6A326 for AirPods and 6F8 for Beats) to address the vulnerability and enhance state management. To avoid unwanted access, update your firmware immediately. To avoid future vulnerabilities, keep your firmware up to date, enable automatic updates, and exercise caution when using Bluetooth in public places. Review security advisories on a regular basis, and implement patches as soon as possible.

Chinese Firm Funnull Obtains Polyfill.io, Causes Supply-Chain Risks

Type of vulnerability: Supply-chain attack and JavaScript library tampering.

The problem: Funnull, a Chinese company, acquired the Polyfill.io domain and updated its JavaScript library (“polyfill.js”) to redirect users to malicious sites, exposing a critical vulnerability. This supply-chain assault affects approximately 110,000 websites that integrate the library, possibly exposing users to scams and malware. Funnull’s control of the domain raises questions about the library’s integrity, causing site administrators to remove it immediately.

The fix: Google has restricted ads for e-commerce companies that utilize Polyfill.io to safeguard users. Cloudflare and Fastly have offered alternate endpoints to replace Polyfill.io, and website owners are encouraged to remove any references to the hacked library. Maintain thorough content security regulations. Regularly monitor and update your third-party dependencies. Use strong code integrity checks and avoid relying on possibly vulnerable external libraries.

June 27, 2024

Critical Prompt Injection Flaw in Vanna.AI Exposes Users to RCE

Type of vulnerability: Prompt injection and remote code execution.

The problem: Cybersecurity experts have discovered a critical security weakness in the Vanna.AI library that might be misused to execute remote code via prompt injection techniques. The vulnerability, identified as CVE-2024-5565 and assigned a CVSS score of 8.1, affects the “ask” function. This function can be used to run arbitrary commands, allowing malicious actors to obtain unauthorized access and potentially compromise systems.

Vanna.AI is a Python-based machine learning framework that allows you to query SQL databases with natural language prompts. The prompt injection vulnerability stems from the dynamic development of Plotly code, which is used to show SQL query results. An attacker can create a malicious prompt that contains executable Python code, resulting in RCE.

The fix: Following appropriate disclosure, Vanna.AI has released a hardening guide to help mitigate the vulnerability. This guide recommends:

  • Updating to the most recent Vanna library version.
  • Running the “ask” function within a sandboxed environment.
  • Implementing pre-prompting and comprehensive security mechanisms when integrating large language models (LLMs) with vital resources.

June 28, 2024

GitLab Releases Security Updates to Address 14 Vulnerabilities

Type of vulnerability: Multiple, RCE, XSS, cross-site request forgery (CSRF), and more.

The problem: GitLab has issued security upgrades to fix 14 security issues, including one major vulnerability that could be used to execute continuous integration and continuous deployment (CI/CD) pipelines as any user. CVE-2024-5655 (CVSS score: 9.6) is the most serious of these vulnerabilities, allowing a malicious actor to launch a pipeline as another user.

These flaws impact GitLab Community Edition (CE) and Enterprise Edition (EE) with the following versions:

  • 17.1 prior to 17.1.1
  • 17.0 prior to 17.0.3
  • 15.8 prior to 16.11.5

Other significant vulnerabilities include the following:

  • CVE-2024-4901 (CVSS score 8.7): A stored XSS vulnerability that could be imported from a project with malicious commit notes.
  • CVE-2024-4994 (CVSS score 8.1): A CSRF attack on GitLab’s GraphQL API, resulting in the execution of arbitrary GraphQL changes.
  • CVE-2024-6323 (CVSS score 7.5): An authorization flaw in the global search feature that allows sensitive information to be leaked from a private repository within a public project.
  • CVE-2024-2177 (CVSS score 6.8): A cross-window forgery vulnerability allows an attacker to exploit the OAuth authentication procedure using a forged payload.

The fix: Update to the most recent versions to avoid possible risks. While there’s no indication of active exploitation of these weaknesses, the fixes should be applied as soon as possible to guarantee GitLab environments are secure. GitLab has resolved these vulnerabilities in CE and EE versions 17.1.1, 17.0.3, and 16.11.5

The patch for CVE-2024-5655 includes two breaking changes:

  • GraphQL authentication using CI_JOB_TOKEN is turned off by default.
  • When a merge request is retargeted after its prior target branch has been merged, pipelines will no longer run automatically.

Read next:

Get the Free Cybersecurity Newsletter

Strengthen your organization’s IT security defenses by keeping up to date on the latest cybersecurity news, solutions, and best practices. Delivered every Monday, Tuesday and Thursday

Maine Basan Avatar

Subscribe to Cybersecurity Insider

Strengthen your organization’s IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices.




Top Cybersecurity Companies

Get the Free Newsletter!

Subscribe to Cybersecurity Insider for top news, trends & analysis