The remote code execution vulnerabilities from last week’s recap continue, and Microsoft Patch Tuesday identifies plenty of issues to patch — but fortunately, most of them aren’t critical vulnerabilities. PHP’s Windows flaw is now being exploited by ransomware, almost immediately after researchers publicized the issue. Google also has an elevation of privilege vulnerability in its Pixel phones, among others; Android has published fixes for all the device issues.
Aside from the updates in this recap, keep a careful eye on all your vendors’ security bulletins, as always. Vulnerabilities like zero-days crop up quickly, and threat actors are vigilant in exploiting them as soon as possible. Additionally, if you’re an Ivanti customer or use other products that frequently appear in our recaps and in security news, pay particularly careful attention. You’ll want to check for product security updates a couple of times a week.
June 6, 2024
NVIDIA Patches 10 Vulnerabilities in GPU Products
Type of vulnerability: Multiple, including code execution and elevation of privilege.
The problem: NVIDIA recently patched five vulnerabilities in its GPU Display Driver and five in its vGPU virtualization software. The vulnerabilities are rated either medium or high. They include code execution, information disclosure, elevation of privilege, data tampering, and denial of service. Attackers could exploit the vulnerabilities with the intent of stealing data within AI workloads, for which NVIDIA’s GPU chips are popular.
The fix: Install updated versions of the GPU Display Driver through NVIDIA’s Downloads page and update the vGPU software through NVIDIA’s licensing portal.
June 7, 2024
Ransomware Exploiting PHP Flaw
Type of vulnerability: Argument injection vulnerability leading to ransomware exploits.
The problem: In last week’s vulnerability recap, we mentioned a security flaw in PHP, CVE-2024-4577, that allows threat actors to perform argument injection on Windows installations. Some of the affected systems are running XAMPP, which already has vulnerabilities that make it unsuitable for production environments. Shortly after PHP posted a patch, threat actors began to exploit the vulnerability using ransomware.
Researchers at Imperva published a blog post about the ransomware, TellYouThePass, which has been in operation since 2019. It affects both Windows and Linux. According to Imperva’s notice, “The attackers used the known exploit for CVE-2024-3577 to execute arbitrary PHP code on the target system, leveraging the code to use the ‘system‘ function to run an HTML application file hosted on an attacker-controlled web server via the mshta.exe binary.”
The binary used suggests that the threat actors are using a living-off-the-land strategy.
The fix: Patch your PHP environments to the most recent version immediately.
If you’re interested in an automated solution that checks your business environments for vulnerabilities, read our rundown of the best vulnerability scanning tools.
June 11, 2024
Google Pixel Updates Include High-Rated EoP Vulnerability
Type of vulnerability: Elevation of privilege.
The problem: Google recently rolled out updates for 50 vulnerabilities to its Pixel phones. Among these is an elevation of privilege (EoP) vulnerability, CVE-2024-32896, which Android specifically mentions may be under targeted exploitation in the bulletin.
According to NIST’s National Vulnerability Database (NVD), a logic error exists in the device’s code that could lead to authentication bypass. Then the threat actor could escalate their privileges without needing any execution privileges. This could allow them to make changes within the device’s firmware.
The fix: Upgrade your Pixel device to the most recent security update.
June 12, 2024
Proof of Concept Released for RCE Vulnerability in Ivanti EPM
Type of vulnerability: SQL injection leading to remote code injection.
The problem: Researchers from Horizon3AI have published a proof of concept (PoC) for a vulnerability in Ivanti Endpoint Manager. The bug is an SQL injection vulnerability and has a critical CVSS rating of 9.8 out of 10. It’s tracked as CVE-2024-29824.
The EPM vulnerability can lead to remote execution of arbitrary code when successfully exploited. It allows threat actors to perform commands on Endpoint Manager without being authenticated. According to Zero Day Initiative, “The issue results from the lack of proper validation of a user-supplied string before using it to construct SQL queries.” The SQL injection vulnerability resides in the RecordGoodApp function of Endpoint Manager.
Horizon3AI’s proof of concept is available on GitHub.
The fix: Use Ivanti’s knowledge base article to apply the remediation to Ivanti Endpoint Manager.
June 13, 2024
Microsoft Fixes Over 50 Flaws for Patch Tuesday
Type of vulnerability: Multiple, including RCE.
The problem: For June’s Patch Tuesday, Microsoft resolved more than 50 vulnerabilities, including issues in Windows Server Service, Windows NT OS Kernel, and Microsoft Word. It also republished nine non-Microsoft CVEs, including multiple Chrome issues.
Only one Microsoft CVE is rated as critical — the Windows Server Service vulnerability has a 9.8 CVSS score. This remote code execution vulnerability occurs in Microsoft messaging queuing (MSMQ). It’s tracked as CVE-2024-30080.
The fix: Immediately download the most recent version of your Windows Server Service software, as well as any other services on the Patch Tuesday list.
June 14, 2024
Seven ASUS Routers Vulnerable to Authentication Bypass
Type of vulnerability: Authentication bypass.
The problem: Hardware vendor ASUS released a security notice and firmware update for seven of its routers. They’re vulnerable to authentication bypass attacks, permitting an unauthenticated threat actor to log into the router and gain control over it. The vulnerability is tracked as CVE-2024-3080 and has a critical rating and a CVSS score of 9.8.
Affected router versions include:
- XT8
- XT8_V2
- RT-AX88U
- RT-AX58U
- RT-AX57
- RT-AC86U
- RT-AC68U
The fix: Update your router to the most recent firmware version. Additionally, use strong passwords on your routers with at least 10 characters of different types.
Read next:
- Vulnerability Recap 6/10/24 — RCE Attacks in Major Platforms
- Best Vulnerability Management Software & Systems in 2024
