Vendors and researchers disclosed a wide range of vulnerabilities this week from common Cisco IOS, Fortinet, and Windows Server issues to more focused flaws affecting developers (PyPI), artificial intelligence (Ray, NVIDIA), and industrial controls (Rockwell Automation). While most issues can be fixed through prompt patching and updating, a few remain unfixed and may require more significant changes to the security stack to block possible attacks.
March 22, 2024
Emergency Out-of-Band Windows Server Security Updates
Type of vulnerability (or attack): Memory leak.
The problem: The March 12th Microsoft security patches introduced a memory leak flaw in the local security authority subsystem service (LSASS) process that consumes all physical and virtual memory on server Domain Controllers. When either on-premise or cloud-based Active Directory domain controllers process Kerberos authentication requests, the leak causes the LSASS process to stop responding and the domain controller will unexpectedly restart.
The fix: Apply the emergency fixes issued by Microsoft for:
Attackers Actively Exploit Fortinet Enterprise Management Server SQLi Flaw
Type of vulnerability: SQL injection (SQLi) flaw.
The problem: A SQLi flaw tracked as CVE-2023-48788 permits remote code execution (RCE) with SYSTEM privileges in low complexity attacks that don’t require user interaction. Horizon3 published an analysis and proof of concept to exploit Fortinet’s FortiClient Enterprise Management Server (EMS).
The US Cybersecurity & Infrastructure Security Agency (CISA) added this exploit to their vulnerability catalog indicating active exploitation in the wild. Current ShadowServer statistics show over 300,000 potentially vulnerable servers with open connections to the internet.
The fix: Update affected versions ASAP:
- FortiClient EMS 7.2: Upgrade versions 7.2.0 through 7.2.2 to version 7.2.3 or above
- FortiClient EMS 7.0: Upgrade versions 7.0.1 through 7.0.10 to version 7.0.11 or above
March 25, 2024
Hackers Pollute Python Package Index Open-Source Libraries
Type of vulnerability (or attack): Malicious library code.
The problem: Hackers placed malicious code into Python Package Index (PyPI) open-source library repositories using lookalike (aka, typosquatting) package names to trick developers into inserting the malicious code into projects. Checkmarx estimates over 170,000 developers use affected libraries and might possess corrupted code. The corrupted code steals information such as Telegram session data, files, keystrokes, Instagram session tokens, and more.
On March 28th, PyPI administrators temporarily suspended new project creation and new registration to block additional malicious uploads. Checkmarx posted a list of the malware packages detected and removed from the PyPI repository.
The fix: Checkmarx published indicators of compromise and libraries to remove, but developers should also apply a website and application vulnerability scanner such as AppScan or Invicti to perform software composition analysis and locate malicious libraries and code components.
For more options to protect the development security and operations (DevSecOps) process, read about the best DevSecOp tools.
March 26, 2024
Apple Update Fixes Potential Arbitrary Code Execution Flaw
Type of vulnerability: Arbitrary code execution (ACE).
The problem: Decoding videos with large frame sizes on iOS and macOS devices could trigger an integer overflow flaw made possible by an integer overflow flaw and trigger an out-of-bounds write to memory. Google Project Zero researcher Nick Galloway reported the bug, tracked as CVE-2024-1580, that attackers could use for ACE.
The fix: Most Apple products download updates automatically, but check to ensure users apply the updates:
- iOS and iPadOS: Versions 17.4.1 or 16.7.7
- visionOS: Version 1.1.1
- macOS: Versions Sonoma 14.4.1 or Ventura 13.6.6
- Safari: Version 17.4.1 for macOS Monterey and macOS Ventura
OpenSource AI Framework Under Attack via Disputed Vulnerability
Type of vulnerability: Arbitrary code execution (ACE).
The problem: Many organizations, including Amazon, LinkedIn, and Netflix, use the AI framework Ray to train ChatGPT on huge server clusters. Developed by Anyscale, Ray allows any user to send unauthenticated HTTP requests to the dashboard, and Anyscale maintains that the lack of authentication is intentional and that any use of the framework outside of a fully controlled network violates best practices.
However, Oligo Security researchers “found that thousands of publicly exposed Ray servers all over the world were already compromised.” Oglio tracks vulnerability CVE-2023-48022, rated CVSS 9.8 (out of 10), and calls it Shadow Ray. Without authentication, attackers may execute ACE to steal data or passwords, infect AI models during the training stages, launch supply chain attacks, drain payment accounts, or subvert clusters to run cryptomining.
The fix: The dispute prevents the vulnerability’s inclusion in most vulnerability scanners. To block further attacks, search for Ray instances, run Anyscale tools to detect exposed clusters, and ensure they only run within fully controlled networks. Exposed instances should be assumed to be compromised, so execute incident response plans to inspect clusters, users, exfiltrated data, and AI models for signs of compromise.
Rockwell Automation Fixes 10 Industrial Controls Flaws That Could Crash Systems
Type of vulnerability: Heap-based buffer overflow, improper authentication, improper input validation (2), improper traffic throttling, improper restriction of operations within the bounds of a memory buffer, out-of-bounds read, out-of-bounds write, uninitialized pointer access, and use-after-free flaws.
The problem: Rockwell Automation, along with CISA, provided advisories, updates, and workarounds for three different industrial control solutions: Arena Simulation, FactoryTalk View ME on PanelView Plus 7 Boot Terminal, and PowerFlex 527. Many different types of vulnerabilities ultimately lead to a common issue: unexpected system crash.
Security researcher Michael Heinzl reported the six Arena Simulation vulnerabilities to Rockwell Automation that enable attackers to insert unauthorized code or trigger denial of service conditions. Most of these vulnerabilities require users to open malicious files within the network.
The FactoryTalk View ME on PanelView Plus 7 Boot Terminal flaw neglects to check for authentication for the restart process, so attackers could unexpectedly restart the product without permission. The three PowerFlex 527 flaws perform improper input validation and allow uncontrolled resource consumption that attackers could use to crash systems or disrupt CIP communication to force manual restarts for recovery.
The fix: Rockwell Automation offers specific remediation for each product and links to updated versions within their announcement pages (linked above):
- Arena Simulation: Upgrade to version 16.20.03 and don’t open untrusted files from unknown sources to mitigate an issue within the Microsoft dynamic library link file.
- FactoryTalk View ME on PanelView Plus 7 Boot Terminal: Upgrade to a corrected version of V11, V12, V13, or V14 or follow security best practices.
- PowerFlex 527: Currently, no fix exists and Rockwell Automation recommends isolating the installation via network segmentation, disabling web servers, and following best practices.
NVIDIA Fixes ChatRTX User Interface Vulnerabilities, One High Risk
Type of vulnerability: Improper privilege management (high risk) and cross-site scripting (XSS).
The problem: NVIDIA’s ChatRTX connects large language models (LLMs) to an organization’s content and data. In the security advisory, NVIDIA discloses UI flaws that could lead to local escalation of privileges, information disclosure, data tampering, code execution, and denial of service.
The fix: Update the latest ChatRTX software update from NVIDIA.
March 27, 2024
Cisco Patches 16 High & Medium Vulnerabilities in Access Point, IOS & More
Type of vulnerability: Access control list bypass, authorization bypass, boot bypass, command injection, denial of service (11), and privilege escalation.
The problem: Cisco announced a number of important updates to fix vulnerabilities in Cisco IOS and IOS XE (8 high, 4 medium severity), Cisco Access Point (2 high, 1 medium severity), Cisco Catalyst Center (1 medium severity), and Cisco Aironet Access Point (1 medium severity). CISA also issued an alert encouraging prompt updates since the most serious vulnerabilities could cause denial of service and attackers could trigger events remotely without authentication.
The fix: Cisco recommends prompt application of patches. Only one high and two medium vulnerabilities offer any option for a workaround to remediate the vulnerability.
JetBrains Patches 26 Security Issues with TeamCity Version 2024.03
Type of vulnerability: Disclosed vulnerabilities include arbitrary file removal, open redirect, two-factor authentication (2FA) bypass, unauthenticated administration registration, XML external entity injection, and XSS.
The problem: JetBrains released TeamCity 2024.03, the latest upgrade to their build management and continuous integration server. In addition to many new features, bug fixes, and performance improvements, the new release fixes 26 security problems. However, to lessen potential compromise for customers, JetBrains only discloses select vulnerabilities and keeps the others undisclosed.
The fix: JetBrains recommends prompt installation of updates, and starting with this latest version, the TeamCity software will auto-download light security patches and prompt administrators to install them.
Splunk Enterprise Updates Fix High Severity Vulnerabilities
Type of vulnerability: Authentication token exposure, command safeguards bypass, third-party package vulnerabilities.
The problem: Splunk issued advisories for fixes to Splunk Enterprise and Splunk Universal Forwarder. The largest number of updates address third-party updates in Splunk Enterprise and Universal Forwarder that range between high and low in severity.
The highest-rated Splunk vulnerability, CVE-2024-29946, rated CVSS 8.1 (out of 10), allowed successful phishing attacks to initiate a browser request for command safeguards bypass in the Splunk Enterprise and Splunk Cloud Platform Dashboard Examples Hub. The token validation process bug in Splunk Enterprise, CVE-2024-29945, rated 7.2 and could allow debug features to expose authentication tokens in log files and internal indexes.
The fix: Update Splunk products to fixed versions (or higher):
- Splunk Enterprise 9.0: Update to version 9.0.9
- Splunk Enterprise 9.1: Update to version 9.1.4
- Splunk Enterprise 9.2: Update to version 9.2.1
- Splunk Cloud: Update to version 9.1.2312.100
- Splunk Universal Forwarder 9.0: Update to version 9.0.9
- Splunk Universal Forwarder 9.1: Update to version 9.1.4
- Splunk Universal Forwarder 9.2: Update to version 9.2.1
Struggling to keep up with vulnerabilities? Consider a vulnerability management tool to prioritize, track and manage vulnerabilities.
March 29, 2024
XZ Utils Backdoor Found in Fedora Development & Experimental Linux Versions
Type of vulnerability: Supply chain malicious code.
The problem: Red Hat security teams issued an emergency announcement to immediately stop using Fedora 41, Fedora Rawhide, or any Linux version running the xz data compression utilities versions 5.6.0 and 5.6.1. These versions of the libraries contain malicious code that introduces a backdoor, CVE-2024-3094 rated CVSS 10 (out of 10), into Linux environments.
The fix: Red Hat recommends downgrading to Fedora Linux 40, immediate cessation of any Fedora Rawhide versions, and downgrading openSUSE versions.
Read next:
