Vulnerability Recap 4/15/24 – Palo Alto, Microsoft, Ivanti Exploits

eSecurity Planet content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More.

Last week’s cybersecurity incidents revealed significant vulnerabilities across multiple platforms. Threats range from severe weaknesses in Ivanti’s VPN appliances to zero-day exploits in popular software such as Palo Alto Networks’ PAN-OS and Telegram’s Windows client. Typically, these vulnerabilities result in remote code execution or denial-of-service attacks, posing major dangers to users’ data security.

To mitigate these risks, users must promptly apply vendor-provided software patches and updates, as well as exercise vigilance when using online services and apps. You can strengthen your cybersecurity defenses by using reliable antivirus software, firewalls, intrusion detection systems, and virtual private networks (VPNs). Employ robust password management techniques, two-factor authentication (2FA), and regular backups of essential data.

In addition to securing internal assets, you also need to ensure SaaS data is protected. Check out our article on SaaS security checklist and learn how to create one.

April 8, 2024

Multiple Vulnerabilities Discovered in LG WebOS Smart TVs

Type of vulnerability: Authorization bypass, privilege escalation, command injection.

The problem: Bitdefender researchers discovered four vulnerabilities in LG WebOS smart TVs that allowed unauthorized access and control. These issues affect over 91,000 exposed machines, putting them at risk of DDoS assaults, account theft, and malware infestations.

CVE-2023-6317 allows for the bypass of permission procedures, enabling unauthorized users to be added. CVE-2023-6318 permits privilege escalation to get root access. CVE-2023-6319 enables the execution of arbitrary commands via music lyrics display. CVE-2023-6320 permits authenticated command injection, allowing arbitrary command execution.

The fix: LG issued security upgrades on March 22, 2024, which addressed the vulnerabilities. To reduce risks, users should update their LG WebOS smart TVs as soon as possible through Settings > Support > Software Update. It’s suggested that automatic updates be enabled.

Shadowserver Identifies Thousands of Vulnerable Ivanti VPN Appliances

Type of vulnerability: Remote code execution (RCE), denial-of-service (DoS).

The problem: The Shadowserver Foundation found approximately 16,000 internet-exposed Ivanti VPN appliances that could be affected by CVE-2024-21894, a high-severity heap overflow vulnerability that allows remote code execution. This vulnerability exists in all supported versions of Ivanti Connect Secure and Policy Secure.

As of April 7, around 10,000 Ivanti VPN instances were susceptible, predominantly in the United States, Japan, and other countries. However, it’s unknown how many of them are legitimate Ivanti VPNs and how many are honeypots.

The fix: On April 2, Ivanti provided fixes to address this problem and three other vulnerabilities. Ivanti encourages all users to update their instances with the most recent software fixes to reduce the risks associated with CVE-2024-21894 and other vulnerabilities. Furthermore, users should regularly monitor their environments for indicators of exploitation and take the appropriate actions to strengthen cybersecurity defenses.

Looking for an alternative method for secure remote access? Consider exploring virtual desktop infrastructure.

April 9, 2024

Critical Windows Command Injection Vulnerability in Rust Standard Library 

Type of vulnerability: Command injection.

The problem: CVE-2024-24576 impacts the Rust standard library on Windows, allowing unauthenticated attackers to run arbitrary commands using OS command and argument injection flaws. GitHub rates it critical, indicating that it poses a significant danger to Windows systems, with the ability for remote exploitation without any user interaction.

Programs or dependencies that use untrusted arguments to invoke batch files on Windows versions prior to 1.77.2 are vulnerable. Other programming languages are also impacted, with patches and documentation changes in the works.

The fix: Rust published version 1.77.2, which improves argument escaping and modifies the Command API to address the problem. To prevent unexpected execution, move batch files to folders that aren’t included in the PATH environment variable.

Microsoft Addresses Critical Vulnerability in AKS Confidential Containers

Type of vulnerability: Unauthenticated access, remote code execution.

The problem: Microsoft performed a significant patch that addresses at least 150 vulnerabilities, with a focus on CVE-2024-29990, which affects Azure Kubernetes Service (AKS) confidential containers. The exploit has a CVSS severity of 9/10. This significant vulnerability allows unauthenticated attackers to take complete control of Azure Kubernetes clusters, allowing them to steal credentials and compromise sensitive containers.

The fix: Microsoft strongly recommends quick patching to mitigate the risks associated with CVE-2024-29990. Users should install the most recent security patches for Azure Kubernetes Service and constantly monitor their environments for evidence of unauthorized access or malicious behavior.

April 10, 2024

Fortinet Patches Critical RCE Vulnerabilities in FortiOS and Other Products

Type of vulnerability: RCE, credential protection weakness, arbitrary file deletion, arbitrary command execution.

The problem: Fortinet has released updates for several vulnerabilities, including a major remote code execution problem in FortiClientLinux (CVE-2023-45590). This vulnerability enables unauthenticated remote attackers to execute arbitrary code via a code injection flaw.

Other high-severity vulnerabilities include credential protection flaws (CVE-2023-41677), arbitrary code execution in FortiClientMac (CVE-2023-45588, CVE-2024-31492), and arbitrary file deletion/command execution in FortiSandbox (CVE-2024-23671, CVE-2024-21755, CVE-2024-21756).

The fix: Fortinet has published updates for the vulnerable products, including FortiClientLinux versions 7.2.1 and 7.0.11. Users are encouraged to rapidly upgrade their Fortinet appliances in order to mitigate the risks associated with these vulnerabilities.

April 11, 2024

Windows & MacOS Face Risks in New MITRE Sub-Techniques Exploits

Type of vulnerability: TCC manipulation, phantom DLL hijacking.

The problem: North Korean threat actors use new exploitation tactics of MITRE sub-techniques on Windows and macOS, including TCC modification and Phantom Dynamic Link Library (DLL) hijacking. The Lazarus Group and APT41 are suspected of using these approaches to compromise system integrity for espionage.

TCC manipulation targets macOS and bypasses application permission constraints. Phantom DLL hijacking exploits non-existent DLL files in Windows, allowing malicious DLLs to run unnoticed by the operating system.

The fix: TCC manipulation requires maintaining system integrity protection (SIP) and limiting app permissions. Phantom DLL hijacking can be prevented by adopting monitoring systems, proactive application restrictions, and blocking remote DLL loading until Windows handles phantom DLLs.

Palo Alto Networks Addresses Firewall Disruption Flaws

Type of vulnerability: Denial-of-service, firewall disruption, data processing vulnerability.

The problem: Palo Alto Networks announced PAN-OS patches that addressed many critical vulnerabilities that might interrupt firewalls. CVE-2024-3385 allows unauthenticated attackers to reboot hardware firewalls using specially crafted packets, affecting the PA-5400 and PA-7000 devices. CVE-2024-3384 and CVE-2024-3382 allow remote DoS attacks against PAN-OS firewalls. CVE-2024-3383 is another severe vulnerability that affects user access control via Cloud Identity Engine (CIE) data processing.

The fix: Palo Alto Networks’ update resolved these vulnerabilities involving decryption, user impersonation, and third-party components. They recommend applying these updates promptly to mitigate the risks associated with these vulnerabilities.

April 12, 2024

Critical Zero-Day Vulnerability Exploited in Palo Alto’s PAN-OS Software

Type of vulnerability: Command injection, remote code execution.

The problem: Another Palo Alto Networks’ incident last week disclosed a significant zero-day vulnerability, CVE-2024-3400, in PAN-OS software’s GlobalProtect gateway. This vulnerability allows unauthenticated attackers to run arbitrary code with root access. Palo Alto also warned of this active exploitation by threat actors using the RCE to breach firewalls.

While both cases involve vulnerabilities in Palo Alto Networks’ PAN-OS software, the first incident focuses on high-severity vulnerabilities, such as denial-of-service problems, whilst the second incident exposes a severe zero-day vulnerability that allows remote code execution.

The fix: Palo Alto Networks aims to deploy fixes for affected PAN-OS 10.2, 11.0, and 11.1 versions on April 14th. Meanwhile, clients should enable particular threat prevention measures or temporarily disable the impacted functionalities.

Telegram Addresses Source Code Typo That May Lead To RCE

Type of vulnerability: Potential remote code execution.

The problem: On April 9, rumors circulated about a zero-day vulnerability in Telegram’s Windows app that enabled the automated running of Python programs. Telegram first denied the claims via X (formerly Twitter). However, the next day, a proof-of-concept exploit surfaced, revealing a typo in Telegram’s source code. This error, notably in the file extension handling, enabled Python scripts to run without notice when clicked, potentially leading to RCE attacks.

The fix: In Telegram’s statement via BleepingComputer, while they claimed that the bug wasn’t a zero-click flaw, they’ve released a server-side fix that appends “.untrusted” to .pyzw files, causing Windows to alert users for action rather than automatically executing. Future client-side upgrades will contain more security features to address similar problems.

Users should be careful when accessing files, upgrade Telegram Desktop as soon as any patch becomes available, and report any potential vulnerabilities via its bug bounty program.

Read next:

Featured Partners: Vulnerability Management Software

Get the Free Cybersecurity Newsletter

Strengthen your organization’s IT security defenses by keeping up to date on the latest cybersecurity news, solutions, and best practices. Delivered every Monday, Tuesday and Thursday

Maine Basan Avatar

Subscribe to Cybersecurity Insider

Strengthen your organization’s IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices.

Top Cybersecurity Companies

Top 10 Cybersecurity Companies

See full list

Get the Free Newsletter!

Subscribe to Cybersecurity Insider for top news, trends & analysis