Vulnerability Recap 4/22/24 – Cisco, Ivanti, Oracle & More


Cisco, Ivanti, Oracle, and several others issued patches for a variety of serious vulnerabilities this week, many of them accompanied by proof-of-concept (PoC) exploits released by researchers. Once released, a PoC starts the clock for active attacks, especially against security tools, as demonstrated by the active attacks on Palo Alto’s PAN-OS vulnerability fixed the week before.

Adam Maruyama, Field CTO of Garrison Technology, warns that “attackers know the value of targeting cybersecurity software: they not only defuse the security mechanism, but also gain the elevated system privileges and network positioning that security solutions enjoy. Unless major security players [adopt] secure-by-design architectures, this trend will only accelerate due to platformization and consolidation.”

In an environment with many unpatched systems, prioritize the security tools expected to protect other systems. If updates can’t be performed immediately, consider deploying additional security controls or at least disconnecting vulnerable devices from direct internet access.

April 13, 2024

Delinea Secret Server Patched After Researcher’s Public Disclosure

Type of vulnerability: Authentication bypass.

The problem: The simple object access protocol (SOAP) application programming interface (API) for Delinea’s Secret Server privileged access management (PAM) failed to properly authenticate inputs, which allowed non-privileged users to gain privileged access. The vulnerability initially affected the Delinea Platform, Secret Server Cloud, and Secret Server on-prem.

Researcher Johnny Yu discovered the vulnerability in February and published a proof of concept on April 10th after receiving no response to all of his attempts to responsibly disclose it. Delinea responded quickly to the public disclosure, publishing workarounds on April 12th and issuing patches on April 13th.

The fix: Delinea recommends upgrading instances of Secret Server if possible and also provides workarounds to block the vulnerability. They also published methods to check for indicators of compromise.

April 15, 2024

Juniper Issues Security Bulletins To Fix Junos OS and Junos OS Evolved

Type of vulnerabilities: Cross-site scripting (XSS), malformed BGP tunnel encapsulation attribute (2), path traversal, and denial of service (DoS).

The problem: Juniper issued five security bulletins on April 15th for a variety of issues affecting the Junos OS and Junos OS Evolved network operating systems that run on Juniper Networks products. These medium- and high-severity vulnerabilities could allow injection of web script or HTML code, unauthorized file reads, and system crashes. These fixes add to a dozen other security bulletins issued last week by Juniper to fix third-party software vulnerabilities in Junos OS.

The fix: Upgrade Junos OS and Junos OS Evolved instances to fix all vulnerabilities. Both the XSS and path traversal flaws may be mitigated by limiting access to the J-Web interface, and the XSS vulnerability can be avoided by disabling J-Web.

Widely-used PuTTY Utility Allows Recovery of Encryption Secret Keys

Type of vulnerability: Deterministic cryptographic number generation.

The problem: The open-source PuTTY tool enables SSH, Telnet, and other network protocols used for remote server connections and file transfers. Openwall researchers discovered a flaw in PuTTY versions 0.68 through 0.80 that didn’t generate sufficiently random numbers for encryption keys, which could allow an attacker to fully recover keys and impersonate users after obtaining roughly 60 signatures.

The fix: Upgrade to PuTTY version 0.81 and revoke all existing encryption keys. Products that rely on the PuTTY code, including FileZilla, TortoiseGit, TortoiseSVN, and WinSCP, also need to be updated.

Unfixed PAN-OS Maximum-Critical Zero-Day Vulnerabilities Under Attack

Type of vulnerability: Command injection.

The problem: Researchers at watchTowr and Rapid7 published exploits for Palo Alto’s zero-day disclosed last week. Despite available patches, threat researcher Yutaka Sejiyama detected over 82,000 vulnerable firewalls exposed to the internet early the next week, but by the end of the week, Shadowserver estimated the number to be reduced to just over 22,000.

Researchers from GreyNoise began tracking unique IP addresses attempting to launch attacks on unpatched devices. The service saw as many as 10 IP addresses launching attacks in a single day and noted at least 15 observed malicious IPs.

The fix: Ideally, apply patches to exposed and vulnerable Palo Alto firewalls configured with GlobalProtect Gateway or GlobalProtect portal. Palo Alto published workarounds that require a Threat Prevention subscription, and previous mitigation advice to disable device telemetry is no longer valid.

To scan networks and applications for these and other vulnerabilities, consider using a vulnerability scanning tool.

April 16, 2024

Leaky Command Line Interface in AWS and Google Cloud is Intentional

Type of vulnerability: Unauthorized information disclosure.

The problem: The command line interface (CLI) for AWS and Google Cloud can allow attackers with CLI access to obtain passwords, user names, and other secrets used to access cloud repositories. Orca Security disclosed the flaw, called LeakyCLI, but both cloud providers declined to take action, assuming that the CLI can only be accessed in secure environments.

A similar flaw disclosed last year to Microsoft, CVE-2023-36052, earned a CVSS score of 8.6. Microsoft fixed this vulnerability in Azure CLI, making it unclear why Amazon and Google don’t address the security issue.

The fix: Without an available fix, avoid storing secrets in environment variables. Instead, use secrets store services offered by the cloud providers.

Many vulnerability scanners fail to scan disputed vulnerabilities or insecure-by-design flaws. To read more about a similar issue, read ShadowRay Vulnerability: 6 Lessons for AI & Cybersecurity.

April 17, 2024

Ivanti MDM Solution Patches 27 Vulnerabilities, Including 2 RCE Flaws

Type of vulnerability: Arbitrary code execution (ACE) with SYSTEM privileges, denial of service, heap-based buffer overflow, remote code execution (RCE), and disclosure of sensitive information from memory.

The problem: Ivanti released an update to their Avalanche mobile device management (MDM) product that fixed 27 vulnerabilities. The fixes include two critical heap-based buffer overflow vulnerabilities rated 9.8 out of 10 that could allow unauthorized users to carry out RCE attacks.

The fix: Update to Avalanche 6.4.3 as soon as possible. Ivanti also publishes additional information regarding upgrade steps, if needed.

Oracle Issues 441 Patches for 30 Products, Including 21 Critical Patches

Type of vulnerability: Authentication bypass, remote code execution (RCE), and more.

The problem: Oracle released 441 patches for 30 products, including Oracle Commerce, Oracle MySQL, Oracle Financial Services Applications, and Oracle Communications. These updates address 239 separate CVEs, of which 21 were considered critical and 79 were considered high severity. Oracle customers need to log in to read individual vulnerability and product details, but several of the critical vulnerabilities allow for RCE without authentication.

The fix: Oracle “strongly recommends” that customers apply critical patches immediately. Some flaws may be reduced by blocking specific network protocols or removing privileged access to the tool. However, either option may break system functionality, and neither is recommended as a long-term solution.

Chrome & Firefox Browsers’ Latest Updates Fix High Severity Flaws

Type of vulnerability: Arbitrary code execution (ACE), object corruption, out of bounds reads, use-after-free defect, and more.

The problem: Google Chrome 124 fixed 23 security flaws and Mozilla Firefox 125 fixed 15 vulnerabilities. Mozilla later updated Firefox ESR 115.10, which addressed nine of the same vulnerabilities in Firefox 125. The flaws could allow for a variety of attack effects that could crash systems, execute malicious code, or crash JavaScript code.

The fix: Most browsers will automatically update, but updates might require an application restart to complete. Check for users who haven’t updated their browser or restarted their computer for an extended period of time and force a system or browser restart if necessary.

Cryptominers Exploit OpenMetadata Vulnerabilities to Hijack Kubernetes

Type of vulnerability: Authentication bypass.

The problem: Microsoft researchers discovered five vulnerabilities (CVE-2024-28255, -28847, -28253, -28848, -28254) in the open-source OpenMetadata platform used to manage metadata across various data sources. These vulnerabilities, now fixed, could be used to bypass authentication and achieve RCE in Kubernetes environments.

The flaws could be used for a variety of exploits, such as using lateral movement to access external resources. However, most attackers observed exploiting the vulnerability hijacked the workload to mine for cryptocurrency.

The fix: Check clusters running OpenMetadata workloads and update the image to version 1.3.1 or later.
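One way to run the check described in the fix above, as an added example that is not from the article, Microsoft, or the OpenMetadata project: it parses the JSON printed by kubectl get pods --all-namespaces -o json and flags OpenMetadata images older than 1.3.1. The pod names, registry host, digest, and the assumption that affected images contain the string "openmetadata" are constructed for illustration.

```python
import json
import re

FIXED = (1, 3, 1)  # first fixed OpenMetadata version named in the article

# Constructed sample of "kubectl get pods --all-namespaces -o json" output.
# Namespaces, pod names, registry host and digest are made up for illustration.
SAMPLE = json.dumps({"items": [
    {"metadata": {"namespace": "data", "name": "om-old"}, "spec": {"containers": [
        {"image": "registry.example/openmetadata/server:1.2.4"}]}},
    {"metadata": {"namespace": "data", "name": "om-new"}, "spec": {"containers": [
        {"image": "registry.example:5000/openmetadata/server:1.10.0"}]}},
    {"metadata": {"namespace": "data", "name": "om-pinned"}, "spec": {"containers": [
        {"image": "registry.example/openmetadata/server@sha256:" + "0" * 64}]}},
    {"metadata": {"namespace": "web", "name": "frontend"}, "spec": {"containers": [
        {"image": "nginx:1.25.3"}]}},
]})


def parse_version(image):
    """Return the (major, minor, patch) tag of an image reference, or None."""
    ref = image.split("@", 1)[0]      # drop a digest suffix
    last = ref.rsplit("/", 1)[-1]     # last path component, so a registry port is ignored
    if ":" not in last:
        return None                   # no tag at all (digest-pinned or implicit latest)
    match = re.match(r"v?(\d+)\.(\d+)\.(\d+)", last.rsplit(":", 1)[1])
    return tuple(int(part) for part in match.groups()) if match else None


def audit(pods_json, needle="openmetadata"):
    """List (namespace, pod, image, status) for every container image matching needle."""
    findings = []
    for pod in json.loads(pods_json)["items"]:
        spec = pod["spec"]
        for container in spec.get("containers", []) + spec.get("initContainers", []):
            image = container["image"]
            if needle not in image.lower():   # assumption: affected images contain this string
                continue
            version = parse_version(image)
            if version is None:
                status = "unknown"            # floating or digest-only reference: check by hand
            else:
                status = "vulnerable" if version < FIXED else "ok"  # numeric: 1.10.0 > 1.3.1
            meta = pod["metadata"]
            findings.append((meta["namespace"], meta["name"], image, status))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep="\t")
```

Images reported as "unknown" carry no comparable version tag, so their actual version has to be confirmed from the registry or the running workload.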

Consider reading more about container and Kubernetes security tools.

April 18, 2024

Cisco Integrated Management Controller Flaws Allow Root Privileges

Type of vulnerability: Command injection.

The problem: Cisco announced CVE-2024-20295 with a CVSS score of 8.8 out of 10 that could allow a local attacker to perform attacks using the command line interface embedded in the Cisco Integrated Management Controller. An associated proof of concept verifies that insufficient validation of user-supplied input can allow attackers to elevate to root privileges.

A similar flaw, tracked as CVE-2024-20356, was also announced and received a similarly high CVSS score of 8.7 out of 10. Both flaws require administrator-level access to the tool.

The fix: Check the individual security advisories or the Cisco Security Advisories page for the affected products and updated versions available. No workaround was provided for either issue.

April 19, 2024

CrushFTP Reveals Exploited Zero-Day Vulnerability

Type of vulnerability: Information disclosure.

The problem: Unauthenticated and authenticated WebInterface users of the CrushFTP program can retrieve system files outside of the program’s virtual file server. Exploitation of this flaw is happening now, and while originally reported by Airbus CERT, CrowdStrike also confirms witnessing active attacks.

The fix: CrushFTP recommends an immediate upgrade to version 11.1.0 or higher. However, customers using a DMZ in front of a CrushFTP instance won’t be vulnerable to the flaw.
