Vulnerability Recap 4/29/24 – Cisco, Microsoft, Palo Alto & More


Many of this week’s disclosures involve new aspects of old vulnerabilities. Palo Alto’s PAN-OS flaw affects Siemens products and receives new remediation instructions. An old Microsoft Windows Print Spooler flaw is added to the CISA KEV list, and the Cactus ransomware gang is currently pursuing unpatched Qlik Sense servers using vulnerabilities patched in August and September 2023.

Attackers with suitable skills can exploit both new and old vulnerabilities, regardless of the CVSS severity score. Many organizations evidently still struggle to keep up with patching and update backlogs, which suggests that more of them need outside help, such as patch management as a service or managed service providers (MSPs), to catch up.

April 22, 2024

CISA Adds 2022 Windows Print Spooler Vulnerability to KEV Catalog

Type of vulnerability: Elevation of privilege.

The problem: Microsoft Threat Intelligence published a report on how the Russian threat group known as APT28 or Forest Blizzard used customized malware to exploit CVE-2022-38028 in the Windows Print Spooler to gain elevated privileges. Although Microsoft fixed the vulnerability in the October 2022 updates, it notes that the flaw may have been exploited as a zero-day as early as April 2019.

The fix: Microsoft fixed this vulnerability in its October 2022 patches but didn’t disclose active exploitation until this month. The exploitation disclosure led the US Cybersecurity and Infrastructure Security Agency (CISA) to add the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog. Federal agencies have until May 14, 2024, to apply the patch or discontinue use of the vulnerable software; organizations outside the federal mandate should treat a KEV listing as the same prioritization signal.

Consider reading more about forensic tools and processes to investigate attacks.

April 23, 2024

Palo Alto Updates PAN-OS Remediation & Siemens RUGGEDCOM Impacted

Type of vulnerability: Command injection vulnerability.

The problem: The CVSS 10.0/10.0 PAN-OS vulnerability, CVE-2024-3400, makes this recap for the third consecutive week thanks to a new disclosure from Siemens and revised remediation guidance from Palo Alto. Siemens issued a notice that the RUGGEDCOM APE 1808, an industrial computing platform hardened for harsh physical environments, can ship pre-installed with Palo Alto next-generation firewall software that is vulnerable to the PAN-OS flaw.

The fix: Siemens recommends that customers contact Siemens customer service for patches or apply the mitigations: disable the GlobalProtect gateway and GlobalProtect portal (disabled by default) or apply the Threat Prevention subscription signatures that block the attack.

Palo Alto also revised its remediation guidance, which now prescribes four levels of response (after installing the latest PAN-OS hotfix) based on the level of compromise detected:

  1. Unsuccessful exploitation attempt: create a new master key and elect AES-256-GCM.
  2. Vulnerability tested (a 0-byte file was created) with no indication of unauthorized command execution: perform the same remediation as level 1.
  3. A file was copied to a location accessible via web request (typically running_config.xml): perform a Private Data Reset of the device.
  4. Evidence of interactive command execution (shell-based backdoors, introduced code, etc.): perform a Factory Reset and reconfigure the device.

Warning: The last two fixes destroy data and eliminate the possibility of capturing forensic artifacts afterward. Destroying forensic artifacts will hamper incident response and criminal investigations and could affect cybersecurity insurance claims, so collect evidence from the device (such as a technical support file) before performing either reset.

10.0 Flowmon Vulnerability Threatens a Small Number of Huge Customers

Type of vulnerability: Command injection vulnerability.

The problem: Progress Software released patches for CVE-2024-2389 in Flowmon, its network performance monitoring and security tool. In a proof of concept published by Rhino Security Labs, a specially crafted application programming interface (API) request executes system commands without authentication, permitting full compromise of the Flowmon server with root privileges.

Although internet-exposed device search engines such as Shodan show fewer than 100 servers exposed to the internet, Flowmon’s customers tend to be very large enterprises such as KIA, Orange, TDK, and Volkswagen. The software needs deep visibility into network traffic to function, so a compromised server hands an attacker broad access to the enterprise.

The fix: Patch Flowmon immediately to version 11.1.14 or 12.3.5 and upgrade all Flowmon modules to the latest available versions. There is no workaround, and the published proof of concept makes attacks likely in the near future.

A CVSS 10.0 score means the flaw is remotely exploitable without authentication and yields full compromise, so expect exploitation attempts and have an incident response plan ready.
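The Flowmon flaw is described above as an API call that reaches a system command without authentication. The following is an added illustration of that bug class, not Flowmon’s code: a hypothetical “ping” diagnostic endpoint written the vulnerable way, beside a hardened version that authenticates the caller, validates the target as an IP literal, and never hands the input to a shell. The endpoint, the `target` parameter, and the token constant are all assumptions for the example.

```python
"""Command injection through an unauthenticated API: vulnerable pattern beside a
hardened one. Added illustration; not Flowmon's code. The 'ping' action, the
'target' parameter and the API_TOKEN constant are hypothetical stand-ins."""
import hmac
import ipaddress
import subprocess

# Hypothetical shared secret a caller must present. In a real service this comes
# from a session or signed token, never a constant in source.
API_TOKEN = "example-only-token"


def build_ping_vulnerable(params: dict) -> str:
    """Vulnerable: no authentication, and 'target' is spliced into a shell
    command line, so it reaches /bin/sh with shell metacharacters intact."""
    return f"ping -c 1 {params.get('target', '')}"


def run_vulnerable(params: dict) -> str:
    # shell=True: for target "127.0.0.1; id" the shell runs ping AND id,
    # as whatever account the API service runs under.
    return subprocess.run(build_ping_vulnerable(params), shell=True,
                          capture_output=True, text=True).stdout


def build_ping_hardened(params: dict, token: str) -> list:
    """Hardened: require authentication, accept only an IP literal as the
    target, and return an argv list so no shell ever parses the input."""
    if not hmac.compare_digest(token, API_TOKEN):
        raise PermissionError("unauthenticated API call")
    target = str(params.get("target", ""))
    try:
        addr = ipaddress.ip_address(target)  # rejects "127.0.0.1; id" outright
    except ValueError as exc:
        raise ValueError(f"invalid target: {target!r}") from exc
    return ["ping", "-c", "1", str(addr)]


def run_hardened(params: dict, token: str) -> str:
    argv = build_ping_hardened(params, token)
    # shell=False (the default) passes argv straight to execve(): metacharacters
    # in an argument are just bytes handed to ping, not instructions to a shell.
    return subprocess.run(argv, capture_output=True, text=True).stdout


if __name__ == "__main__":
    payload = {"target": "127.0.0.1; id"}  # constructed attacker input
    print("vulnerable would run :", build_ping_vulnerable(payload))
    for args in ((payload, ""), (payload, API_TOKEN)):
        try:
            build_ping_hardened(*args)
        except (PermissionError, ValueError) as err:
            print("hardened rejects     :", err)
    print("hardened would run   :",
          build_ping_hardened({"target": "127.0.0.1"}, API_TOKEN))
```

The two checks are independent and both matter: authentication alone would still let any valid user run commands as root, and input validation alone would still expose the diagnostic to anyone on the network.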

April 24, 2024

Cisco Patches Firewall Vulnerabilities Actively Exploited for Espionage

Type of vulnerability: Command injection vulnerability, denial of service, persistent local code execution.

The problem: Cisco Talos and the Duo Security Research team uncovered zero-day flaws, collectively named ArcaneDoor, actively exploited by state-sponsored actors to exfiltrate network data through Adaptive Security Appliances (ASAs) and Firepower Threat Defense (FTD) devices. The initial access vector remains unknown, but indicators of compromise include gaps in logging, unexpected reboots, and access from a set of IP addresses suspected to be controlled by the adversary.

Cisco suspects the attacker began exploitation as early as July 2023, and the UK, Canadian, and Australian cybersecurity agencies issued a joint advisory. Cisco’s announcement and the advisory explain how attackers used the flaws to exfiltrate device configuration files, disable system logging, and modify configurations to grant direct access to attacker-controlled devices.

The fix: Cisco’s event notice recommends immediately upgrading affected devices. To check for signs of compromise, Cisco recommends a process to collect data from the device for review by Cisco’s Technical Assistance Center (TAC).
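Two of the indicators named above, gaps in logging and access from adversary-associated addresses, can be hunted in an ASA syslog export. The script below is an added example, not Cisco’s tooling: the log lines are constructed (the `%ASA-6-605005` / `%ASA-6-605004` login messages follow the ASA syslog format), the watchlist uses RFC 5737 documentation addresses rather than real indicators, and the one-hour silence threshold is an assumption to tune to the device’s normal log volume.

```python
"""Hunt ASA syslog for logging gaps and logins from watchlisted addresses.
Added example with constructed log lines; WATCHLIST holds RFC 5737 documentation
addresses standing in for the advisory's adversary IPs."""
import re
from datetime import datetime, timedelta

# Constructed sample: a normal login, routine traffic, a nine-hour silence, then
# a permitted and a denied login from watchlisted addresses. Not real output.
SAMPLE_LOG = """\
Apr 20 2024 02:11:07 fw01 : %ASA-6-605005: Login permitted from 192.0.2.10/51324 to outside:198.51.100.1/ssh for user "netops"
Apr 20 2024 02:15:42 fw01 : %ASA-6-302013: Built inbound TCP connection 8841 for outside:192.0.2.55/44123 (192.0.2.55/44123) to inside:10.0.0.5/443 (10.0.0.5/443)
Apr 20 2024 11:30:01 fw01 : %ASA-6-605005: Login permitted from 203.0.113.7/40212 to outside:198.51.100.1/ssh for user "admin"
Apr 20 2024 11:31:15 fw01 : %ASA-6-605004: Login denied from 203.0.113.8/40213 to outside:198.51.100.1/ssh for user "admin"
"""

WATCHLIST = {"203.0.113.7", "203.0.113.8"}  # hypothetical adversary addresses

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) (?P<host>\S+) : "
    r"%ASA-\d-(?P<msgid>\d{6}): (?P<text>.*)$")
LOGIN_RE = re.compile(
    r"^Login (?P<verdict>permitted|denied) from (?P<ip>[\d.]+)/\d+ "
    r".* for user \"(?P<user>[^\"]*)\"")


def parse(log: str) -> list:
    """Turn raw syslog lines into dicts; lines that do not parse are skipped."""
    events = []
    for raw in log.splitlines():
        m = LINE_RE.match(raw)
        if m:
            events.append({"ts": datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S"),
                           "host": m["host"], "msgid": m["msgid"],
                           "text": m["text"]})
    return events


def logging_gaps(events: list, max_silence=timedelta(hours=1)) -> list:
    """(start, end, duration) for every silence longer than max_silence.
    A busy firewall going quiet for hours is the 'gaps in logging' indicator:
    it may mean logging was switched off, as the advisory describes."""
    gaps = []
    for prev, cur in zip(events, events[1:]):
        delta = cur["ts"] - prev["ts"]
        if delta > max_silence:
            gaps.append((prev["ts"], cur["ts"], delta))
    return gaps


def watchlisted_logins(events: list, watchlist=WATCHLIST) -> list:
    """(time, ip, user, verdict) for logins from watchlisted sources. Denied
    attempts are kept on purpose: probing from the same addresses matters."""
    hits = []
    for ev in events:
        if ev["msgid"] not in ("605005", "605004"):
            continue
        m = LOGIN_RE.match(ev["text"])
        if m and m["ip"] in watchlist:
            hits.append((ev["ts"], m["ip"], m["user"], m["verdict"]))
    return hits


def triage(log: str) -> dict:
    events = parse(log)
    return {"gaps": logging_gaps(events), "watchlisted": watchlisted_logins(events)}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for start, end, delta in result["gaps"]:
        print(f"logging gap of {delta} between {start} and {end}")
    for ts, ip, user, verdict in result["watchlisted"]:
        print(f"{ts} login {verdict} from watchlisted {ip} as {user!r}")
```

Run it against the device’s syslog archive rather than the appliance’s own buffer: the advisory notes that the attackers disabled logging on the device, so an off-box copy is the only record that can show the gap. Unexpected reboots, the third indicator, are not covered here because a reboot leaves no single syslog line to match on; compare uptime against the change record instead.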

Google Patches One Critical & Two High-Severity Chrome Bugs

Type of vulnerability: Out-of-bounds read, type confusion, use-after-free.

The problem: Google released new Chrome versions for Windows, Mac, and Linux to fix multiple security issues and highlighted three vulnerabilities, one critical and two high-severity, reported by external researchers. The critical type confusion bug, CVE-2024-4058, could be exploited for arbitrary code execution (ACE) or a sandbox escape.

The fix: Where Chrome updates automatically, make sure all users restart their browsers so the update takes effect. Where updates are manual, apply them promptly.

Broadcom Patches Brocade SANnav Flaw 19 Months After Discovery

Type of vulnerability: Password storage.

The problem: SANnav, the Brocade management application for storage area networks (SANs), runs as a virtual machine that lacks a built-in firewall and can be manipulated into sending credentials in clear text (over HTTP). The latest update addresses 18 vulnerabilities discovered by researcher Pierre Barre (AKA Pierre Kim), who disclosed that he reported the issues to Broadcom 19 months ago.

The report timeline reveals that Brocade rejected penetration test results submitted in August 2022 and February 2023 because the tests hadn’t been run against the latest version of the software. Only after additional testing in May 2023 did Brocade accept that the vulnerabilities existed, and it did not issue patches until December 2023. Broadcom further embargoed publication of CVEs, security bulletins, and disclosure of the issues affecting Brocade Fibre Channel switches until April 2024.

The fix: Broadcom support recommends upgrading to Brocade SANnav v2.3.1, v2.3.0a, or later releases.

Having trouble keeping up with patches? Try patch management as a service (PMaaS).

April 25, 2024

WP Automatic Plugin for WordPress Actively Exploited to Hijack Websites

Type of vulnerability: SQL injection.

The problem: Attackers are actively exploiting CVE-2024-27956, CVSS 9.8/10, in the WP-Automatic plugin. WPScan explains the exploitation process, which starts with an unauthenticated SQL injection that executes arbitrary database queries to create new administrator-level accounts on the WordPress site. Attackers then upload malicious plugins, web shells, and backdoors, and even rename the vulnerable WP-Automatic file to lock out rival attackers.

The fix: Immediately update the plugin to version 3.92.1 or later, then audit the site for unknown administrator accounts, unexpected plugins, and web shells, since patching does not remove footholds already established.
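Because the exploitation chain described above leaves an injected administrator account behind, the first post-patch check is a user audit. The script below is an added example, not WPScan’s or the plugin author’s code: it builds an in-memory SQLite copy of the `wp_users` and `wp_usermeta` tables with constructed rows (one of them a planted administrator), then runs the query an administrator would run against the real MySQL database. The baseline of known admins and the “since” date are assumptions to replace with the site’s own.

```python
"""Audit WordPress for administrator accounts that should not exist.
Added example: the database is a constructed in-memory SQLite copy of the
wp_users / wp_usermeta schema, and KNOWN_ADMINS is a hypothetical baseline."""
import sqlite3
from datetime import datetime

# Constructed sample: two legitimate accounts plus one injected administrator.
# WordPress stores roles as a PHP-serialised array under the wp_capabilities key.
SAMPLE_USERS = [
    (1, "siteowner", "2021-03-02 09:15:00", 'a:1:{s:13:"administrator";b:1;}'),
    (2, "editor_jane", "2022-07-19 14:02:11", 'a:1:{s:6:"editor";b:1;}'),
    (3, "wp_sysadmin", "2024-04-23 03:41:57", 'a:1:{s:13:"administrator";b:1;}'),
]
KNOWN_ADMINS = {"siteowner"}  # hypothetical: the admins the owner recognises


def build_sample_db() -> sqlite3.Connection:
    """Create the two tables the audit needs and load the constructed rows."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT,
                               user_registered TEXT);
        CREATE TABLE wp_usermeta (umeta_id INTEGER PRIMARY KEY, user_id INTEGER,
                                  meta_key TEXT, meta_value TEXT);
    """)
    for uid, login, registered, caps in SAMPLE_USERS:
        con.execute("INSERT INTO wp_users VALUES (?, ?, ?)", (uid, login, registered))
        con.execute("INSERT INTO wp_usermeta (user_id, meta_key, meta_value) "
                    "VALUES (?, ?, ?)", (uid, "wp_capabilities", caps))
    con.commit()
    return con


def list_admins(con: sqlite3.Connection) -> list:
    """Every account whose capabilities grant 'administrator'. The same SQL
    works on the live MySQL database; adjust the table prefix if it is not wp_."""
    return con.execute("""
        SELECT u.ID, u.user_login, u.user_registered
        FROM wp_users u JOIN wp_usermeta m ON m.user_id = u.ID
        WHERE m.meta_key = 'wp_capabilities'
          AND m.meta_value LIKE '%"administrator"%'
        ORDER BY u.user_registered
    """).fetchall()


def unexpected_admins(con: sqlite3.Connection, known_admins=KNOWN_ADMINS,
                      since="2024-01-01 00:00:00") -> list:
    """Admins not in the baseline OR registered after `since`. Either condition
    alone is a finding: a familiar-looking login with a fresh registration date
    is as suspicious as an unknown one."""
    since_dt = datetime.strptime(since, "%Y-%m-%d %H:%M:%S")
    findings = []
    for uid, login, registered in list_admins(con):
        reasons = []
        if login not in known_admins:
            reasons.append("not in baseline")
        if datetime.strptime(registered, "%Y-%m-%d %H:%M:%S") > since_dt:
            reasons.append(f"registered {registered}")
        if reasons:
            findings.append((uid, login, reasons))
    return findings


if __name__ == "__main__":
    db = build_sample_db()
    for uid, login, reasons in unexpected_admins(db):
        print(f"user {uid} {login!r}: {', '.join(reasons)}")
```

Treat a hit as a starting point, not a verdict: the same injection can also edit an existing account’s capabilities, so compare the full `wp_capabilities` values against a known-good backup, and pair the user audit with a review of the plugins directory and the `active_plugins` option for files the attackers uploaded.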

Unfixed September 2023 Qlik Sense Vulns Under Ransomware Attack

Type of vulnerability: Arbitrary code execution.

The problem: Qlik issued patches in August and September 2023 for vulnerabilities in its Qlik Sense business intelligence software that could allow arbitrary code execution. Arctic Wolf warned of a Cactus ransomware campaign targeting these vulnerabilities at the end of November, yet Fox-IT still detected more than 3,000 vulnerable servers this April.

The fix: Update the software as soon as possible; servers still unpatched seven months after the fix are active ransomware targets.

Chad Kime