Critical multi-platform vulnerabilities impacting diverse systems dominated the past week’s cybersecurity headlines. Juniper Networks released updates for the high-severity flaws in SRX and EX Series. A coding vulnerability in Microsoft’s Azure Pipelines affected 70,000 open-source projects. Linux distros faced a heap-based buffer overflow issue. Jenkins CLI exposed flaws in build systems, and Mastodon encountered a critical origin validation error.
With the recent surge in critical vulnerabilities, organizations should regularly update and patch software, and perform routine vulnerability assessments and penetration testing. Vendor risk management and collaboration within the industry further enhance your system’s resiliency. Keep reading for further details on this week’s vulnerabilities.
January 29, 2024
Juniper Releases Updates for Critical RCE Vulnerabilities
Type of vulnerability: Missing authentication flaw and cross-site scripting (XSS) vulnerability.
The problem: Juniper Networks’ SRX and EX Series include high-severity weaknesses, particularly CVE-2024-21619 (CVSS score: 5.3), a missing authentication vulnerability that exposes sensitive information, and CVE-2024-21620 (CVSS score: 8.8), a cross-site scripting bug that allows arbitrary command execution. Both affect J-Web and all Junos OS versions. Exploiting these issues could provide a threat actor control over systems.
The Known Exploited Vulnerabilities list also added the previously disclosed issues CVE-2023-36846 and CVE-2023-36851, emphasizing the importance of immediate fix.
The fix: Juniper Networks has published out-of-cycle fixes for CVE-2024-21619 and CVE-2024-21620 — apply fixes to the identified versions. As a temporary remedy, disable J-Web or limit access to trusted hosts.
January 30, 2024
Azure Pipelines Code Flaw Hits Open-Source Projects
Type of vulnerability: Code vulnerability in Microsoft’s Azure Pipelines.
The problem: Legit Security researchers discovered a vulnerability in Azure Pipelines that affects approximately 70,000 open-source projects. Exploiting this issue enables hackers to introduce malicious code during testing, potentially exposing sensitive data. It’s triggered by contributions to build system projects and tricks the system into running test code in a live environment. This gets a severity score of 7.3 out of 10.
The fix: Microsoft already issued a fix in October 2023 to address this vulnerability. It protects the customers who have received the most recent updates or have them installed automatically. The issue primarily affects the on-premise version of Azure Pipelines, requiring manual updates for security. Additionally, Azure DevOps now streamlines organization-level policy control for creating pull requests from forked GitHub projects.
Neil Carpenter, principal technical evangelist at Orca Security, issued an advisement regarding Azure Pipelines and Jenkins CLI vulnerabilities:
“This [Azure Pipelines] disclosure and the Jenkins arbitrary file read vulnerability disclosed last week highlight that organizations need to focus not just on the security of their applications themselves but, also, the security of the infrastructure used to build and test the applications. Organizations should be sure they have solid plans for the security of CI/CD pipelines and updating and monitoring DevOps infrastructure, and that they have clear response plans if a potential incident is found.”
January 31, 2024
Apple Faces New Active Exploitation in Multiple OS
Type of vulnerability: Kernel flaw impacting iOS, iPadOS, macOS, tvOS, and watchOS.
The problem: CVE-2022-48618 (CVSS score: 7.8) allows attackers with arbitrary read and write privileges to potentially overcome Pointer Authentication, which affects several Apple operating systems. Exploitation poses the possibility of unauthorized access and control over affected devices. Despite Apple’s December 2022 patch, the flaw’s public disclosure a year later exposes possible vulnerabilities in devices running versions prior to iOS 15.7.1, requiring immediate action.
The fix: Apply the issued patches starting December 13, 2022, by updating to iOS 16.2, iPadOS 16.2, macOS Ventura 13.1, tvOS 16.2, and watchOS 9.2. Given the reported vulnerability, federal civilian executive branch agencies should implement solutions by February 21, 2024. Additionally, Apple expanded fixes for a WebKit bug (CVE-2024-23222) to include the Apple Vision Pro headset in visionOS 1.0.2.
Glibc Flaw Threatens Major Linux Distributions
Type of vulnerability: Heap-based buffer overflow vulnerability in the GNU C library.
The problem: A recently discovered vulnerability (CVE-2023-6246) in glibc’s __vsyslog_internal() function poses a serious threat to Linux systems, allowing local attackers to gain complete root access. This heap-based buffer overflow was accidentally introduced in glibc 2.37 in August 2022, and it affects major Linux distributions such as Debian, Ubuntu, and Fedora.
Qualys, a cybersecurity firm, also uncovered more issues (CVE-2023-6779 and CVE-2023-6780) in __vsyslog_internal(), as well as a qsort() bug that causes memory corruption and has affected all glibc versions since 1992.
The fix: Mitigate CVE-2023-6246 by updating glibc to a version released after the bug was introduced in glibc 2.37. Because of the greater impact, timely updates are critical. Address other vulnerabilities (CVE-2023-6779 and CVE-2023-6780) by regularly checking for glibc upgrades.
February 1, 2024
Jenkins CLI Vulnerability Enables RCE
Type of vulnerability: Arbitrary file read vulnerability that can allow RCE.
The problem: CVE-2024-23897 reveals a significant vulnerability in the Jenkins CLI, allowing attackers to access files on the controller file system. This security issue stems from an apparently harmless CLI feature that grants unauthorized access to sensitive data and cryptographic keys. With a CVSS score of 9.8, the vulnerability allows remote code execution and other attacks.
The fix: Following the vulnerability patches last week, there’s a newly updated Proof-of-Concept (PoC) exploit for CVE-2024-23897 published on GitHub. Users are strongly advised to update their installations to the latest version promptly to mitigate potential risks.
Ivanti Discloses Two New High Severity Flaws, Releases Patch Updates
Type of vulnerability: Privilege escalation and server-side request forgery.
The problem: Ivanti warns of two high-severity flaws in Connect Secure and Policy Secure, one of which has been targeted for exploitation. CVE-2024-21888 (CVSS score: 8.8) enables privilege escalation, whereas CVE-2024-21893 (CVSS score: 8.2) discloses a server-side request forgery in SAML. There is no indication of CVE-2024-21888 impact so far, although CVE-2024-21893 exploitation is targeted and affects a small number of consumers. Ivanti predicts increased exploitation once the details become public.
CISA published an advisory outlining updated mitigations to prevent threat actors from exploiting vulnerabilities in Ivanti Connect Secure and Policy Secure Gateways on Ivanti devices.
The fix: Ivanti has released patches for high-risk issues in Connect Secure and Policy Secure. Apply patches to 9.1R14.4, 9.1R17.2, 9.1R18.3, 22.4R2.2, 22.5R1.1, and 22.6R1.3. To avoid threat actor persistence, they recommend doing a factory reset before patching. Import “mitigation.release.20240126.5.xml” as a temporary solution, but remain alert as exploitation may increase upon public publication.
February 2, 2024
Mastodon Vulnerability Poses Remote Account Impersonation Risks
Type of vulnerability: Critical origin validation error.
The problem: Mastodon, an open-source platform used to build self-hosted social networking services, identified a significant security flaw (CVE-2024-23832, CVSS score: 9.4). It allows attackers to mimic and take control of any account on the decentralized social network due to inadequate origin validation. Vulnerable versions include pre-3.5.17, 4.0.x (pre-4.0.13), 4.1.x (pre-4.1.13), and 4.2.x (pre-4.2.5).
This disclosure comes seven months after Mastodon patched two other severe problems (CVE-2023-36460 and CVE-2023-36459) that might be used by attackers to launch denial-of-service (DoS) or remote code execution.
The fix: To address CVE-2024-23832, Mastodon recommends upgrading to versions 3.5.17, 4.0.13, 4.1.13, or 4.2.5. Admins must apply changes by February 15, 2024; however, Mastodon is withholding technical details to reduce the danger of exploitation. Individual administrators must ensure that their instances receive security updates on time due to the federated structure of the decentralized network.
Read next: