Vulnerability Recap 3/19/24 – Microsoft, Fortinet & More


Microsoft, as usual, led the pack in quantity for Patch Tuesday this March with fixes for 59 vulnerabilities, including two critical flaws. Patching teams may be busy with this anticipated work, but be sure to also address the off-schedule critical vulnerabilities affecting Fortinet, QNAP, Kubernetes, Argo CD, and WordPress plug-ins.

March 8, 2024

150,000 Fortinet Secure Web Gateways Remain Exposed

Type of vulnerability: Arbitrary code execution (ACE).

The problem: The FortiOS SSL VPN vulnerability, CVE-2024-21762, disclosed February 8, remains unpatched on nearly 150,000 internet-exposed devices according to the Shadowserver Foundation. Exploit-tracking sites such as GreyNoise do not yet see active exploitation trends, although CISA added the vulnerability to its Known Exploited Vulnerabilities catalog over a month ago.

The fix: Fortinet advised users to disable SSL VPN entirely (disabling only web mode is not a valid workaround) until their FortiOS and FortiProxy deployments can be upgraded.

Frequent Ransomware Target QNAP Discloses 3 Vulnerabilities

Type of vulnerability: Improper authentication, injection vulnerability, SQL injection (SQLi).

The problem: QNAP disclosed three vulnerabilities affecting several products: QTS, QuTS hero, QuTScloud, and myQNAPcloud. The critical one, CVE-2024-21899 (CVSS 9.8), lets an unauthenticated remote attacker compromise the device. The other two, CVE-2024-21900 and CVE-2024-21901, merit only medium ratings because they require authentication.

Ransomware gangs, notably Deadbolt, Checkmate, and Qlocker, have actively targeted QNAP vulnerabilities in the past. With this disclosure they will likely develop new exploits, so patching teams should move quickly. Not all patch management services and tools extend to non-standard equipment such as QNAP network-attached storage (NAS) devices, so be sure to verify the patch for this vulnerability specifically.

The fix: QNAP issued fixed versions of all affected products and recommends prompt upgrade. QTS, QuTS hero, and QuTScloud can be updated from the control panel, but myQNAPcloud requires logging in as administrator and updating it from the App Center.

March 11, 2024

Update Patched RegistrationMagic WordPress Plug-in Now

Type of vulnerability: Privilege escalation

The problem: RegistrationMagic, a WordPress plug-in that builds custom registration forms, enables user registration, processes payments, and provides user login, is missing a capability check that lets attackers with at least subscriber-level access grant themselves admin privileges. A bug bounty participant reported the flaw during the Wordfence Bug Bounty Program Extravaganza last month.

The fix: Update to the patched version of the RegistrationMagic plug-in promptly.

March 12, 2024

Microsoft Patch Tuesday Fixes 59 Vulnerabilities, Including 18 RCE

Type of vulnerability: 24 elevation of privilege, 18 remote code execution (RCE), six information disclosure, six denial of service (DoS), three security feature bypass, and two spoofing vulnerabilities.

The problem: Microsoft patched 59 vulnerabilities: two rated critical and 57 rated important. The release disclosed no zero-day vulnerabilities and no known active exploitation.

The two critical vulnerabilities affect Windows Hyper-V: CVE-2024-21407, a remote code execution vulnerability, and CVE-2024-21408, a denial-of-service vulnerability, could allow an attacker to take full control of the host or crash the Hyper-V service, respectively. Other notable patched vulnerabilities, all rated important, include:

  • Azure Kubernetes Service CVE-2024-21400: Lets attackers elevate privileges and steal credentials; one of four Azure flaws patched.
  • Microsoft Defender CVE-2024-20671: A security feature bypass that lets an attacker prevent Microsoft Defender from starting.
  • Microsoft Compressed Folder CVE-2024-26185: Applies only to Windows 11; attackers could use specially crafted files or links to tamper with compressed folders.
  • Open Management Infrastructure CVE-2024-21334: An RCE in which specially crafted requests trigger a use-after-free in OMI.
  • Windows Print Spooler CVE-2024-21433: Rated "exploitation more likely"; successful exploitation grants SYSTEM privileges.
  • Windows Kernel CVE-2024-26182: Grants SYSTEM privileges on successful exploitation; the only one of five similar kernel flaws rated "exploitation more likely".
  • Microsoft Office CVE-2024-26199: Lets any user without admin or elevated privileges escalate, potentially to SYSTEM.

The fix: Proceed with patching affected Microsoft products. Note that many admins report that the cumulative update KB5035849 fails to install on Windows 10 version 1607 and Windows Server 2016 systems. Manual installation is possible, but the August 2021 servicing stack update (KB5005112) must be installed first; Get-HotFix -Id KB5005112 shows whether it is already present.


Adobe Patches Animate, Bridge, ColdFusion, Experience Manager, Lightroom, & Premiere Pro

Type of vulnerability: ACE, arbitrary system file read, memory leak, security feature bypass.

The problem: Adobe issued critical and important patches for five products: Animate, Bridge, ColdFusion, Lightroom for macOS, and Premiere Pro. It also released important and moderate updates for Adobe Experience Manager.

Adobe reported no known exploitation of these vulnerabilities, but its security incident response team recommends prioritizing the critical arbitrary file system read patch for ColdFusion.

The fix: Update software using patches from the relevant download center, download page, or link in the instructions for each software.

Cisco Fixes Vulnerabilities In IOS XR, Secure Client & SD-WAN vManage

Type of vulnerability: Four DoS, a carriage return line feed (CRLF) injection, a privilege escalation, three protection bypasses, and an unauthenticated REST API access vulnerability.

The problem: Cisco announced patches for 10 vulnerabilities (one critical, four high, five medium) affecting its IOS XR Software, SD-WAN vManage, and Secure Client products. The critical one, CVE-2023-20214, lets an attacker bypass authentication checks on the SD-WAN vManage REST API and gain read and limited write access to the vManage configuration.

The fix: None of the critical or high vulnerabilities and only two of the medium vulnerabilities have available workarounds. Cisco recommends updating to patched versions of the products.

March 13, 2024

Fortinet Patches FortiClient Enterprise Management Server RCE Bug

Type of vulnerability: SQL injection (SQLi) and remote code execution (RCE).

The problem: A SQL injection vulnerability in the DB2 Administration Server (DAS) component of FortiClient Enterprise Management Server (EMS) lets an unauthenticated attacker who can reach the service send specially crafted packets and execute unauthorized code or commands with SYSTEM privileges. CVE-2023-48788 earns a critical CVSS score of 9.8 because the attack is network-reachable, low in complexity, and requires neither credentials nor user interaction.

The fix: Fortinet recommends updating FortiClientEMS and published no workaround. Upgrade versions 7.0.1 through 7.0.10 to 7.0.11 or above, and versions 7.2.0 through 7.2.2 to 7.2.3 or above.
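A version check a patching team can run over an inventory export, as an added example (not Fortinet or QNAP code) that serves both this FortiClientEMS entry and the QNAP entry above. The FortiClientEMS ranges are the ones this page gives; the QNAP QTS and QuTS hero first-fixed builds are assumptions from my reading of advisory QSA-24-09 and must be verified against the advisory before use. The inventory rows are constructed.

```python
"""Version-range check for advisory-affected builds (added example, not vendor code)."""
import re

# Matches "7.0.10", "h5.1.3.2578 build 20231110", "c5.1.5.2651", "1.0.52".
_VERSION_RE = re.compile(r"^[a-z]?(\d+(?:\.\d+)*)(?:\s+build\s+(\d+))?$", re.IGNORECASE)

# Per product: (first affected version, first fixed version). A version is
# vulnerable when first_affected <= version < first_fixed.
AFFECTED = {
    # CVE-2023-48788: ranges exactly as this page states them (FG-IR-24-007).
    "FortiClientEMS": [("7.0.1", "7.0.11"), ("7.2.0", "7.2.3")],
    # CVE-2024-21899 (QSA-24-09): ASSUMED first-fixed builds for the 5.1 branches
    # only. Verify against the advisory and add the other branches it lists
    # before relying on these entries.
    "QTS": [("5.1.0", "5.1.3.2578 build 20231110")],
    "QuTS hero": [("h5.1.0", "h5.1.3.2578 build 20231110")],
}


def parse_version(text):
    """Turn a vendor version string into a comparable tuple of ints.

    QNAP's leading letter ('h' for QuTS hero, 'c' for QuTScloud) is dropped and a
    missing build number counts as 0, so '7.0.10' and '5.1.3.2578 build 20231110'
    both become plain tuples that Python compares element by element.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    build = int(m.group(2)) if m.group(2) else 0
    return parts + (build,)


def check(product, version):
    """Return 'vulnerable', 'fixed' or 'untracked' for one product/version pair."""
    ranges = AFFECTED.get(product)
    if ranges is None:
        return "untracked"
    v = parse_version(version)
    for first_affected, first_fixed in ranges:
        lo, fixed = parse_version(first_affected), parse_version(first_fixed)
        if lo <= v < fixed:
            return "vulnerable"
        # Same major.minor branch and at or past the fix.
        if v[:2] == fixed[:2] and v >= fixed:
            return "fixed"
    return "untracked"


def audit(inventory):
    """Return the (host, product, version) rows that still run an affected build."""
    return [row for row in inventory if check(row[1], row[2]) == "vulnerable"]


# Constructed sample inventory; hostnames and versions are made up.
SAMPLE_INVENTORY = [
    ("ems-01.corp.example", "FortiClientEMS", "7.0.10"),
    ("ems-02.corp.example", "FortiClientEMS", "7.2.3"),
    ("nas-lab.corp.example", "QTS", "5.1.3.2578 build 20231024"),
    ("nas-hq.corp.example", "QuTS hero", "h5.1.4.2596 build 20231128"),
    ("nas-old.corp.example", "QTS", "4.5.4.2467 build 20230718"),
]

if __name__ == "__main__":
    for host, product, version in SAMPLE_INVENTORY:
        print(f"{host:22} {product:15} {version:28} {check(product, version)}")
```

The "untracked" result for the 4.5 branch in the sample is deliberate: a version outside every tracked range is not evidence of safety, only that the table needs the branch added from the advisory.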

Windows Kubernetes Clusters Vulnerable to Command Injection 

Type of vulnerability: Command injection attack.

The problem: Tomer Peled, an Akamai security researcher, uncovered a high-severity vulnerability, CVE-2023-5528 (CVSS 7.2), in which kubelet fails to sanitize the path of a local volume. An attacker who can apply YAML to the cluster, that is, create persistent volumes, can inject commands through that path and execute code with administrative privileges on Windows nodes. The vulnerability affects default Kubernetes installations with Windows nodes, on-premises and in Azure Kubernetes Service, that use the in-tree local storage plug-in.

The fix: Upgrade kubelet on Windows nodes to a patched release (1.28.4 or later on the 1.28 branch; the other supported branches received fixed releases in the same disclosure). For those unable to patch quickly, Akamai's blog provides an OPA rule that detects and blocks offending volume definitions.
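The kind of check Akamai's OPA rule performs, written here as an added Python admission-style check (it is not Akamai's rule and not Kubernetes code): reject PersistentVolume objects whose local path contains anything a shell could interpret. The manifests are constructed, and the "whoami" in the second one only stands in for the injection class the advisory describes.

```python
"""Admission-style check for shell metacharacters in local PersistentVolume paths.

Added example. It is not Akamai's OPA rule and not Kubernetes code; it mirrors
the same idea in Python so it can be run offline over manifests or wired into
a validating webhook. The manifests below are constructed.
"""
import json
import re

# Allowlist: optional drive letter, then a path made only of letters, digits,
# '_', '.', '-', space and separators. Everything a shell could act on
# (& | ; $ ` " ' ( ) < > newline) is outside the class, so it cannot match.
# A single character class with no nested repetition keeps matching linear.
_SAFE_PATH = re.compile(r"^(?:[A-Za-z]:)?[\\/][A-Za-z0-9_.\- \\/]*$")


def path_is_safe(path):
    """True only for a string path that fits the allowlist."""
    return isinstance(path, str) and _SAFE_PATH.match(path) is not None


def review(obj):
    """Return violation messages for one object; an empty list means admit it.

    Only PersistentVolume objects with spec.local are inspected, because that
    is the field CVE-2023-5528 hands to a shell on Windows nodes.
    """
    if obj.get("kind") != "PersistentVolume":
        return []
    local = (obj.get("spec") or {}).get("local")
    if local is None:
        return []
    name = (obj.get("metadata") or {}).get("name", "<unnamed>")
    path = local.get("path")
    if path is None:
        return [f"PersistentVolume {name}: spec.local.path is missing"]
    if not path_is_safe(path):
        return [f"PersistentVolume {name}: spec.local.path {path!r} contains disallowed characters"]
    return []


def admit(manifests):
    """Map each manifest name to 'allow' or a deny reason."""
    decisions = {}
    for obj in manifests:
        name = (obj.get("metadata") or {}).get("name", "<unnamed>")
        problems = review(obj)
        decisions[name] = "allow" if not problems else "deny: " + "; ".join(problems)
    return decisions


# Constructed manifests (JSON so the standard library can parse them). The
# second path carries a stand-in for the injection the advisory describes.
SAMPLE_MANIFESTS = json.loads(r"""
[
  {"apiVersion": "v1", "kind": "PersistentVolume",
   "metadata": {"name": "win-data"},
   "spec": {"capacity": {"storage": "10Gi"}, "accessModes": ["ReadWriteOnce"],
            "storageClassName": "local-storage",
            "local": {"path": "C:\\data\\volumes\\win-data"}}},
  {"apiVersion": "v1", "kind": "PersistentVolume",
   "metadata": {"name": "evil-pv"},
   "spec": {"capacity": {"storage": "1Gi"}, "accessModes": ["ReadWriteOnce"],
            "storageClassName": "local-storage",
            "local": {"path": "C:\\data\\vol && whoami"}}},
  {"apiVersion": "v1", "kind": "PersistentVolume",
   "metadata": {"name": "linux-ssd"},
   "spec": {"capacity": {"storage": "100Gi"}, "accessModes": ["ReadWriteOnce"],
            "storageClassName": "local-storage",
            "local": {"path": "/mnt/disks/ssd1"}}}
]
""")

if __name__ == "__main__":
    for name, decision in admit(SAMPLE_MANIFESTS).items():
        print(f"{name:10} {decision}")
```

An allowlist is used rather than a denylist of shell characters because the set of characters PowerShell and cmd treat specially is larger than most people remember; anything outside the small set a volume path legitimately needs is simply refused.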

Vulnerable ChatGPT Plug-ins Open Account Takeover Opportunities

Type of vulnerability: Improper validation and authentication.

The problem: Salt Labs researchers studying how ChatGPT plug-ins install and authenticate found three flaws with significant validation and authentication gaps. The first, in ChatGPT's own plug-in installation flow, let an attacker install a malicious plug-in in a victim's account by sending a crafted link, because the OAuth code returned at the end of the flow was accepted without being tied to the victim's own session; the malicious plug-in could then receive whatever the victim sends to it.

The second, in a framework used to build plug-ins, performed no proper user authentication during its OAuth flow, so an attacker could impersonate a user and take over that user's account with the plug-in and whatever third-party data it holds. The third, an OAuth redirection manipulation found in several plug-ins, let an attacker send a victim a link with a malicious redirect URL so that the victim's credentials were delivered to the attacker rather than to ChatGPT.

The fix: Salt Labs disclosed the issues to OpenAI and the affected plug-in vendors, who fixed them before publication. Plug-ins run server-side, so there is nothing for end users to install.
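The two checks whose absence the findings turn on, shown in an added OAuth authorization-code client (not OpenAI's, the framework's, or any plug-in's code): the callback must carry a state value bound to the session that started the flow, and redirect_uri must match the registered value exactly. Hostnames, the client ID and the session dict are placeholders, and the "attacker" URLs are constructed.

```python
"""OAuth authorization-code client with the two checks the plug-in findings lack.

Added example (not OpenAI's, PluginLab's or any plug-in's code). Hostnames,
client ID and the session dict are placeholders.
"""
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORIZE_ENDPOINT = "https://idp.example/oauth/authorize"
CLIENT_ID = "plugin-demo"
# Registered callbacks are matched as whole strings: no prefix or wildcard rules.
REGISTERED_REDIRECT_URIS = {"https://plugin.example/oauth/callback"}


def redirect_uri_allowed(candidate):
    return candidate in REGISTERED_REDIRECT_URIS


def begin_login(session, redirect_uri):
    """Build the authorization URL and bind a one-time state value to this session."""
    if not redirect_uri_allowed(redirect_uri):
        raise ValueError(f"redirect_uri is not registered: {redirect_uri}")
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    session["oauth_redirect_uri"] = redirect_uri
    query = {"response_type": "code", "client_id": CLIENT_ID,
             "redirect_uri": redirect_uri, "state": state}
    return AUTHORIZE_ENDPOINT + "?" + urlencode(query)


def handle_callback(session, callback_url):
    """Validate the provider's redirect and return the code, or raise.

    Two checks: the request must arrive at the redirect_uri this session asked
    for, and it must carry the state this session issued. Either failure means
    the code was not produced by this user's own flow and must not be exchanged.
    """
    parts = urlsplit(callback_url)
    base = f"{parts.scheme}://{parts.netloc}{parts.path}"
    if not redirect_uri_allowed(base) or base != session.get("oauth_redirect_uri"):
        raise PermissionError("callback arrived at an unexpected redirect_uri")
    params = parse_qs(parts.query)
    presented = params.get("state", [""])[0]
    expected = session.pop("oauth_state", None)  # single use: a replay finds nothing
    if not expected or not hmac.compare_digest(presented.encode(), expected.encode()):
        raise PermissionError("state missing or not issued to this session")
    code = params.get("code", [""])[0]
    if not code:
        raise PermissionError("no authorization code in callback")
    return code


def handle_callback_insecure(callback_url):
    """The shape the findings describe: whatever code arrives is used as-is."""
    return parse_qs(urlsplit(callback_url).query).get("code", [""])[0]


def demo():
    """Run a legitimate flow and the two attack shapes; report what each produced."""
    result = {}
    session = {}
    begin_login(session, "https://plugin.example/oauth/callback")
    good = "https://plugin.example/oauth/callback?" + urlencode(
        {"code": "good-code", "state": session["oauth_state"]})
    result["legitimate"] = handle_callback(session, good)

    # Forged link: a code for the attacker's account, delivered to a victim whose
    # session issued a different state (the installation-flow finding).
    victim = {}
    begin_login(victim, "https://plugin.example/oauth/callback")
    forged = "https://plugin.example/oauth/callback?code=attacker-code&state=guess"
    try:
        handle_callback(victim, forged)
        result["forged_callback"] = "accepted"
    except PermissionError:
        result["forged_callback"] = "rejected"

    # Redirect manipulation: ask the flow to deliver the code to an attacker host.
    try:
        begin_login({}, "https://attacker.example/cb")
        result["attacker_redirect"] = "accepted"
    except ValueError:
        result["attacker_redirect"] = "rejected"

    # The insecure client happily takes the attacker's code from the same forged link.
    result["insecure_client"] = handle_callback_insecure(forged)
    return result


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario:18} {outcome}")
```

Popping the state on first use also closes replay: a second delivery of the same legitimate callback finds no stored state and is refused.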

Discontinued WordPress Plug-ins Expose Over 10,000 Sites

Type of vulnerability: Privilege escalation.

The problem: Wordfence disclosed two vulnerabilities, reported through its bug bounty program, in the discontinued miniOrange Malware Scanner and Web Application Firewall WordPress plug-ins. Both miss a capability check that lets unauthenticated attackers change any user's password, including an administrator's, and so grant themselves admin privileges; the two plug-ins show more than 10,000 active installations.

The fix: Upon disclosure, miniOrange simply closed the plug-ins permanently and no patch will be released. Delete these plug-ins from WordPress sites immediately.


March 18, 2024

Critical DoS Vulnerabilities Exposed in Kubernetes Delivery Tool Argo CD

Type of vulnerability: Cache overflow, unsafe array handling, DoS.

The problem: Kubernetes security specialist KTrust discovered a trio of vulnerabilities in Argo CD, a widely used GitOps continuous delivery tool for Kubernetes. The flaws let attackers bypass login rate limiting and brute-force protection by overflowing the cache that tracks failed attempts, crash the application or lose in-memory data through unsafe array handling, and cause a denial of service by exploiting unsafe array modification in multi-threaded environments.

The fix: No workaround is available for these issues; however, Argo CD released patches so update quickly and keep in mind their Upgrade Overview to avoid issues.


Chad Kime
