This week was relatively quiet regarding new vulnerabilities, but we’re seeing a few issues, like flaws in WhatsUp Gold and NVIDIA. Additionally, researchers published a report on a Kia dealer portal vulnerability that’s since been fixed but affected millions of vehicles. The flaw could have allowed remote command execution on vehicles, including unlocking the car, tracking its travel patterns, and causing it to honk.
Continue to maintain consistent patching and vulnerability scanning processes throughout your business’s infrastructure. And while you’re watching for application and system vulnerabilities, you might want to keep an eye on your smart vehicles as well.
September 24, 2024
Upgrade WhatsUp Gold to Fix Six New Flaws
Type of vulnerability: Not yet specified.
The problem: Researchers recently discovered six vulnerabilities in WhatsUp Gold, a network performance and monitoring solution, that exist in versions below 24.0.1. The flaws range in severity from 8.8 to 9.8. Progress Software, which owns WhatsUp Gold, released a security bulletin advising customers to upgrade their WhatsUp Gold instances to version 24.0.1.
Researchers Sina Kheirkhah and Andy Niu, as well as researchers at Tenable, discovered the vulnerabilities. The six CVEs include:
- CVE-2024-46908
- CVE-2024-46907
- CVE-2024-46906
- CVE-2024-46905
- CVE-2024-46909
- CVE-2024-8785
Progress Software hasn’t yet revealed specific details about the vulnerabilities.
The fix: Upgrade to version 24.0.1 of WhatsUp Gold.
To automate vulnerability tracking and patching, consider a vulnerability scanning tool, which examines your infrastructure for known vulnerabilities that need to be updated.
One of Ivanti’s August Vulnerabilities Added to KEV
Type of vulnerability: Authentication bypass.
The problem: A vulnerability in Ivanti Virtual Traffic Manager (vTM) was recently added to CISA’s Known Exploited Vulnerabilities (KEV) catalog. I previously highlighted this flaw in an August vulnerability recap, by which point Ivanti had already fixed it. An incorrect implementation of vTM’s authentication algorithm could allow a remote threat actor to gain access to the admin panel without authenticating.
Versions 22.2R1 and 22.7R2 are free from this vulnerability, but all other versions of vTM are affected. The vulnerability is tracked as CVE-2024-7593 and has a severity rating of 9.8.
While this vulnerability was one of an unfortunate string of flaws in Ivanti’s products over the last few months, it’s good to see the vendor continue to patch consistently and keep users updated on issues. Ivanti has demonstrated its commitment to improving its security posture, and it’s by no means the only vendor navigating major vulnerabilities; it has simply been prevalent in headlines.
The fix: If you haven’t updated your instance of Virtual Traffic Manager yet, upgrade now to versions 22.2R1, 22.3R3, 22.5R2, 22.6R2, or 22.7R2.
September 25, 2024
NVIDIA Flaw Exploited Through Container Images
Type of vulnerability: Time-of-check/time-of-use and file creation.
The problem: Computing provider NVIDIA recently updated its Container Toolkit and GPU Operator due to vulnerabilities that could lead to data tampering, code execution, or privilege escalation.
Version 1.16.1 and earlier versions of Container Toolkit have a time-of-check/time-of-use (TOCTOU) vulnerability. When installed with the default software configuration, a threat actor could use a specially crafted container image to access the host file system. This vulnerability is tracked as CVE-2024-0132.
The other Container Toolkit vulnerability allows a threat actor to use the container image to create empty files on the host file system. This vulnerability is tracked as CVE-2024-0133.
The security bulletin is unclear as to which vulnerability affects NVIDIA GPU Operator, stating different things in different sections of the bulletin. Still, it’s safe to assume that GPU Operator versions 24.6.1 and earlier could be affected by CVE-2024-0133.
The fix: Use the NVIDIA Container Toolkit installation guide and the GPU Operator documentation to install the appropriate software version.
September 26, 2024
Linux CUPS Flaw Permits Command Execution
Type of vulnerability: Malicious URL injection, potentially leading to RCE.
The problem: Vulnerabilities in Linux systems’ OpenPrinting Common Unix Printing System (CUPS) could allow a threat actor to perform remote command execution. CUPS is an open-source printing system for Linux and Unix that allows computers to act as print servers and assign jobs to printers.
“A remote unauthenticated attacker can silently replace existing printers’ (or install new ones) IPP URLs with a malicious one, resulting in arbitrary command execution (on the computer) when a print job is started (from that computer),” wrote Simone Margaritelli, the researcher who published a blog on the vulnerability.
According to Margaritelli, the entry point for an exploit would be port 631 via a UDP packet from the wide area network or public internet. On a LAN, the threat actor would instead use spoofed zeroconf / mDNS / DNS-SD advertisements.
“The vulnerability stems from inadequate validation of network data, allowing attackers to get the vulnerable system to install a malicious printer driver, and then send a print job to that driver triggering execution of the malicious code,” said security firm Ontinue. “The malicious code is executed with the privileges of the lp user – not the superuser ‘root’.” According to Ontinue, this is an example of chaining a set of flaws together to produce the hypothetical exploit.
Researchers don’t expect the vulnerability to be widely exploited. The four individual flaws include:
The fix: Until patches are available, disable UDP port 631. The port must be enabled for a threat actor to exploit the vulnerability.
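To check whether the UDP/631 entry point described above is still reachable from outside, here is an added example (not from the article, Margaritelli’s post, or the CUPS project) that scans netfilter-style firewall log lines for inbound UDP datagrams to port 631 and labels each by whether its source is a local range or the public internet. The log lines, the address ranges treated as "local", and the field names are constructed assumptions for illustration.

```python
import ipaddress
import re

# Constructed sample of netfilter-style firewall log lines (not from the
# article or any real host): two inbound UDP datagrams to port 631, one
# from a LAN peer and one from a public address, plus unrelated traffic.
SAMPLE_LOG = """\
kernel: IN=eth0 OUT= SRC=192.168.1.40 DST=192.168.1.10 PROTO=UDP SPT=49152 DPT=631 LEN=120
kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 PROTO=UDP SPT=40001 DPT=631 LEN=96
kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.5 PROTO=TCP SPT=51000 DPT=631 LEN=60
kernel: IN=eth0 OUT= SRC=10.0.0.3 DST=10.0.0.1 PROTO=UDP SPT=5353 DPT=5353 LEN=80
"""

# Source ranges treated as "inside" (RFC 1918, loopback, link-local);
# anything else counts as arriving from the WAN or public internet.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

FIELD_RE = re.compile(r"(SRC|DST|PROTO|DPT)=(\S+)")

def parse_line(line):
    """Return the SRC/DST/PROTO/DPT fields of one log line, or None."""
    fields = dict(FIELD_RE.findall(line))
    if not all(k in fields for k in ("SRC", "PROTO", "DPT")):
        return None
    return fields

def is_udp631(fields):
    """True for an inbound UDP datagram aimed at port 631, the cups-browsed
    entry point the article describes (TCP/631 is ordinary IPP and is ignored)."""
    return fields["PROTO"] == "UDP" and fields["DPT"] == "631"

def from_outside(src):
    """True when the source address is not in any local range."""
    addr = ipaddress.ip_address(src)
    return not any(addr in net for net in LOCAL_NETS)

def find_udp631_hits(log_text):
    """Return (src, scope) for every UDP/631 datagram in the log; scope is
    'wan' for outside sources and 'lan' otherwise. Any 'wan' hit means
    UDP/631 is still reachable and the port should be blocked."""
    hits = []
    for line in log_text.splitlines():
        fields = parse_line(line)
        if fields and is_udp631(fields):
            hits.append((fields["SRC"], "wan" if from_outside(fields["SRC"]) else "lan"))
    return hits
```

A "wan" hit is evidence that the mitigation (blocking UDP port 631 at the perimeter) is not yet in place; "lan" hits still deserve review given the mDNS/DNS-SD path on local networks.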
Microsoft Doesn’t Consider Privilege Escalation Flaw a Vulnerability
Type of vulnerability: DLL hijacking leading to privilege escalation.
The problem: Drive remapping and cache poisoning could lead to DLL hijacking of Microsoft Windows 10, Windows 11, Windows Server 2016, Windows Server 2019, and Windows Server 2022. The attack could allow an unauthenticated threat actor to escalate a medium integrity process to a high integrity one.
The attack wouldn’t involve intervention from a user account control (UAC) prompt, according to Fortra. It would require the attacker to have medium integrity privileges within the system already.
The vulnerability is tracked as CVE-2024-6769 and has a base score of 6.7. While Microsoft didn’t classify it as a vulnerability when Fortra first reported it to them, Fortra identified it as a privilege escalation opportunity for attackers.
The fix: Neither Fortra nor NIST gives mitigation instructions in their bulletins, and Microsoft doesn’t view the flaw as a vulnerability. It only applies to administrators, so if you’re an admin on those Windows systems, pay close attention to their activity.
RCE Could Have Affected Millions of… Kia Vehicles?
Type of vulnerability: Remote command execution.
The problem: For two years, security researchers Sam Curry, Justin Rhinehart, Neiko Rivera, and Ian Carroll have been studying vulnerabilities in connected vehicles. Last week, Curry published a writeup of their discoveries specific to Kia vehicles. A vulnerability in the Kia owner’s website and mobile app allowed users to execute internet-to-vehicle commands.
The researchers could also generate a valid access token for the Kia dealership website and authenticate themselves to use the dealer portal. The HTTP requests they discovered allowed an attacker to access a victim’s vehicle using only the car’s license plate number.
“From the victim’s side, there was no notification that their vehicle had been accessed nor their access permissions modified,” Curry said. “An attacker could resolve someone’s license plate, enter their VIN through the API, then track them passively and send active commands like unlock, start, or honk.”
The researchers immediately reported the issue to Kia once they saw how it all worked. They also created a proof-of-concept dashboard to show the impact of the exploit more clearly. According to Curry’s timeline in the report, Kia remediated the vulnerability in August and had begun to test it. Curry disclosed the flaw publicly last week.
The fix: Kia has reportedly fixed its dealer portal API.
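The core weakness Curry describes is an API that executed vehicle commands and changed access permissions for any caller holding a valid token, with no check that the caller was the vehicle’s owner and no notification to the owner. The following added example (not Kia’s code or the researchers’ proof of concept; the VIN, identities, and class names are constructed for illustration) models that unchecked pattern beside a hardened form that binds commands and delegation to the registered owner and queues an owner notification for every event.

```python
from dataclasses import dataclass, field

# Constructed sample data (not from the article or Kia's systems): one
# registered owner for one VIN.
OWNERS = {"VIN-CONSTRUCTED-0001": "owner@example.test"}

@dataclass
class Session:
    subject: str   # identity the validated token is bound to

def send_command_unchecked(session, vin, command):
    """The gap the article describes: any valid token (for instance one
    minted for the dealer portal) is enough to act on any VIN, and the
    owner is never told."""
    if session is None:
        raise PermissionError("no valid token")
    return f"{command} sent to {vin}"

@dataclass
class VehicleAccess:
    """Hardened form: commands and permission changes are tied to the
    registered owner, and every event is queued as an owner notification."""
    grants: dict = field(default_factory=dict)   # vin -> set of delegated subjects
    notices: list = field(default_factory=list)  # messages owed to owners

    def _owner(self, vin):
        owner = OWNERS.get(vin)
        if owner is None:
            raise PermissionError("unknown vehicle")
        return owner

    def grant(self, session, vin, grantee):
        """Only the owner may delegate access, and the owner is notified."""
        owner = self._owner(vin)
        if session.subject != owner:
            raise PermissionError("only the owner may modify access")
        self.grants.setdefault(vin, set()).add(grantee)
        self.notices.append(f"{owner}: access to {vin} granted to {grantee}")

    def send_command(self, session, vin, command):
        """Execute only for the owner or an explicit grantee; log either way."""
        owner = self._owner(vin)
        allowed = (session.subject == owner
                   or session.subject in self.grants.get(vin, set()))
        if not allowed:
            self.notices.append(f"{owner}: denied {command} on {vin} from {session.subject}")
            raise PermissionError("caller may not command this vehicle")
        self.notices.append(f"{owner}: {command} on {vin} by {session.subject}")
        return f"{command} sent to {vin}"
```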