One theme that our recent vulnerability recaps have revealed is that threat actors are consistently exploiting flaws with already-active patches. Sometimes, the flaws have been fixed for months during an exploit. It’s challenging for security teams to patch all the software solutions your business uses rapidly, but let this be your weekly reminder to prioritize patching schedules. Today, we’re looking at GitHub, Grafana, and Apple vulnerabilities.
October 10, 2024
GitHub Flaw Allows Authentication Bypass
Type of vulnerability: Improper verification of cryptographic signature.
The problem: GitHub published a security update for Enterprise Server due to a high-severity vulnerability that allows an attacker to bypass SSO authentication. The flaw results from improper verification of a cryptographic signature, and without SSO authentication required, a threat actor could gain access to the server instance and provision other users.
The threat actor would need direct network access and a signed SAML response or metadata document to exploit the flaw. They’d also need the encryption assertions feature to be enabled before an exploit, according to NIST’s National Vulnerability Database. The flaw is tracked as CVE-2024-9487. It affects all GitHub Enterprise Server versions before 3.15.
GitHub fixed the issue in versions 3.11.16, 3.12.10, 3.13.5, and 3.14.2. Other flaws fixed in 3.14.2 include a vulnerability in the management console, which exposed sensitive data in HTML forms, and a medium-severity information disclosure flaw involving malicious URLs.
The fix: Upgrade to one of the fixed versions immediately.
Does your business need a more streamlined version of identifying vulnerabilities? Are you trying to find them manually? We recommend using a vulnerability scanning tool to simplify this process. Check out our guide to the best vulnerability scanners next.
October 15, 2024
Previously-Patched Roundcube Webmail Flaw Has Been Exploited
Type of vulnerability: Cross-site scripting.
The problem: Russian-based Positive Technologies discovered and announced an attempted exploit of a patched vulnerability in Roundcube Webmail. Roundcube Webmail is an open-source email solution written in PHP. The vulnerability, CVE-2024-37383, is a stored cross-site scripting vulnerability that permits a threat actor to run JavaScript code on a victim’s web page. It was fixed in May 2024 after CrowdStrike researchers identified it.
Positive Technologies has since noticed exploit attempts through an email with tags that decode and run JavaScript. The email was sent to a governmental organization within a Commonwealth of Independent States (CIS) member nation. Positive Technologies hasn’t been able to link the threat to a specific threat actor group. Still, it’s noticed that government agencies are a major target since they tend to use Roundcube Webmail.
Roundcube client versions earlier than 1.5.6 or 1.6 to 1.6.6 are vulnerable to the Roundcube flaw if not yet patched.
The fix: Update any affected versions of Roundcube Webmail immediately.
Positive Technologies provides a couple of network indicators to look for if you’re concerned about a potential exploit.
Proxmox-Developed Kubernetes Images Are Vulnerable to Attack
Type of vulnerability: Enabled default credentials.
The problem: A vulnerability in Kubernetes Image Builder enables default credentials during the image build process. According to Joel Smith, virtual machine images that use Proxmox, an open-source option for image building, don’t have disabled default credentials. Threat actors could then exploit the Kubernetes nodes that use those images and potentially gain root access if they used the default credentials.
The flaw only affects Kubernetes clusters that host VMs created with Image Builder when Proxmox is the virtualization provider.
The vulnerability has a severity rating of 9.8 and is tracked as CVE-2024-9486. It affects Kubernetes Image Builder versions v0.1.37 and earlier.
The fix: Upgrade Kubernetes Image Builder to version 0.1.38.
October 17, 2024
Grafana Releases Patches for Critical SQL Vulnerability
Type of vulnerability: SQL expression, potentially leading to command injection and local file inclusion.
The problem: Grafana released patches for version 11.0.x, 11.1.x, and 11.2.x due to a critical SQL expression vulnerability.
“The vulnerability was in an experimental feature named SQL Expressions that allows for data source query output to be post-processed by executing one or more SQL queries,” Grafana said. It passes the query and data to the DuckDB CLI, which executes the SQL against the DataFrame data.
Because the SQL queries weren’t sanitized, Grafana said, a command injection and local file inclusion vulnerability resulted.
Because of an incorrect implementation of feature flags, this experimental feature is enabled by default for the API. However, to be exploitable, the DuckDB binary must be accessible through the PATH of the Grafana process environment.
Feature flags, which allow users to enable and disable software, aren’t implemented correctly, so SQL Expressions is enabled by default for the API. However, Grafana’s process environment must have the DuckDB binary accessible through PATH for a threat actor to exploit this vulnerability. Your system won’t be vulnerable without DuckDB, Grafana explained.
An attacker could use this vulnerability to access any file on Grafana’s host machine, which includes passwords stored in the files without encryption. Viewer permissions, or any higher permissions, are sufficient for the attack; it’s not restricted to admins. The flaw is tracked as CVE-2024-9264.
The fix: Download one of Grafana’s security fixes based on the product you use. Grafana also mentions removing the DuckDB binary from PATH or your entire environment; it’s unnecessary for any other Grafana feature.
ClickFix Campaign Uses Google Meet as Attack Vector
Type of vulnerability: Phishing and malware installation.
The problem: Security provider Sekoia published a blog detailing its findings on the ClickFix campaign, which uses falsified Google Meet pages to install infostealers on Windows and Mac computers. ClickFix performs social engineering to impersonate popular websites like Google Chrome to get users to click on fake sites.
“By pivoting on the text elements in ClickFix messages displayed to users, such as the phrase “Press the key combination” or “CTRL+V”, we discovered several websites masquerading as the homepage of a Google Meet video conference,” Sekoia researcher Quentin Bourgue said. According to Bourgue, the fake sites showed pop-ups falsely indicating that the microphone and headset had issues, encouraging victims to click buttons to resolve the issue.
Sekoia provides the following examples of domain names, as well as an IP address that they attribute to the ClickFix cluster using fake Google Meet sessions:
The fix: No specific fix is available.
October 18, 2024
Apple Fixes Flaw Reported by Microsoft in New Sequoia Release
Type of vulnerability: Authorization bypass.
The problem: Microsoft’s Threat Intelligence team discovered a vulnerability within macOS related to its Transparency, Consent, and Control (TCC) technology. The flaw could allow a threat actor to bypass TCC and access the victim’s data. Microsoft dubbed the vulnerability HM Surf and reported it to Apple. Apple has since fixed the flaw in Sequoia 15.
The new macOS update fixes issues within other Apple features, including Kernel, Sandbox, and Shortcuts. The TCC flaw is tracked as CVE-2024-44133. Microsoft has already noticed behaviors from Defender for Endpoint that suggest Adload, a macOS threat family, is exploiting the vulnerability.
The fix: Upgrade your Mac devices to macOS Sequoia 15.
Read next: