Mar 21, 2024NewsroomVulnerability / Web Security

Ivanti has disclosed details of a critical remote code execution flaw impacting Standalone Sentry, urging customers to apply the fixes immediately to stay protected against potential cyber threats.

Tracked as CVE-2023-41724, the vulnerability carries a CVSS score of 9.6.

“An unauthenticated threat actor can execute arbitrary commands on the underlying operating system of the appliance within the same physical or logical network,” the company said.

The flaw impacts all supported versions 9.17.0, 9.18.0, and 9.19.0, as well as older versions. The company said it has made available a patch (versions 9.17.1, 9.18.1, and 9.19.1) that can be downloaded via the standard download portal.

It credited Vincent Hutsebaut, Pierre Vivegnis, Jerome Nokin, Roberto Suggi Liverani and Antonin B. of NATO Cyber Security Centre for “their collaboration on this issue.”

Ivanti emphasized that it’s not aware of any customers affected by CVE-2023-41724, and added that “threat actors without a valid TLS client certificate enrolled through EPMM cannot directly exploit this issue on the internet.”

Recently disclosed security flaws in Ivanti software have been subject to exploitation by at least three different suspected China-linked cyber espionage clusters tracked as UNC5221, UNC5325, and UNC3886, according to Mandiant.

The development comes as SonarSource revealed a mutation cross-site scripting (mXSS) flaw impacting an open-source email client called Mailspring aka Nylas Mail (CVE-2023-47479) that could be exploited to bypass sandbox and Content Security Policy (CSP) protections and achieve code execution when a user replies to or forwards a malicious email.

“mXSS takes advantage of that by providing a payload that seems innocent initially when parsing (during the sanitization process) but mutates it to a malicious one when re-parsing it (in the final stage of displaying the content),” security researcher Yaniv Nizry said.

Mar 13, 2024NewsroomPatch Tuesday / Software Update

Microsoft on Tuesday released its monthly security update, addressing 61 different security flaws spanning its software, including two critical issues impacting Windows Hyper-V that could lead to denial-of-service (DoS) and remote code execution.

Of the 61 vulnerabilities, two are rated Critical, 58 are rated Important, and one is rated Low in severity. None of the flaws are listed as publicly known or under active attack at the time of the release, but six of them have been tagged with an “Exploitation More Likely” assessment.

The fixes are in addition to 17 security flaws that have been patched in the company’s Chromium-based Edge browser since the release of the February 2024 Patch Tuesday updates.

Topping the list of critical shortcomings are CVE-2024-21407 and CVE-2024-21408, which affect Hyper-V and could result in remote code execution and a DoS condition, respectively.

Microsoft’s update also addresses privilege escalation flaws in the Azure Kubernetes Service Confidential Container (CVE-2024-21400, CVSS score: 9.0), Windows Composite Image File System (CVE-2024-26170, CVSS score: 7.8), and Authenticator (CVE-2024-21390, CVSS score: 7.1).

Successful exploitation of CVE-2024-21390 requires the attacker to have a local presence on the device either via malware or a malicious application already installed via some other means. It also necessitates that the victim closes and re-opens the Authenticator app.

“Exploitation of this vulnerability could allow an attacker to gain access to multi-factor authentication codes for the victim’s accounts, as well as modify or delete accounts in the authenticator app but not prevent the app from launching or running,” Microsoft said in an advisory.

“While exploitation of this flaw is considered less likely, we know that attackers are keen to find ways to bypass multi-factor authentication,” Satnam Narang, senior staff research engineer at Tenable, said in a statement shared with The Hacker News.

“Having access to a target device is bad enough as they can monitor keystrokes, steal data and redirect users to phishing websites, but if the goal is to remain stealth, they could maintain this access and steal multi-factor authentication codes in order to login to sensitive accounts, steal data or hijack the accounts altogether by changing passwords and replacing the multi-factor authentication device, effectively locking the user out of their accounts.”

Another vulnerability of note is a privilege escalation bug in the Print Spooler component (CVE-2024-21433, CVSS score: 7.0) that could permit an attacker to obtain SYSTEM privileges but only upon winning a race condition.

The update also plugs a remote code execution flaw in Exchange Server (CVE-2024-26198, CVSS score: 8.8) that an unauthenticated threat actor could abuse by placing a specially crafted file onto an online directory and tricking a victim into opening it, resulting in the execution of malicious DLL files.

The vulnerability with the highest CVSS rating is CVE-2024-21334 (CVSS score: 9.8), which concerns a case of remote code execution affecting the Open Management Infrastructure (OMI).

“A remote unauthenticated attacker could access the OMI instance from the Internet and send specially crafted requests to trigger a use-after-free vulnerability,” Redmond said.

“The first quarter of Patch Tuesday in 2024 has been quieter compared to the last four years,” Narang said. “On average, there were 237 CVEs patched in the first quarter from 2020 through 2023. In the first quarter of 2024, Microsoft only patched 181 CVEs. The average number of CVEs patched in March over the last four years was 86.”

Software Patches from Other Vendors

In addition to Microsoft, security updates have also been released by other vendors over the past few weeks to rectify several vulnerabilities, including —

Mar 06, 2024The Hacker NewsData Security / Cloud Security

Every Google Workspace administrator knows how quickly Google Drive becomes a messy sprawl of loosely shared confidential information. This isn’t anyone’s fault; it’s inevitable as your productivity suite is purposefully designed to enable real-time collaboration – both internally and externally.

For Security & Risk Management teams, the untenable risk of any Google Drive footprint lies in the toxic combinations of sensitive data, excessive permissions, and improper sharing. However, it can be challenging to differentiate between typical business practices and potential risks without fully understanding the context and intent.

Material Security, a company renowned for its innovative method of protecting sensitive data within employee mailboxes, has recently launched Data Protection for Google Drive to safeguard the sprawl of confidential information scattered throughout Google Drive with a powerful discovery and remediation toolkit.

How Material Security helps organizations safeguard Google Drive

Trying to answer fundamental questions about what’s in Google Drive and where it’s shared is painstakingly manual using the Workspace admin dashboard, and working with the Drive API is costly and complex. Given the breadth of sensitive content, this is an area that warrants focus, but it’s challenging to get to the depth required.

Material is backed by a powerful data platform that syncs with your Google Workspace tenant to build out a structured model of historical file contents, metadata, permissions, and sharing settings that is kept up-to-date based on ongoing activity. This data platform enables in-depth inspection that wouldn’t be possible by interfacing with the Drive API alone. With this data platform as the foundation, Material:

• Scans file contents against a set of custom built ML-based detection rules to identify and classify sensitive content across a wide range of PII, PCI, PHI, and other confidential data categories
• Calculates file and folder permission sets and sharing settings to build a unified access model that is easier to understand and demonstrate for compliance
• Enables automated access revocation based on precise search results and activity triggers to continuously reduce the risk profile

The precision of Material allows you to effectively wrangle such a complex and vast data repository without getting in the way of daily use – security without impacting productivity. See it for yourself.

Illuminate blind spots across your Google Drive footprint

With a powerful data platform as the foundation, you gain an expressive search interface that guides you through your Google Drive footprint to identify toxic combinations worthy of investigation. You can search against file metadata, ownership, content, location, and sharing to answer questions such as:

• Show me every file that contains financial records that are shared externally
• Show me every file viewable via a public link that contains PII
• Show me every file accessible by these users who are departing the company next week
• Show me every file with confidential information that’s shared with a gmail address
• Show me every file in a Shared Drive that contains health records

As you illuminate more of those dangerous blind spots, you continuously gain a more complete view of the environment with heightened security posture – the types of things that make it easier to sleep at night.

Block exfiltration paths with automated remediation

The primary remediation mode to fix toxic combinations in Google Drive is to revoke access. That sounds easy on the surface, but when you consider the conditions of the whole space, it becomes a multi-dimensional puzzle. When is external sharing valid and when is it not? Are there users that belong to groups that they shouldn’t? Which settings should change when a document is modified to add confidential information?

Precise search and activity-based filtering enables remediation workflows for scenarios such as:

• Automatically revoking public links for any file that contains classified information
• Sending users a message to confirm external sharing when files contain any sensitive data
• Cutting off access to all files shared with specific external domains in a single bulk job
• Revoking all access to a specific account that displays behaviors of a compromise
• Resetting any files accessible to the organization that contain personal health information to Restricted

Applying automation generally can get in the way of day-to-day use, so it’s important to build with precision – a better understanding of the nature of content, which domains are trusted, and common user behaviors help you contain the surface area the right way.

Keep your productivity suite productive with Material Security

At Material, we focus our efforts on the productivity suite because we believe that it’s critical infrastructure to any organization. And as critical infrastructure, in-depth security defenses that can effectively stop attacks and reduce risk across the environment are paramount.

The new capabilities with Data Protection for Google Drive solve hard data discovery, governance, and access problems that have traditionally been challenging to do without dedicated tooling.

Want to see it for yourself? Schedule a personal demo with our team today.

Jan 17, 2024NewsroomBrowser Security / Vulnerability

Google on Tuesday released updates to fix four security issues in its Chrome browser, including an actively exploited zero-day flaw.

The issue, tracked as CVE-2024-0519, concerns an out-of-bounds memory access in the V8 JavaScript and WebAssembly engine, which can be weaponized by threat actors to trigger a crash.

“By reading out-of-bounds memory, an attacker might be able to get secret values, such as memory addresses, which can be bypass protection mechanisms such as ASLR in order to improve the reliability and likelihood of exploiting a separate weakness to achieve code execution instead of just denial of service,” according to MITRE’s Common Weakness Enumeration (CWE).

Additional details about the nature of the attacks and the threat actors that may be exploiting them have withheld in an attempt to prevent further exploitation. The issue was reported anonymously on January 11, 2024.

“Out-of-bounds memory access in V8 in Google Chrome prior to 120.0.6099.224 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page,” reads a description of the flaw on the NIST’s National Vulnerability Database (NVD).

The development marks the first actively exploited zero-day to be patched by Google in Chrome in 2024. Last year, the tech giant resolved a total of 8 such actively exploited zero-days in the browser.

Users are recommended to upgrade to Chrome version 120.0.6099.224/225 for Windows, 120.0.6099.234 for macOS, and 120.0.6099.224 for Linux to mitigate potential threats.

Users of Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi are also advised to apply the fixes as and when they become available.