Networks – INDIA NEWS (https://www.indiavpn.org)

Palo Alto Networks Releases Urgent Fixes for Exploited PAN-OS Vulnerability
https://www.indiavpn.org/2024/04/15/palo-alto-networks-releases-urgent-fixes-for-exploited-pan-os-vulnerability/
Mon, 15 Apr 2024 10:34:40 +0000

Apr 15, 2024 | Newsroom | Firewall Security / Vulnerability

Palo Alto Networks has released hotfixes to address a maximum-severity security flaw impacting PAN-OS software that has come under active exploitation in the wild.

Tracked as CVE-2024-3400 (CVSS score: 10.0), the critical vulnerability is a case of command injection in the GlobalProtect feature that an unauthenticated attacker could weaponize to execute arbitrary code with root privileges on the firewall.

Fixes for the shortcoming are available in the following versions –

  • PAN-OS 10.2.9-h1
  • PAN-OS 11.0.4-h1, and
  • PAN-OS 11.1.2-h3

Patches for other commonly deployed maintenance releases are expected to be released over the next few days.


“This issue is applicable only to PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 firewalls configured with GlobalProtect gateway or GlobalProtect portal (or both) and device telemetry enabled,” the company clarified in its updated advisory.

It also said that while Cloud NGFW firewalls are not impacted by CVE-2024-3400, specific PAN-OS versions and distinct feature configurations of firewall VMs deployed and managed by customers in the cloud are affected.

The exact origins of the threat actor exploiting the flaw are presently unknown but Palo Alto Networks Unit 42 is tracking the malicious activity under the name Operation MidnightEclipse.

Volexity, which attributed it to a cluster dubbed UTA0218, said CVE-2024-3400 has been leveraged since at least March 26, 2024, to deliver a Python-based backdoor called UPSTYLE on the firewall that allows for the execution of arbitrary commands via specially crafted requests.

It is unclear how widespread the exploitation has been, but the threat intelligence firm said it has “evidence of potential reconnaissance activity involving more widespread exploitation aimed at identifying vulnerable systems.”

In attacks documented to date, UTA0218 has been observed deploying additional payloads to launch reverse shells, exfiltrate PAN-OS configuration data, remove log files, and deploy the Golang tunneling tool named GOST (GO Simple Tunnel).

No other follow-up malware or persistence methods are said to have been deployed on victim networks, although it’s unknown if it’s by design or due to early detection and response.

Critical Palo Alto Networks PAN-OS Flaw Under Active Attack
https://www.indiavpn.org/2024/04/12/critical-palo-alto-networks-pan-os-flaw-under-active-attack/
Fri, 12 Apr 2024 13:24:11 +0000

Apr 12, 2024 | Newsroom | Network Security / Zero-Day

Palo Alto Networks is warning that a critical flaw impacting its PAN-OS software used in its GlobalProtect gateways is being exploited in the wild.

Tracked as CVE-2024-3400, the issue has a CVSS score of 10.0, indicating maximum severity.

“A command injection vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software for specific PAN-OS versions and distinct feature configurations may enable an unauthenticated attacker to execute arbitrary code with root privileges on the firewall,” the company said in an advisory published today.

The flaw impacts the following versions of PAN-OS, with fixes expected to be released on April 14, 2024 –

  • PAN-OS < 11.1.2-h3
  • PAN-OS < 11.0.4-h1
  • PAN-OS < 10.2.9-h1

The company also said that the issue is applicable only to firewalls that have the configurations for both GlobalProtect gateway (Network > GlobalProtect > Gateways) and device telemetry (Device > Setup > Telemetry) enabled.


Cybersecurity firm Volexity has been credited with discovering and reporting the bug.

While there are no other technical details about the nature of the attacks, Palo Alto Networks acknowledged that it’s “aware of a limited number of attacks that leverage the exploitation of this vulnerability.”

In the interim, it is recommending that customers with a Threat Prevention subscription enable Threat ID 95187 to protect against the threat.

The development comes as Chinese threat actors have increasingly relied on zero-day flaws impacting Barracuda Networks, Fortinet, Ivanti, and VMware to breach targets of interest and deploy covert backdoors for persistent access.

China-Linked Group Breaches Networks via ConnectWise, F5 Software Flaws
https://www.indiavpn.org/2024/03/22/china-linked-group-breaches-networks-via-connectwise-f5-software-flaws/
Fri, 22 Mar 2024 12:39:42 +0000

Mar 22, 2024 | Newsroom | Cyber Defense / Vulnerability

A China-linked threat cluster leveraged security flaws in ConnectWise ScreenConnect and F5 BIG-IP software to deliver custom malware capable of dropping additional backdoors on compromised Linux hosts as part of an “aggressive” campaign.

Google-owned Mandiant is tracking the activity under its uncategorized moniker UNC5174 (aka Uteus or Uetus), describing it as a “former member of Chinese hacktivist collectives that has since shown indications of acting as a contractor for China’s Ministry of State Security (MSS) focused on executing access operations.”

The threat actor is believed to have orchestrated widespread attacks against Southeast Asian and U.S. research and education institutions, Hong Kong businesses, charities and non-governmental organizations (NGOs), and U.S. and U.K. government organizations between October and November 2023, and again in February 2024 using the ScreenConnect bug.


Initial access to target environments is facilitated by the exploitation of known security flaws in Atlassian Confluence (CVE-2023-22518), ConnectWise ScreenConnect (CVE-2024-1709), F5 BIG-IP (CVE-2023-46747), Linux Kernel (CVE-2022-0185), and Zyxel (CVE-2022-3052).

A successful foothold is followed by extensive reconnaissance and scanning of internet-facing systems for security vulnerabilities, with UNC5174 also creating administrative user accounts to execute malicious actions with elevated privileges, including dropping a C-based ELF downloader dubbed SNOWLIGHT.

SNOWLIGHT is designed to download the next-stage payload, an obfuscated Golang backdoor named GOREVERSE, from a remote URL that’s related to SUPERSHELL, an open-source command-and-control (C2) framework that allows attackers to establish a reverse SSH tunnel and launch interactive shell sessions to execute arbitrary code.

Also put to use by the threat actor is a Golang-based tunneling tool known as GOHEAVY, which is likely employed to facilitate lateral movement within compromised networks, as well as other programs like afrog, DirBuster, Metasploit, Sliver, and sqlmap.


In one unusual instance spotted by the threat intelligence firm, the threat actors have been found to apply mitigations for CVE-2023-46747 in a likely attempt to prevent other unrelated adversaries from weaponizing the same loophole to obtain access.

“UNC5174 (aka Uteus) was previously a member of Chinese hacktivist collectives ‘Dawn Calvary’ and has collaborated with ‘Genesis Day’/‘Xiaoqiying’ and ‘Teng Snake,’” Mandiant assessed. “This individual appears to have departed these groups in mid-2023 and has since focused on executing access operations with the intention of brokering access to compromised environments.”

There is evidence to suggest that the threat actor may be an initial access broker, even claiming to be affiliated with the MSS in dark web forums. This is bolstered by the fact some of the U.S. defense and U.K. government entities were simultaneously targeted by another access broker referred to as UNC302.


The findings once again underscore Chinese nation-state groups’ continued efforts to breach edge appliances by swiftly co-opting recently disclosed vulnerabilities into their arsenal in order to conduct cyber espionage operations at scale.

“UNC5174 has been observed attempting to sell access to U.S. defense contractor appliances, U.K. government entities, and institutions in Asia in late 2023 following CVE-2023-46747 exploitation,” Mandiant researchers said.

“There are similarities between UNC5174 and UNC302, which suggests they operate within an MSS initial access broker landscape. These similarities suggest possible shared exploits and operational priorities between these threat actors, although further investigation is required for definitive attribution.”

The disclosure comes as the MSS warned that an unnamed foreign hacking group had infiltrated “hundreds” of Chinese business and government organizations by leveraging phishing emails and known security bugs to breach networks. It did not reveal the threat actor’s name or origin.

Thread Hijacking Attack Targets IT Networks, Stealing NTLM Hashes
https://www.indiavpn.org/2024/03/05/thread-hijacking-attack-targets-it-networks-stealing-ntlm-hashes/
Tue, 05 Mar 2024 21:08:27 +0000

Mar 05, 2024 | Newsroom | Email Security / Network Security

The threat actor known as TA577 has been observed using ZIP archive attachments in phishing emails with an aim to steal NT LAN Manager (NTLM) hashes.

The new attack chain “can be used for sensitive information gathering purposes and to enable follow-on activity,” enterprise security firm Proofpoint said in a Monday report.

At least two campaigns taking advantage of this approach were observed on February 26 and 27, 2024, the company added. The phishing waves disseminated thousands of messages and targeted hundreds of organizations across the world.


The messages themselves appeared as responses to previous emails, a known technique called thread hijacking, in a bid to increase the likelihood of the attacks’ success.

The ZIP attachments come with an HTML file that’s designed to contact an actor-controlled Server Message Block (SMB) server.

“TA577’s objective is to capture NTLMv2 Challenge/Response pairs from the SMB server to steal NTLM hashes based on characteristics of the attack chain and tools used,” the company said, which could then be used for pass-the-hash (PtH) type attacks.


This means that adversaries who are in possession of a password hash do not need the underlying password to authenticate a session, ultimately enabling them to move through a network and gain unauthorized access to valuable data.

TA577, which overlaps with an activity cluster tracked by Trend Micro as Water Curupira, is one of the most sophisticated cybercrime groups. It has been linked to the distribution of malware families like QakBot and PikaBot in the past.


“The rate at which TA577 adopts and distributes new tactics, techniques, and procedures (TTPs) suggests the threat actor likely has the time, resources, and experience to rapidly iterate and test new delivery methods,” Proofpoint said.

It also described the threat actor as acutely aware of shifts in the cyber threat landscape, quickly adapting and refining its tradecraft and delivery methods to bypass detection and drop a variety of payloads. It is highly recommended that organizations block outbound SMB to prevent exploitation.

GTPDOOR Linux Malware Targets Telecoms, Exploiting GPRS Roaming Networks
https://www.indiavpn.org/2024/02/29/gtpdoor-linux-malware-targets-telecoms-exploiting-gprs-roaming-networks/
Thu, 29 Feb 2024 12:53:46 +0000

Feb 29, 2024 | Newsroom | Linux / Network Security

Threat hunters have discovered a new Linux malware called GTPDOOR that’s designed to be deployed in telecom networks adjacent to GPRS roaming exchanges (GRX).

The malware is novel in that it leverages the GPRS Tunnelling Protocol (GTP) for command-and-control (C2) communications.

GPRS roaming allows subscribers to access their GPRS services while they are beyond the reach of their home mobile network. This is facilitated by means of a GRX that transports the roaming traffic using GTP between the visited and the home Public Land Mobile Network (PLMN).


Security researcher haxrob, who discovered two GTPDOOR artifacts uploaded to VirusTotal from China and Italy, said the backdoor is likely linked to a known threat actor tracked as LightBasin (aka UNC1945), which was previously disclosed by CrowdStrike in October 2021 in connection with a series of attacks targeting the telecom sector to steal subscriber information and call metadata.


“When run, the first thing GTPDOOR does is process-name stomps itself – changing its process name to ‘[syslog]’ – disguised as syslog invoked from the kernel,” the researcher said. “It suppresses child signals and then opens a raw socket [that] will allow the implant to receive UDP messages that hit the network interfaces.”

Put differently, GTPDOOR allows a threat actor that already has established persistence on the roaming exchange network to contact a compromised host by sending GTP-C Echo Request messages with a malicious payload.

This magic GTP-C Echo Request message acts as a conduit to transmit a command to be executed on the infected machine and return the results back to the remote host.


GTPDOOR “can be covertly probed from an external network to elicit a response by sending a TCP packet to any port number,” the researcher noted. “If the implant is active a crafted empty TCP packet is returned along with information if the destination port was open/responding on the host.”

“This implant looks like it is designed to sit on compromised hosts that directly touch the GRX network – these are the systems that communicate to other telecommunication operator networks via the GRX.”

SASE-based XDR from Cato Networks
https://www.indiavpn.org/2024/02/05/sase-based-xdr-from-cato-networks/
Mon, 05 Feb 2024 18:37:51 +0000

Companies are engaged in a seemingly endless cat-and-mouse game when it comes to cybersecurity and cyber threats. As organizations put up one defensive block after another, malicious actors kick their game up a notch to get around those blocks. Part of the challenge is to coordinate the defensive abilities of disparate security tools, even as organizations have limited resources and a dearth of skilled cybersecurity experts.

XDR, or Extended Detection and Response, addresses this challenge. XDR platforms correlate indicators from across security domains to detect threats and then provide the tools to remediate incidents.

While XDR has many benefits, legacy approaches have been hampered by the lack of good-quality data. You might end up having a very good view of a threat from events generated by your EPP/EDR system but lack events about the network perspective (or vice versa). XDR products will import data from third-party sensors, but data comes in different formats. The XDR platform needs to normalize the data, which then degrades its quality. As a result, threats may be incorrectly identified or missed, or incident reports may lack the necessary information for quick investigation and remediation.

Cato’s Unique Approach to Reducing Complexity

All of which makes Cato Networks’ approach to XDR particularly intriguing. Announced in January, Cato XDR is, as Cato Networks puts it, the first “SASE-based” XDR product. Secure Access Service Edge (SASE) is an approach that converges security and networking into the cloud. SASE would seem to be a natural fit for XDR, as a SASE platform already contains many native sensors. Gartner, which defined SASE in 2019, describes a SASE platform as including “SD-WAN, SWG, CASB, NGFW and zero trust network access (ZTNA),” but those are only the required capabilities. SASE may also include advanced security capabilities such as remote browser isolation, network sandboxing, and DNS protection. With so many native sensors already built into the SASE platform, you could avoid the biggest problem with XDR: the lack of good data.

Cato SASE Cloud is the prototypical example of what Gartner means by SASE and, on paper at least, Cato XDR would tap the full power of what SASE has to offer. The Cato SASE Cloud comes with a rich set of native sensors spanning the network and endpoint: NGFW, advanced threat prevention (IPS, NGAM, and DNS Security), SWG, CASB, DLP, ZTNA, RBI, and EPP/EDR. The latter, EPP/EDR, is just as new as Cato XDR. Cato EPP is built on Bitdefender’s malware prevention technology and stores customer and endpoint data in the same data lake as the rest of the Cato SASE network data. XDR users end up with an incredibly rich “surround sound” view (pardon the mixed metaphor) of an incident, with detailed data gathered from many native sensors. Cato’s capabilities are instantly on and always available at scale, providing a single shared context to hunt for, detect, and respond to threats. For those who have their own EPP/EDR solutions in place, Cato can work for them as well: Cato XDR integrates with leading EDR providers such as Microsoft Defender, CrowdStrike, and SentinelOne.

The Cato SASE Cloud Platform architecture. Cato XDR (1) taps the many native sensors (2) built into the Cato SASE cloud to deliver rich, detailed threat analysis. All sensors run across all 80+ Cato PoPs worldwide, interconnected by Cato’s global private backbone (3). Access to the Cato SASE Cloud for sites is through Cato’s edge SD-WAN device, the Cato Socket (4); remote users through the Cato Client or Clientless access (5); multi-cloud deployments and cloud datacenters through Cato vSocket, Cross Connect or IPsec (6); and SaaS applications through Cato’s SaaS Optimization (7).

Testing Environment

The review is going to focus on a day in the life of a security analyst using Cato XDR. We’ll learn how an analyst can see a snapshot of the security threats on the network and the process for investigating and remediating them. In our scenario, we’ve been informed of malware at 10:59 PM. We’ll investigate and then remediate the incident.

It’s important to understand that Cato XDR is not sold as a standalone product, but as part of the larger Cato SASE Cloud. It leverages all capabilities – sensors, analytics, UI and more – of the Cato SASE Cloud. So, to fully appreciate the simplicity and what Cato calls the “elegance” of Cato XDR, one should be familiar with the rest of the Cato platform. But covering all of it would leave little, if any, room to review Cato XDR itself. We chose to take a cursory look at Cato overall and then focus on Cato XDR. (You can see a more complete, albeit outdated, review of the platform from back in 2017.)

Getting into Cato XDR

As we enter the Cato SASE Cloud platform, we’re greeted with a customized view of the enterprise network. Security, access, and networking capabilities are available from pull-down menus across the top, while dashboards and specific capabilities for investigation, detection, and response, and best-practices assessments, run down the vertical. Cato XDR is accessed under the Detection & Response section.

Cato XDR is accessible from the left-hand side of the screen (indicated by the red box). Note: topology shown does not reflect our test environment.

Putting Cato XDR to the Test

Clicking on the Stories Dashboard of Cato XDR gives us an overall view of the stories in the enterprise (see below). A “story” for Cato is a correlation of events generated by one or multiple sensors. The story tells the narrative of a threat from its inception to resolution. The first thing we noticed is that the Stories Dashboard has an intuitive and easy-to-use interface, making it simple to navigate and understand for security analysts of varying skill levels. We feel this is crucial for efficient investigations and decision-making.

To get a quick understanding of the overall risk score of the account, we looked at the AI-powered Account Risk Score widget. In this case, the overall risk score is 75, so fairly high. This tells us we need to dig in and see what’s leading to such a high score. There are 55 incident stories in all, 24 of which are open and 30 of which are closed.

The Cato XDR Stories Dashboard summarizes the state of stories across the enterprise. Across the top, AI is used to evaluate the overall risk of the account (1), with the status of the various stories and additional counters alongside it (2).

Below the overall summary line, widgets help us understand our stories from different perspectives. The highest priority stories are sorted by an AI-powered criticality score (1). The score is based on all the story risk scores for the selected time range and is calculated using a formula developed by the Cato research and development team. This is helpful in telling us which stories should be addressed first. We can also quickly see the hosts (Top 5 Hosts) and sites (Top 5 Sites) involved in the most stories (2). Scrolling down, we see additional graphs capturing the story breakdown by criticality (3); by Indicator of Attack (IoA), such as Malware Activity, Domain Generation Algorithm (DGA), and Suspicious Network Activity (4); and by MITRE ATT&CK techniques, such as Application Layer Protocol, Exfiltration Over C2 Channel, and Automated Exfiltration Mitigation (5).

Widgets help tell the threat story from different perspectives: by criticality (1), the hosts and sites involved in the most stories (2), story breakdown by criticality (3), by IoAs (4), and by MITRE ATT&CK techniques (5).

As analysts, we want to see which stories are open. A click on the 24 open stories in the summary line of the Stories Dashboard brings us to the Stories Workbench page (also accessible from the navigation on the left side of the screen), which displays a prioritized list of all stories for efficient triage and better focus. Cato uses an AI-powered Criticality score to rank the stories (1). We can also add more filters in the filter row (2) to narrow down the list even further. Grouping options also enable easier analysis (3).

The Stories Workbench lists the available Stories, which in this case is filtered to show the Open stories ranked by criticality (1). Further filtering (2) and grouping (3) options allow for efficient triage and investigation.

We decided to examine the distribution of threats in the Stories Workbench screen by grouping threats by their Unique Indications. Now, we can see threats by category — Malware Activity, Suspicious Network Activity, Domain Generation Algorithm (DGA), and so on. DGA is a technique used by malware authors to dynamically generate many domain names. This is commonly employed by certain types of malware, such as botnets and other malicious software, to establish communication with command-and-control servers. We went to the final story at 10:59 PM and opened it for investigation.

The Stories Workbench screen grouped by indications, showing the stories with domain generation algorithms (DGAs). We investigated the final DGA story.

The investigation screen presents a methodical process with tools for analyzing threats from the top down: gaining a high-level understanding of the situation and then delving deeper into the investigation. First is the summary line of the story (1). We can see that the type of attack detected is Domain Generation Algorithm, that this is a threat-hunting story, and that the number of Associated Signals, which are the network flows that make up the story, is 26. Threat-hunting stories contain correlated security events and network flows and use AI/ML and threat-hunting heuristics to detect elusive signatureless and zero-day threats that cannot be blocked by prevention tools.

We can see that the story duration is nine days, indicating that we found Associated Signals within a time span of nine days, and of course, that the status of the story is open. Next, we see the status line, which records the actions that took place in the story (2). Currently, we see that the status was “created.” Additional actions will be added as we work on the story. Moving on to the details, we can quickly see that the Domain Generation Algorithm, or DGA, was found on Robin’s Host 7. We see that the attack direction is outbound, and the AI-powered criticality score is 5.

The investigation screen provides all the details an analyst needs to investigate the story. Here we’re seeing the opening part of the screen with further detail below. The details of the story are summarized above (1) with actions that have been taken to remediate the incident below (2). This line will be updated as the investigation progresses.

For an easy-to-read understanding of the story, we can click on the “See Summary” button. Cato’s Gen AI engine summarizes the results of the screen in easy-to-read text. Details include the type of communication, the IP source, the targets, why the story was detected, and if any actions were taken automatically, such as blocking the traffic.

Clicking on the “Story Summary” button (1) generates a textual summary of the screen using Cato’s Gen AI engine.

Closing the Story Summary and staying on the investigation screen, we gain additional insights about the story. Cato’s machine learning-powered Predicted Verdict analyzes the various indicators in the story and based on previous knowledge provides an expected verdict (1). Another smart insight is the “Similar Stories,” which is also powered by AI and, when relevant, will link to stories with similar characteristics. There’s also the Playbook Knowledge Base (highlighted) to guide us on how to investigate stories of Malicious Target Communication.

On the right side of the screen, we can see the source details (2): the IP, the OS, and the client. We see that this is a Tor browser, which can be suspicious. Tor is a web browser specifically designed for privacy and anonymity, and attackers often use it to conceal their identity and activity online.

We can see the attack geolocation source (3), which communicates with different countries on different parts of the map. This can also be suspicious. Next, we look at the Target Actions box (4) where we can see actions that relate to every target involved in this story. Since this is a threat-hunting story, we can see a correlation between a broad set of signals.

The investigation screen provides further details about the story. Similar stories (1) indicate related stories in the account (none are present in this case). Details about the source of the attack are shown (2), including the geolocation (3). The actions related to the target are also shown (4).

Scrolling down we examine the attack distribution timeline. We can see here that the communication to the targets has been going on for nine days.

The attack distribution timeline provides a chronological list of the attacks on the various targets. Clicking on the targets allows analysts to add or remove them from the graphic to better see the attack pattern.

By filtering out some of the targets, we can easily observe patterns of communication. We clearly see periodic activity that is indicative of bot- or script-initiated communication. Under the attack timeline, the Targets table (1) provides additional details about the targets, including their IPs, domain names, and related threat intelligence. The targets are sorted by malicious score. This is a smart score powered by AI and ML that takes all of Cato’s threat intelligence sources, both proprietary and third party, and calculates a score between zero and one to indicate whether the IP is considered highly malicious or not.

Removing all but four of the targets shows a periodic communication pattern, which is indicative of a bot or script. Below the attack distribution timeline is the Targets table with extensive information about the targets in the investigation.

The popularity column shows whether the IP is “popular” or “unpopular” as determined by Cato’s proprietary algorithm, which measures how often an IP or domain is visited according to Cato internal data. Unpopular IPs or domains are often indicative of suspicious IPs or domains. We can gain external threat intelligence about the target by clicking third-party threat intelligence links such as VirusTotal, WhoIs, and AbuseIPDB.

External threat intelligence sources are just a click away from within the Targets table.

Scrolling down to the Attack Related Flows table, we can view more granular details about the raw network flows that compose the story, such as the start time of the traffic and the source and destination ports. In this particular case, the destination ports are unusually high (9001) and less common, which raises a red flag.

Documenting What We Found with Cato

Let’s summarize our findings from our test case. We found suspicious network activity related to a domain generation algorithm that uses the Tor client. The IP has low popularity and a high malicious score, and the communication follows a specific pattern at distinct times. So, we can now reach a conclusion. We suspect that malware is installed on the source endpoint, Robin’s Host 7, and that it’s trying to communicate outside using Tor infrastructure.

Now let’s record the verdict in the screen below. We’ll classify the story as malicious. The analyst severity will be medium. The type is anonymizer, and the classification is DGA. We can see the details in the image below. Then we save the verdict on this incident story.

The security analyst can document a verdict to help others understand the threat.

Once saved, we can see that the opening threat hunting screen has been updated. The second row now shows that the analyst has set the severity to Medium and the verdict to Malicious. The response now would be to mitigate the threat by configuring a firewall rule.

The updated Detection & Response story now reflects that the analyst has taken action. The severity is set to “Medium” with a verdict of “Malicious,” and the type has been changed to “Anonymizer.” Beneath, we see not only that the story was created (1) but also that the analyst set the severity to “Medium” (2) and the verdict to “Malicious.”

Mitigate The Threat with Cato

Normally, analysts would need to jump to another platform to take action, but with Cato it can all be done right in the XDR platform. A block rule can be easily created in Cato’s Internet firewall to prevent the spread of the malware. We copy the target domain that appears in the attack network flows, add the domain to the App/Category section of the firewall rule, and hit apply. The DGA domain is now blocked worldwide.

The updated Cato firewall screen with the rule blocking access to the DGA-generated domain.

Conclusion

With its introduction of SASE-based XDR, Cato Networks promised to vastly simplify threat detection, incident response, and endpoint protection. They appear to uphold that promise. The test case scenario we ran through above should take an experienced security analyst less than 20 minutes from start to mitigation. And that was with no setup time and no implementation or data-collection effort: the data was already there in the data lake of the SASE platform.

Cato Networks has successfully extended the security services of its unified networking and security platform with XDR and related features. This is a huge benefit for customers who are determined to up their game when it comes to threat detection and response. Want to learn more about Cato XDR? Visit the Cato XDR page.

Juniper Networks Releases Urgent Junos OS Updates for High-Severity Flaws
https://www.indiavpn.org/2024/01/30/juniper-networks-releases-urgent-junos-os-updates-for-high-severity-flaws/
Tue, 30 Jan 2024 06:53:35 +0000

Jan 30, 2024 – Newsroom – Vulnerability / Network Security


Juniper Networks has released out-of-band updates to address high-severity flaws in SRX Series and EX Series that could be exploited by a threat actor to take control of susceptible systems.

The vulnerabilities, tracked as CVE-2024-21619 and CVE-2024-21620, are rooted in the J-Web component and impact all versions of Junos OS. Two other shortcomings, CVE-2023-36846 and CVE-2023-36851, were previously disclosed by the company in August 2023.

  • CVE-2024-21619 (CVSS score: 5.3) – A missing authentication vulnerability that could lead to exposure of sensitive configuration information
  • CVE-2024-21620 (CVSS score: 8.8) – A cross-site scripting (XSS) vulnerability that could lead to the execution of arbitrary commands with the target’s permissions by means of a specially crafted request

Cybersecurity firm watchTowr Labs has been credited with discovering and reporting the issues. The two vulnerabilities have been addressed in the following versions –

  • CVE-2024-21619 – 20.4R3-S9, 21.2R3-S7, 21.3R3-S5, 21.4R3-S6, 22.1R3-S5, 22.2R3-S3, 22.3R3-S2, 22.4R3, 23.2R1-S2, 23.2R2, 23.4R1, and all subsequent releases
  • CVE-2024-21620 – 20.4R3-S10, 21.2R3-S8, 21.4R3-S6, 22.1R3-S5, 22.2R3-S3, 22.3R3-S2, 22.4R3-S1, 23.2R2, 23.4R2, and all subsequent releases

As temporary mitigations until the fixes are deployed, the company is recommending that users disable J-Web or restrict access to only trusted hosts.


It’s worth noting that both CVE-2023-36846 and CVE-2023-36851 were added to the Known Exploited Vulnerabilities (KEV) catalog in November 2023 by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), based on evidence of active exploitation.

Earlier this month, Juniper Networks also shipped fixes to contain a critical vulnerability in the same products (CVE-2024-21591, CVSS score: 9.8) that could enable an attacker to cause a denial-of-service (DoS) or remote code execution and obtain root privileges on the device.
