Patches – INDIA NEWS (https://www.indiavpn.org)

Fortinet Rolls Out Critical Security Patches for FortiClientLinux Vulnerability
https://www.indiavpn.org/2024/04/11/fortinet-rolls-out-critical-security-patches-for-forticlientlinux-vulnerability/

Apr 11, 2024 | Newsroom | Vulnerability / Threat Mitigation

Fortinet has released patches to address a critical security flaw impacting FortiClientLinux that could be exploited to achieve arbitrary code execution.

Tracked as CVE-2023-45590, the vulnerability carries a CVSS score of 9.4 out of a maximum of 10.

“An Improper Control of Generation of Code (‘Code Injection’) vulnerability [CWE-94] in FortiClientLinux may allow an unauthenticated attacker to execute arbitrary code via tricking a FortiClientLinux user into visiting a malicious website,” Fortinet said in an advisory.

The shortcoming, which has been described as a case of remote code execution due to a “dangerous nodejs configuration,” impacts the following versions –

  • FortiClientLinux versions 7.0.3 through 7.0.4 and 7.0.6 through 7.0.10 (Upgrade to 7.0.11 or above)
  • FortiClientLinux version 7.2.0 (Upgrade to 7.2.1 or above)

Security researcher CataLpa from Dbappsecurity has been credited with discovering and reporting the vulnerability.

Fortinet’s security patches for April 2024 also address an issue with FortiClientMac installer that could also lead to code execution (CVE-2023-45588 and CVE-2024-31492, CVSS scores: 7.8).

Also resolved is a FortiOS and FortiProxy bug that could leak administrator cookies in certain scenarios (CVE-2023-41677, CVSS score: 7.5).

While there is no evidence of any of the flaws being exploited in the wild, it’s recommended that users keep their systems up-to-date to mitigate potential threats.

Ivanti Rushes Patches for 4 New Flaw in Connect Secure and Policy Secure
https://www.indiavpn.org/2024/04/04/ivanti-rushes-patches-for-4-new-flaw-in-connect-secure-and-policy-secure/

Apr 04, 2024 | Newsroom | Network Security / Vulnerability

Ivanti has released security updates to address four security flaws impacting Connect Secure and Policy Secure Gateways that could result in code execution and denial-of-service (DoS).

The list of flaws is as follows –

  • CVE-2024-21894 (CVSS score: 8.2) – A heap overflow vulnerability in the IPSec component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows an unauthenticated malicious user to send specially crafted requests in order to crash the service thereby causing a DoS attack. In certain conditions, this may lead to execution of arbitrary code.
  • CVE-2024-22052 (CVSS score: 7.5) – A null pointer dereference vulnerability in IPSec component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows an unauthenticated malicious user to send specially crafted requests in order to crash the service thereby causing a DoS attack.
  • CVE-2024-22053 (CVSS score: 8.2) – A heap overflow vulnerability in the IPSec component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows an unauthenticated malicious user to send specially crafted requests in order to crash the service thereby causing a DoS attack or in certain conditions read contents from memory.
  • CVE-2024-22023 (CVSS score: 5.3) – An XML entity expansion or XEE vulnerability in SAML component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows an unauthenticated attacker to send specially crafted XML requests in order to temporarily cause resource exhaustion thereby resulting in a limited-time DoS.

The company, which has been grappling with a steady stream of security flaws in its products since the start of the year, said it’s not aware of “any customers being exploited by these vulnerabilities at the time of disclosure.”

Late last month, Ivanti shipped patches for a critical shortcoming in its Standalone Sentry product (CVE-2023-41724, CVSS score: 9.6) that could permit an unauthenticated threat actor to execute arbitrary commands on the underlying operating system.

It also resolved another critical flaw impacting on-premises versions of Neurons for ITSM (CVE-2023-46808, CVSS score: 9.9) that an authenticated remote attacker could abuse in order to perform arbitrary file writes and obtain code execution.

In an open letter published on April 3, 2023, Ivanti’s CEO Jeff Abbott said the company is taking a “close look” at its own posture and processes to meet the requirements of the current threat landscape.

Abbott also said “events in recent months have been humbling” and that it’s executing a plan that essentially changes its security operating model by adopting secure-by-design principles, sharing information with customers with complete transparency, and rearchitecting its engineering, security, and vulnerability management practices.

“We are intensifying our internal scanning, manual exploitation and testing capabilities, engaging trusted third parties to augment our internal research and facilitating responsible disclosure of vulnerabilities with increased incentives around an enhanced bug bounty program,” Abbott said.

AWS Patches Critical ‘FlowFixation’ Bug in Airflow Service to Prevent Session Hijacking
https://www.indiavpn.org/2024/03/22/aws-patches-critical-flowfixation-bug-in-airflow-service-to-prevent-session-hijacking/

Mar 22, 2024 | Newsroom | Amazon Web Services / Vulnerability

Cybersecurity researchers have shared details of a now-patched security vulnerability in Amazon Web Services (AWS) Managed Workflows for Apache Airflow (MWAA) that could be potentially exploited by a malicious actor to hijack victims’ sessions and achieve remote code execution on underlying instances.

The vulnerability, now addressed by AWS, has been codenamed FlowFixation by Tenable.

“Upon taking over the victim’s account, the attacker could have performed tasks such as reading connection strings, adding configurations and triggering directed acyclic graphs (DAGS),” senior security researcher Liv Matan said in a technical analysis.

“Under certain circumstances such actions can result in RCE on the instance that underlies the MWAA, and in lateral movement to other services.”

The root cause of the vulnerability, per the cybersecurity firm, is a combination of session fixation on the web management panel of AWS MWAA and an AWS domain misconfiguration that results in a cross-site scripting (XSS) attack.

Session fixation is a web attack technique that occurs when a user is authenticated to a service without invalidating any existing session identifiers. This permits the adversary to force (aka fixate) a known session identifier on a user so that, once the user authenticates, the attacker has access to the authenticated session.

By abusing the shortcoming, a threat actor could have forced victims to use and authenticate the attacker’s known session and ultimately take over the victim’s web management panel.

“FlowFixation highlights a broader issue with the current state of cloud providers’ domain architecture and management as it relates to the Public Suffix List (PSL) and shared-parent domains: same-site attacks,” Matan said, adding the misconfiguration also impacts Microsoft Azure and Google Cloud.

Tenable also pointed out that the shared architecture – where several customers have the same parent domain – could be a goldmine for attackers looking to exploit vulnerabilities like same-site attacks, cross-origin issues, and cookie tossing, effectively leading to unauthorized access, data leaks, and code execution.

The shortcoming has been addressed by both AWS and Azure adding the misconfigured domains to PSL, thus causing web browsers to recognize the added domains as a public suffix. Google Cloud, on the other hand, has described the issue as not “severe enough” to merit a fix.

“In the case of same-site attacks, the security impact of the mentioned domain architecture is significant, with heightened risk of such attacks in cloud environments,” Matan explained.

“Among these, cookie-tossing attacks and same-site attribute cookie protection bypass are particularly concerning as both can circumvent CSRF protection. Cookie-tossing attacks can also abuse session-fixation issues.”

Fortra Patches Critical RCE Vulnerability in FileCatalyst Transfer Tool
https://www.indiavpn.org/2024/03/18/fortra-patches-critical-rce-vulnerability-in-filecatalyst-transfer-tool/

Mar 18, 2024 | Newsroom | Vulnerability / Threat Mitigation

Fortra has released details of a now-patched critical security flaw impacting its FileCatalyst file transfer solution that could allow unauthenticated attackers to gain remote code execution on susceptible servers.

Tracked as CVE-2024-25153, the shortcoming carries a CVSS score of 9.8 out of a maximum of 10.

“A directory traversal within the ‘ftpservlet’ of the FileCatalyst Workflow Web Portal allows files to be uploaded outside of the intended ‘uploadtemp’ directory with a specially crafted POST request,” the company said in an advisory last week.

“In situations where a file is successfully uploaded to web portal’s DocumentRoot, specially crafted JSP files could be used to execute code, including web shells.”

The vulnerability, the company said, was first reported on August 9, 2023, and addressed two days later in FileCatalyst Workflow version 5.1.6 Build 114 without a CVE identifier. Fortra was authorized as a CVE Numbering Authority (CNA) in early December 2023.

Security researcher Tom Wedgbury of LRQA Nettitude has been credited with discovering and reporting the flaw. The company has since released a full proof-of-concept (PoC) exploit, describing how the flaw could be weaponized to upload a web shell and execute arbitrary system commands.

Also resolved by Fortra in January 2024 are two other security vulnerabilities in FileCatalyst Direct (CVE-2024-25154 and CVE-2024-25155) that could lead to information leakage and code execution.

With previously disclosed flaws in Fortra GoAnywhere managed file transfer (MFT) coming under heavy exploitation last year by threat actors like Cl0p, it’s recommended that users apply the necessary updates to mitigate potential threats.

VMware Issues Security Patches for ESXi, Workstation, and Fusion Flaws
https://www.indiavpn.org/2024/03/06/vmware-issues-security-patches-for-esxi-workstation-and-fusion-flaws/

Mar 06, 2024 | Newsroom | Software Security / Vulnerability

VMware has released patches to address four security flaws impacting ESXi, Workstation, and Fusion, including two critical flaws that could lead to code execution.

Tracked as CVE-2024-22252 and CVE-2024-22253, the vulnerabilities have been described as use-after-free bugs in the XHCI USB controller. They carry a CVSS score of 9.3 for Workstation and Fusion, and 8.4 for ESXi systems.

“A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine’s VMX process running on the host,” the company said in a new advisory.

“On ESXi, the exploitation is contained within the VMX sandbox whereas, on Workstation and Fusion, this may lead to code execution on the machine where Workstation or Fusion is installed.”

Multiple security researchers associated with the Ant Group Light-Year Security Lab and QiAnXin have been credited with independently discovering and reporting CVE-2024-22252. Security researchers VictorV and Wei have been acknowledged for reporting CVE-2024-22253.

Also patched by the Broadcom-owned virtualization services provider are two other shortcomings –

  • CVE-2024-22254 (CVSS score: 7.9) – An out-of-bounds write vulnerability in ESXi that a malicious actor with privileges within the VMX process could exploit to trigger a sandbox escape.
  • CVE-2024-22255 (CVSS score: 7.9) – An information disclosure vulnerability in the UHCI USB controller that an attacker with administrative access to a virtual machine may exploit to leak memory from the vmx process.

The issues have been addressed in the following versions, including those that have reached end-of-life (EoL) due to the severity of these issues –

As a temporary workaround until a patch can be deployed, customers have been asked to remove all USB controllers from the virtual machine.

“In addition, virtual/emulated USB devices, such as VMware virtual USB stick or dongle, will not be available for use by the virtual machine,” the company said. “In contrast, the default keyboard/mouse as input devices are not affected as they are, by default, not connected through USB protocol but have a driver that does software device emulation in the guest OS.”

Microsoft Rolls Out Patches for 73 Flaws, Including 2 Windows Zero-Days
https://www.indiavpn.org/2024/02/14/microsoft-rolls-out-patches-for-73-flaws-including-2-windows-zero-days/

Feb 14, 2024 | Newsroom | Patch Tuesday / Vulnerability

Microsoft has released patches to address 73 security flaws spanning its software lineup as part of its Patch Tuesday updates for February 2024, including two zero-days that have come under active exploitation.

Of the 73 vulnerabilities, 5 are rated Critical, 65 are rated Important, and three are rated Moderate in severity. This is in addition to 24 flaws that have been fixed in the Chromium-based Edge browser since the release of the January 24 Patch Tuesday updates.

The two flaws that are listed as under active attack at the time of release are below –

  • CVE-2024-21351 (CVSS score: 7.6) – Windows SmartScreen Security Feature Bypass Vulnerability
  • CVE-2024-21412 (CVSS score: 8.1) – Internet Shortcut Files Security Feature Bypass Vulnerability

“The vulnerability allows a malicious actor to inject code into SmartScreen and potentially gain code execution, which could potentially lead to some data exposure, lack of system availability, or both,” Microsoft said about CVE-2024-21351.

Successful exploitation of the flaw could allow an attacker to circumvent SmartScreen protections and run arbitrary code. However, for the attack to work, the threat actor must send the user a malicious file and convince the user to open it.

CVE-2024-21412, in a similar manner, permits an unauthenticated attacker to bypass displayed security checks by sending a specially crafted file to a targeted user.

“However, the attacker would have no way to force a user to view the attacker-controlled content,” Redmond noted. “Instead, the attacker would have to convince them to take action by clicking on the file link.”

CVE-2024-21351 is the second bypass bug to be discovered in SmartScreen after CVE-2023-36025 (CVSS score: 8.8), which was plugged by the tech giant in November 2023. The flaw has since been exploited by multiple hacking groups to proliferate DarkGate, Phemedrone Stealer, and Mispadu.

Trend Micro, which detailed an attack campaign undertaken by Water Hydra (aka DarkCasino) targeting financial market traders by means of a sophisticated zero-day attack chain leveraging CVE-2024-21412, described CVE-2024-21412 as a bypass for CVE-2023-36025, thereby enabling threat actors to evade SmartScreen checks.

Water Hydra, first detected in 2021, has a track record of launching attacks against banks, cryptocurrency platforms, trading services, gambling sites, and casinos to deliver a trojan called DarkMe using zero-day exploits, including the WinRAR flaw that came to light in August 2023 (CVE-2023-38831, CVSS score: 7.8).

Late last year, Chinese cybersecurity company NSFOCUS graduated the “economically motivated” hacking group to an entirely new advanced persistent threat (APT).

“In January 2024, Water Hydra updated its infection chain exploiting CVE-2024-21412 to execute a malicious Microsoft Installer File (.MSI), streamlining the DarkMe infection process,” Trend Micro said.

Both vulnerabilities have since been added to the Known Exploited Vulnerabilities (KEV) catalog by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), urging federal agencies to apply the latest updates by March 5, 2024.

Also patched by Microsoft are five critical flaws –

  • CVE-2024-20684 (CVSS score: 6.5) – Windows Hyper-V Denial of Service Vulnerability
  • CVE-2024-21357 (CVSS score: 7.5) – Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability
  • CVE-2024-21380 (CVSS score: 8.0) – Microsoft Dynamics Business Central/NAV Information Disclosure Vulnerability
  • CVE-2024-21410 (CVSS score: 9.8) – Microsoft Exchange Server Elevation of Privilege Vulnerability
  • CVE-2024-21413 (CVSS score: 9.8) – Microsoft Outlook Remote Code Execution Vulnerability

“CVE-2024-21410 is an elevation of privilege vulnerability in Microsoft Exchange Server,” Satnam Narang, senior staff research engineer at Tenable, said in a statement. “This flaw is more likely to be exploited by attackers according to Microsoft.”

“Exploiting this vulnerability could result in the disclosure of a targeted user’s Net-New Technology LAN Manager (NTLM) version 2 hash, which could be relayed back to a vulnerable Exchange Server in an NTLM relay or pass-the-hash attack, which would allow the attacker to authenticate as the targeted user.”

The security update further resolves 15 remote code execution flaws in Microsoft WDAC OLE DB provider for SQL Server that an attacker could exploit by tricking an authenticated user into attempting to connect to a malicious SQL server via OLEDB.

Rounding off the patch is a fix for CVE-2023-50387 (CVSS score: 7.5), a 24-year-old design flaw in the DNSSEC specification that can be abused to exhaust CPU resources and stall DNS resolvers, resulting in a denial-of-service (DoS).

The vulnerability has been codenamed KeyTrap by the National Research Center for Applied Cybersecurity (ATHENE) in Darmstadt.

“They demonstrated that just with a single DNS packet the attack can exhaust the CPU and stall all widely used DNS implementations and public DNS providers, such as Google Public DNS and Cloudflare,” the researchers said. “In fact, the popular BIND 9 DNS implementation can be stalled for as long as 16 hours.”

Software Patches from Other Vendors

In addition to Microsoft, security updates have also been released by other vendors since the start of the month to rectify several vulnerabilities, including —

Critical Patches Released for New Flaws in Cisco, Fortinet, VMware Products
https://www.indiavpn.org/2024/02/08/critical-patches-released-for-new-flaws-in-cisco-fortinet-vmware-products/

Feb 08, 2024 | Newsroom | Cyber Threat / Network Security

Cisco, Fortinet, and VMware have released security fixes for multiple security vulnerabilities, including critical weaknesses that could be exploited to perform arbitrary actions on affected devices.

The first set from Cisco consists of three flaws – CVE-2024-20252 and CVE-2024-20254 (CVSS score: 9.6) and CVE-2024-20255 (CVSS score: 8.2) – impacting Cisco Expressway Series that could allow an unauthenticated, remote attacker to conduct cross-site request forgery (CSRF) attacks.

All the issues, which were found during internal security testing, stem from insufficient CSRF protections for the web-based management interface that could permit an attacker to perform arbitrary actions with the privilege level of the affected user.

“If the affected user has administrative privileges, these actions could include modifying the system configuration and creating new privileged accounts,” Cisco said about CVE-2024-20252 and CVE-2024-20254.

On the other hand, successful exploitation of CVE-2024-20255 targeting a user with administrative privileges could enable the threat actor to overwrite system configuration settings, resulting in a denial-of-service (DoS) condition.

Another crucial difference between the two sets of flaws is that while the former two affect Cisco Expressway Series devices in the default configuration, CVE-2024-20252 only impacts them if the cluster database (CDB) API feature has been enabled. It’s disabled by default.

Patches for the vulnerabilities are available in Cisco Expressway Series Release versions 14.3.4 and 15.0.0.

Fortinet, for its part, has released a second round of updates to address what are bypasses for a previously disclosed critical flaw (CVE-2023-34992, CVSS score: 9.7) in FortiSIEM supervisor that could result in the execution of arbitrary code, according to Horizon3.ai researcher Zach Hanley.

Tracked as CVE-2024-23108 and CVE-2024-23109 (CVSS scores: 9.8), the flaws “may allow a remote unauthenticated attacker to execute unauthorized commands via crafted API requests.”

It’s worth noting that Fortinet resolved another variant of CVE-2023-34992 by closing out CVE-2023-36553 (CVSS score: 9.3) in November 2023. The two new vulnerabilities are/will be plugged in the following versions –

  • FortiSIEM version 7.1.2 or above
  • FortiSIEM version 7.2.0 or above (upcoming)
  • FortiSIEM version 7.0.3 or above (upcoming)
  • FortiSIEM version 6.7.9 or above (upcoming)
  • FortiSIEM version 6.6.5 or above (upcoming)
  • FortiSIEM version 6.5.3 or above (upcoming), and
  • FortiSIEM version 6.4.4 or above (upcoming)

Completing the trifecta is VMware, which has warned of five moderate-to-important severity flaws in Aria Operations for Networks (formerly vRealize Network Insight) –

  • CVE-2024-22237 (CVSS score: 7.8) – Local privilege escalation vulnerability that allows a console user to gain regular root access
  • CVE-2024-22238 (CVSS score: 6.4) – Cross-site scripting (XSS) vulnerability that allows a malicious actor with admin privileges to inject malicious code into user profile configurations
  • CVE-2024-22239 (CVSS score: 5.3) – Local privilege escalation vulnerability that allows a console user to gain regular shell access
  • CVE-2024-22240 (CVSS score: 4.9) – Local file read vulnerability that allows a malicious actor with admin privileges to access sensitive information
  • CVE-2024-22241 (CVSS score: 4.3) – Cross-site scripting (XSS) vulnerability that allows a malicious actor with admin privileges to inject malicious code and take over the user account

To mitigate the risks, all users of VMware Aria Operations for Networks version 6.x are being recommended to upgrade to version 6.12.0.

Considering the history of exploitation when it comes to Cisco, Fortinet, and VMware flaws, patching is a necessary and crucial first step that organizations need to take to handle the shortcomings.

Microsoft’s January 2024 Windows Update Patches 48 New Vulnerabilities
https://www.indiavpn.org/2024/01/10/microsofts-january-2024-windows-update-patches-48-new-vulnerabilities/

Jan 10, 2024 | Newsroom | Vulnerability / Windows Security

Microsoft has addressed a total of 48 security flaws spanning its software as part of its Patch Tuesday updates for January 2024.

Of the 48 bugs, two are rated Critical and 46 are rated Important in severity. There is no evidence that any of the issues are publicly known or under active attack at the time of release, making it the second consecutive Patch Tuesday with no zero-days.

The fixes are in addition to nine security vulnerabilities that have been resolved in the Chromium-based Edge browser since the release of December 2023 Patch Tuesday updates. This also includes a fix for a zero-day (CVE-2023-7024, CVSS score: 8.8) that Google said has been actively exploited in the wild.

The most critical among flaws patched this month are as follows –

  • CVE-2024-20674 (CVSS score: 9.0) – Windows Kerberos Security Feature Bypass Vulnerability
  • CVE-2024-20700 (CVSS score: 7.5) – Windows Hyper-V Remote Code Execution Vulnerability

“The authentication feature could be bypassed as this vulnerability allows impersonation,” Microsoft said in an advisory for CVE-2024-20674.

“An authenticated attacker could exploit this vulnerability by establishing a machine-in-the-middle (MitM) attack or other local network spoofing technique, then sending a malicious Kerberos message to the client victim machine to spoof itself as the Kerberos authentication server.”

However, the company noted that successful exploitation requires an attacker to gain access to the restricted network first. Security researcher ldwilmore34 has been credited with discovering and reporting the flaw.

CVE-2024-20700, on the other hand, neither requires authentication nor user interaction to achieve remote code execution, although winning a race condition is a prerequisite to staging an attack.

“It isn’t clear exactly where the attacker must be located — the LAN on which the hypervisor resides, or a virtual network created and managed by the hypervisor — or in what context the remote code execution would occur,” Adam Barnett, lead software engineer at Rapid7, told The Hacker News.

Other notable flaws include CVE-2024-20653 (CVSS score: 7.8), a privilege escalation flaw impacting the Common Log File System (CLFS) driver, and CVE-2024-0056 (CVSS score: 8.7), a security bypass affecting System.Data.SqlClient and Microsoft.Data.SqlClient.

“An attacker who successfully exploited this vulnerability could carry out a machine-in-the-middle (MitM) attack and could decrypt and read or modify TLS traffic between the client and server,” Redmond said.

Microsoft further noted that it’s disabling the ability to insert FBX files in Word, Excel, PowerPoint, and Outlook in Windows by default due to a security flaw (CVE-2024-20677, CVSS score: 7.8) that could lead to remote code execution.

“3D models in Office documents that were previously inserted from an FBX file will continue to work as expected unless the ‘Link to File’ option was chosen at the insert time,” Microsoft said in a separate alert. “GLB (Binary GL Transmission Format) is the recommended substitute 3D file format for use in Office.”

It’s worth noting that Microsoft took a similar step of disabling the SketchUp (SKP) file format in Office following ZScaler’s discovery of 117 security flaws in Microsoft 365 applications.

Software Patches from Other Vendors

In addition to Microsoft, security updates have also been released by other vendors over the past few weeks to rectify several vulnerabilities, including –
