Mar 26, 2024NewsroomCyber Attack / Vulnerability

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday placed three security flaws to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.

The vulnerabilities added are as follows –

• CVE-2023-48788 (CVSS score: 9.3) – Fortinet FortiClient EMS SQL Injection Vulnerability
• CVE-2021-44529 (CVSS score: 9.8) – Ivanti Endpoint Manager Cloud Service Appliance (EPM CSA) Code Injection Vulnerability
• CVE-2019-7256 (CVSS score: 10.0) – Nice Linear eMerge E3-Series OS Command Injection Vulnerability

The shortcoming impacting Fortinet FortiClient EMS came to light earlier this month, with the company describing it as a flaw that could allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted requests.

Fortinet has since revised its advisory to confirm that it has been exploited in the wild, although no other details regarding the nature of the attacks are currently available.

CVE-2021-44529, on the other hand, concerns a code injection vulnerability in Ivanti Endpoint Manager Cloud Service Appliance (EPM CSA) that allows an unauthenticated user to execute malicious code with limited permissions.

Recent research published by security researcher Ron Bowes indicates that the flaw may have been introduced as an intentional backdoor in a now-discontinued open-source project called csrf-magic that existed at least since 2014.

CVE-2019-7256, which permits an attacker to conduct remote code execution on Nice Linear eMerge E3-Series access controllers, has been exploited by threat actors as early as February 2020.

The flaw, alongside 11 other bugs, were addressed by Nice (formerly Nortek) earlier this month. That said, these vulnerabilities were originally disclosed by security researcher Gjoko Krstic in May 2019.

In light of the active exploitation of the three flaws, federal agencies are required to apply the vendor-provided mitigations by April 15, 2024.

The development comes as CISA and the Federal Bureau of Investigation (FBI) released a joint alert, urging software manufacturers to take steps to mitigate SQL injection flaws.

The advisory specifically highlighted the exploitation of CVE-2023-34362, a critical SQL injection vulnerability in Progress Software’s MOVEit Transfer, by the Cl0p ransomware gang (aka Lace Tempest) to breach thousands of organizations.

“Despite widespread knowledge and documentation of SQLi vulnerabilities over the past two decades, along with the availability of effective mitigations, software manufacturers continue to develop products with this defect, which puts many customers at risk,” the agencies said.

Feb 08, 2024NewsroomCyber Threat / Network Security

Cisco, Fortinet, and VMware have released security fixes for multiple security vulnerabilities, including critical weaknesses that could be exploited to perform arbitrary actions on affected devices.

The first set from Cisco consists of three flaws – CVE-2024-20252 and CVE-2024-20254 (CVSS score: 9.6) and CVE-2024-20255 (CVSS score: 8.2) – impacting Cisco Expressway Series that could allow an unauthenticated, remote attacker to conduct cross-site request forgery (CSRF) attacks.

All the issues, which were found during internal security testing, stem from insufficient CSRF protections for the web-based management interface that could permit an attacker to perform arbitrary actions with the privilege level of the affected user.

“If the affected user has administrative privileges, these actions could include modifying the system configuration and creating new privileged accounts,” Cisco said about CVE-2024-20252 and CVE-2024-20254.

On the other hand, successful exploitation of CVE-2024-20255 targeting a user with administrative privileges could enable the threat actor to overwrite system configuration settings, resulting in a denial-of-service (DoS) condition.

Another crucial difference between the two sets of flaws is that while the former two affect Cisco Expressway Series devices in the default configuration, CVE-2024-20252 only impacts them if the cluster database (CDB) API feature has been enabled. It’s disabled by default.

Patches for the vulnerabilities are available in Cisco Expressway Series Release versions 14.3.4 and 15.0.0.

Fortinet, for its part, has released a second round of updates to address what are bypasses for a previously disclosed critical flaw (CVE-2023-34992, CVSS score: 9.7) in FortiSIEM supervisor that could result in the execution of arbitrary code, according to Horizon3.ai researcher Zach Hanley.

Tracked as CVE-2024-23108 and CVE-2024-23109 (CVSS scores: 9.8), the flaws “may allow a remote unauthenticated attacker to execute unauthorized commands via crafted API requests.”

It’s worth noting that Fortinet resolved another variant of CVE-2023-34992 by closing out CVE-2023-36553 (CVSS score: 9.3) in November 2023. The two new vulnerabilities are/will be plugged in the following versions –

• FortiSIEM version 7.1.2 or above
• FortiSIEM version 7.2.0 or above (upcoming)
• FortiSIEM version 7.0.3 or above (upcoming)
• FortiSIEM version 6.7.9 or above (upcoming)
• FortiSIEM version 6.6.5 or above (upcoming)
• FortiSIEM version 6.5.3 or above (upcoming), and
• FortiSIEM version 6.4.4 or above (upcoming)

Completing the trifecta is VMware, which has warned of five moderate-to-important severity flaws in Aria Operations for Networks (formerly vRealize Network Insight) –

• CVE-2024-22237 (CVSS score: 7.8) – Local privilege escalation vulnerability that allows a console user to gain regular root access

• CVE-2024-22238 (CVSS score: 6.4) – Cross-site scripting (XSS) vulnerability that allows a malicious actor with admin privileges to inject malicious code into user profile configurations

• CVE-2024-22239 (CVSS score: 5.3) – Local privilege escalation vulnerability that allows a console user to gain regular shell access

• CVE-2024-22240 (CVSS score: 4.9) – Local file read vulnerability that allows a malicious actor with admin privileges to access sensitive information

• CVE-2024-22241 (CVSS score: 4.3) – Cross-site scripting (XSS) vulnerability that allows a malicious actor with admin privileges to inject malicious code and take over the user account

To mitigate the risks, all users of VMware Aria Operations for Networks version 6.x are being recommended to upgrade to version 6.12.0.

Considering the history of exploitation when it comes to Cisco, Fortinet, and VMware flaws, patching is a necessary and crucial first step that organizations need to take to handle the shortcomings.

Feb 06, 2024NewsroomCybersecurity / Vulnerability

A recently disclosed server-side request forgery (SSRF) vulnerability impacting Ivanti Connect Secure and Policy Secure products has come under mass exploitation.

The Shadowserver Foundation said it observed exploitation attempts originating from more than 170 unique IP addresses that aim to establish a reverse shell, among others.

The attacks exploit CVE-2024-21893 (CVSS score: 8.2), an SSRF flaw in the SAML component of Ivanti Connect Secure, Policy Secure, and Neurons for ZTA that allows an attacker to access otherwise restricted resources without authentication.

Ivanti had previously divulged that the vulnerability had been exploited in targeted attacks aimed at a “limited number of customers,” but cautioned the status quo could change post public disclosure.

That’s exactly what appears to have happened, especially following the release of a proof-of-concept (PoC) exploit by cybersecurity firm Rapid7 last week.

The PoC involves fashioning an exploit chain that combines CVE-2024-21893 with CVE-2024-21887, a previously patched command injection flaw, to achieve unauthenticated remote code execution.

It’s worth noting here that CVE-2024-21893 is an alias for CVE-2023-36661 (CVSS score: 7.5), an SSRF vulnerability present in the open-source Shibboleth XMLTooling library. It was fixed by the maintainers in June 2023 with the release of version 3.2.4.

Security researcher Will Dormann further pointed out other out-of-date open-source components used by Ivanti VPN appliances, such as curl 7.19.7, openssl 1.0.2n-fips, perl 5.6.1, psql 9.6.14, cabextract 0.5, ssh 5.3p1, and unzip 6.00, thus opening the door for more attacks.

The development comes as threat actors have found a way to bypass Ivanti’s initial mitigation, prompting the Utah-based company to release a second mitigation file. As of February 1, 2024, it has begun releasing official patches to address all the vulnerabilities.

Last week, Google-owned Mandiant revealed that several threat actors are leveraging CVE-2023-46805 and CVE-2024-21887 to deploy an array of custom web shells tracked as BUSHWALK, CHAINLINE, FRAMESTING, and LIGHTWIRE.

Palo Alto Networks Unit 42 said it observed 28,474 exposed instances of Ivanti Connect Secure and Policy Secure in 145 countries between January 26 and 30, 2024, with 610 compromised instances detected in 44 countries as of January 23, 2024.