Weekly IT Vulnerability Report: Cyble Urges Fixes for Ivanti, Microsoft Dark Web Exploits
Key Takeaways
- Cyble researchers have identified high-priority vulnerabilities in products from Ivanti, Microsoft, Qualcomm, Zimbra, and the Common Unix Printing System (CUPS).
- Microsoft’s Patch Tuesday included five new zero-day vulnerabilities, two of which are being actively exploited – and Cyble researchers have observed threat actors discussing the other three zero-days on cybercrime forums.
- Cyble also detected 14 vulnerability exploits discussed on dark web forums, suggesting that they may soon be under attack, if not already.
Overview
Cyble Research and Intelligence Labs (CRIL) investigated 22 vulnerabilities during the week of Oct. 2-8 and identified six products that security teams should prioritize for patching and mitigation.
Additionally, Cyble researchers detected 14 vulnerabilities and exploits shared on cybercrime forums that security analysts should also prioritize – including the three Microsoft zero-days not yet under active exploitation.
Cyble’s weekly IT vulnerability report covering the period of Oct. 2-8 also offered best practices that all security teams should follow.
Top IT Vulnerabilities This Week
CRIL researchers identified eight vulnerabilities in six products that security teams should prioritize; three affect Ivanti Cloud Services Appliances (CSA).
CVE-2024-9379, CVE-2024-9380, CVE-2024-9381: Ivanti CSA
These three critical vulnerabilities impact Ivanti Cloud Services Appliance (CSA), an internet appliance designed to facilitate secure communication and management of devices over the internet. It serves as a bridge between the core server and managed devices, enabling them to communicate even when they are behind firewalls or using proxies.
CVE-2024-9379 is an SQL injection flaw that a remote authenticated attacker with admin privileges can trigger. CVE-2024-9380 is an OS command injection vulnerability that allows a remote authenticated attacker with admin privileges to achieve remote code execution. CVE-2024-9381 is a path traversal vulnerability that allows a remote authenticated attacker with admin privileges to bypass restrictions. In a recent advisory, Ivanti disclosed attackers’ exploitation of CVE-2024- 9379, CVE-2024-9380, or CVE-2024-9381, chained with CVE-2024-8963. CISA also issued an advisory urging security teams to patch the flaws.
CVE-2024-47176: CUPS
This vulnerability impacts the Common Unix Printing System, an open-source printing system designed for Linux and other Unix-like operating systems, providing a standardized framework for managing and controlling printers, enabling computers to act as print servers that accept print jobs from client machines, process them, and send them to the appropriate printer. Recently, researchers disclosed that threat actors can exploit vulnerabilities to launch distributed denial-of-service (DDoS) attacks with a 600x amplification factor. Under certain conditions, attackers can chain the set of vulnerabilities in multiple components of CUPS to execute arbitrary code remotely on vulnerable machines. Cyble researchers had warned about the CUPS vulnerability the previous week and reiterated the warning as new exploits emerged.
CVE-2024-45519: Zimbra
This 9.8-severity vulnerability impacts Zimbra Collaboration Suite (ZCS), an integrated communication and collaboration platform designed for businesses and organizations, integrating various tools for email, calendaring, contact management, and document sharing. Unauthenticated users can exploit the flaw to execute commands. Recently, researchers disclosed that attackers are actively exploiting the RCE vulnerability that can be triggered simply by sending specially crafted emails with commands to execute in the CC field, which are then executed when the postjournal service processes the email. Cyble researchers also observed multiple discussions of the vulnerability on the dark web (see Dark Web section below).
CVE-2024-43047: Qualcomm
This zero-day vulnerability in the Digital Signal Processor (DSP) service that impacts dozens of Qualcomm chipsets can also be leveraged in spyware campaigns targeting Android devices. Cyble published a report and has highlighted the exploitation of CVE-2024-43047 in targeted attacks. OEMs are encouraged to apply the provided patches immediately. Users concerned about their devices should reach out to manufacturers for specific patch details.
CVE-2024-43572 and CVE-2024-43573: Microsoft
Microsoft’s October 2024 Patch Tuesday included security updates for 118 flaws, including five publicly disclosed zero-days, two of which are being actively exploited: CVE-2024-43572, a Remote Code Execution vulnerability in Windows Management Console, and CVE-2024-43573, a spoofing vulnerability in the Windows MSHTML Platform.
Cyble researchers observed cybercrime exploit discussions on the other zero days reported by Microsoft (see Dark Web section below): CVE-2024-38200, a Microsoft Office Spoofing vulnerability; CVE-2024-29050, a Remote Code Execution (RCE) flaw in Windows 10 for x32- and x64-based Systems; and CVE-2024-6769, a Privilege Escalation vulnerability in Windows 10, Windows 11 – 10.0.0, Windows Server 2016, Windows Server 2019 – 10.0.0.
Dark Web and Cybercrime Forum Exploits
CRIL observed multiple Telegram channels and cybercrime forums sharing or discussing exploits weaponizing different vulnerabilities. The vulnerabilities under discussion included:
- CVE-2024-38200: A critical vulnerability affecting multiple versions of Microsoft Office that arises from improper handling of certain document properties within Microsoft Office applications. It could potentially expose sensitive information such as NTLM hashes.
- CVE-2024-29050: A Windows Cryptographic Services Remote Code Execution (RCE) vulnerability that arises from truncation errors that occur when a primitive data type is cast to a smaller size, resulting in potential data loss during conversion.
- CVE-2024-6769: A vulnerability affecting multiple versions of Microsoft Windows, including Windows 10, Windows 11, and various Windows Server editions. The vulnerability exploits a combination of DLL Hijacking and Activation Cache Poisoning, allowing an attacker to elevate privileges from a medium to a high-integrity process without triggering a User Account Control (UAC) prompt.
- CVE-2024-7479: A critical security vulnerability affecting TeamViewer’s Remote Client and Remote Host products for Windows. The vulnerability arises from improper verification of cryptographic signatures during the installation of VPN drivers, allowing attackers with local, unprivileged access to escalate their privileges and execute arbitrary code.
- CVE-2024-7481: A critical security vulnerability affecting TeamViewer’s Remote Client and Remote Host products for Windows. The vulnerability arises from improper verification of cryptographic signatures during the installation of printer drivers, allowing attackers with local, unprivileged access to escalate their privileges and execute arbitrary code.
- CVE-2024-36435: A critical vulnerability in the Baseboard Management Controller (BMC) firmware of several Supermicro enterprise products. The vulnerability allows unauthenticated attackers to exploit a buffer overflow, leading to remote code execution (RCE).
- CVE-2024-38816: A high-severity path traversal vulnerability discovered in the Spring Framework and VMWare Tanzu Spring platform, affecting multiple versions. This vulnerability allows attackers to exploit improper handling of static resources, potentially gaining unauthorized access to sensitive files on the server.
- CVE-2024-45519: Proofs of Concept (PoCs) of this widely reported Zimbra vulnerability are shared on multiple Telegram channels. It is a critical Remote Code Execution (RCE) vulnerability that was discovered in the postjournal service of the Zimbra Collaboration Suite, a widely used email and collaboration platform.
- CVE-2024-45409: A critical vulnerability affecting the Ruby SAML and OmniAuth SAML libraries. This flaw allows unauthenticated attackers to bypass Security Assertion Markup Language (SAML) authentication mechanisms by exploiting weaknesses in the signature verification process of SAML responses. Cyble honeypot sensors detected active attacks on this vulnerability.
- CVE-2024-26304: A critical vulnerability affecting HPE Aruba Devices, classified as an unauthenticated buffer overflow vulnerability in the L2/L3 Management Service accessed via the PAPI Protocol. The vulnerability allows attackers to send specially crafted packets to the PAPI UDP port (8211), potentially enabling them to execute arbitrary code as a privileged user on the affected system.
- CVE-2024-5830: A critical security vulnerability was discovered in Google Chrome’s V8 JavaScript engine, affecting versions prior to 126.0.6478.54. This vulnerability is a type confusion bug, which an attacker can exploit to execute arbitrary code within the Chrome renderer sandbox simply by enticing a victim to visit a malicious website.
- CVE-2024-44193: This is a vulnerability affecting Apple iTunes for Windows, specifically versions prior to 12.13.3. The vulnerability allows local attackers to elevate their privileges on affected systems, posing significant security risks.
- CVE-2024-8275: A threat actor (TA) shared a PoC on a forum for a critical SQL injection vulnerability discovered in the Events Calendar Plugin for WordPress. The vulnerability affects all versions up to and including 6.6.4 and arises from insufficient input validation in specific functions.
- CVE-2024-43363: A TA on a forum shared a PoC for a high-severity vulnerability affecting Cacti, a fault management framework. The vulnerability allows attackers to exploit the system remotely, potentially compromising sensitive data and system integrity.
Cyble Recommendations
To protect against these vulnerabilities and exploits, organizations should implement the following best practices:
- To mitigate vulnerabilities and protect against exploits, regularly update all software and hardware systems with the latest patches from official vendors.
- Develop a comprehensive patch management strategy that includes inventory management, patch assessment, testing, deployment, and verification. Automate the process where possible to ensure consistency and efficiency.
- Divide your network into distinct segments to isolate critical assets from less secure areas. Use firewalls, VLANs, and access controls to limit access and reduce the attack surface exposed to potential threats.
- Create and maintain an incident response plan that outlines procedures for detecting, responding to, and recovering from security incidents. Regularly test and update the plan to ensure its effectiveness and alignment with current threats.
- Implement comprehensive monitoring and logging solutions to detect and analyze suspicious activities. Use SIEM (Security Information and Event Management) systems to aggregate and correlate logs for real-time threat detection and response.
- Subscribe to security advisories and alerts from official vendors, CERTs, and other authoritative sources. Regularly review and assess the impact of these alerts on your systems and take appropriate actions.
- Conduct regular vulnerability assessment and penetration testing (VAPT) exercises to identify and remediate vulnerabilities in your systems. Complement these exercises with periodic security audits to ensure compliance with security policies and standards.
Conclusion
These vulnerabilities highlight the urgent need for security teams to prioritize patching critical vulnerabilities in major products. With increasing discussions of these exploits on dark web forums, organizations must stay vigilant and proactive. Implementing strong security practices is essential to protect sensitive data and maintain system integrity.
The post Weekly IT Vulnerability Report: Cyble Urges Fixes for Ivanti, Microsoft Dark Web Exploits appeared first on Cyble.
React to this headline: