Patch Tuesday February 2024

February 16, 2024

By Mike Walters

Patch Tuesday February 2024 Updates – Vulnerability Digest from Action1

This digest explains the most serious vulnerabilities in popular Windows software that have been patched over the past month.

For even more information, watch the recorded February 2024 Vulnerability Digest webinar, join our next Patch Tuesday webinar and visit our Patch Tuesday Watch page.

Microsoft Vulnerabilities

Welcome to the latest Vulnerability Digest by Action1, offering you an overview of the February Patch Tuesday release. As usual, we focus on the most critical vulnerabilities to ensure your systems remain updated and protected against potential threats.

This Patch Tuesday, Microsoft has addressed 73 vulnerabilities, marking an increase from last month’s figures. Among these, five are classified as critical, slightly up from January’s count. Notably, this month includes patches for two zero-day vulnerabilities, although there are no vulnerabilities with available proofs of concept (PoCs). Below, you’ll find the details of the most significant critical updates.

Internet Shortcut Files Security Feature Bypass Vulnerability

A newly discovered zero-day vulnerability in Microsoft Windows 10 and later, as well as Microsoft Windows Server 2008 and later, involves a Security Feature Bypass related to Internet Shortcut Files, identified as CVE-2024-21412. This vulnerability holds an “important” impact rating, with a severity score of 8.1 on the CVSS scale. Characterized by low complexity, it does not demand any special privileges to exploit but does require user interaction to be successful.

In the exploitation scenario, an attacker must send a specially crafted file to a target user and persuade them to open it, since the attacker cannot force the user to engage with the malicious content directly. Although the vulnerability was not publicly disclosed, it has been found to be exploitable. It is crucial for organizations to implement the official patches and updates released by Microsoft to address this vulnerability effectively.

Windows SmartScreen Security Feature Bypass Vulnerability

A new zero-day vulnerability in Windows 10 and later, as well as Windows Server 2016 and later, involves bypassing the SmartScreen security feature and is identified as CVE-2024-21351. It is deemed to have a moderate impact, with a maximum severity rating of 7.6 on the CVSS scale. The attack is of low complexity and does not require special privileges, although user interaction is essential for a successful attack.

The vulnerability exploits the interaction between the Mark of the Web and the SmartScreen feature. Normally, Windows tags files downloaded from the Internet with a zone identifier, known as the Mark of the Web, stored as an NTFS alternate data stream (ADS). SmartScreen reads this zone identifier ADS when a file is executed. If the ADS shows ZoneId=3, indicating an Internet download, SmartScreen assesses the file’s reputation before allowing it to run.

For this vulnerability, an attacker must distribute a malicious file to a user and persuade them to open it, allowing them to circumvent the SmartScreen checks and potentially compromise the system’s security.

The vulnerability is currently being exploited in the wild, although no proof of concept (PoC) has been published. Its seriousness underscores the importance of promptly applying Microsoft’s official fixes and updates to safeguard systems against potential threats.
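The Mark of the Web check described above can be audited directly, because the zone mark is just an NTFS alternate data stream. The following PowerShell script is an added example, not code from the Action1 post: it walks a folder (the Downloads folder is an assumed default) and reports which files lack a Zone.Identifier stream or carry a ZoneId other than 3, that is, files SmartScreen would not subject to the Internet reputation check.

```powershell
# Added example (not from the Action1 post). Audits a folder for Mark of the
# Web: reads each file's Zone.Identifier alternate data stream and extracts
# ZoneId (3 = Internet, the value that triggers SmartScreen's reputation check).
# Assumes an NTFS volume and Windows PowerShell 5.1 or later.
param(
    [string]$Path = "$env:USERPROFILE\Downloads"   # assumed default folder to audit
)

function Get-MarkOfTheWeb {
    param([Parameter(Mandatory)][string]$FilePath)

    # A missing stream is the normal case for files that did not come from the
    # Internet, so the error is suppressed rather than reported.
    $stream = Get-Item -LiteralPath $FilePath -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $stream) {
        return [pscustomobject]@{ File = $FilePath; HasMotw = $false; ZoneId = $null; HostUrl = $null }
    }

    # The stream is a small INI-style block, for example:
    #   [ZoneTransfer]
    #   ZoneId=3
    #   ReferrerUrl=https://example.invalid/
    #   HostUrl=https://example.invalid/file.exe
    $fields = @{}
    foreach ($line in (Get-Content -LiteralPath $FilePath -Stream Zone.Identifier -ErrorAction SilentlyContinue)) {
        if ($line -match '^\s*([^=\[\]]+?)\s*=\s*(.*)$') { $fields[$Matches[1]] = $Matches[2] }
    }
    $zoneId = $null
    if ($fields.ContainsKey('ZoneId') -and $fields['ZoneId'] -match '^\d+$') { $zoneId = [int]$fields['ZoneId'] }

    [pscustomobject]@{ File = $FilePath; HasMotw = $true; ZoneId = $zoneId; HostUrl = $fields['HostUrl'] }
}

$results = Get-ChildItem -LiteralPath $Path -File -Recurse | ForEach-Object { Get-MarkOfTheWeb -FilePath $_.FullName }

# Files SmartScreen would not reputation-check: no mark at all, or a zone other than Internet (3).
$unmarked = $results | Where-Object { -not $_.HasMotw -or $_.ZoneId -ne 3 }
$unmarked | Format-Table File, HasMotw, ZoneId, HostUrl -AutoSize
'{0} of {1} files carry no Internet zone mark' -f @($unmarked).Count, @($results).Count
```

Run it against a folder where downloaded files are expected to land; a downloaded file that shows up as HasMotw=False is worth a closer look, since neither SmartScreen nor Office Protected View will treat it as untrusted.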

The Remote Code Execution Vulnerability in Microsoft Outlook

A critical Remote Code Execution (RCE) vulnerability in Microsoft Outlook, identified as CVE-2024-21413, carries a high risk for both users and organizations, with a severity rating of 9.8 on the CVSS scale. Characterized by its network-based attack vector, the vulnerability requires no special privileges or user interaction for exploitation and could significantly impact confidentiality, integrity, and availability.

An attacker can exploit this vulnerability via the preview pane in Outlook, allowing them to circumvent Office Protected View and force files to open in edit mode, rather than in the safer protected mode.

To mitigate this risk, Microsoft advises users of Office 2016 to install the latest updates specific to their system’s architecture (32-bit or 64-bit). Relevant security updates include 5002537, 5002467, 5002522, 5002469, and 5002519, designed to address this issue comprehensively.

The threat posed by this vulnerability is substantial, potentially enabling an attacker to achieve elevated privileges, including the ability to read, write, and delete data. Moreover, it could allow an attacker to craft malicious links that bypass Protected View, leading to the exposure of local NTLM credentials and facilitating remote code execution.

While Microsoft reports that this vulnerability has not been exploited in the wild and lacks a proof of concept (PoC), applying the provided updates is essential for safeguarding against potential exploitation.

The Microsoft Exchange Server Elevation of Privilege Vulnerability

A critical Elevation of Privilege vulnerability in Microsoft Exchange Server, identified as CVE-2024-21410, significantly endangers system security with a maximum CVSS severity rating of 9.8. This low complexity attack doesn’t require special privileges or user interaction for exploitation, posing a serious risk to confidentiality, integrity, and availability.

This vulnerability targets NTLM clients such as Outlook: an attacker exploits NTLM credential leakage and relays the leaked credentials to the Exchange server. A successful relay gives the attacker the privileges of the victim, enabling them to perform operations on the Exchange server as that user.

To mitigate this threat before applying the official fix, consulting the Exchange Extended Protection documentation and utilizing the ExchangeExtendedProtectionManagement.ps1 script to activate Extended Protection for Authentication (EPA) on Exchange servers is advisable. Additionally, for Exchange Server 2016 CU23 users, it’s crucial to install the latest security update prior to enabling Extended Protection.

For those on Exchange Server 2019 CU14 or earlier, it’s important to note that NTLM credential relay protections, or EPA, were not automatically active before Cumulative Update 14. Activating EPA by running the script is essential for safeguarding against this vulnerability, alongside installing the latest cumulative update for comprehensive protection.
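After running the ExchangeExtendedProtectionManagement.ps1 script, it is worth reading the result back from IIS rather than trusting the script's console output. The PowerShell below is an added example, not the Action1 post's code and not part of Microsoft's script: it queries the IIS tokenChecking value behind Extended Protection for an assumed selection of Exchange virtual directories and flags any that are still at None. It assumes it runs elevated on the Exchange server with the WebAdministration module available; compare the output with the per-directory values in Microsoft's Extended Protection documentation, since some directories are intentionally left at Allow or None.

```powershell
# Added example (not from the Action1 post or from Microsoft's
# ExchangeExtendedProtectionManagement.ps1). Reads the IIS Extended
# Protection "tokenChecking" setting for a set of Exchange virtual
# directories so the EPA rollout can be verified. Assumes an elevated
# session on the Exchange server and the WebAdministration module.
Import-Module WebAdministration

# Assumed selection of virtual directories to inspect; compare against the
# full per-directory table in Microsoft's Extended Protection documentation.
$locations = @(
    'Default Web Site/owa', 'Default Web Site/ecp', 'Default Web Site/EWS',
    'Default Web Site/mapi', 'Default Web Site/OAB', 'Default Web Site/Rpc',
    'Exchange Back End/owa', 'Exchange Back End/ecp'
)

function Get-ExtendedProtectionSetting {
    param([Parameter(Mandatory)][string]$Location)
    $filter = 'system.webServer/security/authentication/windowsAuthentication/extendedProtection'
    $raw = Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $Location `
        -Filter $filter -Name 'tokenChecking' -ErrorAction SilentlyContinue
    if ($null -eq $raw) { return 'NotSet' }
    # Depending on the attribute type the cmdlet returns either a plain string or a
    # ConfigurationAttribute object; normalise to the string form (None/Allow/Require).
    if ($raw.PSObject.Properties['Value']) { return [string]$raw.Value }
    return [string]$raw
}

foreach ($loc in $locations) {
    $setting = Get-ExtendedProtectionSetting -Location $loc
    # Allow and Require both make the channel binding token part of NTLM authentication;
    # None (or no setting at all) leaves the directory open to credential relay.
    $flag = if ($setting -in @('Allow', 'Require')) { '' } else { '<-- NTLM relay protection not enforced' }
    '{0,-26} tokenChecking={1,-8} {2}' -f $loc, $setting, $flag
}
```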

Proactive measures and the prompt application of security updates are paramount in defending against such critical vulnerabilities. For proper configuration and protection against CVE-2024-21410, consulting Microsoft or a skilled IT professional may be necessary.

Although there are no reports of this vulnerability being exploited in the wild, Microsoft indicates a higher likelihood of future exploitation, underscoring the urgency for updates and protective measures.

Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability

A critical Remote Code Execution (RCE) vulnerability has been identified in Windows Server (2008 and later), known as the Windows Pragmatic General Multicast (PGM) vulnerability (CVE-2024-21357), representing a significant risk to affected systems. With a CVSS severity rating of 7.5, this vulnerability enables remote code execution but is confined to adjacent attack scenarios—meaning the attacker must be on the same network segment or connected to the same switch or virtual network as the target.

The complexity of exploiting this vulnerability is high, requiring attackers to meticulously prepare the target environment beforehand. Successful exploitation could severely impact confidentiality, integrity, and availability.

Although there’s currently no proof of concept or evidence of active exploitation, the likelihood of future exploitation remains a concern. As such, proactive security measures are crucial.

Organizations are advised to promptly apply Microsoft’s official fix for this vulnerability. Additionally, monitoring network environments and implementing robust security controls to restrict unauthorized network segment access are essential steps in reducing the vulnerability’s attack surface and safeguarding systems against potential exploits.

Windows EventLogCrasher Zero-Day

Researchers have developed unofficial fixes for a zero-day vulnerability named EventLogCrasher, which enables attackers to remotely crash the event log service on Windows devices within the same domain. This zero-day affects all Windows versions from Windows 7 to Windows 11 and server versions from Server 2008 R2 to Server 2022. Microsoft initially labeled it as a non-urgent, duplicate bug from 2022, despite the release of a Proof of Concept (PoC) exploit by the discoverer. Additionally, a similar unpatched vulnerability, LogCrusher, was disclosed by Varonis, allowing any domain user to exploit this flaw.

To exploit the zero-day, attackers only need a network connection and valid credentials; they can then crash the event log service on every Windows computer in the domain, including domain controllers, hiding malicious activity from the event logs. The crash is triggered by sending an invalid UNICODE_STRING to the ElfrRegisterEventSourceW method of the RPC-based EventLog protocol, and it also disrupts SIEM and IDS systems that depend on the logs. However, security and system events are queued in memory and will be logged once the service is restored, provided the queue does not overflow and the system remains operational. The vulnerability has been confirmed by 0patch researchers but remains unpatched, with the community awaiting an official response from Microsoft.
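Because the damage here is a silent gap in logging rather than a noisy crash, the practical defence while no patch exists is to notice quickly when the service stops. The PowerShell below is an added example, not from the Action1 post or from 0patch: it polls the EventLog service state and the Security log's last write time on a list of hosts and raises an alert when the service is not running, the host cannot be reached, or the log has been silent longer than a threshold. The host list and the 15-minute threshold are assumed values; it assumes WinRM is enabled and the caller has administrative rights on the targets.

```powershell
# Added example (not from the Action1 post). Health check for the Windows
# Event Log service across several hosts: reports service state, the time of
# the last Security event, and an Alert flag. Assumes WinRM access and admin
# rights on the targets; $Computers and $MaxSilentMinutes are assumed values.
param(
    [string[]]$Computers = @('localhost'),
    [int]$MaxSilentMinutes = 15      # alert if the Security log has been silent this long
)

# Runs on each target; kept as a script block so it can be sent via Invoke-Command.
$probe = {
    param($MaxSilentMinutes)
    $svc = Get-Service -Name EventLog -ErrorAction SilentlyContinue
    # If the service has crashed, this query may fail too; treat that as "unknown".
    $log = Get-WinEvent -ListLog Security -ErrorAction SilentlyContinue
    $lastWrite = if ($log) { $log.LastWriteTime } else { $null }
    $silent = if ($lastWrite) { [int]((Get-Date) - $lastWrite).TotalMinutes } else { $null }
    $status = if ($svc) { $svc.Status.ToString() } else { 'Unknown' }
    [pscustomobject]@{
        Computer          = $env:COMPUTERNAME
        ServiceStatus     = $status
        LastSecurityEvent = $lastWrite
        SilentMinutes     = $silent
        Alert             = ($status -ne 'Running') -or ($null -eq $silent) -or ($silent -gt $MaxSilentMinutes)
    }
}

function Test-EventLogHealth {
    param([string[]]$ComputerName, [int]$MaxSilentMinutes)
    foreach ($c in $ComputerName) {
        try {
            if ($c -eq 'localhost') {
                & $probe $MaxSilentMinutes
            } else {
                Invoke-Command -ComputerName $c -ScriptBlock $probe -ArgumentList $MaxSilentMinutes -ErrorAction Stop
            }
        } catch {
            # An unreachable host is itself worth an alert: the box may be offline or remoting broken.
            [pscustomobject]@{ Computer = $c; ServiceStatus = 'UNREACHABLE'; LastSecurityEvent = $null; SilentMinutes = $null; Alert = $true }
        }
    }
}

Test-EventLogHealth -ComputerName $Computers -MaxSilentMinutes $MaxSilentMinutes |
    Format-Table Computer, ServiceStatus, LastSecurityEvent, SilentMinutes, Alert -AutoSize
```

Schedule it from a monitoring host and treat any Alert=True row on a domain controller as an incident trigger, since an attacker who crashes the service there has a window in which logon and directory changes are not being written to disk.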

Google Chrome

Google is releasing patches for a zero-day vulnerability in Chrome, marked as CVE-2024-0519, which has been exploited since the start of the year. This critical issue stems from an out-of-bounds memory access in the JavaScript V8 engine for versions of Chrome before 120.0.6099.224, allowing potential access to sensitive information or causing crashes. Additionally, it could bypass security features like ASLR, aiding in code execution through another exploit.

Google has not disclosed specific details about the attacks or evidence of compromise, noting only that the vulnerability was reported anonymously on January 11, 2024.

Other serious vulnerabilities addressed include an out-of-bounds write (CVE-2024-0517) and a type confusion bug (CVE-2024-0518), both of which could lead to arbitrary code execution. Users are advised to update Chrome to the patched versions for Windows, macOS, and Linux to mitigate these risks. Users of Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi are also advised to update their browsers as patches become available.

Mozilla Firefox

Firefox version 122 addresses 15 security vulnerabilities, with five classified as critical. Eight of these vulnerabilities stem from memory handling issues, including buffer overflows and access to previously freed memory areas. Such issues could potentially enable the execution of malicious code upon opening specially crafted web pages.

Opera

Researchers at Guardio Labs have identified a vulnerability in the Opera browser for Windows and macOS, named MyFlaw, which allows the execution of any file on the operating system. This remote code execution flaw exploits the My Flow feature, designed for syncing messages and files between mobile and desktop devices via a built-in browser extension called Opera Touch Background.

The team discovered an outdated version of the My Flow page on the web.flow.opera.com domain. My Flow offers a chat-like interface for sharing notes and files, which can be opened through the web interface, thereby allowing files to be executed beyond the browser’s security limits. This vulnerability impacts both Opera and Opera GX versions released before November 22, 2023.

Despite Opera being based on the Chromium infrastructure, this bug underscores the necessity for Opera-specific internal enhancements and security measures.

Ivanti

Volexity discovered two zero-day vulnerabilities in Ivanti’s Connect Secure VPN and Policy Secure Network Access Control (NAC), now widely exploited. The vulnerabilities, CVE-2023-46805, an authentication bypass, and CVE-2024-21887, a command injection flaw, have been targeted in attacks globally, affecting a range of organizations, including Fortune 500 companies.

The attackers have used a modified GIFTEDVISITOR shell, impacting over 1,700 ICS VPN devices since January 14th. Victims span various sectors, such as government, military, telecommunications, defense, technology, finance, consulting, aerospace, and engineering. Despite this, Ivanti has yet to release patches for these vulnerabilities, recommending risk mitigation and integrity checking tools in the meantime.

Additionally, Ivanti’s Endpoint Manager Mobile (EPMM) faced an authentication bypass vulnerability, CVE-2023-35082, previously exploited in attacks against the Norwegian government. This flaw works around the fix for another exploited vulnerability, CVE-2023-35078.

Ivanti discovered two more critical vulnerabilities, CVE-2024-21893, a server-side request forgery allowing authentication bypass, and CVE-2024-21888, enabling administrator privilege escalation. Both affect all supported versions of Connect Secure and Policy Secure VPN and Ivanti Neurons for ZTA, with CVE-2024-21893 already being exploited in targeted attacks.

Security patches have been released for some affected versions, but with multiple zero-days actively exploited and no security updates for some products, users are advised to disable all Ivanti VPN devices until they can be safely updated.

Moreover, a new critical vulnerability, CVE-2024-22024, an XML External Entity (XXE) flaw in the SAML component, allows remote attackers to access restricted resources on unpatched devices. Despite no current evidence of exploitation, the ongoing discovery of vulnerabilities and attacks underscores the importance of immediate patch application and the potential need for drastic measures such as disconnecting affected devices while awaiting comprehensive solutions from Ivanti.

Fortinet

Fortinet has issued a warning about a critical Remote Code Execution (RCE) vulnerability in FortiOS SSL VPN, identified as CVE-2024-21762 (FG-IR-24-015), with a CVSS score of 9.6. This out-of-bounds write issue allows remote, unauthenticated attackers to execute arbitrary code via specially crafted HTTP requests. Fortinet advises updating to the latest FortiOS versions to mitigate this vulnerability or, if immediate updating is not feasible, disabling SSL VPN.

While specific details about real-world exploitation or the discoverer of CVE-2024-21762 are not provided, Fortinet has also disclosed other vulnerabilities, including CVE-2024-23113 (rated 9.8) and two medium-rated CVEs, none of which have been reported as exploited.

Given the high severity and the likelihood of CVE-2024-21762 being targeted in attacks, Fortinet strongly recommends system updates as soon as possible.

Additionally, Fortinet has addressed two critical vulnerabilities in FortiSIEM by adding them to its October 2023 security advisory rather than publishing a new one. These vulnerabilities, CVE-2024-23108 and CVE-2024-23109, arise from improper neutralization of command elements and affect various FortiSIEM versions. They allow remote execution of arbitrary code via API requests in low-complexity attacks that require no user interaction.

Although the advisory itself was not explicitly marked as updated, cached versions show recent changes to the list of affected FortiSIEM products, suggesting these may be related to, or variants of, a previously disclosed vulnerability (CVE-2023-34992). Despite the lack of a public exploit, the severity of these issues warrants immediate action.

To address these vulnerabilities, Fortinet advises upgrading to FortiSIEM version 7.1.2, and for users of other affected versions, to await forthcoming updates promised by Fortinet, though no specific release dates have been provided.

Linux

A new vulnerability in the GNU C Library (glibc), CVE-2023-6246, allows attackers to gain root access on major Linux distributions. This issue, originating from a buffer overflow in glibc version 2.37 and inadvertently introduced to version 2.36, escalates local privileges through specially crafted input in applications utilizing syslog or vsyslog functions for logging. Qualys researchers confirmed its exploitability on Debian, Ubuntu, and Fedora versions under default settings. Additionally, they discovered three other vulnerabilities in glibc, with two affecting __vsyslog_internal() and one in the qsort() function, the latter being present in glibc for over three decades without evidence of exploitation.

Snyk reported multiple vulnerabilities in runC, a CLI tool for spawning and managing containers on Linux, with versions up to 1.1.11 being affected. These vulnerabilities, particularly severe ones like CVE-2024-21626, allow unauthorized access and potential escape from containers, posing risks of sensitive data exposure and follow-on attacks. Despite no known exploitation, Docker, AWS, and Google Cloud have issued alerts, emphasizing the need for caution and timely updates.

A significant vulnerability in Shim, CVE-2023-40547, discovered by a Microsoft researcher, compromises Linux systems by bypassing Secure Boot, enabling attackers to control the system before the kernel loads. This vulnerability, due to improper HTTP response parsing in Shim’s httpboot.c, allows remote code execution. Red Hat released a patch, but each distribution that uses Shim for Secure Boot must ship its own update. Eclypsium advises updating the UEFI Secure Boot DBX with the hashes of vulnerable Shim versions and ensuring the patched version is signed with a valid Microsoft key.

VMware

VMware has addressed a critical flaw in Aria Automation (formerly vRealize Automation) that could potentially allow an authenticated attacker to gain unauthorized access. Identified as CVE-2023-34063 with a CVSS rating of 9.9, this vulnerability was discovered by CSIRO researchers and impacts versions 8.11.x through 8.14.x of VMware Aria Automation, as well as VMware Cloud Foundation versions 4.x and 5.x. VMware advises upgrading to version 8.16 as the sole remedy.

Additionally, VMware updated its security advisory for a previously disclosed vulnerability in VMware vCenter Server, CVE-2023-34048, now confirmed to be actively exploited. This vulnerability, in the implementation of the DCERPC protocol, is an out-of-bounds write that allows remote code execution via network access. VMware released patches for this critical issue, including for out-of-date product versions, upon discovery.

The Shadowserver Foundation reports hundreds of potentially vulnerable VMware vCenter Server instances worldwide. Given the availability of technical details since December and the lack of a public PoC, VMware urges all users to audit and update their systems in line with the developer’s recommendations.

VMware also highlighted vulnerabilities in Aria Operations for Networks (formerly vRealize Network Insight), including:

  • CVE-2024-22237: A local privilege escalation vulnerability with a CVSS score of 7.8.
  • CVE-2024-22238: An XSS vulnerability with a CVSS score of 6.4.
  • CVE-2024-22239: Another local privilege escalation vulnerability with a CVSS score of 5.3.
  • CVE-2024-22240: A local file read vulnerability with a CVSS score of 4.9.
  • CVE-2024-22241: An XSS vulnerability with a CVSS score of 4.3.

VMware recommends users of Aria Operations for Networks version 6.x upgrade to version 6.12.0 to mitigate these vulnerabilities effectively.

Cisco

Cisco has issued a warning about a critical Remote Code Execution (RCE) vulnerability, CVE-2024-20253, affecting its Unified Communications Manager (CM) and Contact Center Solutions. These products offer advanced voice, video, messaging, and customer interaction services. Discovered by Synacktiv, this vulnerability is rated at a severity of 9.9 out of 10, enabling unauthenticated remote attackers to execute arbitrary code by sending a specially crafted message to a vulnerable device, potentially achieving root access through web service user privileges.

Cisco has stated that there is no direct workaround, urging the application of security updates for mitigation. In situations where immediate updating isn’t feasible, Cisco suggests configuring Access Control Lists (ACLs) as a temporary measure.

To date, there have been no public disclosures or known malicious exploitation of this vulnerability, but vigilance is advised.

Additionally, Cisco has addressed multiple vulnerabilities in the web-based management interface of Expressway gateways, including two critical ones: CVE-2024-20252 and CVE-2024-20254, both with a CVSS score of 9.6, and a third, CVE-2024-20255, rated at 8.2. These vulnerabilities could allow an attacker to execute unauthorized actions on behalf of an authenticated user, including adding new user accounts or gaining administrator privileges, through CSRF attacks. While CVE-2024-20254 and CVE-2024-20255 impact Cisco Expressway Series devices with default settings, CVE-2024-20252 targets systems with the Cluster Database API enabled. Cisco recommends updating to Expressway Series Release 14.3.4 or 15.0.0 for protection.

However, the Cisco TelePresence Video Communication Server (VCS) will not receive updates due to its end-of-life (EOL) status as of December 31, 2023. Despite this, Cisco’s PSIRT has not observed any exploitation attempts or publicly available proofs of concept for these vulnerabilities.

JetBrains

JetBrains has addressed a critical authentication bypass vulnerability in TeamCity On-Premises, identified as CVE-2024-23917, with a CVSS score of 9.8. This vulnerability affects versions from 2017.1 to 2023.11.2 and could enable attackers to carry out Remote Code Execution (RCE) attacks without user interaction. To mitigate this risk, JetBrains urges TeamCity On-Premises users to upgrade to version 2023.11.3. TeamCity Cloud servers have already been secured, and there are no reports of attacks against them.

For customers who cannot upgrade immediately, a patch plugin is available for versions 2018.2 onwards and for the 2017.1, 2017.2, and 2018.1 versions. Despite Shadowserver tracking over 2,000 TeamCity servers online, the exact number of vulnerable servers remains uncertain, though it’s expected to be significant.

Given the past interest of attackers in a similar vulnerability (CVE-2023-42793) for preparing software supply chain attacks, CVE-2024-23917 is likely to attract significant attention from cybercriminals. JetBrains’ platform is widely used by over 30,000 organizations globally, including major companies such as Citibank, Ubisoft, HP, Nike, and Ferrari, underscoring the potential impact of this vulnerability.

Apple

Apple has issued security updates for a zero-day vulnerability used in targeted attacks against devices like iPhones, Macs, and Apple TVs across iOS, macOS, and tvOS platforms. This vulnerability, identified as CVE-2024-23222, is located in WebKit and allows the execution of arbitrary malicious code upon visiting a malicious web page. While the discloser of CVE-2024-23222 remains unnamed, Apple has confirmed its exploitation in recent attacks.

To mitigate this issue, Apple recommends updating to iOS 16.7.5, iPadOS 16.7.5, macOS Monterey 12.7.3, and tvOS 17.3 or later. The vulnerability impacts a wide range of devices, including various iPhone models starting from iPhone 8, several iPad generations, Mac computers on macOS Monterey and later, and all models of Apple TV HD and Apple TV 4K.

Additionally, Apple patched two other WebKit zero-day vulnerabilities from November (CVE-2023-42916 and CVE-2023-42917) for older iPhone and iPad models.

Just days before unveiling the Vision Pro VR headset, Apple released its first security update for VisionOS, addressing CVE-2024-23222 within the VR platform. Although initially not seen as a direct threat to VR headsets, the inclusion of WebKit components in many Apple products prompted a broad advisory. VisionOS, designed to run iPad and iPhone apps with minimal adjustments, shares many of the same vulnerabilities as iOS and iPadOS due to shared components.

In a surprising turn, a Massachusetts Institute of Technology (MIT) student hacked the Apple Vision Pro a day after its release, exploiting a kernel vulnerability in visionOS. This exploit could enable malware creation, unauthorized access, or general misuse of the headset. Apple has yet to officially respond to this discovery, but it has updated the Vision Pro’s user manual to caution users about potential service disruptions and the effects on third-party apps due to such hacks. This incident highlights the ongoing challenges even major tech companies face in balancing rapid innovation with cybersecurity.

WhatsApp

Tal Be’ery, ZenGo’s co-founder and CTO, discovered a WhatsApp vulnerability that lets attackers learn about the devices associated with a user’s account just by knowing their phone number. This issue is particularly relevant for users accessing WhatsApp on desktop or web platforms, as the vulnerability exploits WhatsApp’s multi-device support feature. Since each connected device generates its own cryptographic keys for end-to-end encryption, the WhatsApp web client stores these keys in local browser memory, accessible to attackers. This flaw could potentially expose users to privacy risks by allowing attackers to track device configurations over time. Despite reporting this to Meta, Be’ery’s concerns were dismissed as being inherent to the protocol’s design, leading him to make his findings public. This revelation underscores the importance of being cautious when using WhatsApp on desktop and web platforms.

ModSecurity

Andrea Menin of SicuraNext has uncovered a critical vulnerability in ModSecurity, identified as CVE-2024-1019, allowing attackers to bypass the firewall by exploiting how URLs are decoded. This flaw, present in both ModSecurity versions 2 and 3, facilitates a straightforward WAF bypass, with version 3.0.12 fixing the issue for v3 but leaving v2 still vulnerable. The exploit involves using a percent-encoded question mark (“%3F”) in the request URL, misleading ModSecurity and enabling rule evasion. Administrators are urged to upgrade to version 3.0.12 to protect against this exploit, with further security measures suggested on SicuraNext’s blog.

Vinchin Backup & Recovery

Researchers from LeakIX have unveiled five critical vulnerabilities in Vinchin Backup & Recovery, ranging from CVE-2024-22899 to CVE-2024-22903, which can be exploited in a chain for Remote Code Execution (RCE) attacks. These vulnerabilities include two related to default and hardcoded credentials, allowing root access via SSH and unauthorized database modifications. Other vulnerabilities involve command injection in functions for updating network card information, synchronizing system time with an NTP server, and deleting files without proper sanitization, enabling attackers to execute commands remotely.

The report details technical specifics and sample exploits for these vulnerabilities, highlighting a significant risk of full system compromise. Despite prior disclosures, such as CVE-2022-35866, Vinchin has not released patches for these issues, raising concerns over the product’s cybersecurity certification and the safety of its users. The discovery of these vulnerabilities, particularly the default MySQL credentials, underscores the urgent need for users to monitor and apply any future updates or patches from Vinchin immediately to mitigate risks.

Android

A Proof of Concept (PoC) exploit for CVE-2023-45779, a vulnerability in Android discovered by Meta’s Red Team X, is now available on GitHub. This issue, patched in the December 2023 Android update, stems from the insecure signing of APEX modules with public test keys, allowing attackers to push malicious updates for local privilege escalation. It affects several OEMs including ASUS, Microsoft, Nokia, Nothing, VIVO, Lenovo, and Fairphone, though some manufacturers like Google, Samsung, Xiaomi, OPPO, Sony, Motorola, and OnePlus are not vulnerable due to their use of unique private keys. The existence of a PoC exploit highlights the need for awareness among vendors and users, despite the requirement for physical device access for exploitation.

Jenkins

The Jenkins team has fixed a critical vulnerability, CVE-2024-23897, with a severity rating of 9.8/10, that allowed for Remote Code Execution (RCE) through arbitrary file access in the CLI. This issue, along with eight others, has been patched in versions 2.442 and LTS 2.426.3. Users are advised to update immediately or disable CLI access as a temporary measure to mitigate risk. Additionally, a second vulnerability, CVE-2024-23898, involves cross-site WebSocket hijacking. Publicly available PoC exploits for these vulnerabilities, especially CVE-2024-23897, highlight the need for swift action to secure Jenkins servers against potential attacks.

GitLab

GitLab has issued security updates to tackle two critical vulnerabilities within its DevSecOps platform. The more severe bug, CVE-2023-7028, scores a perfect 10/10 on the CVSS scale, enabling attackers to hijack accounts without needing user interaction by sending password reset requests to arbitrary emails. This flaw raises significant concerns for potential account compromises and supply chain attacks by allowing unauthorized code insertion into repositories.

The second critical vulnerability, CVE-2023-5356, rated at 9.6/10, affects Slack/Mattermost integration, permitting unauthorized execution of slash commands.

Although there has been no observed exploitation, GitLab has provided indicators of compromise (IOC) and strongly recommends updating the platform immediately. The updates address these issues along with other vulnerabilities of lesser severity but still crucial for security.

Despite the availability of a patch for CVE-2023-7028, over 5,300 web-facing GitLab instances remain exposed, risking supply chain attacks and leaks of sensitive information. The vulnerability impacts a wide range of GitLab Community and Enterprise Edition versions. Following the update’s release, Shadowserver discovered thousands of still vulnerable instances, underlining the urgency for unpatched systems to apply the fix and follow GitLab’s incident response guidelines.

Additionally, GitLab has announced a fix for another critical issue, CVE-2024-0402, with a 9.9/10 CVSS rating, affecting versions 16.0 through 16.8.1. This vulnerability allows authenticated users to write files to arbitrary locations on the server, posing a risk of further exploitation. GitLab has also remedied four moderate severity bugs related to regular expression DoS, HTML injection, and email address disclosure.

GitLab.com and GitLab Dedicated environments have been updated to the latest versions, ensuring protection against these vulnerabilities. Users are urged to upgrade their installations to safeguard against potential security threats.

Atlassian

Atlassian has issued patches for a series of vulnerabilities, including a critical Remote Code Execution (RCE) issue within legacy versions of Confluence Data Center and Server, designated as CVE-2023-22527. This vulnerability, receiving the highest CVSS score of 10.0, can be exploited without authentication and affects versions 8.0.x through 8.5.3, while versions 7.19.x LTS remain unaffected.

The vulnerability has been fixed in subsequent releases, including versions 8.5.4, 8.5.5 for both Confluence Data Center and Server, and versions 8.6.0, 8.7.1, and 8.7.2 for Confluence Data Center. Atlassian urges users to update to the latest versions to mitigate the risk.

The critical nature of CVE-2023-22527 has caught the attention of hackers, with the Shadowserver Foundation reporting thousands of exploitation attempts from over 600 unique IP addresses. These attempts often involve using the “whoami” command to identify system access levels and privileges. Shadowserver’s data reveals more than 39,000 exploitation attempts against 11,100 online instances of Atlassian Confluence. Despite the absence of specific indicators of compromise from Atlassian, the company advises updating to versions released after December 5, 2023, as a precaution.

Given the active exploitation and the severity of this vulnerability, owners of outdated Confluence instances should assume potential compromise and take necessary security measures, including updating their systems and reviewing access controls.

SonicWall

Bishop Fox researchers have identified that 76% of SonicWall Next-Generation Firewalls (NGFW), totaling over 178,000 devices with online management interfaces, are at risk of DoS and potential RCE attacks due to vulnerabilities CVE-2022-22274 and CVE-2023-0656. The former also enables remote code execution. These vulnerabilities stem from the reuse of vulnerable code across three HTTP URIs, presenting a significant attack surface. Even without successful code execution, attackers can exploit these flaws to force devices into maintenance mode, disrupting firewall and VPN functionalities and necessitating administrative action to resume normal operations.

With Shadowserver reporting over 500,000 SonicWall firewalls online globally, including over 328,000 in the United States, the potential impact is vast. Despite no reported real-world exploits, the availability of a PoC for CVE-2022-22274 raises concerns. SSD Labs has also released a proof-of-concept, highlighting two specific URI paths for exploiting the bug.

Administrators managing SonicWall NGFW devices are urged to limit Internet access to the management interface and update their firmware immediately to protect against these vulnerabilities. Given the large number of devices at risk and previous instances of unpatched SonicWall products being targeted by cybercriminals, it’s crucial for administrators to act swiftly to secure their networks.

How To Efficiently Patch All of These Vulnerabilities And More

Want to learn about newly released updates as soon as they are available? With Action1, you can — as well as streamline the entire patch management process, from identifying missing updates to compliance reporting, across both Windows OS and third-party software.

Webinar Recording: February 2024 Vulnerability Digest from Action1
