Patch Tuesday March 2024

March 12, 2024

By Mike Walters

Patch Tuesday March 2024 Updates – Vulnerability Digest from Action1

This digest explains the most serious vulnerabilities in popular Windows software that have been patched over the past month.

For even more information, watch the recorded March 2024 Vulnerability Digest webinar, join our next Patch Tuesday webinar and visit our Patch Tuesday Watch page.

In this issue, you will learn about patches for:

  • Microsoft (Windows Hyper-V, Exchange Server, SharePoint Server, Skype for Consumer)
  • Google Chrome
  • Mozilla Firefox
  • JetBrains TeamCity
  • Zeek
  • VMware
  • Apple
  • Smart Toys
  • ConnectWise ScreenConnect
  • Joomla
  • SolarWinds
  • ESET
  • Linux
  • Node.js

Microsoft Vulnerabilities

It is the second Tuesday of the month, which means we are bringing you the latest Vulnerability Digest from Action1, offering you an overview of the March Patch Tuesday release. As usual, we focus on the most critical vulnerabilities to ensure your systems remain updated and protected against potential threats.

This month’s Patch Tuesday brings fewer fixes from Microsoft: 60 in total, down from last month’s 74. Only two critical vulnerabilities are addressed, fewer than in February, which is a positive trend. Notably absent this month are any zero-day vulnerabilities or public proofs of concept (PoCs), making this a moment of relative calm. The most noteworthy critical updates are detailed below.

Windows Hyper-V Remote Code Execution Vulnerability

The spotlighted vulnerability, CVE-2024-21407, is a critical Remote Code Execution (RCE) flaw in Windows Hyper-V. With a CVSS score of 8.1, the vulnerability poses a significant threat to Windows Hyper-V users.

An authenticated attacker operating from within a guest virtual machine (VM) could potentially execute arbitrary code on the host server. This is achieved by dispatching specially crafted file operation requests from the VM to hardware resources. The attack’s complexity is notably high, necessitating that the attacker acquires specific environmental information and undertakes preparatory actions to prime the target environment for exploitation.

According to CVSS metrics, a successful exploit could severely impact confidentiality, integrity, and availability, granting an attacker elevated privileges that include the ability to read, write, and delete.

As of this announcement, there have been no public disclosures or known exploitations of this vulnerability. Yet, given its critical severity and possible consequences, it is crucial for Windows Hyper-V users to promptly implement the provided updates to mitigate exposure.

This vulnerability is applicable to systems running Windows 10 and newer, as well as Windows Server 2012 and newer that are equipped with the Hyper-V role. Users are urged to apply Microsoft’s official patch to safeguard against this issue. Additionally, adhering to best practices for VM and host server security—like minimizing user privileges, narrowing network access, and vigilantly monitoring for unusual activities—is strongly advised.

Microsoft Exchange Server Remote Code Execution Vulnerability

CVE-2024-26198 represents a Remote Code Execution (RCE) vulnerability in Microsoft Exchange Server, rated with a CVSS score of 8.8. Despite its high severity, it falls short of being critical due to the necessity for user interaction, yet it remains a substantial threat to Microsoft Exchange Server environments.

This vulnerability enables an unauthenticated attacker to remotely execute arbitrary code on the affected system. This is achieved by enticing a user to open a specially crafted file placed either online or within a local network location. The necessity for user interaction—convincing a user to engage with the file—plays a pivotal role in the exploitation process.

According to CVSS metrics, a successful exploit could severely compromise confidentiality, integrity, and availability, potentially granting an attacker privileges to read, write, and delete.

Although there have been no public disclosures or known exploits at the time of this announcement, the seriousness of this vulnerability mandates immediate action. Microsoft Exchange Server users, particularly those running version 2016 and later, are urged to promptly apply Microsoft’s official patch to mitigate risk.

In addition to patching, adopting security best practices for email servers is advisable. This includes limiting user privileges, tightening network access, and continuously scanning for anomalies. Users should exercise caution with files from unverified sources to further safeguard against this vulnerability.

Microsoft SharePoint Server Remote Code Execution Vulnerability

CVE-2024-21426 is a notable Remote Code Execution (RCE) vulnerability within Microsoft SharePoint Server, carrying a CVSS score of 7.8, signaling a considerable security risk to its user base.

This vulnerability enables an attacker to execute arbitrary code on the affected system through a malicious file sent to the user, requiring the latter’s cooperation to open it. Despite its classification as a local attack vector—demanding the attacker have local system access—the potential for remote code execution exists if the user is persuaded to open the malicious file.

The CVSS metrics underscore the severity of a successful exploit, highlighting a complete compromise of confidentiality, integrity, and availability. An attacker leveraging this vulnerability could achieve full system control, enabling file manipulation and possibly causing significant downtime.

As of its disclosure, there were no known public exploits or disclosures of this vulnerability. Nonetheless, the critical nature of this issue necessitates prompt action from Microsoft SharePoint Server users, particularly those on versions 2016 and later. Immediate application of Microsoft’s official patch is crucial for mitigation.

To further enhance security, users are advised to adhere to best practices, including privilege limitation, network access control, and vigilant monitoring for unusual activities. Additionally, exercising caution with file sources and prioritizing trustworthiness can significantly reduce the risk posed by this vulnerability.

Remote Code Execution Vulnerability in Skype for Consumer

CVE-2024-21411 presents a Remote Code Execution vulnerability in Skype for Consumer with a CVSS score of 8.8, posing a considerable risk to users. This vulnerability can be exploited by an attacker sending a malicious link or image via instant message, requiring the user’s action to click on it for execution. The nature of this vulnerability allows for remote exploitation with significant potential impact on confidentiality, integrity, and availability, granting attackers the ability to read, write, and delete files on the compromised system.

Despite no known public disclosures or active exploits at the time of this notice, the seriousness of this vulnerability warrants prompt updates by Skype for Consumer users to the latest version to mitigate risk.

This issue affects all Skype versions prior to the latest release. Users are urged to update their Skype application by downloading the most recent version from the official website and adhering to the provided installation instructions. Additionally, adhering to system security best practices—restricting user privileges, limiting network access, and vigilant monitoring for unusual activities—is crucial. Users should also exercise caution with links or images from unverified sources, ensuring interactions only occur with trusted content.

Google Chrome

Google has unveiled Chrome 122, which introduces new features and bug fixes alongside the resolution of 12 security vulnerabilities. Many vulnerabilities were detected through automated testing tools such as AddressSanitizer, MemorySanitizer, Control Flow Integrity, LibFuzzer, and AFL. Importantly, no critical vulnerabilities were found that could bypass all browser protection layers, allowing external code execution outside the sandbox environment.

In the realm of security, Google’s vulnerability bounty program has rewarded contributors with a total of $28,000 across eight bounties for this release. The distribution includes individual bounties of $8,000, $7,000, $5,000, $3,000, $2,000, and three $1,000 bounties. The most significant rewards were given for identifying a bug in the site isolation implementation, a buffer overflow in the Blink engine, and a use-after-free vulnerability in the Mojo library.

Mozilla Firefox

Firefox 123 addresses 32 security vulnerabilities, with 24 categorized as dangerous. A notable portion of these vulnerabilities, specifically 23 (with 22 encapsulated within CVE-2024-1553 and CVE-2024-1557), stem from memory handling problems like buffer overflows and accessing previously freed memory areas. Such vulnerabilities could allow the execution of malicious code upon visiting specially crafted web pages. Additionally, CVE-2024-1547 exposes a vulnerability where an attacker’s warning dialog could be misrepresented as belonging to a different website.

It is strongly recommended to update your browser promptly to safeguard against these vulnerabilities.

JetBrains TeamCity

JetBrains has faced significant backlash from the information security community due to their mishandled disclosure and patching of two severe vulnerabilities in TeamCity, as reported by Rapid7 researchers in late February. These vulnerabilities are present in the TeamCity On-Premises CI/CD web component and impact all local installation versions before 2023.11.3.

The more critical vulnerability, CVE-2024-27198 with a CVSS score of 9.8, involves an authentication bypass resulting from an alternate path issue, allowing an unauthenticated remote attacker to assume control of the server with administrative rights. This compromise enables full control over projects, builds, agents, and artifacts, presenting a significant risk for supply chain attacks.

The other, CVE-2024-27199 with a CVSS score of 7.3, is a path traversal vulnerability in the TeamCity web component. It permits authentication bypass and the alteration of a limited set of system settings, but the attacker must be on the victim’s network. This vulnerability could lead to DoS attacks or to sniffing client connections via a man-in-the-middle (MitM) position.

JetBrains has released TeamCity version 2023.11.4 to address these vulnerabilities, initially without detailing the security fixes. Subsequently, the company outlined the severity and potential exploitation consequences of these vulnerabilities. Rapid7 further highlighted the seriousness by creating a PoC that facilitated authentication and shell access (Meterpreter session) on the compromised TeamCity server. They also provided an in-depth technical explanation of the vulnerabilities, including methods for creating new administrator accounts or tokens to seize server control.

Administrators are urgently advised to update their servers to version 2023.11.4. For those unable to upgrade, a security patch plugin is available for TeamCity versions 2018.2 and newer, as well as 2018.1 and older.

The situation has escalated with researchers, including LeakIX, noting that mass exploitation of the critical authentication bypass vulnerability has started, with over 1,700 TeamCity servers remaining unpatched. Many of these servers, predominantly located in Germany, the United States, and Russia, have already been compromised, indicating the onset of a large-scale supply chain attack. The compromised servers have up to 300 illicit user accounts created, with a noticeable alphanumeric naming pattern.

GreyNoise and LeakIX have observed a significant uptick in exploitation attempts, particularly from DigitalOcean’s hosting infrastructure in the United States. These compromised TeamCity servers, crucial for software build and deployment, underscore the urgency for administrators to secure their instances against the ongoing active exploitation phase and potential supply chain attacks.

Zeek

A researcher from the University of Central Florida has uncovered critical vulnerabilities in the EtherCAT plugin of Zeek, an open-source network security monitoring tool, posing risks to ICS networks. Zeek, which has over 10,000 installations worldwide and is often bundled with security software such as Security Onion, incorporates the Industrial Control System Network Protocol Analyzer (ICSNPP) plugins. These plugins extend Zeek so that it can detect malicious activity in ICS-specific protocols, including BACnet, Ethernet/IP, Modbus, OPC UA, S7comm, and EtherCAT. The discovered vulnerabilities have been cataloged as CVE-2023-7244, CVE-2023-7243, and CVE-2023-7242.

Attackers exploiting these vulnerabilities can disrupt networks overseen by Zeek by sending specially crafted packets. While some attack vectors require access to the target organization’s network, others can be initiated directly from the Internet. In a straightforward attack scenario involving a single UDP packet, an attacker can trigger repeated crashes of the Zeek process.

A more intricate attack leveraging all three vulnerabilities could allow an attacker with limited access to execute arbitrary code with elevated privileges on the machine running Zeek.

The gravest threat emerges in systems lacking certain security measures like ASLR, where attackers can gain full network visibility, intercept sensitive data, and facilitate further attacks. This level of compromise is achievable by sending just two UDP packets to any machine on the network accessible from the WAN.

Patching the EtherCAT plugin vulnerabilities, which required substantial changes to the code logic, took approximately six weeks. It was also noted that other platforms are inherently resistant to these types of vulnerabilities.

VMware

VMware has issued patches for four vulnerabilities impacting its ESXi, Workstation, and Fusion products, including two critical flaws that could allow for remote code execution (RCE).

The critical vulnerabilities, identified as CVE-2024-22252 and CVE-2024-22253, are use-after-free bugs in the XHCI USB controller, with CVSS scores of 9.3 for Workstation and Fusion, and 8.4 for ESXi systems. These flaws could enable an attacker with local administrative rights on a virtual machine to execute code as the VMX virtual machine process on the host.

Additionally, VMware disclosed two other vulnerabilities, CVE-2024-22254 and CVE-2024-22255, with CVSS scores of 7.9. CVE-2024-22254, an out-of-bounds write issue in ESXi, could allow an attacker with VMX process privileges to exit the sandbox. CVE-2024-22255, another out-of-bounds write vulnerability in the UHCI USB controller, could permit an attacker with administrative access to a virtual machine to leak memory from the VMX process.

The patched versions addressing these issues span across multiple releases, including those that are end-of-life (EoL): ESXi versions from 6.5 up to the latest; Workstation 17.x to 17.5.1; and Fusion 13.x (macOS) to 13.5.1. VMware also suggests a temporary workaround of removing all USB controllers from virtual machines until patches can be applied.

Furthermore, VMware has advised administrators to remove the legacy VMware Enhanced Authentication Plug-in (EAP), plagued by two unpatched vulnerabilities, CVE-2024-22245 (CVSSv3 base score 9.6) and CVE-2024-22250 (7.8). The plugin, which facilitates seamless vSphere management interface logins using Windows’ authentication and smart card capabilities, has been unsupported since the release of vCenter Server 7.0 Update 2 in March 2021. These vulnerabilities could allow attackers to manipulate Kerberos service tickets and hijack EAP sessions.

To mitigate the risks posed by CVE-2024-22245 and CVE-2024-22250, administrators are urged to remove the affected browser plug-in and disable the VMware Plug-in Service. VMware recommends adopting alternative authentication methods for vSphere 8, such as Active Directory over LDAPS, Microsoft Active Directory Federation Services (ADFS), Microsoft Entra ID (formerly Azure AD), and Okta, in place of the vulnerable plugin.

Apple

Apple has deployed an emergency update for iOS, targeting fixes for two zero-day vulnerabilities that have been exploited in targeted attacks against iPhones, with indications pointing towards spyware use. This year, the count of zero-days affecting Apple’s products is on the rise, although it has yet to reach the record of 20 set last year. The pace, however, is notable.

The newly identified zero-day vulnerabilities reside in the iOS kernel (CVE-2024-23225) and RTKit (CVE-2024-23296), enabling attackers with arbitrary kernel read and write access to bypass kernel memory protection. Apple has remedied these vulnerabilities in iOS 17.4, iPadOS 17.4, iOS 16.7.6, and iPadOS 16.7.6 by improving input validation.

A broad range of Apple devices is impacted by these vulnerabilities, including but not limited to the iPhone XS, iPhone 8, iPhone X, 5th generation iPad, various models of the iPad Pro, the iPad Air 3rd generation, the iPad 6th generation, and the iPad mini 5th generation (and newer models).

Apple has maintained its usual stance of not disclosing the parties responsible for reporting these vulnerabilities, nor has it shared detailed insights into the attacks’ nature and context exploiting these zero-days. Nevertheless, the urgency for users to update their devices as swiftly as possible is emphasized to protect against potential exploitation.

Smart Toys

While the idea of DDoS attacks via toothbrushes might stay more in the territory of humor, the serious implications of Kaspersky Lab’s research into smart toy vulnerabilities demand attention. This study has highlighted potential risks in smart toys, particularly through their investigation of a learning robot provided by an unnamed manufacturer. The robot, designed to educate and entertain children, is equipped with features like a large screen, microphone, video camera, mobility, games, educational apps, a voice assistant, Wi-Fi connectivity, and integration with a smartphone app for parental control.

The research identified several vulnerabilities in the toy’s API, including issues related to obtaining valid access tokens, transmitting HTTP traffic in cleartext, disclosing access keys for external service APIs (e.g., QuickBlocks, Azure, Linode), and intercepting the Agora token for video communication. Moreover, the use of short, predictable IDs in API requests allowed the full set of device identifiers to be enumerated and linked to IP addresses, owner, and child information.

A significant threat arises if an attacker manages to compromise the update server, potentially replacing an archive file in the cloud with a malicious one. This would allow the execution of arbitrary commands on all connected robots with superuser privileges. Even less sophisticated attackers could exploit the checkAuthentication function and brute-force a device to link it to their account. Collectively, these vulnerabilities could enable unauthorized access to sensitive information, including a child’s data, city of residence, parent’s phone number, and email address, and control over the robot.

The implications of such breaches could extend to cyberbullying, social engineering, and other forms of manipulation of children without parental awareness. To mitigate these risks, Kaspersky Lab advises parents to exercise caution when selecting smart toys and to stay diligent with software updates to protect their children’s privacy and safety.

ConnectWise ScreenConnect

Software company ConnectWise has issued a security update for its ScreenConnect remote access tool, urgently requesting users to apply an emergency patch. This update addresses a critical vulnerability rated at maximum severity (10/10), which is an alternate path or channel authentication bypass that could allow access to sensitive data or enable remote code execution (RCE) on affected servers. These low-complexity attacks require no user interaction to be executed.

Furthermore, the patch resolves another critical issue, a path traversal vulnerability rated with a CVSS severity of 8.4/10, which previously allowed incorrect access to restricted directories.

The vulnerabilities, impacting ScreenConnect version 23.9.7 and earlier, were disclosed publicly a week ago. Despite the quick release of the patch, Huntress researchers reported that they could replicate the vulnerability’s exploitation within hours using the provided proof of concept (PoC).

ScreenConnect’s cloud servers have been secured against these potential threats. However, administrators of on-premises installations are strongly encouraged to update to ScreenConnect version 23.9.8 without delay.

The use of remote monitoring and management (RMM) software like ConnectWise ScreenConnect for malicious activities, including ransomware deployment, is on the rise. Huntress also uncovered instances where attackers leveraged local ScreenConnect instances for sustained access to compromised networks. Within less than a day of disclosure, these vulnerabilities began to be actively exploited, with several PoCs emerging.

ConnectWise has confirmed that attackers have compromised several ScreenConnect accounts, as detailed in their advisory updates. The vulnerabilities, identified as CVE-2024-1708 and CVE-2024-1709, have seen rapid development of exploits, deemed a relatively straightforward task by Huntress researchers, who have also provided indicators of compromise (IoC) and detection advice.

With an alarming 93% (or about 3,800) of ScreenConnect servers still vulnerable according to ShadowServer, the potential for further attacks remains high. The recently disclosed critical vulnerabilities, CVE-2024-1708 and CVE-2024-1709, have already been exploited to distribute ransomware. Huntress links these exploits, named SlashAndGrab, to the delivery of LockBit ransomware, Cobalt Strike, SSH tunnels, remote management tools, and cryptocurrency miners. Affected victims include government agencies and healthcare organizations. Sophos and Trend Micro have also observed these vulnerabilities being exploited by various ransomware gangs, including BlackBasta and Bl00dy, for network intrusion and data encryption.

Given the current pace of exploitation, the SlashAndGrab vulnerabilities pose a significant threat, potentially eclipsing previous zero-day exploits in impact.

Given the escalating threat posed by these vulnerabilities, Action1 has developed two scripts to assist in scanning systems for remote-control software and for the indicators of compromise specifically related to this vulnerability as reported by BitDefender. These scripts were designed to be used in Action1 (instructions below) but can be used standalone or with any endpoint management/RMM system.

Joomla

Joomla has addressed five XSS vulnerabilities in its CMS, significantly mitigating the risk of RCE attacks across numerous sites. These vulnerabilities span various Joomla versions and were brought to light through the investigative efforts of SonarSource, which also provided a technical analysis.

The vulnerabilities identified are as follows:

  • CVE-2024-21722: A flaw in the MFA management feature, where existing user sessions are not properly terminated upon changes to a user’s MFA methods.
  • CVE-2024-21723: Issues stemming from improper URL parsing that could result in open redirects.
  • CVE-2024-21724: A lack of sufficient input validation for media select fields, creating XSS vulnerabilities within various extensions.
  • CVE-2024-21725: Inadequate email address escaping, leading to XSS vulnerabilities across several components.
  • CVE-2024-21726: Insufficient content filtering in the filtering code, exposing the CMS to multiple XSS vulnerabilities.

Among these, CVE-2024-21725 is noted by Joomla’s advisory as the most critical, carrying the highest risk and likelihood of exploitation. On the other hand, CVE-2024-21726, which impacts Joomla’s core filtering component, is labeled as having moderate severity and exploitation probability. Despite this, SonarSource researchers highlight its potential for RCE exploitation, requiring that an attacker persuade an administrative user to click on a malicious link for successful exploitation.

As of now, SonarSource is withholding complete technical details about the vulnerabilities, providing Joomla administrators a window to implement the necessary patches and secure their sites.

SolarWinds

SolarWinds has addressed five critical Remote Code Execution (RCE) vulnerabilities in its Access Rights Manager (ARM), a solution designed for managing enterprise IT infrastructure rights. Notably, one of these vulnerabilities can be exploited without requiring authentication.

The vulnerabilities identified include CVE-2024-23476 and CVE-2024-23479, both path traversal flaws, and CVE-2023-40057, a critical issue involving untrusted data deserialization. These vulnerabilities could allow unauthenticated attackers to execute code on systems that are vulnerable.

Additionally, two other vulnerabilities, CVE-2024-23477 and CVE-2024-23478, have been patched. These bugs, also capable of facilitating RCE attacks, are considered high severity.

These security issues were discovered by the research team at Trend Micro’s Zero Day Initiative (ZDI) and have been resolved by SolarWinds in the Access Rights Manager version 2023.2.3. While the vendor has reported that there are no known instances of these vulnerabilities being exploited in the wild, SolarWinds’ history with cybersecurity incidents prompts a cautious approach to taking their claims at face value.

ESET

Slovakian researchers from ESET encountered a significant mishap with their antivirus software, which, due to a flaw, ended up facilitating privilege escalation on Windows systems instead of providing protection. This led to a swift release of recommendations and patches to address a serious vulnerability impacting a wide array of ESET products designed for Windows environments. These products include antivirus solutions, endpoint and server security tools, as well as email security solutions for Exchange Server, IBM Domino, SharePoint Server, and Azure.

The vulnerability, cataloged as CVE-2024-0353 and carrying a CVSS score of 7.8, was identified within the Real-Time File System Protection feature. It permits an attacker with minimal privileges to delete files with system-level permissions. In response, ESET has issued patches for its comprehensive product lineup, including NOD32, Internet Security, Smart Security Premium, Security Ultimate, Endpoint Antivirus, Endpoint Security for Windows, Server Security for Windows Server, Mail Security for Exchange Server and IBM Domino, and ESET Security for SharePoint Server.

Additionally, ESET has recommended that customers using File Security for Microsoft Azure transition to Server Security for Windows Server. However, it’s worth noting that customers with end-of-life (EoL) products should not expect these patches, as updates will not be provided for these versions.

ESET strongly advises its users to apply the available patches without delay to protect against the vulnerability and ensure system integrity and security.

Linux

Two critical vulnerabilities have been discovered in the ksmbd module, a component that offers SMB protocol support directly within the Linux kernel, enabling a file server implementation. These vulnerabilities could allow remote, unauthenticated users to either execute code with kernel privileges or access kernel memory on systems where the ksmbd module is active. These issues have been present since the introduction of the ksmbd module in Linux kernel version 5.15. Fixes have been applied in kernel updates 6.7.2, 6.6.14, 6.1.75, and 5.15.145. Users of distributions such as Debian, Ubuntu, Gentoo, RHEL, SUSE, Fedora, and Arch should follow these updates closely.

The first vulnerability, CVE-2024-26592, involves the potential for executing code with kernel permissions through specially crafted, unauthenticated TCP requests to the ksmbd server. This vulnerability stems from improper object locking management during the establishment and termination of TCP connections to ksmbd, leading to use-after-free conditions.

The second vulnerability, CVE-2024-26594, could expose kernel memory contents through the processing of malformed mech tokens in session setup requests. It is caused by improper handling of SMB2 mech tokens, resulting in out-of-bounds data reads.

In addition to these, several other vulnerabilities within the Linux kernel have been identified:

  • CVE-2023-52439: Use-after-free in the uio subsystem’s uio_open function, potentially allowing local code execution with kernel privileges.
  • CVE-2024-26582: Use-after-free in the kernel’s TLS implementation (ktls), which could enable local privilege escalation during decryption tasks.
  • CVE-2024-0646: Out-of-bounds write in the ktls subsystem, which could lead to privilege escalation through specific ktls socket manipulations.
  • CVE-2023-6932: A race condition in the IGMP implementation within the IPv4 stack, leading to use-after-free memory access and potential local privilege escalation.
  • CVE-2023-52435: MSS overflow in the skb_segment() function of the kernel network stack.
  • CVE-2024-26601: A vulnerability in the ext4 filesystem’s block release code that can lead to buddy bitmap corruption.
  • CVE-2024-26598: Use-after-free in the KVM hypervisor.

Users and administrators are urged to apply the necessary kernel updates promptly to mitigate these vulnerabilities and protect their systems from potential exploitation.

Node.js

The Node.js JavaScript platform has announced the release of patches 21.6.2, 20.11.1, and 18.19.1, addressing a total of 8 vulnerabilities, with 4 classified as high severity:

  • CVE-2024-21892: This vulnerability allows an unprivileged user to execute code with the elevated privileges of a workflow due to a flaw in handling exceptions for environment variables exposed by unprivileged users. The exception, intended solely for the CAP_NET_BIND_SERVICE capability, was mistakenly applied to additional capabilities.
  • CVE-2024-22019: A Denial of Service vulnerability results from the exhaustion of system resources (CPU and bandwidth) by processing specially crafted chunked requests in an embedded HTTP server, allowing unlimited byte reading in a single connection.
  • CVE-2024-21896: This vulnerability, concerning Base Directory Overrun in File Paths, permits bypassing the file path normalization performed by path.resolve() when paths are passed using the Buffer class. Although the path is validated, its contents can be replaced after path.resolve() has run, because Buffer.prototype.utf8Write can be overridden (monkey-patched) by application code.
  • CVE-2024-22017: The setuid() system call fails to reset all privileges, specifically not affecting io_uring operations in libuv if they were initialized before the call to setuid().
  • CVE-2023-46809: A vulnerability in the privateDecrypt() API that could enable a Marvin attack, a timing side channel that can allow an attacker to decrypt RSA ciphertexts.
  • CVE-2024-21891: Allows bypassing the permissions model with custom file path normalization handlers.
  • CVE-2024-21890: Incorrect handling of masks in the --allow-fs-read and --allow-fs-write parameters, leading to broader access than intended due to the mishandling of the “*” mask.
  • CVE-2024-22025: Denial of Service caused by resource exhaustion when decoding Brotli-compressed data received through a fetch() call.

Additionally, the release of the libuv 1.48.0 library, integral to Node.js for connection multiplexing and asynchronous I/O, addresses a server-side request forgery (SSRF) vulnerability (CVE-2024-24806). This flaw stems from the uv_getaddrinfo() function truncating hostnames to 256 characters before domain resolution, potentially leading to incorrect IP address resolution and bypassed checks. This issue affects not only Node.js but also projects like BIND 9, Knot DNS servers, H2O HTTP server, the Luvit Lua framework, MoarVM, the Julia language, and the uvloop Python framework.

Moreover, the Node.js HTTP client undici 5.28.3 has been updated to fix a vulnerability (CVE-2024-24758) that arose from failing to clear the Proxy-Authorization HTTP header during request redirections.
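The undici fix is a rule any redirect-following client should apply: credentials bound to the first origin, including proxy credentials, must not travel to a different origin. The helper below is an added example, not undici code; the set of headers treated as credentials and the sample request are assumptions for the demonstration.

```javascript
// Added example (not undici's code): decide which request headers may
// accompany a redirected request. Credentials tied to the original origin or
// to the proxy are dropped when the target is a different origin; the bug
// described above was forwarding Proxy-Authorization regardless of origin.
const CREDENTIAL_HEADERS = new Set(['authorization', 'proxy-authorization', 'cookie']);

// Two URLs share an origin when scheme, host and port all match. A scheme
// change (https -> http) is therefore cross-origin even on the same host.
function sameOrigin(a, b) {
  const ua = new URL(a);
  const ub = new URL(b);
  return ua.protocol === ub.protocol && ua.hostname === ub.hostname && ua.port === ub.port;
}

// Returns a new header object (lower-cased names) for the follow-up request.
// Credential headers survive only a same-origin redirect.
function headersForRedirect(headers, fromUrl, toUrl) {
  const crossOrigin = !sameOrigin(fromUrl, toUrl);
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    const key = name.toLowerCase();
    if (crossOrigin && CREDENTIAL_HEADERS.has(key)) continue; // do not leak credentials
    out[key] = value;
  }
  return out;
}

// Constructed sample request: headers a client might send through an
// authenticating proxy (the credential value is a placeholder).
const SAMPLE_HEADERS = {
  'Proxy-Authorization': 'Basic PLACEHOLDER-SAMPLE',
  Cookie: 'session=abc123',
  Accept: 'application/json',
};
console.log(headersForRedirect(SAMPLE_HEADERS, 'https://api.example/v1', 'https://cdn.other.example/file'));
```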

Node.js users are strongly encouraged to apply these patches as soon as possible to protect their systems and applications from potential exploitation.

How To Efficiently Patch All of These Vulnerabilities And More

Want to learn about newly released updates as soon as they are available? With Action1, you can — as well as streamline the entire patch management process, from identifying missing updates to compliance reporting, across both Windows OS and third-party software.
