Patch Tuesday May 2024

May 14, 2024

By Mike Walters

Patch Tuesday May 2024 Updates – Vulnerability Digest from Action1

This digest explains the most serious vulnerabilities in popular Windows software that have been patched over the past month.

For even more information, watch the recorded May 2024 Vulnerability Digest webinar, join our next Patch Tuesday webinar and visit our Patch Tuesday Watch page.

Microsoft Vulnerabilities

Today’s Patch Tuesday sees Microsoft addressing 61 vulnerabilities, a notable decrease from last month’s 151. Among these, only one critical vulnerability is associated with Microsoft SharePoint. This release also includes two zero-days, one of which has a proof of concept (PoC) available. Additionally, another vulnerability with a PoC has been identified but has not yet been exploited. Here are details on the most interesting critical updates.

Windows DWM Core Library Elevation of Privilege Vulnerability (CVE-2024-30051)

The newly identified zero-day, CVE-2024-30051, affects the Windows Desktop Window Manager (DWM) Core Library. This elevation of privilege vulnerability stems from a heap-based buffer overflow (CWE-122) within the library. It could allow an attacker to gain SYSTEM-level privileges on machines running vulnerable versions of Windows, starting with Windows 10 and above, including Windows Server 2016 and later.

CVSS:3.1 Score: 7.8 (High) – Microsoft rates this vulnerability as high, with a significant impact on confidentiality, integrity, and availability.

Key Vulnerability Metrics:

    • Attack Vector: Local – The vulnerability can only be exploited with local access to the system.
    • Attack Complexity: Low – The attack does not require complex strategies and can be carried out with minimal prerequisites.
    • Privileges Required: Low – Only low-level privileges are needed, making the vulnerability easier to exploit.
    • User Interaction: None – No user interaction is necessary once access is obtained.

Heap-based buffer overflow vulnerabilities are particularly severe due to the critical nature of heap management. If exploited, this vulnerability allows an attacker to inject and execute arbitrary code with the privileges of the target process, escalating to SYSTEM privileges. By altering heap structures, an attacker could redirect code execution toward malicious payloads.

This vulnerability can be exploited by a low-privileged local user on a shared system to gain SYSTEM-level access, which could allow them to install software, alter or delete data, and modify system settings destructively. Alternatively, malware utilizing a multi-stage payload might leverage this exploit to increase its privileges and further compromise the system.

Furthermore, an attacker might use a less severe vulnerability as an entry point to gain initial low-level access to a machine and then exploit CVE-2024-30051 to escalate their privileges from a low-privileged account to SYSTEM, thereby gaining extensive control over the machine. Such SYSTEM privileges could be used to disable security features, steal sensitive data, or conduct lateral movements across the network to compromise additional systems and spread malware.

Given its critical nature and the low complexity of the exploit, CVE-2024-30051 poses a significant risk, particularly in environments with numerous and diverse local users, such as corporate networks and academic institutions. The existence of functional exploit code and confirmed exploitation reports suggests that attackers are well-acquainted with this vulnerability and are actively exploiting it in campaigns. In light of the high level of privilege attainable through this exploit, it is crucial for organizations to prioritize deploying Microsoft’s official patch to mitigate potential damage.

Windows MSHTML Platform Security Feature Bypass Vulnerability (CVE-2024-30040)

A new zero-day, CVE-2024-30040, has been identified as a security feature bypass vulnerability in the MSHTML (Trident) platform, a crucial component used for rendering HTML content in various applications, including Microsoft 365 and Microsoft Office. This vulnerability stems from improper input validation (CWE-20), allowing attackers to circumvent Object Linking and Embedding (OLE) mitigations that protect against malicious COM/OLE controls.

Key Details:

    • CVSS:3.1 Score: 8.8 (High) – Reflecting significant potential impacts on confidentiality, integrity, and availability.
    • Attack Vector: Network – The vulnerability can be exploited remotely over a network.
    • Attack Complexity: Low – The attack requires minimal technical skill.
    • Privileges Required: None – No privileges are needed to execute the attack.
    • User Interaction: Required – The user must interact with a malicious document for exploitation to succeed.
    • Affected Systems: Windows 10 and above, Windows Server 2016 and above.

Exploitation and Impact:
This vulnerability specifically targets and bypasses OLE mitigations, rendering defenses against vulnerable COM/OLE controls ineffective. Typically, users are deceived into interacting with malicious files, which might be delivered via email or instant messaging. Because MSHTML fails to properly validate and sanitize input, attackers can craft documents that bypass its OLE mitigations and execute arbitrary code once the user interacts with them.

Attack Scenarios Include:

    • Distributing malicious documents through emails that coax users into downloading and opening them, thereby bypassing OLE security features and executing arbitrary code.
    • Hosting compromised websites that exploit this vulnerability when visited using Internet Explorer or applications with embedded MSHTML rendering engines.
    • Sending deceptive messages that link to malicious files or embedded components, exploiting the vulnerability when interacted with by the user.

Potential Consequences:
Combining CVE-2024-30040 with an elevation of privilege vulnerability could allow attackers not only to gain initial access through a malicious document but also to elevate that access to higher privileges within the system, such as SYSTEM or root. Successful arbitrary code execution via CVE-2024-30040 could enable attackers to implement persistence mechanisms to maintain their presence within the system, even after attempts to remove the malicious document.

Once exploited, this vulnerability could allow attackers to extract sensitive information from secured environments and exploit additional vulnerabilities to move laterally within the network, further compromising internal systems.

In conclusion, the discovery of CVE-2024-30040 highlights a critical flaw in the Windows MSHTML platform that could have far-reaching implications, since the component is embedded in widely used applications such as Microsoft Office. Given the low complexity and network vector of the exploit, and that a single user interaction with a crafted document is enough to trigger it, it remains crucial that systems are patched to mitigate potential harm.

Remote Code Execution Vulnerability in Microsoft SharePoint Server (CVE-2024-30044)

CVE-2024-30044 represents a critical Remote Code Execution (RCE) vulnerability affecting Microsoft SharePoint Server, attributed to untrusted data deserialization (CWE-502). This high-risk programming error could allow attackers to execute arbitrary code on the server if they upload a specially crafted file that triggers the deserialization process.

Vulnerability Details:

    • Maximum Severity: Critical
    • CVSS:3.1 Score: 8.8 (high initial score) / 7.7 (adjusted environment score)
    • Attack Vector: Network – The vulnerability can be exploited remotely via API endpoints.
    • Attack Complexity: Low – The attack requires minimal technical skill and preparation.
    • Privileges Required: Low – Attackers need only Site Viewer or higher permissions on the target SharePoint site.
    • User Interaction: None – The attack does not require any user interaction beyond the attacker’s actions.
    • Affected Versions: SharePoint Server 2016, 2019.

Exploitation and Impact:
Untrusted Data Deserialization is particularly dangerous because it allows attackers to inject and execute arbitrary code during the deserialization process. Attackers exploiting CVE-2024-30044 can upload malicious serialized objects to a SharePoint Server, which the server then deserializes during normal operations, leading to arbitrary code execution.

An attacker with basic Site Viewer permissions could leverage this vulnerability to execute code remotely, enabling activities such as deploying web shells, installing malware, or extracting sensitive data. If an attacker gains initial access through other means, such as phishing or another vulnerability, they could use CVE-2024-30044 to establish a more persistent and powerful foothold within the network.

Further Risks and Remediation:
Combining this vulnerability with another that allows privilege escalation could enable attackers to transition from initial access to full administrative control. This can facilitate persistence within the network and make detection more challenging. Upon establishing control, attackers could use further tools to exfiltrate sensitive data from the SharePoint Server, potentially leading to significant data breaches. Additionally, once remote code execution is achieved, threat actors might deploy ransomware to encrypt critical files on the SharePoint Server, demanding a ransom for the decryption keys.

Given CVE-2024-30044’s network-based attack vector, low complexity, and critical impact on confidentiality, integrity, and availability, the risk is pronounced in environments where SharePoint Server is widely accessible. The vulnerability’s “Exploitation More Likely” rating indicates an urgent need for organizations to apply Microsoft’s official patch to mitigate this risk before threat actors develop and deploy reliable exploits.

Remote Code Execution Vulnerability in Microsoft Excel (CVE-2024-30042)

CVE-2024-30042 is a significant Remote Code Execution (RCE) vulnerability affecting Microsoft Excel. This issue arises from the improper deserialization of untrusted data (CWE-502), a common programming flaw that can lead to arbitrary code execution when a specially crafted Excel file is opened. While the vulnerability is classified as “remote,” it requires local execution initiated by user interaction on the victim’s machine.

Vulnerability Details:

    • CVSS:3.1 Score: 7.8 (high) / 6.8 (moderate adjusted score)
    • Attack Vector: Local – The vulnerability requires local execution following user interaction.
    • Attack Complexity: Low – The exploit does not necessitate advanced techniques or specific prerequisites.
    • Privileges Required: None – No prior access or elevated privileges are needed to carry out the attack.
    • User Interaction: Required – The user must open a specially crafted Excel file.
    • Affected Versions: Excel 2016 and above

Exploitation Mechanism and Impact:
The vulnerability triggers when Excel processes a malicious file containing serialized objects. Upon opening such a file, these objects are deserialized, potentially executing arbitrary code on the user’s system. This could allow an attacker to take control of the affected system.

Potential Attack Scenarios Include:

    • Email Distribution: Attackers could send malicious Excel files via email. Once the recipient opens the file, the embedded malicious code executes.
    • Compromised Websites: Files hosted on compromised or malicious websites could deliver the exploit. Downloading and opening such files would trigger the vulnerability.
    • Network Sharing in Corporate Environments: In environments where Excel documents are frequently shared, attackers with network access could replace legitimate files with malicious versions to propagate the exploit.

Broader Implications and Defensive Measures:
If successfully exploited, CVE-2024-30042 could serve as an initial access point for further attacks. Attackers could leverage additional vulnerabilities for privilege escalation to obtain greater control over the system. They could also deploy ransomware to encrypt files on the compromised system, demanding a ransom for decryption. Combining this vulnerability with network vulnerabilities could enable lateral movement across the network to access and exfiltrate sensitive data from other systems.

CVE-2024-30042 highlights the ongoing risks posed by client-side applications like Excel, which are frequent targets due to their widespread use and the valuable data they handle. The necessity for user interaction, such as opening a file, underscores the crucial role of user awareness and education in mitigating threats from such vulnerabilities.

Google Chrome

Google Chrome version 124 addresses 22 security vulnerabilities, many of which were detected through automated testing tools such as AddressSanitizer, MemorySanitizer, Control Flow Integrity, LibFuzzer, and AFL. Fortunately, none of these issues were critical enough to circumvent all layers of browser protection or allow external code execution outside of the sandbox environment.

Recently, however, a new zero-day vulnerability, CVE-2024-4671, was discovered in the Visuals component of Google Chrome. This use-after-free (UAF) vulnerability is a type of memory corruption flaw that malicious actors could exploit to execute arbitrary code on a victim’s system. Specifically, it allows hackers to manipulate improperly managed memory to seize control of an affected device.

A UAF issue arises when an application continues to use memory after it has been freed, which can potentially enable an attacker to execute arbitrary code. In Chrome’s case, the compromised Visuals component, typically responsible for rendering graphical content, poses significant risks. Exploitation of such vulnerabilities could lead to system crashes, data corruption, or, in more severe cases, unauthorized system access and control.

Google has confirmed that an exploit for CVE-2024-4671 is currently being used in the wild, underlining the critical nature of this threat and the necessity for immediate remedial action. The following versions of Google Chrome have been updated to address this vulnerability:

    • 124.0.6367.201 for Mac and Windows (stable and extended stable channels)
    • 124.0.6367.202 for Windows (stable channel)
    • 124.0.6367.201 for Linux (stable channel)

The discovery and active exploitation of CVE-2024-4671 underscore the high-risk nature of this threat and highlight Google’s prompt response as a testament to the importance of a proactive security stance by software vendors.

Mozilla Firefox

Firefox 125 not only introduces new features and bug fixes but also addresses 18 security vulnerabilities, with 12 considered dangerous. Notably, 11 vulnerabilities are linked to memory handling issues—such as buffer overflows and accessing freed memory areas—which are identified in part by CVE-2024-3865. These vulnerabilities can lead to the execution of malicious code when users open specially crafted web pages.

Key vulnerabilities addressed in this update include:

    • CVE-2024-3852: A flaw in JIT optimization within ‘GetBoundName’ can lead to the incorrect object being returned, presenting a high-level threat.
    • CVE-2024-3853: A use-after-free error can occur if garbage collection is initiated during realm initialization, posing a significant exploitation risk.
    • CVE-2024-3854 & CVE-2024-3855: Both are due to JIT optimization errors, leading to out-of-bounds reads and compromising memory safety.
    • CVE-2024-3856: A use-after-free vulnerability associated with WebAssembly (WASM) garbage collection poses a potential vector for high-impact attacks.
    • CVE-2024-3857: Incorrect JIT compilation of arguments might trigger use-after-free issues during garbage collection operations.
    • CVE-2024-3858: Memory corruption can occur from dereferencing a corrupt pointer within a JavaScript object traced by the JIT compiler.
    • CVE-2024-3859: An integer overflow in 32-bit versions can lead to out-of-bounds reads when processing a malformed OpenType font, posing a moderate risk.
    • CVE-2024-3860 to CVE-2024-3862: These vulnerabilities involve moderate risks including potential crashes from an empty shape list during tracing, use-after-free from self-move semantics, and uninitialized memory usage in certain self-assignments.
    • CVE-2024-3863: .xrm-ms files can bypass download protections on Windows systems, circumventing executable file warnings.
    • CVE-2024-3864 & CVE-2024-3865: Reported by contributors including Mozilla’s Fuzzing Team, these memory safety bugs indicate potential for memory corruption and could be exploited for arbitrary code execution with sufficient effort.
    • CVE-2024-3302: A lower-impact vulnerability where unbounded processing of HTTP/2 CONTINUATION frames could lead to a DoS due to an Out of Memory state in the browser.

Mozilla’s comprehensive response with this update highlights the importance of a vigilant security posture. Users and system administrators are urged to update to the latest version of Firefox as a priority to mitigate these vulnerabilities. As always, maintaining up-to-date software is crucial for protection against known threats.

Intel, AMD Processors

Researchers from VUSec at the University of Amsterdam have disclosed a new variant of the Spectre v2 attack, designated CVE-2024-2201, which impacts Linux systems on modern Intel processors. This attack leverages speculative execution as a side channel. Despite ongoing efforts by processor manufacturers to bolster hardware and software defenses since the original Spectre and Meltdown disclosures in 2018, new methods to execute these attacks continue to emerge.

Spectre-style attacks typically enable attackers with access to a target system to extract sensitive data, such as encryption keys and passwords, from memory. In 2022, VU Amsterdam researchers introduced a Spectre v2 extension known as Branch History Injection (BHI), revealing that the attack surface was broader than initially perceived by hardware vendors. The latest study from VUSec, partially funded by Intel, details the first Spectre v2 exploit targeting the Linux kernel, effectively leaking arbitrary kernel memory at a rate of 3.5 Kbps on Intel’s latest processors.

The exploit involves an unprivileged attacker manipulating the kernel to speculatively access a gadget that transmits data to the attacker. VUSec has also developed a new tool, InSpectre Gadget, to identify potential Linux kernel gadgets for such attacks. Their findings demonstrated a successful BHI attack extracting the root password hash from a system equipped with a 13th generation Intel Core processor.

Intel has responded by updating its BHI advisory with recommended mitigations, including disabling the unprivileged eBPF filter, enabling extended indirect branch restricted speculation (eIBRS), and supervisor mode execution protection (SMEP). Intel also advises inserting load fence (LFENCE) instructions at specific code locations and implementing software sequences to clear the branch history buffer (BHB) when transitioning between security domains. Future Intel processors will incorporate these measures to address BHI and other speculative execution vulnerabilities.
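A quick way to verify the first three of those recommendations (unprivileged eBPF disabled, eIBRS active, SMEP available, plus the kernel's own BHB-clearing status) on a Linux host is to read what the kernel already reports. The script below is an added example, not Action1's, VUSec's or Intel's code; the sysfs and procfs paths are the standard kernel locations, while the sample status strings are constructed to resemble kernel output, whose exact wording varies by kernel version.

```python
"""Check a Linux host against the BHI mitigations Intel recommends.

Added example. Reads the kernel's own reporting (sysfs spectre_v2
status, the unprivileged_bpf_disabled sysctl and the CPU flags in
/proc/cpuinfo) and lists which recommendations are not in place.
"""
import re
from pathlib import Path

SPECTRE_V2 = Path("/sys/devices/system/cpu/vulnerabilities/spectre_v2")
UNPRIV_BPF = Path("/proc/sys/kernel/unprivileged_bpf_disabled")
CPUINFO = Path("/proc/cpuinfo")


def parse_spectre_v2(status: str) -> dict:
    """Break a spectre_v2 status line into the facts we care about."""
    text = status.strip()
    # Kernels separate the sub-fields with ';' (newer) or ',' (older).
    fields = [f.strip() for f in re.split(r"[;,]", text) if f.strip()]
    head = fields[0] if fields else ""
    bhi_field = next((f for f in fields if f.startswith("BHI:")), None)
    if bhi_field is None:
        bhb_clear = None  # kernel predates BHI reporting: status unknown
    else:
        bhb_clear = "Vulnerable" not in bhi_field
    return {
        "affected": not text.startswith("Not affected"),
        "mitigated": not text.startswith("Vulnerable"),
        "eibrs": "Enhanced" in head or "eIBRS" in head,
        "bhb_clear": bhb_clear,
    }


def assess(spectre_v2_status: str, unpriv_bpf: int, cpu_flags: str) -> list:
    """Return the recommendations this host does not meet (empty = all met)."""
    s = parse_spectre_v2(spectre_v2_status)
    gaps = []
    if not s["affected"]:
        return gaps
    if not s["mitigated"]:
        gaps.append("spectre_v2 reported as Vulnerable")
    # sysctl value 0 = unprivileged eBPF allowed; 1 or 2 = disabled.
    if unpriv_bpf == 0:
        gaps.append("unprivileged eBPF enabled (kernel.unprivileged_bpf_disabled=0)")
    if not s["eibrs"]:
        gaps.append("eIBRS not active")
    if "smep" not in cpu_flags.split():
        gaps.append("SMEP not available")
    if s["bhb_clear"] is False:
        gaps.append("BHB clearing reported as Vulnerable")
    elif s["bhb_clear"] is None:
        gaps.append("kernel does not report BHI status (update kernel to verify)")
    return gaps


def read_live() -> list:
    """Assess the running host; explains itself when the kernel files are absent."""
    try:
        status = SPECTRE_V2.read_text()
        bpf = int(UNPRIV_BPF.read_text().strip())
        flags = next(line for line in CPUINFO.read_text().splitlines()
                     if line.startswith("flags"))
    except (OSError, StopIteration, ValueError):
        return ["could not read kernel mitigation status (not Linux or not permitted)"]
    return assess(status, bpf, flags.split(":", 1)[1])


# Constructed sample inputs, not captured from a real machine.
HARDENED = ("Mitigation: Enhanced / Automatic IBRS; IBPB: conditional; RSB filling; "
            "PBRSB-eIBRS: SW sequence; BHI: SW loop, KVM: SW loop")
OLD_KERNEL = "Mitigation: Enhanced IBRS, IBPB: conditional, RSB filling, PBRSB-eIBRS: SW sequence"
FLAGS_WITH_SMEP = "fpu vme de pse smep smap"

if __name__ == "__main__":
    for gap in read_live() or ["all checked BHI recommendations are in place"]:
        print("-", gap)
```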

In a separate discovery, researchers led by the University of California, San Diego, identified a new side-channel attack targeting the Path History Register in Intel’s high-performance processors. Dubbed Pathfinder, this research revealed that the Path History Register not only tracks recent branches but also reconstructs a more extensive history of branch sequences, allowing for more precise information extraction. This insight into the branch predictor’s structure enables attackers to more accurately gauge past branch behaviors, enhancing the efficacy of control flow attacks.

The Pathfinder team conducted case studies demonstrating the extraction of a secret AES encryption key and the unauthorized retrieval of images processed by the libjpeg library. The findings were reported to Intel and AMD in November 2023, leading to advisories that existing patches for Spectre v1 were adequate for protection. Pathfinder represents the most sophisticated attack to date targeting microarchitectural mechanisms like those exploited by Spectre and BranchScope.

Aruba

HPE Aruba Networking has released patches for four critical remote code execution (RCE) vulnerabilities in ArubaOS, each assigned a CVSS v3.1 severity score of 9.8. These vulnerabilities impact various devices, including the HPE Aruba Networking Mobility Conductor, mobile controllers, WLAN gateways, and SD-WAN gateways managed by Aruba Central. The affected versions include ArubaOS 10.5.1.0 and below, 10.4.1.0 and above, 8.11.2.1 and below, 8.10.0.10 and above, and all versions of ArubaOS and SD-WAN that have reached their end of life (EoL).
The specific vulnerabilities are as follows:

    • CVE-2024-26305: This vulnerability exists in the ArubaOS utility daemon and allows an unauthenticated attacker to execute arbitrary code remotely by sending specially crafted packets to the PAPI UDP port.
    • CVE-2024-26304 and CVE-2024-33511: Both vulnerabilities are located in the L2/L3 management and automated reporting services. They can be exploited by an unauthenticated attacker sending specially crafted packets to the PAPI protocol port, enabling remote execution of arbitrary code.
    • CVE-2024-33512: This vulnerability results from a buffer overflow in the local user authentication database service, accessible via the PAPI protocol, allowing unauthenticated remote attackers to execute arbitrary code.

Additionally, HPE Aruba Networking has addressed six other medium-severity vulnerabilities that could allow unauthenticated attackers to cause a denial of service (DoS) on the affected devices.

While there are currently no known proofs of concept (PoC) exploits or releases in the wild, system administrators are urged to enable enhanced PAPI security features and install the provided updates immediately to mitigate these vulnerabilities.

WordPress

WPScan has reported the active exploitation of a vulnerability in the WP-Automatic plugin, designated as CVE-2024-27956. This SQL injection (SQLi) vulnerability, with a CVSS score of 9.9, affects all versions of the plugin back to 3.9.2.0. Attackers are exploiting this flaw to gain unauthorized access to websites, create admin accounts, upload malicious files, and potentially seize full control of affected WordPress sites. The vulnerability originates from the plugin’s user authentication mechanism, which attackers can bypass to execute arbitrary SQL queries against the database using specially crafted queries.

In documented attacks, attackers have used CVE-2024-27956 to execute database queries that create new admin accounts on compromised WordPress sites. These accounts can be used to install file upload plugins or modify site code. To ensure persistence and avoid detection, attackers are also creating backdoors, obfuscating code, and renaming the vulnerable WP-Automatic file from /wp-content/plugins/wp-automatic/inc/csv.php to wp-content/plugins/wp-automatic/inc/csv65f82ab408b3.php, a tactic also used to block competing attackers.
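The renaming described above leaves a recognisable trace on disk: a copy of the plugin file under a new name, and often no csv.php at all. The script below is an added example, not Action1's or WPScan's code; it walks a WordPress document root and flags any csv*.php variant in the plugin's inc/ directory (the page reports csv65f82ab408b3.php, but the check is written to catch other suffixes too) and reports whether the original csv.php is gone. The sample site layout it builds is constructed for the demonstration.

```python
"""Look for the WP-Automatic file tampering reported by WPScan.

Added example. Scans wp-content/plugins/wp-automatic/inc for renamed
copies of csv.php and for a missing original.
"""
import tempfile
from pathlib import Path

PLUGIN_INC = Path("wp-content/plugins/wp-automatic/inc")
ORIGINAL = "csv.php"


def scan_wp_automatic(wp_root) -> dict:
    """Return indicators found under wp_root (a WordPress document root)."""
    wp_root = Path(wp_root)
    inc = wp_root / PLUGIN_INC
    if not inc.is_dir():
        return {"plugin_present": False, "renamed_copies": [], "original_missing": False}
    # Any csv<suffix>.php that is not the shipped file is a renamed copy.
    renamed = sorted(
        p.relative_to(wp_root).as_posix()
        for p in inc.glob("csv*.php")
        if p.name != ORIGINAL
    )
    return {
        "plugin_present": True,
        "renamed_copies": renamed,
        "original_missing": not (inc / ORIGINAL).exists(),
    }


def suspicious(findings: dict) -> bool:
    """A renamed copy or a vanished csv.php both warrant investigation."""
    return bool(findings["renamed_copies"]) or findings["original_missing"]


def build_sample_tree(base: Path, compromised: bool) -> Path:
    """Constructed site layout for demonstration; not taken from a real site."""
    inc = base / PLUGIN_INC
    inc.mkdir(parents=True)
    if compromised:
        # The page's reported rename: original gone, suffixed copy in its place.
        (inc / "csv65f82ab408b3.php").write_text("<?php // renamed copy\n")
    else:
        (inc / ORIGINAL).write_text("<?php // original plugin file\n")
    return base


def demo() -> tuple:
    """Scan one clean and one tampered sample install; returns both findings."""
    with tempfile.TemporaryDirectory() as tmp:
        clean = scan_wp_automatic(build_sample_tree(Path(tmp) / "clean", False))
        bad = scan_wp_automatic(build_sample_tree(Path(tmp) / "bad", True))
    return clean, bad


if __name__ == "__main__":
    for label, findings in zip(("clean", "tampered"), demo()):
        print(label, "SUSPICIOUS" if suspicious(findings) else "ok", findings)
```

Point scan_wp_automatic at a real document root to check a live site; an empty renamed_copies list together with a present csv.php is the expected clean state.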

Separately, over 300,000 WordPress sites using the Forminator plugin are vulnerable to a critical flaw that could allow remote attackers to upload malware. This vulnerability, identified as CVE-2024-28890 with a CVSS v3 score of 9.8, was reported by Japan’s CERT. Forminator, developed by WPMU DEV, is a form builder with over 1,000 integrations used for creating various types of forms such as contact, reviews, quizzes, and feedback forms. Additionally, two other vulnerabilities were reported: CVE-2024-31077, a SQL injection flaw affecting versions up to Forminator 1.29.3, and CVE-2024-31857, an XSS vulnerability affecting versions up to Forminator 1.15.4.

Administrators using the Forminator plugin should urgently upgrade to version 1.29.3, which addresses these three vulnerabilities. Although there have been no reports of CVE-2024-28890 being exploited, the high download statistics of the plugin suggest that the risk of exploitation remains significant.

Artificial Intelligence

An April vulnerability report by Protect AI reveals alarming security issues within the realm of artificial intelligence and machine learning, highlighting the risks as these technologies increasingly depend on open source software. The report, discussed during a session with AI vulnerability researchers and cybersecurity group HUNTR, revealed a concerning trend: a 220% increase in vulnerabilities within the supply chain for building machine learning models, up from the initial report in November. A total of 48 vulnerabilities were identified.

These vulnerabilities are primarily found in popular tools such as PyTorch Serve, BerriAI/litellm, BentoML, and FastAPI, which are essential in the AI industry. The types of vulnerabilities detected include remote code execution, server-side template injection, deserialization issues, and denial of service attacks. These tools are not only widespread but are also used to construct mission-critical enterprise applications, underlining the potential impact of these security flaws.

Experts in the field are calling for a collaborative and proactive approach to enhance security measures, emphasizing the importance of safeguarding systems in a world increasingly driven by artificial intelligence and machine learning technologies.

Cisco

Cisco has announced the release of a patch addressing a high-severity vulnerability in the Cisco Integrated Management Controller (IMC), the baseboard management controller used on UCS C-Series Rack and UCS S-Series Storage servers. This vulnerability affects the command-line interface (CLI) of the Cisco IMC, which also exposes other interfaces such as the XML API and WebUI.

Identified as CVE-2024-20295, the vulnerability arises from inadequate validation of user input and can be exploited by locally authenticated attackers who can inject commands into the underlying operating system, potentially elevating their privileges to root. To exploit this vulnerability, an attacker would need either read-only or higher privileges on the affected device.

The vulnerability has a relatively low complexity for exploitation and involves specially crafted CLI commands. It impacts various Cisco products including Enterprise Network Computing Systems (ENCS) 5000 Series, Catalyst 8300 Series Edge uCPE, and UCS C and E Series servers. Additional products could also be vulnerable if they are configured to permit access to the affected Cisco IMC command-line interface.

Although a proof of concept (PoC) for this vulnerability has been made publicly available, there have been no reports of active exploitation yet. Cisco’s Product Security Incident Response Team (PSIRT) has issued warnings and recommends that administrators install the provided updates immediately to mitigate the risk posed by this vulnerability.

Ivanti

Ivanti has disclosed a series of vulnerabilities in its Avalanche Mobile Device Management (MDM) product, with 27 identified issues including two critical bugs that permit command execution. Notably, all Ivanti solutions maintain a high severity rating, with none scoring below 9 on the Common Vulnerability Scoring System (CVSS).

The critical vulnerabilities, CVE-2024-24996 and CVE-2024-29204, are heap overflow issues found in the WLInfoRailService and WLAvalancheService components of the MDM solution. These vulnerabilities are particularly severe as they can be exploited remotely without authentication and have been assigned a CVSS rating of 9.8.

In addition to these critical issues, Ivanti has also patched several high severity vulnerabilities. These include unauthenticated remote command execution vulnerabilities stemming from eight path traversal issues in the Avalanche web component, an unprivileged file upload bug, and two race condition vulnerabilities (TOCTOU) in the web component. Furthermore, another serious heap overflow vulnerability in the WLInfoRailService and an out-of-bounds read issue in the WLAvalancheService could both lead to remote code execution.

The updates also remedy several high severity DoS-related vulnerabilities and moderate severity issues that could allow unauthenticated remote attackers to extract sensitive information from memory. All supported versions of the Avalanche MDM solution, starting from version 6.3.1 and including older versions, are impacted by these vulnerabilities. The fixes are included in the latest release, version 6.4.3.

While Ivanti asserts that none of the patched vulnerabilities have been exploited in the wild, the critical nature of these vulnerabilities and the broad use of the Avalanche product suggest that users should apply the updates immediately without relying solely on vendor assurances. Given the serious potential for exploitation, it’s prudent for users to remain vigilant and ensure their systems are updated to mitigate these risks.

PuTTY

A critical vulnerability, designated as CVE-2024-31497, has been identified in the widely used SSH and Telnet client PuTTY, affecting versions from 0.68 to 0.80. This vulnerability allows an attacker to potentially recover a user’s secret key, posing significant security threats, particularly in environments where attackers have access to messages signed by the user using PuTTY or Pageant.

The vulnerability is especially concerning because signed messages can often be found publicly, such as in signed commits stored on public Git services. An attacker with access to these messages might have sufficient information to compromise the victim’s private key, regardless of whether the vulnerable versions of PuTTY are still in use. This poses a major threat as once the private key is compromised, an attacker could launch further attacks on the software supply chain managed through Git repositories.

Moreover, there exists a second scenario where the vulnerability could be exploited: if an attacker operates an SSH server and the victim authenticates to this server (for purposes like remote login or file transfer), even if the server is not fully trusted by the victim. The operator of this SSH server could potentially derive the victim’s private key and gain unauthorized access to other services, including Git services, thereby enabling them to carry out supply chain attacks.

The impact of this vulnerability extends beyond PuTTY, affecting other key tools such as FileZilla up to version 3.67.0, WinSCP up to version 6.3.3, TortoiseGit up to version 2.15.0.1, and TortoiseSVN up to version 1.14.6.

Given the severity of this vulnerability and its widespread implications, users are strongly urged not to delay updating their software to the latest versions that address this issue. Immediate action is necessary to safeguard against potential exploits that could compromise user privacy and the integrity of secure communications and operations.

Palo Alto

A critical zero-day vulnerability, exploited by a threat actor Volexity tracks as UTA0218 in a campaign dubbed Operation MidnightEclipse, is currently being used in targeted attacks against Palo Alto Networks firewalls. This command injection flaw, rated a perfect 10 on the CVSS scale, affects the GlobalProtect VPN feature across several versions of PAN-OS, allowing unauthenticated attackers to execute arbitrary code with root privileges on PAN-OS 10.2, 11.0, and 11.1 firewalls. Patches for this vulnerability have already been issued by Palo Alto Networks.

The exploitation of this vulnerability was first detected by Volexity researchers, who noted that the attackers had likely developed and tested the zero-day as early as March 26 but did not deploy any payloads until April 10. The attacks commenced in April, with the threat actors deploying a Python-based backdoor named UPSTYLE on compromised devices. Additionally, the attackers have been observed deploying various payloads to execute reverse shells, steal configuration data from PAN-OS, delete log files, and utilize a Golang-based tunneling tool called GOST.

In one notable instance, the attackers used a highly privileged service account configured on the compromised firewall to move laterally over SMB and WinRM. This let them steal sensitive Windows files, including the Active Directory database (ntds.dit), Data Protection API (DPAPI) key material and Windows event logs, along with credentials, cookies and browser data.

While Volexity attributes the attacks to a single group, it has not yet linked the activity to any previously known threat actor or operation. The full extent of the campaign is unclear, but the reconnaissance observed suggests preparation for wider exploitation of whatever vulnerable systems can be found. Estimates of potentially vulnerable, internet-facing devices range from about 40,000 (Shodan) to 133,000 (Censys), so the pool of potential victims runs into the tens of thousands.
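The first question after a vendor advisory like this is which firewalls in the fleet are still on an unfixed release. The following triage script is an added example, not Palo Alto Networks' or Action1's code. It encodes only the three baseline fixed releases named in the vendor advisory for CVE-2024-3400 (10.2.9-h1, 11.0.4-h1 and 11.1.2-h3) and the advisory's two conditions: only the 10.2, 11.0 and 11.1 release trains are affected, and only when a GlobalProtect gateway or portal is configured. Palo Alto Networks later shipped hotfixes for earlier maintenance releases in those trains as well, which this script does not list, so a host on an earlier maintenance release is reported as needing a check against the current advisory rather than as vulnerable. The inventory hostnames and versions are constructed.

```python
"""Triage a PAN-OS inventory against the CVE-2024-3400 fixed releases.

Added example, not Palo Alto Networks' or Action1's code. Only the three
baseline fixed releases from the vendor advisory are encoded; hotfixes the
vendor later issued for earlier maintenance releases are not, so anything
below the baseline in an older maintenance release is flagged for a manual
check against the current advisory.
"""
import re

FIXED_BASELINE = {
    (10, 2): (10, 2, 9, 1),   # 10.2.9-h1
    (11, 0): (11, 0, 4, 1),   # 11.0.4-h1
    (11, 1): (11, 1, 2, 3),   # 11.1.2-h3
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_panos_version(text: str):
    """'11.1.2-h3' -> (11, 1, 2, 3); a release without a hotfix gets 0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    major, minor, patch, hotfix = m.groups()
    return int(major), int(minor), int(patch), int(hotfix or 0)


def assess(version: str, globalprotect_configured: bool) -> str:
    """Classify one firewall as not_affected, fixed, vulnerable or check_advisory.

    'vulnerable' is only returned for the baseline maintenance release itself
    without its hotfix (e.g. 11.1.2 or 11.1.2-h2), where no other fix exists.
    Earlier maintenance releases in an affected train may carry a later
    per-release hotfix, so they are reported as 'check_advisory'.
    """
    v = parse_panos_version(version)
    train = v[:2]
    if train not in FIXED_BASELINE:
        return "not_affected"        # 10.1 and earlier, 11.2 and later
    if not globalprotect_configured:
        return "not_affected"        # no GlobalProtect portal or gateway
    fix = FIXED_BASELINE[train]
    if v >= fix:
        return "fixed"
    if v[:3] == fix[:3]:
        return "vulnerable"          # same release as the fix, hotfix missing
    return "check_advisory"


def triage(inventory):
    """inventory: iterable of (hostname, version, globalprotect_configured)."""
    return {host: assess(ver, gp) for host, ver, gp in inventory}


# Constructed sample inventory: hostnames and version assignments are made up.
SAMPLE_INVENTORY = [
    ("fw-edge-01", "11.1.2-h3", True),
    ("fw-edge-02", "11.1.2", True),
    ("fw-branch-07", "10.2.8-h3", True),
    ("fw-lab-01", "10.2.7", False),
    ("fw-dc-03", "10.1.11", True),
    ("fw-new-01", "11.2.0", True),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:14} {status}")
```

Feed it the version strings from your management system or from `show system info` on each device; the hotfix suffix matters, because 11.1.2 and 11.1.2-h3 are on opposite sides of the fix.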

LG WebOS

Bitdefender researchers have identified four critical vulnerabilities in webOS, the operating system of LG smart TVs; a Shodan search found more than 91,000 devices exposing the affected service to the internet. The vulnerabilities were confirmed on the following firmware ranges and models:

    • webOS 4.9.7 to 5.30.40 on LG43UM7000PLA,
    • webOS 04.50.51 to 5.5.0 on OLED55CXPUA,
    • webOS 0.36.50 to 6.3.3-442 on OLED48C1PUB,
    • webOS 03.33.85 to 7.3.1-43 on OLED55A23LA.

The entry point is a service on TCP ports 3000 and 3001 that normally lets a smartphone pair with the TV after the user confirms a PIN prompt. The vulnerabilities let an attacker who can reach that service create arbitrary accounts on the device without the PIN and, from there, escalate to command execution. The specific vulnerabilities are as follows:

    • CVE-2023-6317: an authorization bypass. By setting a variable in the pairing request, an attacker skips the PIN check and adds an unauthorized user to the TV; combined with CVE-2023-6318 it leads to root access.
    • CVE-2023-6318: a privilege escalation that turns the foothold gained through CVE-2023-6317 into root access on the device.
    • CVE-2023-6319: an OS command injection in the library used to display song lyrics, allowing execution of arbitrary commands.
    • CVE-2023-6320: an authenticated command injection through the com.webos.service.connectionmanager/tv/setVlanStaticAddress API, which runs the injected commands with root-like privileges.

Bitdefender reported the findings to LG in November 2023, but LG did not ship a fix until March 22, 2024. Because the bugs allow remote command execution, a compromised TV can become a foothold against other devices on the same network, so these updates should be prioritised even though TV firmware updates are rarely treated as urgent. Check the firmware version in the TV's settings, enable automatic updates, and keep TVs on a segmented network where the pairing service cannot be reached from untrusted hosts or from the internet.
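Before patching, it helps to know which hosts on a network expose the pairing service at all. The scanner below is an added example, not Bitdefender's or LG's code. It assumes only what the digest states, namely that the service listens on TCP ports 3000 and 3001; an open port means the service is reachable from the scanning host, not that the device is an LG TV or that it runs an affected firmware, so hits still need the model and version checked against the list above. The stub listener exists so the script can be exercised on loopback without a TV.

```python
"""Find hosts that expose the webOS second-screen (phone pairing) service.

Added example, not Bitdefender's or LG's code. It relies only on the port
numbers given in the digest (TCP 3000 and 3001). An open port shows the
service is reachable from where the scan runs; the TV model and firmware
version still have to be confirmed separately.
"""
import ipaddress
import socket
from concurrent.futures import ThreadPoolExecutor

SECOND_SCREEN_PORTS = (3000, 3001)


def port_open(host: str, port: int, timeout: float = 1.0) -> bool:
    """TCP connect check; True if the three-way handshake completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def find_exposed(hosts, ports=SECOND_SCREEN_PORTS, timeout=1.0, workers=64):
    """Return {host: [open ports]} for every host with at least one port open."""
    hosts = list(hosts)
    exposed = {}
    with ThreadPoolExecutor(max_workers=workers) as pool:
        jobs = {pool.submit(port_open, h, p, timeout): (h, p)
                for h in hosts for p in ports}
        for job, (h, p) in jobs.items():
            if job.result():
                exposed.setdefault(h, []).append(p)
    return {h: sorted(ps) for h, ps in exposed.items()}


def hosts_in(cidr: str):
    """Expand a CIDR such as '192.168.1.0/24' to a list of host addresses."""
    return [str(a) for a in ipaddress.ip_network(cidr, strict=False).hosts()]


def stub_listener(host: str = "127.0.0.1"):
    """Bind a throwaway TCP listener standing in for a TV (local testing only).

    Returns (port, close). Connections complete in the kernel backlog, so no
    accept loop is needed for a connect check to succeed.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(8)
    return srv.getsockname()[1], srv.close


if __name__ == "__main__":
    # Against a real segment: find_exposed(hosts_in("192.168.1.0/24"))
    port, close = stub_listener()
    print(find_exposed(["127.0.0.1"], ports=(port,)))
    close()
```

Run it from each network segment that TVs share with other devices; the result that matters is whether the pairing ports answer from places that should not be able to reach them, such as a guest VLAN or an internet-facing interface.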

How To Efficiently Patch All of These Vulnerabilities And More

Want to learn about newly released updates as soon as they are available? With Action1, you can — as well as streamline the entire patch management process, from identifying missing updates to compliance reporting, across both Windows OS and third-party software.

Webinar Recording: May 2024 Vulnerability Digest from Action1
