NEW ACTION1 PLATFORM: NOW WITH MACOS SUPPORT

This Wednesday | 12 PM EST / 11 AM CET

Action1 5 Blog 5 Patch Tuesday October 2024

Patch Tuesday October 2024

October 8, 2024

By Mike Walters

Patch Tuesday October 2024 Updates – Vulnerability Digest from Action1

This digest explains the most serious vulnerabilities in popular Windows software that have been patched over the past month.

For even more information, watch the recorded October 2024 Vulnerability Digest webinar, join our next Patch Tuesday webinar and visit our Patch Tuesday Watch page.

In this issue, you will learn about patches for:

Microsoft Vulnerabilities

This Patch Tuesday, as we mark Cybersecurity Awareness Month, Microsoft has addressed 118 vulnerabilities, a notable increase from last month, with only three classified as critical. Interestingly, while there are only two zero-days addressed, both come with proof of concept. Additionally, there are three more proofs of concept that have not been exploited. Below are the details of the most critical updates from this batch.

Microsoft Management Console Remote Code Execution Vulnerability (CVE-2024-43572)

This zero-day vulnerability rated CVSS 7.8 represents a significant Remote Code Execution (RCE) threat. It arises due to the improper neutralization of elements within a Microsoft Management Console (MMC) environment, cataloged under CWE-707, for its potential to allow attackers to execute arbitrary code.

The core of the vulnerability is in how MMC processes Microsoft Saved Console (MSC) files, which are used to save console settings. These files, while typically benign, can be manipulated to contain malicious payloads. When such a crafted file is opened by unsuspecting users, it could execute the malicious code contained within.

Here are some specifics about the exploit:

    • Attack Vector: Local (the attack must be executed directly on the affected system)
    • Attack Complexity: Low (requires minimal technical skill to exploit once the crafted file is in place)
    • Privileges Required: None (any user on an affected system can execute the attack)
    • User Interaction: Required (the user must open a crafted MSC file)
    • Publicly Disclosed: Yes
    • Exploited in the Wild: Yes
    • Proof of Concept Available: Yes, enhancing the ease of exploitation.

Attack Scenarios & Potential Impact

This vulnerability’s potential impacts include data exfiltration, system compromise, and lateral movement within a network. It could allow attackers to establish persistent backdoors or pivot to more severe attacks within an organization’s infrastructure.

While exploitable on its own, this vulnerability’s impact can be amplified when combined with other vulnerabilities. For example:

    • Phishing attacks, tricking users into downloading and opening malicious MSC files.
    • Obtaining higher-level access to compromised systems, if combined with privilege escalation techniques.
    • Widespread attacks across an enterprise network, if paired with vulnerabilities that facilitate network propagation.

Given the widespread use of Windows-based systems in both corporate and government settings, CVE-2024-43572 poses a considerable risk. It’s estimated that millions of endpoints, particularly those in organizations using MMC for administrative tasks and policy enforcement, are vulnerable- especially those that have not installed the necessary security update to block execution from untrusted MSC files. This threat is especially acute in environments with less technically aware end-users or extensive digital footprints.

Windows MSHTML Platform Spoofing Vulnerability (CVE-2024-43573)

The second zero-day vulnerability, CVE-2024-43573, is a spoofing vulnerability rooted in the MSHTML platform of Microsoft Windows. It primarily stems from the improper neutralization of user input during web page generation, which is commonly associated with Cross-site Scripting (XSS) attacks and catalogued under CWE-79. This vulnerability is due to inadequate sanitization processes within the MSHTML engine, which allows attackers to inject and execute scripts.

This flaw enables malicious actors to deceive users into believing they are visiting a legitimate site, potentially capturing sensitive information such as login credentials or injecting malicious payloads. Microsoft has confirmed that this vulnerability impacts all supported versions of Windows, with the exception of Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012. The MSHTML platform is extensively used not only in Internet Explorer but also in the Internet Explorer mode within Microsoft Edge and through the WebBrowser control in various applications.

The potential impacts of this spoofing vulnerability include:

    • Unauthorized capture of data, such as login credentials and personal information.
    • Delivery of secondary payloads or malware.
    • Erosion of user trust in web applications.

Though typically less severe than execution vulnerabilities, the potential for phishing and widespread data compromise is significant. Details of the exploitation parameters include:

    • Attack Vector: Network (allowing remote exploitation over the internet).
    • Attack Complexity: Low (the attack can be executed without sophisticated methods).
    • Privileges Required: None (no special permissions are needed for exploitation).
    • User Interaction: Required (the user must interact with a crafted URL or email).
    • Publicly Disclosed: Yes.
    • Exploited in the Wild: Yes.
    • Proof of Concept: Indications suggest that PoC code is available, facilitating exploitation by potential attackers.

The spoofing nature of CVE-2024-43573 makes it a formidable tool in phishing campaigns:

    • Attackers can orchestrate sophisticated phishing operations that direct users to malicious sites masquerading as legitimate entities.
    • When combined with other vulnerabilities, such as those enabling data exfiltration or identity exploitation, it can significantly enhance an attacker’s capability to pivot and escalate attacks within networks.

The vulnerability scores a CVSS Base Score of 6.5 and a Temporal Score of 6.0, reflecting a moderate risk that, while not immediately compromising system integrity, poses a substantial threat in terms of potential widespread phishing and data breaches.

Given the extensive use of MSHTML within Windows environments and its integration into various web-centric applications, a significant number of enterprises, especially those in sectors like finance and e-commerce that rely heavily on web interactions, are potentially at risk. Organizations with less robust perimeter defenses are particularly vulnerable to these threats.

Open Source Curl Remote Code Execution Vulnerability (CVE-2024-6197)

The zero-day CVE-2024-6197 is a critical Remote Code Execution (RCE) vulnerability affecting the widely-used open-source tool and library, cURL. This vulnerability stems from CWE-590: Free of Memory not on the Heap, which involves improper memory deallocation. Specifically, the issue arises when memory not allocated on the heap is inappropriately freed, leading to undefined behavior that can be exploited to execute arbitrary code.

This vulnerability is particularly concerning because it impacts the fundamental architecture of memory management in cURL, a tool integral to data transfers across various network protocols.

The affected systems include those using cURL or libcurl, the underlying library that powers numerous applications on diverse platforms. Although Windows does not typically ship with libcurl, it does include the cURL command line tool, which is vulnerable. On other platforms, any application that incorporates libcurl directly is at risk, underscoring the extensive reach of this vulnerability.

Potential consequences of exploiting this vulnerability include:

    • Execution of remote code on the client system by an attacker.
    • Compromised systems becoming gateways for data exfiltration or further network infiltration.
    • Full control over the affected client, potentially leading to widespread malware distribution or misuse.

Here are the specifics of the exploit:

    • Attack Vector: Network (the attack is carried out remotely over a network)
    • Attack Complexity: Low (minimal effort is required once the vulnerable client connects to a malicious server)
    • Privileges Required: None (no special permissions are needed to launch the attack)
    • User Interaction: Required (the attack relies on user interaction with a malicious server)
    • Publicly Disclosed: Yes
    • Exploited in the Wild: No, as per the latest assessments
    • Proof of Concept Available: While currently assessed as less likely to be exploited, the publicly disclosed details suggest that PoCs may soon emerge.

Attackers could use this vulnerability to conduct man-in-the-middle (MitM) attacks by redirecting client requests to malicious servers. If combined with vulnerabilities that allow for network lateral movement, this could significantly enhance an attacker’s capability to infiltrate and control vast portions of an enterprise’s network.

    • CVSS Base Score: 8.8
      CVSS Temporal Score: 7.7

These high CVSS scores reflect the substantial risk posed by this vulnerability, especially given the network-based attack vector, low complexity, and no required privileges, indicating a potential for broad exploitation if not properly managed.

Organizations using applications that depend on cURL or libcurl are at significant risk. Given cURL’s prevalence across both open-source and proprietary systems, its footprint is vast. Any sector that relies on HTTP, HTTPS, or FTP for data transfers could face considerable exposure. Additionally, enterprises that utilize cURL in environments with weak memory management controls are particularly susceptible.

Winlogon Elevation of Privilege Vulnerability (CVE-2024-43583)

CVE-2024-43583, a zero-day Elevation of Privilege (EoP) vulnerability, has been identified within the Winlogon component of Microsoft Windows. Categorized under CWE-250: Execution with Unnecessary Privileges, this vulnerability originates from improper handling of processes during the system login phase. It allows an attacker to escalate privileges and gain SYSTEM level access, which represents the highest privilege level on Windows systems.

The exploitation of this vulnerability is facilitated by weaknesses in how Winlogon interacts with Input Method Editors (IMEs), particularly when a vulnerable third-party IME is active during the login process. This issue predominantly affects systems that use third-party IMEs during the login phase. According to Microsoft’s advisory, switching to a first-party IME may mitigate this risk by ensuring safer interactions with Winlogon.

Key Risks and Impacts:

    • Privilege Escalation: Attackers can escalate their privileges to SYSTEM level, granting them complete control over the affected machine.
    • Compromised System Integrity: With elevated privileges, attackers can disable security measures, install malware, and exfiltrate sensitive data unrestrictedly.

Exploitation Details:

    • Attack Vector: Local (the attacker needs local access to exploit this vulnerability)
    • Attack Complexity: Low (exploitation is straightforward once local access is achieved)
    • Privileges Required: Low (only low-level access is required to start the escalation process)
    • User Interaction: None (no user interaction is needed for the attack)
    • Publicly Disclosed: Yes
    • Exploited in the Wild: There is no current evidence of active exploitation
    • Exploitation More Likely: Given the nature and criticality of the vulnerability, it is considered highly likely to be exploited as attackers become aware of its existence.

Potential for Wider Exploitation:

    • This vulnerability could be used in a multi-step attack, where initial access might be obtained through another local exploit or social engineering tactics.
    • Once remote attackers gain local access, leveraging this EoP vulnerability could enable deeper penetration into secured environments.

CVSS Scores:

    • Base Score: 7.8
    • Temporal Score: 6.8

These scores underline the serious threat posed by this vulnerability, highlighting the potential for SYSTEM-level access exploitation.

Organizations using Windows systems are at significant risk, especially those that utilize third-party IMEs for linguistic or regional purposes. This vulnerability is particularly pertinent in diverse settings where multilingual support is crucial, such as in global enterprises or educational institutions.

Remote Desktop Protocol Server Remote Code Execution Vulnerability (CVE-2024-43582)

The final noteworthy vulnerability to discuss is CVE-2024-43582, a critical Remote Code Execution (RCE) vulnerability identified in the Remote Desktop Protocol (RDP) Server. This issue falls under CWE-416: Use After Free, which arises when a program attempts to use memory that has already been freed. Within the RDP server context, this flaw enables attackers to manipulate memory in a way that could allow them to execute arbitrary code, potentially compromising the server where RDP is active.

Systems with RDP servers enabled, especially those configured in various Windows server environments to provide remote access, are primarily at risk. Given the widespread use of RDP in enterprise and IT settings, a significant number of businesses and service providers could be affected if this vulnerability were exploited.

Impacts of Exploitation:

    • Remote Code Execution: Unauthenticated attackers could potentially execute arbitrary code on the server, gaining complete control over the system.
    • System Compromise: Successful exploitation would allow attackers to manipulate data, install malicious software, and possibly extend their reach to other networked systems.

Technical Details of the Vulnerability:

    • Attack Vector: Network (the vulnerability can be exploited remotely over a network)
    • Attack Complexity: High (exploitation requires sophisticated methods, including winning a race condition)
    • Privileges Required: None (the exploit does not require the attacker to have prior access or privileges)
    • User Interaction: None (the attack does not rely on victim interaction)
    • Publicly Disclosed: No
    • Exploited in the Wild: There are no known instances of exploitation at the time of reporting
    • Exploitation Less Likely: The high complexity of this exploit means that the window for successful exploitation is narrower than for simpler vulnerabilities.

Potential for Advanced Exploitation:

    • The complexity of this vulnerability makes it a potential target in advanced persistent threat (APT) scenarios, where sophisticated attackers possess the necessary resources to exploit intricate vulnerabilities.
    • Should attackers gain initial access through this vulnerability, they could use lateral movement techniques to spread and escalate their presence across the network.

CVSS Scores:

    • Base Score: 8.1
      Temporal Score: 7.1

Despite the high attack complexity, the criticality of this vulnerability is highlighted by the potential for remote code execution without the need for user interaction or elevated privileges. This poses a serious concern for network security.

Given the role of RDP in facilitating remote work and system administration, many organizations—particularly those with inadequately secured or insufficiently monitored RDP services—could face significant risks. Entities in sectors such as IT services, healthcare, and finance, which rely heavily on remote connections, should exercise increased vigilance.

Mozilla Firefox

Firefox 131 addresses 24 security vulnerabilities, with 18 classified as high severity. Among these, 14 are linked to memory issues like buffer overflows and problems with garbage collection. Such vulnerabilities could potentially allow the execution of malicious code when users open specially crafted web pages.

Detailed Analysis of Top Three Security Vulnerabilities in Firefox 131:

    1. CVE-2024-9391: Prevent Users from Exiting Full-Screen Mode in Firefox Focus for Android. This vulnerability in Firefox Focus for Android prevents users from exiting full-screen mode on certain web pages, likely due to mishandling API calls related to full-screen transitions. This flaw can be exploited to spoof the browser’s user interface, concealing the address bar and creating opportunities for phishing by mimicking legitimate sites.
    2. CVE-2024-9392: Compromised Content Process Can Bypass Site Isolation. This issue allows a compromised content process to bypass site isolation, which is intended to keep sites of different origins in separate processes. The flaw, likely stemming from inadequate process communication checks, enables a compromised process to access data from other sites, posing risks of data theft and cross-site scripting (XSS) attacks.
    3. CVE-2024-9393: Cross-Origin Access to PDF Contents Through Multipart Responses. This vulnerability concerns the handling of multipart responses that can execute JavaScript to access cross-origin PDF content under the resource://pdf.js context. This bypasses certain same-origin policy safeguards, allowing attackers to read sensitive information within PDF documents across different origins. This could be exploited through phishing links or embedded web resources, potentially in combination with existing PDF or JavaScript vulnerabilities to extend unauthorized access.

Apple

Apple has released iOS 18, which addresses 33 vulnerabilities that left iPhones and iPads vulnerable to various malicious hacking attacks. This update rectifies issues across several components including Special Features, Bluetooth, Control Center, and Wi-Fi. Notably, the vulnerabilities previously allowed unauthorized access to sensitive data and full control of the device.

Among the critical fixes, Apple has resolved a vulnerability that allowed attackers with physical access to exploit Siri to control devices nearby, access sensitive data, or view recent photos without requiring authentication. A significant flaw in the Control Center, which could be exploited via an app to record the screen covertly, has also been patched.

iOS 18 also addresses a Bluetooth kernel vulnerability that previously allowed a malicious input device to bypass pairing protocols, along with a kernel bug that exposed network traffic from VPN tunnels, and a Wi-Fi issue that enabled attackers to forcibly disconnect devices from secure networks. Apple has also fixed several issues that compromised the privacy of Safari’s private browsing mode and sandboxing features. According to Apple, these vulnerabilities had not been exploited in the wild.

In conjunction with iOS 18, Apple also launched macOS Sequoia 15, which includes an extensive set of patches addressing vulnerabilities that could lead to unauthorized data access, elevation of privileges, system modifications, and application crashes.

Moreover, following demonstrations by researchers from the University of Florida and Texas Tech University, Apple has patched a vulnerability in Vision Pro, tracked as CVE-2024-40865. This flaw could be exploited using a technique named GAZEploit, which analyzes eye movements to infer passwords typed by users. This vulnerability, significantly accurate in trials involving 30 participants, has been addressed in the visionOS 1.3 update.

Additionally, Apple’s recent security bulletin highlights the release of iOS 18.0.1 and iPadOS 18.0.1, which include fixes for two bugs that potentially exposed passwords and audio snippets to attackers. The first bug, identified as CVE-2024-44207, allowed the capture of audio before the microphone indicator was activated. The second, CVE-2024-44204, involved a logic error that could enable VoiceOver to read stored passwords.

These updates also improve system stability, enhancing validation and verification processes, and addressing other issues like touchscreen responsiveness, camera freezes, unexpected closures of the Messages app, and various undocumented performance issues.

Zimbra

Researchers are alerting users to the active exploitation of a critical vulnerability in Zimbra, identified as CVE-2024-45519. This vulnerability allows attackers to execute commands on affected servers without authentication. Zimbra has released patches for this issue in versions 9.0.0 Patch 41, 10.0.9, 10.1.1, and 8.8.15 Patch 46.

This service is disabled by default. However, if enabled, the vulnerability can be exploited remotely on servers within authorized network ranges. Proofpoint reported the first attempts to exploit this vulnerability on September 28, one day after ProjectDiscovery released its findings. The exploitation involved spoofed Gmail emails with malicious CC fields that triggered command execution on the Zimbra servers through encoded base64 strings processed by the sh utility. These emails aimed to install a web shell on affected servers at “/jetty/webapps/zimbraAdmin/public/jsp/zimbraConfig.jsp”.

This web shell, once installed, waits for incoming connections and executes commands embedded in cookies using Base64 encoding. It can run commands directly or download and execute files through a socket connection.

Additionally, Ivan Kwiatkowski from HarfangLab reported the originating IP address used in the mass exploitation of CVE-2024-45519. Although the same server was used to send exploit emails and deliver secondary payloads, the attackers have not been linked to any known threat group. Synacor recommends applying the patch to all systems, regardless of whether the Postjournal service is active.
For systems where the service is disabled and immediate patching is not feasible, deleting the postjournal binary is suggested as a temporary security measure until the patch can be applied.

NVIDIA

Researchers at Wiz Research are issuing a warning about a critical vulnerability in the NVIDIA Container Toolkit, which impacts AI applications in both cloud and on-premises environments. Identified as CVE-2024-0132, this vulnerability allows attackers to execute container egress attacks, gaining access to the host system to execute commands or extract sensitive information. The toolkit, a standard tool for accessing GPUs on NVIDIA hardware, comes pre-installed on many AI-focused platforms and virtual machine images. Currently, more than 35% of cloud environments are susceptible to attacks exploiting this flaw.

CVE-2024-0132 is rated as critical, with a severity score of 9.0. It affects the NVIDIA Container Toolkit up to version 1.16.1 and the GPU Operator up to version 24.6.1. The vulnerability stems from insufficient isolation between the containerized GPU and the host system. This issue allows containers to access or mount sensitive parts of the file system and runtime resources, such as Unix sockets used for interprocess communication. Notably, some Unix sockets—such as docker.sock and containerd.sock—are writable, which permits direct host communication and command execution.

An attacker could leverage a specially crafted container image to exploit this vulnerability at host boot time. According to Wiz Research, this attack can be conducted either directly, through shared GPU resources, or indirectly by running an image from a malicious source.
NVIDIA was notified about the vulnerability on September 1, confirmed the issue shortly thereafter, and released a patch on September 26. While the specific details of the exploit have not been disclosed to allow users time to implement the patch, NVIDIA advises upgrading to version 1.16.2 of the NVIDIA Container Toolkit and version 24.6.2 of the NVIDIA GPU Operator to mitigate this risk.

Cisco

Cisco has issued patches for 11 vulnerabilities, including seven of high severity, in its IOS and IOS XE products. The most critical among these are six denial-of-service (DoS) vulnerabilities that affect various components such as the Unified Threat Defense (UTD), Resource Reservation Protocol (RSVP), Protocol Independent Multicast (PIM), DHCP snooping, HTTP server, and IPv4 fragmentation reassembly. These vulnerabilities can be exploited remotely without authentication by sending specially crafted traffic or packets to an affected device.

Additionally, a high severity vulnerability in the IOS XE web-based management interface could lead to cross-site request forgery (CSRF) attacks if an unauthenticated remote attacker deceives an authenticated user into clicking a malicious link.

Cisco has also released patches for two critical vulnerabilities. The first, identified as CVE-2024-20350 in the Catalyst Center SSH server, involves a static SSH host key that could enable an unauthenticated remote attacker to intercept traffic between SSH clients and the Catalyst Center appliance, facilitating man-in-the-middle (MitM) attacks, command injection, and credential theft. The second, CVE-2024-20381, concerns improper authorization checks in the JSON-RPC API of the Crosswork Network Services Orchestrator (NSO) and ConfD. This vulnerability could allow a remote authenticated attacker to send malicious requests, create a new account, or escalate privileges. Notably, CVE-2024-20381 also impacts several products, including the RV340 Dual WAN Gigabit VPN Routers, which have reached end-of-life (EoL) and are no longer supported.

According to Cisco, none of these vulnerabilities have been exploited in the wild.

ESET

ESET has issued warnings about privilege escalation vulnerabilities in its security solutions for Windows and MacOS. A particularly severe vulnerability, designated as CVE-2024-7400 and discovered by Dmitry Zuzlov of Positive Technologies, impacts ESET’s Windows products. This vulnerability arises from how file operations are handled during the deletion of detected files. An attacker with low-level privileges on a system equipped with an affected ESET product could exploit this flaw to delete arbitrary files and escalate their privileges.

ESET has resolved this issue in the Cleaner 1251 module, which is automatically distributed to ESET customers through detection engine updates, requiring no additional action from users. This vulnerability impacts various consumer and enterprise products, including antivirus, internet security, and server security solutions. The updated cleaner module was released to all users on August 13. ESET advises those who do not regularly update their products to apply this fix promptly.

To date, there have been no known exploits targeting this vulnerability nor any detected exploitation attempts.

Additionally, ESET has patched CVE-2024-6654, a moderate vulnerability affecting ESET Cyber Security versions 7.0-7.4.1600.0 and Endpoint Antivirus for macOS (now Endpoint Security for macOS) versions 7.0-7.5.50.0. This vulnerability could allow a user with low privileges to create a symbolic link to a specific location, potentially disabling the company’s security tools. This flaw could enable a logged-in user to launch a denial of service (DoS) attack, disabling ESET’s security product protections and causing an overall system slowdown.

The issues have been addressed in Cyber Security version 7.5.74.0 and Endpoint Security for MacOS version 8.0.7200.0. ESET confirms that there are no known attempts to exploit this vulnerability.

Gitlab

GitLab has urgently released updates to address several vulnerabilities, including a particularly severe issue identified as CVE-2024-6678. This vulnerability, rated at 9.9 in criticality, allows an attacker to execute pipeline actions as arbitrary users under certain conditions. The updates apply to GitLab Community Edition (CE) and Enterprise Edition (EE) across versions 17.3.2, 17.2.5, and 17.1.7, and resolve a total of 18 vulnerabilities.

CVE-2024-6678 is noteworthy for its potential to allow attackers to shut down environments remotely, without user interaction and from a position of low privilege. GitLab has identified this issue as affecting versions from CE/EE 8.14 up to 17.3.2.

Additionally, the update addresses four high severity vulnerabilities with potential impacts ranging from service disruption to unauthorized command execution and data compromise:

    • CVE-2024-8640: This vulnerability stems from improper input filtering, where attackers could inject commands into a cube server via the YAML configuration, affecting GitLab EE from version 16.11 onwards.
    • CVE-2024-8635: An SSRF vulnerability in GitLab EE version 16.8 and later, allowing attackers to craft a custom Maven Dependency Proxy URL that could request access to internal resources.
    • CVE-2024-8124: Enables attackers to initiate a denial of service (DoS) by overloading the system with a large ‘glm_source’ parameter, affecting GitLab CE/EE from version 16.4 onwards.
    • CVE-2024-8641: This issue allows attackers to exploit the CI_JOB_TOKEN to access and hijack a victim’s GitLab session token, affecting GitLab CE/EE from version 13.7 onwards.

Moreover, GitLab has patched a critical vulnerability in SAML authentication for self-managed installations of both the Community and Enterprise Editions. Identified as CVE-2024-45409, this issue arises from vulnerabilities in the OmniAuth-SAML and Ruby-SAML libraries, which could be exploited by attackers submitting a manipulated SAML response to bypass authentication processes. This affects versions up to GitLab 17.3.3, 17.2.7, 17.1.8, 17.0.8, and 16.11.10, all of which now include updated libraries to address the flaw.

GitLab strongly advises all users of self-managed instances to update their installations immediately. For those unable to upgrade immediately, implementing 2FA for all accounts and adjusting the SAML 2FA bypass settings is recommended to enhance security. GitLab’s security bulletin also outlines signs of potential exploitation, such as unusual external user IDs in authentication logs and SAML responses from suspicious IP addresses, indicating that the vulnerability may already be under active exploitation.

VMware

Broadcom has issued a warning about a critical vulnerability in VMware vCenter that could permit remote code execution on unpatched servers through a network packet. VMware vCenter serves as the central hub for managing the virtualized infrastructure within the VMware vSphere suite.

The vulnerability, identified as CVE-2024-38812, was uncovered by TZL researchers during the Matrix Cup 2024, a Chinese hacking competition. It stems from a heap overflow in the DCE/RPC protocol implementation and affects key VMware products, including vSphere and VMware Cloud Foundation. This flaw enables unauthorized attackers to execute remote code execution (RCE) attacks with low complexity and without requiring user interaction, simply by sending a specially crafted network packet.

Mitigation strategies may differ based on an organization’s security posture, depth of defense strategies, and firewall configurations. Organizations are advised to conduct their own assessments of these protective measures. To achieve complete protection, installation of security updates as recommended in VMware security advisories is crucial. These patches are accessible through the standard update mechanisms of vCenter Server.

Currently, according to Broadcom, there is no evidence that this RCE vulnerability, CVE-2023-34048, is being actively exploited.

For administrators unable to apply the security updates immediately, it is recommended to strictly control access to vSphere management components and interfaces from the network perimeter, including access to storage and networking components. Additionally, Broadcom has addressed another significant elevation of privilege (EoP) vulnerability, designated as CVE-2024-38813, which could enable an attacker to gain root privileges on affected servers through a specially crafted network packet.

Adobe

Adobe’s latest Patch Tuesday has rolled out updates addressing a range of vulnerabilities across its suite of products, with a focus on critical issues that could enable attackers to execute arbitrary code on Windows and MacOS systems.

Among the most pressing concerns are two critical memory corruption flaws in Acrobat and PDF Reader: zero-day CVE-2024-41869, rated at a CVSS score of 7.8, and CVE-2024-45112, with a CVSS score of 8.6. The former is a Use After Free vulnerability, while the latter pertains to a Type Confusion issue. Exploitation of these vulnerabilities could lead to arbitrary code execution on compromised systems. Both vulnerabilities have been resolved in the latest updates to the software.

The zero-day in Acrobat Reader was discovered in June by researcher Haifei Li, utilizing the EXPMON platform. Currently, a proof of concept (PoC) exploit is in development. Detailed findings from this discovery are anticipated to be shared on the EXPMON blog soon, with further technical analysis to be featured in an upcoming Check Point Research report.

Ivanti

Ivanti has recently addressed a high-severity vulnerability in its EPM endpoint management software, which could have allowed an unauthorized attacker to execute code remotely on a primary server. The vulnerability, identified as CVE-2024-29847, was due to an issue with untrusted data deserialization in the agent portal. This has been rectified in the latest Ivanti EPM 2024 patches and the Ivanti EPM 2022 Service Update 6 (SU6).

Currently, Ivanti reports no known exploits of this vulnerability. However, given the company’s prominence in the field, the possibility of future exploitation should not be dismissed.

How To Efficiently Patch All of These Vulnerabilities And More

Want to learn about newly released updates as soon as they are available? With Action1, you can — as well as streamline the entire patch management process, from identifying missing updates to compliance reporting, across both Windows OS and third-party software.

Setup in minutes to reduce your cyber risks and costs:

Webinar Recording: October 2024 Vulnerability Digest from Action1

See What You Can Do with Action1

 

Join our weekly LIVE demo “Patch Management That Just Works with Action1” to learn more

about Action1 features and use cases for your IT needs.

 

spiceworks logo
getapp logo review
software advice review
trustradius
g2 review
spiceworks logo

Related Posts