VULNERABILITY DIGEST FROM ACTION1

Patch Tuesday and third-party updates | This Wednesday | 12 PM EST / 6 PM CET

Action1 5 Blog 5 Top 6 Vulnerabilities: First Half of 2024 Review

Top 6 Vulnerabilities: First Half of 2024 Review

August 15, 2024

By Mike Walters

In today’s post, we’ll delve into six critical vulnerabilities from the first half of 2024 that are essential to monitor and mitigate in the months ahead.
These vulnerabilities are particularly noteworthy for several reasons. First, each of them has a critical nature, with high CVSS scores indicating the potential for significant impact if exploited. Second, they affect widely used systems and software, creating a broad attack surface and exposing millions of endpoints to attacks.

Additionally, the availability of ready-made exploits further amplifies the risk, as it lowers the barrier for attackers to leverage these vulnerabilities. Most importantly, each of them is characterized by slow patch adoption due to the challenges IT teams face in patching them in diverse and large environments, which leaves systems vulnerable for extended periods.
Given these factors, it is imperative for cybersecurity professionals to prioritize and address these vulnerabilities promptly.

1. Palo Alto Networks Firewalls RCE (CVE-2024-3400)

CVSS Rating: 10.0 (Critical)

Details:

    • What Is It? A remote code execution (RCE) vulnerability in Palo Alto Networks’ PAN-OS that allows attackers to execute arbitrary commands.
    • How It Works: Attackers can exploit two bugs in PAN-OS through a two-stage attack. First, they send a crafted shell command to GlobalProtect (a PAN-OS component). This command results in creating an empty file on the device in the name of the root user. In the second stage, a cron job on the device processes that file, executing the attacker’s command with elevated privileges.
    • Current Exploits: Available in Metasploit, facilitating easy and widespread exploitation.
    • Affected Systems: Over 149,000 devices with the vulnerable feature enabled.

Potential Reasons Why It Remains Unpatched:

    • Immediate High-Profile Exploit Releases: The release of public exploits coincides with patch releases, necessitating immediate updates that many organizations may delay.

Why Is It Still a Threat in H2 2024?
These firewalls are critical to protecting enterprise networks, and delays in patching can leave large attack surfaces open for extended periods. With the exploit readily available and the vulnerability affecting so many devices, the potential for widespread attacks remains high.
The high CVSS score, immediate availability of exploits, and presence in critical network infrastructure make this vulnerability particularly impactful and dangerous.

How To Address It?
The release date of a patch for a high-profile vulnerability is the same as the release date of a public exploit. Therefore, companies need to react quickly to such vulnerabilities and patch them immediately, without waiting for public exploits and script kiddies attacks. Perform PAN-OS system updates according to official Palo Alto Networks recommendations.

2. Windows Kernel Privilege Escalation (CVE-2024-21338)

CVSS Rating: 7.8 (High)

Details:

    • What Is It? A privilege escalation vulnerability in the Windows Kernel, exploited by the Lazarus Group.
    • How It Works: The vulnerability is used in conjunction with the FudModule rootkit to achieve stealthy privilege escalation. The rootkit manipulates kernel objects to disable defenses, hide malicious activity, and persistently infiltrate the system.
    • Current Exploits: Documentation of exploits by the Lazarus group.
    • Affected Systems: All users of outdated versions of Windows.

Potential Reasons Why It Remains Unpatched:

    • Complex Mitigation: Detailed and time-consuming fixes for kernel vulnerabilities complicate timely updates.

Why Is It Still a Threat in H2 2024?
Many organizations are slow to update operating systems, leaving this critical vulnerability exploitable for longer periods.
Also, Kernel vulnerabilities are particularly critical because they allow attackers to gain the highest level of privileges, making them extremely dangerous. Once exploited, implementing effective defensive measures becomes particularly challenging.

How To Address It?
Deploy patches as soon as possible.

3. Fortinet FortiOS and FortiProxy RCE (CVE-2024-21762)

CVSS Rating: 9.8 (Critical)

Details:

    • What Is It? An RCE vulnerability in Fortinet FortiOS and FortiProxy allowing unauthenticated attackers to execute arbitrary code.
    • How It Works: Attackers send specially crafted HTTP requests to exploit the vulnerability.
    • Current Exploits: Historical data shows mass exploitation with similar vulnerabilities.
    • Affected Systems: More than 465,000 devices running FortiOS with SSL VPN enabled.

Potential Reasons Why It Remains Unpatched:

    • Large Number of Deployments: The sheer number of devices and diverse environments make immediate patching complex.

Why Is It Still a Threat in H2 2024?
Given how widely Fortinet devices are used in enterprises, it is unlikely that companies manage to apply patches to each device immediately. At the same time, RCE vulnerabilities of this type allow attackers to infiltrate and control networked devices with ease. The ability to execute code without authentication opens up the potential for widespread exploitation across many critical systems in enterprise environments.

How To Address It?
Remediating the vulnerability requires a software update according to Fortinet’s recommendations. If it is not possible to download updates immediately, you can temporarily disable SSL VPN on FortiOS devices to reduce risks.

4. PHP Arbitrary Code Execution on Windows (CVE-2024-4577)

CVSS Rating: 9.8 (Critical)

Details:

    • What Is It? An RCE vulnerability in Fortinet FortiOS and FortiProxy allowing unauthenticated attackers to execute arbitrary code.
    • How It Works: Exploits involve character sequences that bypass protections and execute code.
    • Current Exploits: Exploits are available on GitHub and actively used to deliver malware like TellYouThePass.
    • Affected Systems: The vulnerability affects all versions of PHP installed on the Windows operating system.
      • PHP 8.3-8.3.8
      • PHP 8.2-8.2.20
      • PHP 8.1-8.1.29
      • Versions of PHP 8.0, PHP 7 and PHP 5 are also vulnerable, but they are deprecated and no longer supported.
        It should be noted that all XAMPP installations are vulnerable by default. XAMPP is a popular cross-platform local web server build that includes Apache, MariaDB, PHP, Perl and a large number of additional libraries.

Potential Reasons Why It Remains Unpatched:

    • Complex Configurations: Wide variety of PHP usage scenarios and locale-specific mitigations complicate comprehensive patching.

Why Is It Still a Threat in H2 2024?
PHP is widely used for web applications, making the potential impact of unpatched systems significant as it can result in broad access and control over affected systems.
The ability to execute arbitrary code can lead to full system compromises, data breaches, and malware infections.

How To Address It?
If upgrading to a current version of PHP is not possible, the DEVCORE researchers suggest configurations to counter the exploitation of the vulnerability. However, these recommendations only apply to installations on Windows with specific language locales (Traditional Chinese, Simplified Chinese, Japanese) for which exploitation of the vulnerability has been confirmed. In other locales, due to the wide range of PHP usage scenarios, it is currently impossible to fully enumerate and eliminate all potential exploitation scenarios.
Workarounds, mitigations: Versions 8.3.8, 8.2.20 and 8.1.29 can be downloaded from the official PHP site.

5. TeamCity Authentication Bypass Leading to RCE (CVE-2024-27198)

CVSS Rating: 9.8 (Critical)

Details:

    • What Is It? An issue in TeamCity allowing authentication bypass, leading to remote code execution.
    • How It Works: Attackers can bypass authentication mechanisms to gain unauthorized access and execute code on the system.
    • Current Exploits: Proof-of-concept exploit released just 22 minutes after vulnerability disclosure.
    • Affected Systems: Companies using TeamCity for continuous integration and deployment.

Potential Reasons Why It Remains Unpatched:

    • Rapid Exploit Publication: Fast release of exploits following vulnerability disclosure leaves minimal time for mitigation.

Why Is It Still a Threat in H2 2024?
Continuous integration tools are inherent to software development, and any vulnerability can significantly disrupt workflows. Unauthorized access to such systems can lead to significant data breaches and manipulation of software builds. The ability to bypass authentication and gain control over development pipelines has far-reaching implications, potentially compromising entire software development processes.

How To Address It?
On March 4, JetBrains released TeamCity version 2023.11.4, which includes the fix for CVE-2024-27198.

6. CosmicSting RCE in Adobe Commerce (CVE-2024-34102)

CVSS Rating: 9.8 (Critical)

Details:

    • What Is It? A critical RCE vulnerability in Adobe Commerce/Magento, allowing extensive file access and potential command execution.
    • How It Works: Attackers leverage the vulnerability to view private files and potentially escalate to RCE using additional bugs.
    • Current Exploits: Mass exploitation with three to five stores being hacked per hour.
    • Affected Systems: Adobe Commerce and Magento versions listed in vulnerability details; millions of e-commerce sites, nearly 75% of Adobe Commerce and Magento sites.

Potential Reasons Why It Remains Unpatched:

    • Severity and Adoption Rate: High severity combined with slow patch adoption in the e-commerce sector.

Why Is It Still a Threat in H2 2024?
E-commerce platforms are high-value targets for attackers due to the vast amount of transactions and personal and financial data they handle. Successful exploitation of tis vulnerability can lead to data theft, financial loss, and significant reputation damage.

How To Address It?
Sansec recommended platform administrators apply the patches for CVE-2024-34102 as soon as possible or follow the recommended mitigations.

However, at this stage, simply patching CosmicSting will likely not be enough. The stolen encryption key still allows attackers to generate web tokens after the update, so the encryption key should be considered compromised by default. Generating a new encryption key does not invalidate the old key, so it is recommended to manually update the old key in app/etc/env.php to the new value rather than deleting it.

How To Efficiently Patch All of These Vulnerabilities And More

Want to learn about newly released updates as soon as they are available? With Action1, you can — as well as streamline the entire patch management process, from identifying missing updates to compliance reporting, across both Windows OS and third-party software.

Setup in minutes to reduce your cyber risks and costs:

See What You Can Do with Action1

 

Join our weekly LIVE demo “Patch Management That Just Works with Action1” to learn more

about Action1 features and use cases for your IT needs.

 

spiceworks logo
getapp logo review
software advice review
trustradius
g2 review
spiceworks logo

Related Posts

What is Endpoint Management?

Endpoint management is an essential part of modern and advanced IT security and device administration, providing every organization with the ability to identify, monitor, manage,...

read more