Protecting Organizations with Up-to-Date CVE Awareness
Reports from the National Institute of Standards and Technology (NIST) through its National Vulnerability Database (NVD) highlight critical cybersecurity vulnerabilities that demand immediate attention and underscore the persistent risks organizations face, including potential data breaches and system compromises if left unaddressed. Recent critical vulnerabilities emphasize the importance of timely patching and updates to safeguard against these high-severity threats. It is imperative for organizations to review vulnerabilities each month and to implement the necessary security measures to mitigate exposure to these evolving cyber risks. Here are some issues to prioritize in August:
CVE-2024-36401
Mechanism of the Threat: CVE-2024-36401 is a critical vulnerability in GeoServer, an open-source server for geospatial data management. The flaw arises from improper handling of OGC request parameters, allowing Remote Code Execution (RCE) through maliciously crafted inputs. This vulnerability stems from the unsafe evaluation of property names as XPath expressions in the GeoTools library API.
Execution and Exploitation: Unauthenticated attackers can exploit this vulnerability by sending crafted requests to a default GeoServer installation, leading to arbitrary code execution via the commons-jxpath library.
Impact and Potential Risks: Exploitation of CVE-2024-36401 can result in full system compromise, unauthorized data access, and operational disruptions across all affected GeoServer instances.
Mitigation and Response: GeoServer users should immediately update to versions 2.23.6, 2.24.4, or 2.25.2, which contain patches. Alternatively, removing the gt-complex-x.y.jar file can mitigate the issue, though this may disrupt GeoServer functionality.
For More Information:
CVE-2022-22948
Mechanism of the Threat: CVE-2022-22948 is a significant information disclosure vulnerability identified in VMware vCenter Server. The vulnerability arises from improper file permission settings that could allow unauthorized users to access sensitive information. Specifically, the flaw exists in the vCenter Server Appliance (VCSA), where non-administrative users can access files that contain sensitive data due to these misconfigured permissions.
Execution and Exploitation: Attackers with limited access to a vCenter Server instance can exploit this vulnerability by leveraging the incorrect file permissions to access files containing potentially sensitive information. This exploitation does not require high privileges or complex attack methods, making it accessible to attackers with basic access rights to the vCenter Server.
Impact and Potential Risks: The exploitation of CVE-2022-22948 primarily risks unauthorized access to sensitive information within the vCenter Server environment. This could include configuration files, logs, or other data that could be used for further exploitation, such as privilege escalation or reconnaissance activities.
Mitigation and Response: VMware has addressed this vulnerability in their advisory VMSA-2022-0009. Organizations using VMware vCenter Server are strongly advised to apply the provided patches immediately to correct the file permission settings and mitigate the risk associated with this vulnerability. In addition to applying patches, organizations should review their vCenter Server permissions and configurations to ensure that access controls are properly enforced.
For More Information:
CVE-2024-28995
Mechanism of the Threat: CVE-2024-28995 is a critical directory traversal vulnerability in SolarWinds Serv-U, a widely used file transfer software. The vulnerability is due to improper validation of file paths within the software, which can allow attackers to craft specific requests that bypass directory restrictions. This flaw enables unauthorized access to files and directories on the host machine that should normally be inaccessible.
Execution and Exploitation: An attacker can exploit CVE-2024-28995 by sending specially crafted directory traversal sequences, such as ../, within a file path request. These sequences allow the attacker to navigate the directory structure beyond the intended boundaries, leading to unauthorized access to sensitive files. This exploitation can be performed remotely and does not require prior authentication, significantly increasing its severity and potential impact.
Impact and Potential Risks: Successful exploitation of this vulnerability could result in the exposure of sensitive files, including configuration files, credentials, and other critical data stored on the host system. Such unauthorized access could enable further attacks, such as privilege escalation or data breaches, potentially compromising the entire network or infrastructure that relies on the affected Serv-U instance.
Mitigation and Response: SolarWinds has released security updates that address this vulnerability. It is strongly recommended that users apply these patches immediately to mitigate the risk. If patching is not feasible, consider disabling the Serv-U service temporarily or implementing workarounds as advised by SolarWinds. Regularly monitoring for unusual activity and tightening your network security strategy can also help reduce the risk of exploitation.
For More Information:
CVE-2024-34102
Mechanism of the Threat: CVE-2024-34102 is a critical vulnerability in Adobe Commerce and Magento Open Source, stemming from improper handling of XML External Entity (XXE) references. This flaw occurs when the affected software processes XML documents that include external entities. If exploited, this vulnerability allows an attacker to submit a maliciously crafted XML document, leading to potential arbitrary code execution or unauthorized data access.
Execution and Exploitation: Exploitation of this vulnerability occurs when the server processes a specially crafted XML input containing external entities. The vulnerability allows attackers to execute arbitrary code or access sensitive information without requiring user interaction. This makes the attack vector particularly dangerous, as it can be executed remotely and silently.
Impact and Potential Risks: The successful exploitation of CVE-2024-34102 can result in severe consequences, including full system compromise, data exfiltration, or even the disruption of services. Attackers could gain unauthorized access to critical system files, execute malicious code, or leverage the vulnerability to launch further attacks against the compromised environment.
Mitigation and Response: Adobe has released patches for all affected versions of Adobe Commerce and Magento Open Source to address this vulnerability. It is crucial for administrators to apply these updates immediately to mitigate the associated risks. Additionally, organizations should review their XML processing configurations and consider disabling external entity processing where possible to prevent similar vulnerabilities.
For More Information:
CVE-2024-39891
Mechanism of the Threat: CVE-2024-39891 is a critical vulnerability identified in Twilio’s Authy desktop application. The vulnerability arises from improper validation and handling of input during the authentication process. This flaw allows attackers to bypass the authentication mechanisms, enabling unauthorized command execution on the affected system. Specifically, the issue is related to how Authy handles certain authentication requests, which can be manipulated to gain elevated privileges.
Execution and Exploitation: Exploitation of CVE-2024-39891 occurs when an attacker crafts specific authentication requests designed to bypass standard security checks. By manipulating these requests, the attacker can gain unauthorized access to the system and potentially execute arbitrary commands. This type of attack could be carried out remotely and does not require user interaction, making it highly exploitable with minimal effort.
Impact and Potential Risks: The successful exploitation of this vulnerability could result in a full system compromise. This includes unauthorized access to sensitive user data, the ability to execute arbitrary commands, and the potential for further attacks within the network. The severity of the vulnerability is underscored by its potential to grant attackers control over critical systems or data, leading to significant security breaches.
Mitigation and Response: Twilio has addressed this vulnerability by releasing security patches for the Authy desktop application. Users and administrators are strongly urged to update to the latest version immediately to protect against potential exploitation. Additionally, it is advisable to review and reinforce security configurations, ensuring that all authentication processes are secure and properly validated.
For More Information:
CVE-2018-0824
Mechanism of the Threat: CVE-2018-0824 is a critical remote code execution (RCE) vulnerability in Microsoft’s SQL Server, specifically related to the SQL Server Database Engine. The vulnerability is rooted in how the SQL Server handles the processing of certain expressions, particularly within a query that involves a Scalar-Valued Function (SVF). The flaw arises due to the improper handling of data within these expressions, which can lead to memory corruption.
Execution and Exploitation: An attacker could exploit this vulnerability by crafting a specially designed query that, when processed by the SQL Server, could trigger memory corruption. This would allow the attacker to execute arbitrary code within the SQL Server process. Exploitation requires the attacker to execute queries on the SQL Server, but it could be accomplished by any authenticated user with the necessary permissions.
Impact and Potential Risks: If successfully exploited, this vulnerability could allow an attacker to execute arbitrary code within the context of the SQL Server Database Engine. This can lead to full control over the database and potentially the underlying server. The impact includes unauthorized data access, data manipulation, or even complete database takeover, depending on the server’s configuration and the attacker’s privileges.
Mitigation and Response: Microsoft has released patches to address this vulnerability as part of its security updates. Administrators are advised to apply the relevant security updates to affected SQL Server versions immediately. Additionally, minimizing user privileges, adding layered security elements, and restricting access to SQL Server can help reduce the risk of exploitation.
For More Information:
CVE-2012-4792
Mechanism of the Threat: CVE-2012-4792 is a critical use-after-free vulnerability in Microsoft’s Internet Explorer versions 6 through 8. The vulnerability occurs due to improper handling of CMshtmlEd objects, leading to memory corruption. This flaw is triggered when Internet Explorer improperly frees memory that is still in use, creating an opportunity for an attacker to corrupt the memory space.
Execution and Exploitation: Attackers can exploit this vulnerability by convincing users to visit a maliciously crafted webpage designed to trigger the use-after-free condition. Once the vulnerability is exploited, the attacker can execute arbitrary code within the context of the affected Internet Explorer process. This could be achieved through techniques like drive-by downloads, where no further interaction from the user is required beyond visiting the malicious webpage.
Impact and Potential Risks: Successful exploitation of CVE-2012-4792 allows attackers to execute arbitrary code with the same privileges as the user running Internet Explorer. If the user has administrative privileges, the attacker could gain full control over the affected system, potentially leading to system compromise, data theft, or further propagation of malicious code within a network.
Mitigation and Response: Microsoft released a security update as part of MS13-008 to address this vulnerability. Applying this update is critical to protect systems from potential exploitation. Users should ensure that all security patches are up to date and consider upgrading to more recent versions of Internet Explorer or alternative browsers that are no longer affected by this vulnerability. Safe browsing habits and the limitation of administrative privileges can further mitigate the risk.
For More Information:
CVE-2023-45249
Mechanism of the Threat: CVE-2023-45249 is a critical vulnerability in Acronis Cyber Protect, a widely used data protection and cybersecurity solution. The vulnerability arises from improper input validation in the management interface. This flaw allows attackers to inject and execute arbitrary commands remotely, leading to severe security risks. The core issue is that the input fields do not adequately sanitize user-provided data, which can be manipulated to bypass security controls.
Execution and Exploitation: An attacker can exploit this vulnerability by sending specially crafted requests to the Acronis Cyber Protect management console. These crafted requests can manipulate the input validation process, enabling the execution of arbitrary commands on the underlying system. This exploitation can be carried out remotely, without needing physical access to the target, making it particularly dangerous.
Impact and Potential Risks: The successful exploitation of CVE-2023-45249 could lead to full system compromise. This includes unauthorized access to sensitive data, disruption of backup and recovery operations, and potential manipulation or deletion of critical files. The vulnerability’s impact extends to the entire infrastructure protected by Acronis, posing significant risks to the continuity of operations and data integrity.
Mitigation and Response: Acronis has released security patches to address this vulnerability. It is imperative that administrators apply these patches immediately to protect against potential exploitation. In addition to patching, reviewing and strengthening security configurations within the Acronis management interface is recommended to further mitigate the risk. Regular monitoring and adopting zero trust security principles can also help reduce exposure to such vulnerabilities.
For More Information:
CVE-2024-4879 and CVE-2024-5217
Mechanism of the Threat: CVE-2024-4879 and CVE-2024-5217 are recent critical vulnerabilities identified in ServiceNow’s MID Server components and the GlideExpression script processing engine.
- CVE-2024-4879 involves improper input validation in the processing of Jelly templates within the ServiceNow platform. The vulnerability occurs due to inadequate checks on user-supplied input in these templates, which can be manipulated to inject malicious code.
- CVE-2024-5217 relates to the improper handling of inputs within the GlideExpression script processing. This vulnerability allows attackers to craft specific expressions that can bypass security mechanisms, leading to arbitrary code execution.
Execution and Exploitation: Attackers can exploit these vulnerabilities by injecting malicious code into vulnerable Jelly templates (CVE-2024-4879) or by crafting specific expressions in GlideExpression scripts (CVE-2024-5217). These malicious inputs can then be processed by the server, resulting in unauthorized code execution with the same privileges as the affected service, potentially compromising the entire ServiceNow environment.
Impact and Potential Risks: Successful exploitation of these vulnerabilities could lead to severe consequences, including full system compromise, unauthorized access to sensitive data, and potential data breaches across environments using ServiceNow. Given that ServiceNow is often used for managing critical business operations, the impact of these vulnerabilities could extend to widespread operational disruptions and significant security breaches.
Mitigation and Response: ServiceNow has released patches to address both vulnerabilities. Administrators are strongly urged to apply these patches immediately to mitigate the risks associated with these flaws. In addition to patching, it is advisable to review and strengthen input validation processes and apply least privilege principles to limit the impact of any potential exploitation.
For More Information:
CVE-2024-37085
Mechanism of the Threat: CVE-2024-37085 is a critical authentication bypass vulnerability affecting VMware ESXi hypervisors that are integrated with Active Directory (AD). The vulnerability stems from the improper validation of an AD group named “ESX Admins,” which is not a default group but can be created or renamed by attackers with sufficient AD permissions. This flaw allows unauthorized users to gain full administrative access to ESXi hosts.
Execution and Exploitation: Ransomware operators have actively exploited this vulnerability by compromising domain administrator credentials and creating or renaming groups to “ESX Admins.” Once this group is in place, any user added to it can gain full administrative control over the ESXi hypervisor. This control enables attackers to exfiltrate data, deploy ransomware, and encrypt virtual machines (VMs) hosted on the compromised ESXi servers. Notably, this vulnerability has been exploited by several ransomware groups, including Storm-0506 and Black Basta, making it a significant threat to environments relying on VMware ESXi.
Impact and Potential Risks: The exploitation of CVE-2024-37085 can lead to the complete compromise of VMware ESXi hosts, resulting in data breaches, the deployment of ransomware, and severe operational disruptions. Given that ESXi servers often host critical VMs, the impact of this vulnerability can extend across an entire network, affecting multiple systems and services.
Mitigation and Response: VMware has released patches to address this vulnerability in ESXi 8.0 Update 3 and VMware Cloud Foundation 5.2. Administrators are strongly advised to apply these updates immediately. For environments where patching is not feasible, it is crucial to monitor AD group memberships closely, particularly for unauthorized “ESX Admins” groups, and to implement additional security measures to protect AD credentials.
For More Information:
CVE-2024-32113
Mechanism of the Threat: CVE-2024-32113 is a critical vulnerability in Apache OFBiz, an open-source ERP system widely used for automating enterprise processes. The vulnerability stems from improper limitation of a pathname to a restricted directory, commonly known as a Path Traversal vulnerability. This flaw allows an attacker to access and manipulate files outside the intended restricted directory, leading to unauthorized access to sensitive information and potentially enabling remote code execution (RCE).
Execution and Exploitation: An attacker can exploit this vulnerability by submitting a maliciously crafted input that includes directory traversal sequences (e.g., ../) into vulnerable fields within Apache OFBiz. This can allow the attacker to navigate to unauthorized directories and execute commands or access files that should be off-limits. The attack does not require authentication or user interaction, making it highly exploitable with low complexity.
Impact and Potential Risks: Successful exploitation of CVE-2024-32113 could lead to significant impacts, including unauthorized access to sensitive files, data leakage, manipulation, and the ability to execute arbitrary code in the context of the affected service account. Depending on the permissions of the compromised account, an attacker could perform actions such as installing programs, modifying data, or creating new user accounts with full privileges. The vulnerability has been classified as critical with a CVSS score of 9.8, emphasizing its potential to severely compromise affected systems.
Mitigation and Response: Apache has released a security update that addresses recent critical vulnerabilities in version 18.12.13 of OFBiz. Users are strongly advised to upgrade to this version immediately. Additional security measures include applying the principle of least privilege to limit the impact of any potential exploitation and ensuring that all system updates are applied promptly. Organizations should also monitor their systems for any signs of exploitation and consider conducting vulnerability assessments to identify any other potential security weaknesses.
For More Information:
CVE-2024-36971
Mechanism of the Threat: CVE-2024-36971 is a critical zero-day vulnerability in the Android kernel, specifically related to the Linux kernel’s network route management. The vulnerability arises from a use-after-free (UAF) condition, which occurs when the kernel attempts to use memory that has already been freed. This flaw can be exploited by attackers to execute arbitrary code with elevated privileges, potentially allowing them to take complete control of the affected device.
Execution and Exploitation: The vulnerability is particularly dangerous because it can be exploited remotely with system execution privileges, meaning that no user interaction is necessary. Exploitation of this flaw allows attackers to manipulate memory and execute malicious code, making it a potent tool for cyber espionage and targeted attacks. There is evidence that this vulnerability has been actively exploited in the wild, particularly in highly targeted attacks, likely by advanced persistent threat (APT) groups or commercial spyware vendors.
Impact and Potential Risks: Successful exploitation of CVE-2024-36971 could lead to full device compromise, allowing attackers to bypass security measures, access sensitive data, and perform actions such as installing malware or surveilling users. The high severity of this vulnerability, with a CVSS score of 7.8, highlights the significant risk it poses to Android devices, particularly those that are not regularly updated.
Mitigation and Response: Google has released patches to address this vulnerability as part of the August 2024 Android security updates. Users are strongly advised to update their devices to the latest version immediately. Additionally, employing comprehensive security solutions that include real-time threat detection and automatic response can help mitigate the risks posed by such vulnerabilities. Continuous monitoring for unusual activities and educating users about security best practices are also recommended.
For More Information:
Recent Critical Vulnerabilities Added in August
The following CVEs were added to the National Vulnerability Database in August 2024 and require attention ahead of the September disclosure deadline. These vulnerabilities span multiple Microsoft Windows components and other software platforms. They pose significant risks, including privilege escalation, remote code execution, and security feature bypasses. Prioritize these updates to mitigate potential threats in the weeks and months to come.
CVE-2024-38107 – Microsoft Windows Power Dependency Coordinator Privilege Escalation Vulnerability
CVE-2024-38106 – Microsoft Windows Kernel Privilege Escalation Vulnerability
CVE-2024-38193 – Microsoft Windows Ancillary Function Driver for WinSock Privilege Escalation Vulnerability
CVE-2024-38213 – Microsoft Windows SmartScreen Security Feature Bypass Vulnerability
CVE-2024-38178 – Microsoft Windows Scripting Engine Memory Corruption Vulnerability
CVE-2024-38189 – Microsoft Project Remote Code Execution Vulnerability
CVE-2024-28986 – SolarWinds Web Help Desk Deserialization of Untrusted Data Vulnerability
CVE-2024-23897 – Jenkins Command Line Interface (CLI) Path Traversal Vulnerability
Protect Your Organization from Recent Critical Vulnerabilities
Safeguard your organization against cybersecurity threats by staying updated on the latest CVE developments and promptly applying the recommended patches. Enhance your security posture by adopting best practices such as reinforcing lateral movement defenses, implementing microsegmentation, and integrating a multi-layered cybersecurity approach into your policies. Discover how TrueFort can support your organization’s security needs today.
