Recent cybersecurity vulnerabilities reported on the National Institute of Standards and Technology (NIST)’s National Vulnerability Database pose significant risks to organizations worldwide. Without mitigation, data breaches and system compromises are possible. July’s CVE news includes critical updates and patches for various high-severity vulnerabilities. Check out the vulnerabilities reported from last month to keep your organization informed and secure from potential cyber threats.
CVE-2024-4879, CVE-2024-5178, CVE-2024-5217
Mechanism of the Threat: These vulnerabilities in ServiceNow MID Server components stem from improper input validation and access control mechanisms, which lead to unauthorized code execution. Specifically, CVE-2024-4879 involves Jelly template injection, CVE-2024-5178 concerns the SecurelyAccess API, and CVE-2024-5217 relates to the GlideExpression script.
Execution and Exploitation: Attackers exploit these vulnerabilities by injecting malicious scripts or leveraging insecure API endpoints to gain unauthorized access. CVE-2024-4879 allows arbitrary code execution through template injection, CVE-2024-5178 can be exploited by bypassing input validation in the SecurelyAccess API, and CVE-2024-5217 involves exploiting the GlideExpression script to execute arbitrary code.
Impact and Potential Risks: Exploitation can lead to significant security breaches, including unauthorized access, data exfiltration, and system compromise. These vulnerabilities can cause operational disruptions and data loss, with CVE-2024-4879, CVE-2024-5178, and CVE-2024-5217 each posing distinct risks related to their specific components.
Mitigation and Response: Organizations should promptly apply security patches provided by ServiceNow. Enhancing input validation and access control mechanisms is critical. For CVE-2024-4879, ensure Jelly template processing is secured; for CVE-2024-5178, validate inputs rigorously in the SecurelyAccess API; and for CVE-2024-5217, secure the GlideExpression script against unauthorized access and execution.
For more details, refer to Service Now’s articles:
CVE-2024-34102
Mechanism of the Threat: CVE-2024-34102 affects Adobe Commerce versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8, and earlier. It is caused by improper restriction of XML External Entity (XXE) references within the platform.
Execution and Exploitation: Attackers can exploit this cybersecurity vulnerability by sending a crafted XML document that references external entities, leading to arbitrary code execution without requiring user interaction.
Impact and Potential Risks: Exploitation can result in unauthorized access and control over affected systems, leading to significant data breaches and potential system compromise.
Mitigation and Response: Apply the latest security patches from Adobe. Specifically, update to versions 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, or 2.4.4-p9, which address this issue. Additionally, disable external entity processing and follow best practices for secure XML parsing.
For more details, visit Adobe’s website: https://helpx.adobe.com/security/products/magento/apsb24-40.html
CVE-2024-28995
Mechanism of the Threat: CVE-2024-28995 affects SolarWinds Serv-U versions up to and including 15.4.2. It involves a directory traversal vulnerability that permits unauthorized access to read sensitive files on the host machine.
Execution and Exploitation: An attacker can exploit this vulnerability by crafting a specific path in requests to the Serv-U server, enabling them to traverse directories and access restricted files. This vulnerability has been observed being actively exploited in the wild.
Impact and Potential Risks: Exploitation can lead to the exposure of sensitive information, potentially compromising the security and privacy of affected systems and data.
Mitigation and Response: SolarWinds users should immediately apply the hotfix 15.4.2 HF 2 and follow vendor mitigation guidelines, including monitoring for the attack behavior detailed by threat actors and blocking it in external firewalls.
For more information, visit SolarWinds’ website: https://www.solarwinds.com/trust-center/security-advisories/cve-2024-28995
CVE-2022-22948
Mechanism of the Threat: CVE-2022-22948 affects VMware vCenter Server, resulting from improper permissions assigned to files within the server, leading to an information disclosure vulnerability.
Execution and Exploitation: A malicious actor with non-administrative access can exploit this vulnerability to gain unauthorized access to sensitive information stored on the vCenter Server.
Impact and Potential Risks: Exploitation of this vulnerability can compromise sensitive data, leading to potential data breaches and unauthorized information disclosure.
Mitigation and Response: Administrators should apply the latest security updates from VMware, such as vCenter Server versions 7.0 U3d, 6.7 U3p, and 6.5 U3r.
View more information here: https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/23623
CVE-2024-20399
Mechanism of the Threat: CVE-2024-20399 affects Cisco NX-OS Software due to insufficient validation of arguments passed to specific CLI commands, leading to a command injection vulnerability. This flaw allows attackers to inject malicious input into configuration CLI commands.
Execution and Exploitation: An attacker with authenticated access can exploit this vulnerability by sending crafted inputs via configuration CLI commands, allowing them to execute arbitrary commands with root privileges. This issue has been confirmed to affect various versions of Cisco NX-OS, particularly those used in Nexus 3000, 3500, 3600, 9000, 9500, and other series switches.
Impact and Potential Risks: Exploitation can result in full control over the underlying operating system, posing significant risks of unauthorized access and system compromise. The ability to execute commands as root can lead to extensive system control, data breaches, and further propagation of attacks within the network.
Mitigation and Response: Cisco has released software updates that address this vulnerability. Users should immediately upgrade to the fixed versions as listed in the Cisco Security Advisory. Additionally, administrators should review and monitor CLI command usage to detect any anomalous activities.
For more details, visit https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nxos-cmd-injection-xD9OhyOP
CVE-2024-23692
Note that guidance around this CVE was issued in May and updated in July.
Mechanism of the Threat: CVE-2024-23692 impacts Rejetto HTTP File Server (HFS) versions up to and including 2.3m due to a server-side template injection (SSTI) vulnerability that allows remote command execution.
Execution and Exploitation: A remote, unauthenticated attacker can exploit this vulnerability by sending a specially crafted HTTP request to the HFS server, leading to arbitrary command execution on the affected system.
Impact and Potential Risks: Successful exploitation can lead to full control over the system, posing severe risks including unauthorized access, data theft, and complete system compromise.
Mitigation and Response: Users should immediately discontinue the use of unsupported HFS 2.3m and upgrade to a supported version or apply recommended mitigations, such as deploying security patches and utilizing firewall rules to block exploit attempts.
Get more information here: https://github.com/rapid7/metasploit-framework/pull/19240
CVE-2024-38080
Mechanism of the Threat: CVE-2024-38080 affects Microsoft Windows Hyper-V due to improper validation of user privileges, which leads to an elevation of privilege vulnerability.
Execution and Exploitation: Authenticated attackers can exploit this vulnerability by executing crafted commands within the Hyper-V environment, enabling them to escalate their privileges and gain unauthorized access to higher privilege levels.
Impact and Potential Risks: Successful exploitation can grant attackers complete control over the affected system, allowing them to perform unauthorized actions and potentially compromise the entire virtualized environment.
Mitigation and Response: Microsoft has released patches to address this vulnerability. Administrators should apply these updates without delay to secure their systems.
Learn more about this CVE on Microsoft: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38080
CVE-2024-38112
This CVE will be reanalyzed soon. More details will be available then.
CVE-2024-38112 impacts the Microsoft Windows MSHTML platform due to a spoofing vulnerability within its user interface components. This vulnerability stems from the way the platform handles objects in memory, leading to potential spoofing attacks.
Execution and Exploitation: An attacker can exploit this vulnerability by crafting malicious web content that deceives users, potentially leading to the execution of arbitrary code when users interact with the spoofed content.
Impact and Potential Risks: Successful exploitation can result in unauthorized actions, such as privilege escalation or execution of malicious scripts, potentially compromising the entire system.
Mitigation and Response: Apply the latest security patches provided by Microsoft and follow recommended security practices to mitigate this vulnerability.
For more information, visit https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38112
CVE-2024-36401
Mechanism of the Threat: CVE-2024-36401 impacts GeoServer up to versions 2.23.6, 2.24.4, and 2.25.2, due to a vulnerability in the GeoTools library. This vulnerability allows unsafely evaluating property names as XPath expressions, leading to remote code execution.
Execution and Exploitation: Unauthenticated attackers can exploit this vulnerability by sending specially crafted OGC requests, such as WFS GetFeature, WFS GetPropertyValue, WMS GetMap, WMS GetFeatureInfo, WMS GetLegendGraphic, and WPS Execute requests. These requests can trigger the unsafe evaluation of property names, resulting in arbitrary code execution on the affected system.
Impact and Potential Risks: Successful exploitation allows arbitrary code execution, which can compromise the entire system and expose sensitive data. This could lead to unauthorized access, data theft, and further exploitation of the compromised system.
Mitigation and Response: Users should update to GeoServer versions 2.23.6, 2.24.4, or 2.25.2 to mitigate this vulnerability. As a workaround, the vulnerable gt-complex-x.y.jar file can be removed from the GeoServer installation. However, this may break some functionality or prevent deployment if the gt-complex module is required. Detailed instructions for applying patches or removing the vulnerable file are available in the GitHub Advisory Database.
Check out OSGeo for more information: https://osgeo-org.atlassian.net/browse/GEOT-7587
Protect Your Organization from the Latest Vulnerabilities in Cybersecurity
Keep your organization safe from cybersecurity vulnerabilities by staying informed on CVE news and promptly implement recommended patches. To support your efforts, follow the latest cybersecurity best practices by emphasizing lateral movement protection, implementing microsegmentation, and deploying a multi-layered cybersecurity stack in your policies. Learn more on how TrueFort can help your organization today.