Hear yea, hear yea!

I’ll be hosting the Qualys Cyber Risk Series on Wed, July 31, “To Be, Or Not to Be? Patch Is the Question”.

Join me and a whole host of industry experts as we chat about proactive, risk-based remediation, and how to balance operational and security risk.

Oddsbodkins! It sounds like quite the event.

Register today at https://qualys.brighttalk.com/?utm_source=infpost1&utm_medium=socialpost&utm_campaign=617611

Cisco IMC Command Injection Vulnerability Alert

Date: April 17, 2024
CVE: CVE-2024-20356
Vulnerability Type: Command Injection
CWE: [[CWE-78]]
Sources: Cisco Security Advisory

Issue Summary

A critical vulnerability has been identified in the Cisco Integrated Management Controller (IMC) web-based management interface. This flaw allows authenticated, remote attackers with Administrator-level privileges to perform command injection attacks, potentially gaining root access to the affected systems. Cisco has acknowledged the vulnerability and provided software updates to mitigate the issue.

Technical Key findings

The vulnerability results from inadequate input validation of command strings by the web-based management interface. Attackers can exploit this by sending specially crafted commands to the interface, which are then executed with elevated privileges.

Vulnerable products

• 5000 Series Enterprise Network Compute Systems (ENCS)
• Catalyst 8300 Series Edge uCPE
• UCS C-Series M5, M6, and M7 Rack Servers (standalone mode)
• UCS E-Series Servers
• UCS S-Series Storage Servers (standalone mode)

Impact assessment

Successful exploitation allows attackers to elevate privileges to root, leading to full system control. This can result in unauthorized access, data leakage, and potential interruption of operations.

Patches or workaround

No workarounds are available. Cisco recommends updating to the latest firmware versions provided in their security advisory to address this vulnerability.

Tags

#Cisco #CVE-2024-20356 #CommandInjection #CIMC #ITSecurity #PatchManagement

New blog post

The National Vulnerability Database (the NVD) appears to be in some sort of hiatus, no longer assigning CVSS information to CVEs. They’ve posted a note:

NIST is currently working to establish a consortium to address challenges in the NVD program and develop improved tools and methods. You will temporarily see delays in analysis efforts during this transition. We apologize for the inconvenience and ask for your patience as we work to improve the NVD program.

If you want to understand what’s happening, hackread says @joshbressers first drew attention to it, and Josh has a podcast on the episode. Me, I wonder if this has to do with the 12% budget reductions at NIST. Beyond the why, many people are quite concerned, because they’ve been using CVSS scores to reduce the amount of patching work they do, generally under a label like “risk management.” (I prefer to think of it as workload management when you’re letting someone else make “risk” decisions for you. And that’s fine. We do this outsourcing in all parts of life, work and personal.)

Full post:
https://shostack.org/blog/the-nvd-crisis/

#NVD #CVSS #patchmanagement
#riskmanagement

" Critical Security Alert: HikCentral Professional Vulnerabilities Exposed "

Hikvision's latest advisory reveals severe vulnerabilities in HikCentral Professional, identified by Michael Dubell and Abdulazeez Omar. CVE-2024-25063 and CVE-2024-25064, with CVSS scores of 7.5 and 4.3 respectively, highlight risks of unauthorized access due to insufficient server-side validation. Users are urged to upgrade to versions above V2.5.1 for enhanced security. Stay vigilant and prioritize updating to safeguard your systems!

CVE Summaries:

• CVE-2024-25063: Attackers could exploit server validation flaws to access restricted URLs, compromising confidentiality.
• CVE-2024-25064: Authenticated users could manipulate parameters to access unauthorized resources, posing a lower risk.

Source: Hikvision Security Advisory

Tags: #CyberSecurity #Hikvision #Vulnerability #CVE2024-25063 #CVE2024-25064 #ServerSecurity #InfoSec #PatchManagement

" Autodesk AutoCAD Vulnerabilities Exposed "

Autodesk's security advisory reveals critical vulnerabilities within AutoCAD products, impacting various versions with potential for arbitrary code execution. Highlighting CVEs such as CVE-2024-0446 through CVE-2024-23137, these flaws can be exploited through maliciously crafted files, posing significant risks to confidentiality, integrity, and availability. Mitigation includes avoiding the import feature and only importing files from trusted sources. Props to Mat Powell from Trend Micro Zero Day Initiative for uncovering these vulnerabilities. Stay vigilant and update accordingly!

Tags: #CyberSecurity #Vulnerability #AutoCAD #CVE #Autodesk #CodeExecution #InfoSec #PatchManagement

AUTODESK TRUST CENTER Security advisory

" Critical Vulnerabilities Alert in ConnectWise Software "

Two vulnerabilities have been identified in ConnectWise's remote desktop software, ScreenConnect, affecting versions 23.9.7 and prior. The first vulnerability (CVE-2024-1708) is a path-traversal issue allowing potential remote code execution or access to sensitive data, rated with a high severity score of 8.4.

The second (CVE-2024-1709) is an authentication bypass, considered critical with a severity score of 10.0, and is easily exploitable with existing proof-of-concept exploits. ConnectWise has issued updates for cloud-hosted instances, but self-hosted deployments need immediate patching. The exposure is global, with significant concentrations in the United States, and it's expected that cybercriminals and nation-state actors will actively exploit these vulnerabilities.

| ---- | ---- | ---- |
| CVE Number | Description | *CVSS Severity* |
| CVE-2024-1708 | ScreenConnect 23.9.7 and prior are affected by a path-traversal vulnerability, which may allow an attacker the ability to execute remote code or directly impact confidential data or critical systems. | 8.4 High |
| CVE-2024-1709 | ConnectWise ScreenConnect 23.9.7 and prior are affected by an authentication bypass using an alternate path or channel vulnerability, which may allow an attacker direct access to confidential information or critical systems. | 10.0 Critical |

Professionals using ConnectWise must urgently patch their systems to mitigate these vulnerabilities. The discovery underscores the importance of rigorous security practices in protecting IT infrastructures.

Tags: #CyberSecurity #VulnerabilityAlert #ConnectWise #CVE2024_1708 #CVE2024_1709 #PatchManagement #ITSecurity #RemoteCodeExecution #PrivilegeEscalation

Source: Unit42 by Palo Alto Networks

" Critical EoP Flaw in Microsoft Exchange Server "

A Critical Elevation of Privilege (EoP) vulnerability, CVE-2024-21410, in the Microsoft Exchange Server, demands immediate attention. Rated 9.8 on the CVSSv3 scale and tagged "Exploitation More Likely," this flaw could let attackers use NTLMv2 hashes for relay or pass-the-hash attacks. Exchange Server versions up to 2019 CU14 lack NTLM Relay Protection by default. Microsoft advises enabling this protection via a provided script that can be found in Microsoft’s advisory and urges installation of the latest update as a defense measure.

While CVE-2024-21410 remains unexploited for now AFAIK, its potential risk cannot be underestimated.

Tags: #CyberSecurity #MicrosoftExchange #EoPVulnerability #CVE2024-21410 #PatchManagement #NTLMRelay #ThreatPrevention

Source: Microsoft Advisory

" Alert: New Exploit CVE-2024-21412 Unveiled "

An important vulnerability, CVE-2024-21412, with a CVSS score of 8.1, has been disclosed. This flaw in Internet Shortcut Files allows an unauthenticated attacker to bypass security features by sending a specially crafted file. The exploit relies on social engineering, as the attacker cannot force the user to click but must convince them to do so. This vulnerability is already being exploited in the wild, and Microsoft has released an official fix to counteract this security threat.

For a detailed breakdown of the attack vectors associated with CVE-2024-21412, visit the MITRE database to understand how this exploit works and the best practices to mitigate such risks.

Tags: #CyberSecurity #Vulnerability #CVE2024_21412 #InfoSec #PatchManagement #SocialEngineering #SecurityUpdate

Remember, cybersecurity is not just about the technology but also about understanding the human element. Educate your team and community on the importance of scrutinizing files before clicking, regardless of the source.

MITRE CVE-2024-21412 Summary and MS advisory

" #RoundCubeUnderSiege - CISA Alerts on Roundcube as a frequent attack vector. "

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning about active exploitation of a vulnerability in the RoundCube webmail software. Attackers are leveraging this flaw to execute arbitrary code on vulnerable servers. This Medium vulnerability, identified as CVE-2023-43770 (CVSS score: 6.1), allows attackers XSS via text/plain e-mail messages with crafted links because of program/lib/Roundcube/rcube_string_replacer.php behavior on Roundcube before 1.4.14, 1.5.x before 1.5.4, and 1.6.x before 1.6.3 .

Tags: #CyberSecurity #CISA #RoundCube #EmailSecurity #VulnerabilityManagement #PatchManagement #ThreatIntelligence #InfoSec

Source: Cisa.gov

"AngularJS ReDoS Vulnerability Alert - Affecting EOL angular package, versions >=1.3.0 "

A newly disclosed vulnerability in AngularJS, identified as CVE-2024-21490, poses a risk to web applications by enabling Regular Expression Denial of Service (ReDoS) attacks. This flaw affects all AngularJS versions before 1.8.3, allowing attackers to cause a service disruption by crafting specific inputs that trigger excessive backtracking in regular expressions.

Developers should review their applications for vulnerable patterns and -as this package is EOL- migrate to @angular/core. Also an #PoC example of exploiting this vulnerability can be found in a live demo on StackBlitz, showing the attack's mechanics and potential impact on AngularJS applications.

Tags: #Cybersecurity #Vulnerability #AngularJS #ReDoS #PatchManagement #WebDevelopment #SecureCoding

Source: NVD - CVE-2024-21490, Snyk - SNYK-JS-ANGULAR-6091113, StackBlitz Demo - AngularJS Vulnerability

" 2x High Alert: Ivanti's CVE-2024-21888 - Privilege Escalation Vulnerability AND CVE-2024-21893 - Server-side request forgery vulnerability in the SAML component of Ivanti Connect Secure"

A high-severity vulnerability, CVE-2024-21888, has been identified in Ivanti Connect Secure & Ivanti Policy Secure (versions 9.x, 22.x). This vulnerability permits privilege escalation, allowing a user to gain administrative privileges.

And also a high vulnerability, named CVE-2024-21893, has been discovered in Ivanti Connect Secure and Policy Secure up to versions 9.1R18/22.6R2. This vulnerability affects the SAML component and can be exploited remotely. It allows an attacker to manipulate unknown input, leading to a server-side request forgery issue. There is no publicly available exploit.

A patch has been released to address this vulnerability. Admins are advised to apply patches ASAP and consider a factory reset of devices as an extra precaution.

Tags: #CyberSecurity #VulnerabilityAlert #Ivanti #CVE202421888 #CVE2024221893 #PrivilegeEscalation #PatchManagement #InfosecCommunity #SystemAdmins

Source: Ivanti's Forums Tenable

" #HCLDomino Vulnerability Alert: CVE-2023-37518 - A Critical Code Injection Risk! "

Attention InfoSec community! HCL Domino's BigFix ServiceNow module has a critical vulnerability - CVE-2023-37518. This flaw allows arbitrary code injection by an authorized attacker, posing a substantial risk to system integrity and data confidentiality.

The vulnerability has a medium severity rating (CVSS v3: 6.4). Attack vector involves network access, with low complexity and low privilege requirements, making it a concerning security loophole. No user interaction is needed, amplifying the risk.

Stay vigilant and ensure systems are updated to mitigate this threat. For detailed insights, check Tenable and OpenCVE.

Tags: #CyberSecurity #Vulnerability #CodeInjection #CVE202337518 #BigFix #ServiceNow #InfoSec #PatchManagement

" Alert: Cisco Unity Connection XSS Vulnerability - Time to Patch! "

A recently disclosed vulnerability in Cisco Unity Connection's web-based management interface, identified as CVE-2024-20305, poses a significant XSS (Cross-Site Scripting) risk. This vulnerability allows an authenticated, remote attacker to execute arbitrary script code or access sensitive information by deceiving a user into clicking a crafted link. The vulnerability arises from inadequate validation of user-supplied input by the interface.

Cisco Unity Connection Release 14 and earlier will need to migrate to a fixed release. Cisco Unity Connection Release 15 is not vulnerable.

Cisco has taken swift action by releasing software updates to mitigate this vulnerability. Notably, there are no workarounds, emphasizing the urgency for users to update their systems.

Stay updated and secure!

Source: Cisco Security Advisory

Tags: #CyberSecurity #XSS #Vulnerability #Cisco #PatchManagement #InfoSec #NetworkSecurity

" Vulnerability in Postman up until 10.22 for macOS - CVE-2024-23738 "

A severe code injection vulnerability, CVE-2024-23738, affects Postman versions up to 10.22 on macOS, posing a significant threat. This flaw allows remote attackers to execute arbitrary code through specific settings (RunAsNode and enableNodeClilnspectArguments). Rated at a high CVSS v3 score of 9.8, it requires immediate attention. Postman is an API platform for building and using APIs. No current exploits or known active exploitation. Stay vigilant!

Source: PRIOn and V3x0r's Github

Tags: #CVE202423738 #CyberSecurity #CodeInjection #Postman #macOS #Vulnerability #InfoSec #PatchManagement

" Critical RCE Vulnerability in Cisco Unified Communications Products "

A significant remote code execution (RCE) vulnerability has been identified in multiple Cisco Unified Communications and Contact Center Solutions products. This vulnerability, due to improper processing of user-provided data, could enable unauthenticated attackers to execute arbitrary code with web service user privileges, potentially leading to root access on the affected device. Cisco has released software updates, as there are no workarounds for this vulnerability.

The vulnerability affects a range of Cisco products in their default configurations, including various versions of Unified Communications Manager, Unified Contact Center Enterprise, Unity Connection, and more.

For more details, check the Cisco advisory: Cisco Security Advisory

Additionally, CISA has released an alert urging users and administrators to review Cisco's advisories and apply necessary updates to affected systems.

Tags: #CiscoSecurity #RCE #VulnerabilityAlert #CyberSecurity #InfoSec #PatchManagement #CiscoUC

Source: Cisco Security Advisory, CISA Advisory

" Critical Zero-Day in Apache OFBiz - A Gateway to Confluence Server Exploits "

SonicWall's research team has uncovered a critical zero-day vulnerability in Apache OFBiz, a widely-used open-source enterprise resource planning system. The flaw, CVE-2023-49070, enables Pre-auth remote code execution (RCE), posing a severe risk to organizations. Attackers are leveraging this to find and exploit vulnerable Confluence servers. Users of Apache OFBiz are recommended to upgrade to version 18.12.11 as soon as possible.

This vulnerability, tagged as T1190 (Exploit Public-Facing Application) in the MITRE ATT&CK framework, allows adversaries to execute arbitrary code remotely, potentially leading to full system compromise.

Stay vigilant and patch immediately!

Sources: SonicWall Blog, BleepingComputer

Tags: #Cybersecurity #ZeroDay #ApacheOFBiz #RCE #Confluence #PatchManagement #VulnerabilityAlert #MITREATTACK #ExploitPublicFacingApplication

" curl Vulnerability Alert: SOCKS5 Heap Buffer Overflow "

A critical heap buffer overflow vulnerability has been identified in curl, specifically in the SOCKS5 proxy handshake. When curl is instructed to pass the hostname to the SOCKS5 proxy for resolution, a hostname exceeding 255 bytes should trigger local name resolving. However, due to a bug, a slow SOCKS5 handshake might erroneously copy an overly long hostname to the target buffer instead of just the resolved address, causing a potential overflow.

This flaw, tagged as CVE-2023-38545, affects libcurl versions 7.69.0 to 8.3.0 and has been assigned a high severity rating. The vulnerability was introduced when the SOCKS5 handshake code transitioned from a blocking function to a non-blocking state machine. The issue has been resolved in curl version 8.4.0, and users are urged to upgrade or apply patches to mitigate risks.

Source: curl - CVE-2023-38545

Tags: #curl #Vulnerability #Cybersecurity #CVE202338545 #BufferOverflow #InfoSec #PatchManagement #CyberHygiene

Credits: Reported and patched by Jay Satiro. A heartfelt thanks to Jay for enhancing the security of the digital realm!

MITRE CVE-2023-38545

Recommendations:

1. Upgrade: Update curl to version 8.4.0 or a newer release where the issue is fixed.
2. Patch: If upgrading is not feasible, consider applying the provided patch to your local version of curl.
3. Proxy Configuration: Avoid using CURLPROXY_SOCKS5_HOSTNAME proxies with curl.
4. Environment Variables: Do not set proxy environment variables to socks5h://.