Programmer’s Digest #100
09/11/2024-09/18/2024: GitLab Patches Critical Flaw, Critical ARM Vulnerability, Critical Ivanti RCE Flaw And More.
1. Urgent: GitLab Patches Critical Flaw Allowing Unauthorized Pipeline Job Execution
GitLab has released security updates to fix 17 vulnerabilities, including a critical flaw (CVE-2024-6678, CVSS 9.9) that allows attackers to run pipeline jobs as arbitrary users. This issue affects versions 8.14 to 17.3.1 of GitLab CE/EE. The flaw, along with three high-severity and 13 medium- and low-severity bugs, has been patched in versions 17.3.2, 17.2.5, and 17.1.7. CVE-2024-6678 is the fourth major vulnerability GitLab has addressed this year, following others like CVE-2023-5009. Although there is no evidence of active exploitation, users are urged to apply the patches promptly to avoid potential risks.
2. Critical ARM Vulnerability That Could Have Allowed RCE Patched by SolarWinds
SolarWinds has patched a critical vulnerability in its Access Rights Manager (ARM) software that could allow remote code execution (CVE-2024-28991, severity 9.0/10). The flaw stems from improper validation of user-supplied data, which lets attackers exploit a deserialization issue. Discovered by Trend Micro's Zero Day Initiative (ZDI), the bug can also be used to bypass weak authentication mechanisms. SolarWinds urges users to update to version 2024.3.1; no active exploitation has been reported. ARM is used to manage and audit user access rights across IT systems. SolarWinds has also faced scrutiny after a 2020 ransomware breach compromised many customers, leading to a lawsuit from the SEC.
3. Exploit Code Released For Critical Ivanti RCE Flaw, Patch Now
A proof-of-concept (PoC) exploit for CVE-2024-29847, a critical remote code execution (RCE) vulnerability in Ivanti Endpoint Manager, has been publicly released. The flaw, caused by insecure deserialization in the AgentPortal.exe executable, affects versions before 2022 SU6 as well as EPM 2024. The exploit allows attackers to perform file operations, which can lead to the execution of web shells. Ivanti released patches in September 2024; no other mitigations or workarounds are available, so users are urged to apply the update immediately. In related news, Ivanti's Endpoint Manager and Cloud Services Appliance have been targeted by attackers, prompting CISA to add the vulnerabilities to its Known Exploited Vulnerabilities catalog.
4. Patch Issued for Critical VMware vCenter Flaw Allowing Remote Code Execution
Broadcom has released updates to fix a critical security flaw in VMware vCenter Server (CVE-2024-38812, CVSS 9.8) that could allow remote code execution. The vulnerability, a heap overflow in the DCE/RPC protocol implementation, can be triggered by sending a specially crafted packet to the server. It is similar to two other flaws (CVE-2024-37079, CVE-2024-37080) addressed in June 2024. Another issue, CVE-2024-38813 (CVSS 7.5), could allow privilege escalation to root. Security researchers zbl and srs discovered the flaws during the Matrix Cup competition in China. VMware has patched these vulnerabilities in the latest versions of vCenter Server and VMware Cloud Foundation. While no exploitation has been reported, customers are urged to update to protect against potential threats.
5. Google Fixes GCP Composer Flaw That Could’ve Led to Remote Code Execution
A critical security flaw in Google Cloud Platform (GCP) Composer, called CloudImposer, has been patched. Discovered by Tenable, this vulnerability could have enabled remote code execution via a supply chain attack technique known as dependency confusion.
The flaw involved Google's Composer tool fetching a malicious package from a public repository instead of the intended internal one. Attackers could exploit this by uploading a fake package with the same name and a higher version number to the Python Package Index (PyPI), potentially gaining control over Composer instances. Google fixed the issue in May 2024 by ensuring packages are only installed from private repositories and by verifying checksums to prevent tampering. Developers are now advised to use the "--index-url" argument (rather than adding the private index as an extra source) to minimize risk.
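As an added example (not Google's, Tenable's or the newsletter's code), the following Python script audits a pip requirements file for the two conditions behind the flaw described above: resolving from a public index alongside a private one, and installing packages without pinned versions and checksums. The index hostnames and sample requirements are constructed for illustration.

```python
import re
from typing import List

# Constructed sample: a risky requirements file. The public index is the
# primary source, the private index is only an "extra", and one internal
# package is neither pinned nor hashed, so a higher public version wins.
RISKY_REQUIREMENTS = """
--index-url https://pypi.org/simple
--extra-index-url https://pypi.internal.example/simple
internal-helper
requests==2.31.0 --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
"""

# Constructed sample: the hardened form. Private index only, hashes
# required, every package pinned to an exact version and hashed.
HARDENED_REQUIREMENTS = """
--index-url https://pypi.internal.example/simple
--require-hashes
internal-helper==1.4.2 --hash=sha256:1111111111111111111111111111111111111111111111111111111111111111
requests==2.31.0 --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
"""

# A requirement line pinned to an exact version, e.g. "pkg==1.2.3 ...".
_PINNED_RE = re.compile(r"^[A-Za-z0-9_.\-\[\],]+==\S+")
PUBLIC_INDEX_HOST = "pypi.org"


def audit_requirements(text: str) -> List[str]:
    """Return human-readable findings; an empty list means no risk was found."""
    findings: List[str] = []
    lines = [ln.strip() for ln in text.splitlines()]
    lines = [ln for ln in lines if ln and not ln.startswith("#")]

    # Index configuration: confusion needs a public index in the candidate set.
    index_urls = [ln.split(None, 1)[1] for ln in lines if ln.startswith("--index-url")]
    if any(ln.startswith("--extra-index-url") for ln in lines):
        findings.append("--extra-index-url present: pip may pick a higher version from another index")
    if not index_urls:
        findings.append("no --index-url: resolution defaults to the public index")
    elif any(PUBLIC_INDEX_HOST in url for url in index_urls):
        findings.append("--index-url points at the public index")

    # Package lines: unpinned or unhashed requirements cannot be checked for tampering.
    for ln in lines:
        if ln.startswith("-"):
            continue  # pip option, not a requirement
        name = re.split(r"[=<>!~ ;\[]", ln, maxsplit=1)[0]
        if not _PINNED_RE.match(ln):
            findings.append(f"{name}: version not pinned with ==")
        if "--hash=" not in ln:
            findings.append(f"{name}: no --hash, download not checksum-verified")
    return findings
```

Running `audit_requirements` over the risky sample reports the extra index, the public primary index and the unpinned, unhashed internal package; the hardened sample produces no findings.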