09/18/2024-09/25/2024 CISA Flags Critical Ivanti vTM Vulnerability, Malware Hidden in Python Packages, Critical Ivanti Cloud Appliance Vulnerability And More.

1. CISA Flags Critical Ivanti vTM Vulnerability Amid Active Exploitation Concerns

CISA added a critical flaw in Ivanti Virtual Traffic Manager (vTM), CVE-2024-7593 (CVSS score: 9.8), to its Known Exploited Vulnerabilities catalog due to active exploitation. This vulnerability allows a remote, unauthenticated attacker to bypass authentication and create rogue admin accounts. Ivanti patched the issue in vTM versions 22.2R1 to 22.7R2 in August 2024. Although no specifics on real-world attacks were shared, a proof-of-concept (PoC) is publicly available. Federal agencies must address the flaw by October 15, 2024. Recent months have seen increased exploitation of Ivanti devices, with over 2,000 exposed instances identified online.

2. Hundreds of Millions of IoT Devices Affected by TCP/IP Security Flaws 

Researchers at JSOF discovered Ripple20, a collection of critical vulnerabilities in the Treck TCP/IP software library used in hundreds of millions of IoT devices. These flaws allow remote code execution, affecting products from major companies like Intel, HP, and Caterpillar. Ripple20 impacts various devices, including printers, IP cameras, UPS systems, and medical equipment. Two vulnerabilities, CVE-2020-11896 and CVE-2020-11897, score 10/10 in severity, posing serious risks like network takeover. The supply chain complexity worsens the issue, as many vendors are unaware they use the vulnerable library. Fixing these flaws is challenging, as they require firmware updates, especially for third-party hardware components. 

3. Software Developers Targeted By Malware Hidden in Python Packages 

North Korean hackers, linked to the Lazarus Group, are targeting Python developers on Mac devices, warns Unit 42. This attack is part of “Operation Dream Job,” where fake job ads lure developers into downloading malicious software. Hackers uploaded four weaponized Python packages—real-ids, coloredtxt, beautifultext, and minisound—on PyPI, which contained the PondRAT malware. PondRAT, a simplified version of POOLRAT (macOS backdoor), can upload/download files and run commands. Lazarus has also expanded its attacks to Linux systems through a sub-group called Gleaming Pisces. These malicious Python packages pose a significant threat to organizations, potentially compromising entire networks.

4. Critical Ivanti Cloud Appliance Vulnerability Exploited in Active Cyberattacks

Ivanti has disclosed that a critical flaw in its Cloud Service Appliance (CSA), CVE-2024-8963 (CVSS score: 9.4), is being actively exploited. The vulnerability, addressed in CSA 4.6 Patch 519 and CSA 5.0, allows remote attackers to access restricted functionality. When combined with CVE-2024-8190 (CVSS score: 7.2), attackers can bypass admin authentication and execute commands. Ivanti acknowledged a limited number of customers have been affected. CISA  has added this vulnerability to its Known Exploited Vulnerabilities catalog, urging agencies to apply patches by October 10, 2024. Ivanti recommends upgrading to CSA version 5.0 immediately.

5. GitLab Releases Fix For Critical SAML Authentication Bypass Flaw

GitLab has released security updates to fix a critical SAML authentication bypass vulnerability (CVE-2024-45409) affecting self-managed GitLab Community (CE) and Enterprise Editions (EE). The flaw, caused by issues in the OmniAuth-SAML and Ruby-SAML libraries, allows attackers to craft malicious SAML responses, bypassing authentication and gaining unauthorized access. The vulnerability impacts versions 17.3.3, 17.2.7, 17.1.8, 17.0.8, 16.11.10, and earlier. GitLab has patched the issue in the latest versions and urges affected users to update immediately. For those unable to upgrade, enabling two-factor authentication (2FA) is recommended. While no confirmed exploitation has been reported, signs of potential attacks include unusual extern_uid values and suspicious IP addresses in authentication logs.