Programmer’s Digest #104
10/09/2024-10/16/2024 GitHub Patches Critical Flaw, CISA Warns of Three Vulnerabilities, WordPress Plugin Jetpack Patches Major Vulnerability And More.
1. GitHub Patches Critical Flaw in Enterprise Server Allowing Unauthorized Instance Access
GitHub has released security updates for Enterprise Server (GHES) to fix several vulnerabilities, including a critical flaw (CVE-2024-9487, CVSS 9.5/10) that lets an attacker bypass SAML single sign-on (SSO) authentication and gain unauthorized access to an instance by exploiting improper verification of cryptographic signatures. The bypass applies to instances that use the optional encrypted assertions feature, so administrators should check whether that option is enabled when assessing exposure. The flaw is a regression of CVE-2024-4985, a maximum-severity bug (CVSS 10.0) patched in May 2024. Two other issues were also fixed: CVE-2024-9539 (CVSS 5.7), an information disclosure that exposes user metadata, and a sensitive-data exposure in HTML forms. The vulnerabilities are patched in GHES versions 3.14.2, 3.13.5, 3.12.10, and 3.11.16. GitHub urges organizations running affected versions to update immediately.
2. CISA Warns of Three Vulnerabilities Actively Exploited in the Wild
CISA has added three actively exploited vulnerabilities to its Known Exploited Vulnerabilities catalog. They affect Microsoft, Mozilla, and SolarWinds products. The first, CVE-2024-30088, is a race condition in the Microsoft Windows Kernel that allows local privilege escalation. The second, CVE-2024-9680, is a use-after-free flaw in Mozilla Firefox that can lead to arbitrary code execution. The third, CVE-2024-28987, is a hardcoded-credentials issue in SolarWinds Web Help Desk that can give an unauthenticated attacker access to the application. Federal civilian agencies must apply the vendor fixes or mitigations, or discontinue use of the affected product where none are available, by November 5, 2024. CISA urges all organizations to patch or mitigate immediately to prevent exploitation.
3. WordPress Plugin Jetpack Patches Major Vulnerability Affecting 27 Million Sites
Jetpack, a popular WordPress plugin by Automattic, has released a security update to fix a critical vulnerability. The flaw, present since version 3.9.9 (2016), allowed any logged-in user on a site to read contact form submissions made by other visitors. Discovered during an internal audit, the issue affects Jetpack’s Contact Form feature. Jetpack, used on 27 million sites, worked with the WordPress.org Security Team to automatically update affected sites, releasing fixes for 101 Jetpack versions. There is no evidence of exploitation so far, but now that the vulnerability is public it could be abused, so site owners should confirm their installation has received the update. In related news, WordPress founder Matt Mullenweg has taken control of WP Engine’s Advanced Custom Fields (ACF) plugin listing on WordPress.org, launching a fork called Secure Custom Fields (SCF) to fix a security issue. WP Engine disputes the action, claiming it was taken without consent.
4. Ransomware operators exploited Veeam Backup & Replication flaw CVE-2024-40711 in recent attacks
Sophos reports that ransomware operators are exploiting a critical flaw, CVE-2024-40711, in Veeam Backup & Replication to create rogue accounts and deploy malware. Veeam addressed this remote code execution (RCE) vulnerability (CVSS 9.8) in September 2024 as part of a security update that fixed 18 high- and critical-severity flaws. The flaw affects Veeam Backup & Replication version 12.1.2.172 and earlier. In the cases Sophos observed, initial access came through compromised credentials on outdated VPN gateways without multifactor authentication; the attackers then exploited the Veeam URI trigger on TCP port 8000 to create local administrator accounts on the backup server and deploy ransomware, including Fog and Akira. One attack involved Fog ransomware on an unprotected Hyper-V server, with rclone used for data exfiltration. Sophos emphasizes patching the Veeam flaw, updating or replacing outdated VPN appliances, and enforcing multifactor authentication to prevent such attacks.
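The chain Sophos describes leaves two signals a defender can look for: a connection to the Veeam service on port 8000 from somewhere that is not a backup administrator's workstation, followed shortly by a new local account being promoted to Administrators on the backup host. The script below is an added example, not Sophos' or Veeam's code; it correlates constructed, simplified Windows Security events (4720 account created, 4732 member added to a local group) and constructed firewall connection records. The host names, user names, IP addresses and the "management subnet" are assumptions for the demo.

```python
"""Detect post-exploitation signs of the Veeam CVE-2024-40711 chain:
a local account created and promoted to Administrators within a short
window, and clients reaching the Veeam port 8000 from outside the
management subnet. Added example with constructed, simplified events;
real 4720/4732 records carry more fields than shown here."""
import ipaddress
from datetime import datetime, timedelta

# Constructed sample Windows Security events (simplified). Host and user
# names are invented for the demo.
SAMPLE_EVENTS = [
    {"time": "2024-10-10T02:14:03", "host": "BACKUP01", "event_id": 4720,
     "subject": "BACKUP01$", "target_user": "svc_tmp"},
    {"time": "2024-10-10T02:14:05", "host": "BACKUP01", "event_id": 4732,
     "subject": "BACKUP01$", "member": "svc_tmp", "group": "Administrators"},
    {"time": "2024-10-10T02:14:06", "host": "BACKUP01", "event_id": 4732,
     "subject": "BACKUP01$", "member": "svc_tmp", "group": "Remote Desktop Users"},
    # Benign: helpdesk creates an account; no admin promotion follows.
    {"time": "2024-10-10T09:30:00", "host": "FS02", "event_id": 4720,
     "subject": "helpdesk1", "target_user": "jsmith"},
    # Benign: promotion of an account created well outside the window.
    {"time": "2024-10-10T11:00:00", "host": "FS02", "event_id": 4732,
     "subject": "itadmin", "member": "jsmith", "group": "Administrators"},
]

# Constructed sample firewall/NetFlow-style records (assumed schema).
SAMPLE_CONNECTIONS = [
    {"time": "2024-10-10T02:13:40", "src": "203.0.113.7", "dst": "10.20.0.5", "dport": 8000},
    {"time": "2024-10-10T08:00:00", "src": "10.10.0.12", "dst": "10.20.0.5", "dport": 8000},
    {"time": "2024-10-10T08:05:00", "src": "10.10.0.12", "dst": "10.20.0.5", "dport": 443},
]

# Assumed: only the backup admins' management subnet should talk to port 8000.
ALLOWED_SOURCES = [ipaddress.ip_network("10.10.0.0/24")]


def _ts(event):
    return datetime.fromisoformat(event["time"])


def find_new_admin_accounts(events, window_seconds=300):
    """Return (host, user, created_at, promoted_at) for every account whose
    4720 creation is followed by a 4732 into Administrators on the same host
    within window_seconds. The subject (who did it) is deliberately not
    required to match: the attacker's new account is what matters."""
    creations = {}
    hits = []
    for e in sorted(events, key=_ts):
        if e["event_id"] == 4720:
            creations[(e["host"], e["target_user"].lower())] = _ts(e)
        elif e["event_id"] == 4732 and e["group"].lower() == "administrators":
            created = creations.get((e["host"], e["member"].lower()))
            if created is not None and _ts(e) - created <= timedelta(seconds=window_seconds):
                hits.append((e["host"], e["member"], created.isoformat(), _ts(e).isoformat()))
    return hits


def unexpected_veeam_clients(conns, allowed=ALLOWED_SOURCES, port=8000):
    """Return (time, src, dst) for connections to the Veeam port whose
    source is outside every allowed network."""
    out = []
    for c in conns:
        if c["dport"] != port:
            continue
        src = ipaddress.ip_address(c["src"])
        if not any(src in net for net in allowed):
            out.append((c["time"], c["src"], c["dst"]))
    return out


if __name__ == "__main__":
    for hit in find_new_admin_accounts(SAMPLE_EVENTS):
        print("new local admin within window:", hit)
    for conn in unexpected_veeam_clients(SAMPLE_CONNECTIONS):
        print("port 8000 client outside management subnet:", conn)
```

Both checks are deliberately narrow: a new account promoted to Administrators on a backup server minutes after creation is rare in normal operations, and port 8000 on a Veeam server should only ever see the console and API clients you already know about, so either hit is worth an immediate look rather than a ticket.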
5. Experts Warn of Critical Unpatched Vulnerability in Linear eMerge E3 Systems
Cybersecurity researchers warn of an unpatched vulnerability (CVE-2024-9441, CVSS 9.8) in Nice Linear eMerge E3 access controllers that allows remote, unauthenticated attackers to execute arbitrary OS commands on the device. Despite public disclosure, the vendor has provided no fix or workaround. The flaw affects several versions of the Linear eMerge E3 (Nice acquired the product line from Nortek), from 0.32-03i through 1.00.07. Proof-of-concept exploit code has been released, increasing the risk of attacks. A similar flaw in the same product family (CVE-2019-7256) was exploited in the past to recruit devices into the Raptor Train botnet, which raises concerns about the vendor’s slow response.
Nice recommends following security best practices, such as network segmentation, restricting internet access, and using firewalls to protect affected devices. Until a patch is available, these controllers should not be reachable from the internet, and administrative access should be limited to a dedicated management network.