Programmer’s Digest #106
10/24/2024-10/30/2024 OS Downgrade Vulnerability, Vulnerabilities in ASA, FMC, and FTD Products, Malicious npm Packages And More.
1. Researchers Uncover OS Downgrade Vulnerability Targeting Microsoft Windows Kernel
A new technique can bypass Microsoft’s Driver Signature Enforcement (DSE) on fully updated Windows systems, allowing attackers to load unsigned kernel drivers. The method leverages a tool called Windows Downdate, which enables OS downgrades, undoing security patches to install custom rootkits for hiding activity and maintaining stealth. This exploit builds on previous findings involving Windows update vulnerabilities (CVE-2024-21302 and CVE-2024-38202), allowing attackers to roll back system components, including the critical DSE patch. Attackers can disable Virtualization-Based Security (VBS) using registry modifications, further enabling the downgrade. Microsoft notes that enabling VBS with a UEFI lock and the “Mandatory” setting can prevent such attacks. Microsoft is working on a security update to revoke outdated VBS files, acknowledging SafeBreach for the discovery and pledging thorough testing to ensure user protection without disruptions.
2. Cisco Patched Vulnerabilities in ASA, FMC, and FTD Products
Cisco has patched multiple vulnerabilities in its ASA, Secure Firewall Management Center, and Firepower Threat Defense products, including a recently exploited flaw, CVE-2024-20481. This Denial of Service (DoS) vulnerability (CVSS score 5.8) affects the Remote Access VPN (RAVPN) service, allowing unauthenticated attackers to overload the system with VPN requests, potentially requiring a device reboot to restore service. Cisco’s advisory notes this flaw is actively exploited. Previously, Cisco Talos reported widespread brute-force attacks targeting VPN and SSH services, warning customers about password-spraying attacks on RAVPN services. Cisco has also addressed three critical vulnerabilities that are not yet exploited in the wild: CVE-2024-20412 (Static Credential Vulnerability in Firepower models), CVE-2024-20424 (Command Injection in Secure Firewall Management Center), and CVE-2024-20329 (SSH Remote Command Injection in ASA software).
3. BeaverTail Malware Resurfaces in Malicious npm Packages Targeting Developers
Three malicious npm packages were identified containing BeaverTail malware, a JavaScript downloader and information stealer associated with a North Korean campaign called Contagious Interview. Datadog Security, tracking the campaign as Tenacious Pungsan, noted that these packages—passports-js, bcrypts-js, and blockscan-api—were downloaded over 300 times before being removed. The Contagious Interview campaign, active since 2023, involves tricking developers into installing infected software as part of coding tests. Previously, similar packages mimicked popular libraries like etherscan-api, suggesting the attackers continue to target the cryptocurrency sector. Additional counterfeit packages detected recently (e.g., eslint-module-conf) aim to steal cryptocurrencies and maintain access to compromised systems. According to Palo Alto Networks, the campaign effectively exploits job seekers’ trust when applying online, underscoring the growing misuse of the open-source supply chain to spread malware and target developers.
4. FortiManager Critical Vulnerability Under Active Attack
Fortinet has disclosed a critical flaw in its FortiManager software platform, alerting users to a major vulnerability, CVE-2024-47575, with a CVSS score of 9.8. This flaw allows remote attackers to execute code on unpatched systems, potentially spreading across networks. Fortinet’s advisory states that a “missing authentication for critical function” could let attackers use crafted requests to access the system without permission. Exploitation of the flaw requires a valid Fortinet device certificate, which attackers could extract from a legitimate device to gain unauthorized access. CISA added this vulnerability to its Known Exploited Vulnerabilities Catalog, urging Federal IT administrators and others to apply fixes immediately; about 60,000 users may be at risk.
5. Researchers Uncover Vulnerabilities in Open-Source AI and ML Models
Over three dozen vulnerabilities have been disclosed across various open-source AI and ML models, potentially leading to remote code execution and data breaches. These flaws, discovered through Protect AI’s Huntr platform, affect tools like ChuanhuChatGPT, Lunary, and LocalAI. Key issues include two severe vulnerabilities in Lunary (CVE-2024-7474 and CVE-2024-7475, both CVSS 9.1), enabling unauthorized data access and user impersonation by manipulating user parameters and SAML configurations. Additionally, ChuanhuChatGPT has a critical path traversal flaw (CVE-2024-5982, CVSS 9.1) that allows arbitrary code execution. LocalAI is also impacted by vulnerabilities allowing attackers to execute arbitrary code (CVE-2024-6983, CVSS 8.8) and infer API keys through response timing (CVE-2024-7010, CVSS 7.5). A separate remote code execution flaw was identified in the Deep Java Library (CVE-2024-8396). Protect AI’s new tool, Vulnhuntr, uses LLMs to identify vulnerabilities in Python code, while Mozilla’s 0Din team recently highlighted a new jailbreak technique that bypasses ChatGPT safeguards using hex-encoded prompts. Users should update affected models to the latest versions.
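The API-key timing issue in item 5 comes from the general class of early-exit secret comparisons. The following is an added illustration, not LocalAI's code or any project's code: a simplified early-exit check, instrumented to count how many characters it inspects before rejecting a guess, next to the constant-time alternative a defender should use. The key value is constructed for the example.

```python
import hmac

# Constructed sample key for the example; not a real credential.
STORED_KEY = "sk-constructedexamplekey0123456789"


def naive_compare(expected: str, provided: str) -> tuple[bool, int]:
    """Early-exit comparison (the vulnerable pattern, simplified).

    Returns (match, characters_inspected). The second value stands in
    for elapsed time: the more leading characters a guess gets right,
    the longer the loop runs before it rejects the guess.
    """
    inspected = 0
    if len(expected) != len(provided):
        return False, inspected
    for a, b in zip(expected, provided):
        inspected += 1
        if a != b:
            return False, inspected
    return True, inspected


def constant_time_compare(expected: str, provided: str) -> bool:
    """Hardened check: hmac.compare_digest inspects every byte regardless
    of where (or whether) the inputs differ, so the result is not
    correlated with how much of the secret a guess has right."""
    return hmac.compare_digest(expected.encode(), provided.encode())


def work_by_prefix(expected: str, prefix_len: int) -> int:
    """Measure the leak: build a guess sharing prefix_len correct leading
    characters (padded with '?', which never occurs in the key) and report
    how many characters the naive check inspects. A defender can use the
    same instrumentation in a unit test to catch early-exit comparisons."""
    guess = expected[:prefix_len] + "?" * (len(expected) - prefix_len)
    return naive_compare(expected, guess)[1]


if __name__ == "__main__":
    for k in (0, 4, 8, 16):
        print(f"{k} correct leading chars -> naive check inspected "
              f"{work_by_prefix(STORED_KEY, k)} chars")
    print("constant-time match:", constant_time_compare(STORED_KEY, STORED_KEY))
```

The inspected-character count grows by exactly one for each additional correct leading character, which is the signal a response-timing measurement exposes; the constant-time check removes that correlation.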