Programmer’s Digest #109
11/13/2024-11/20/2024 High-Severity Flaw in PostgreSQL, Oracle Agile PLM Zero-Day Vulnerability, Critical WordPress Plugin Vulnerability And More.
1. Oracle Agile PLM Zero-Day Vulnerability Exploited In The Wild
Oracle has issued a security alert for a critical vulnerability (CVE-2024-21287) in its Agile Product Lifecycle Management (PLM) Framework, currently being actively exploited. The flaw, with a CVSS score of 7.5, affects version 9.3.6 and allows unauthenticated attackers to remotely access and download sensitive files via HTTP or HTTPS. Exploiting this vulnerability could grant attackers unauthorized access to critical data under the PLM application’s privileges. Oracle confirmed active exploitation and has released a security patch. Customers are urged to apply updates immediately and monitor for unauthorized activity. Organizations should act promptly to secure systems against this high-severity zero-day vulnerability.
2. Urgent: Critical WordPress Plugin Vulnerability Exposes Over 4 Million Sites
A critical vulnerability (CVE-2024-10924, CVSS 9.8) in the Really Simple Security plugin for WordPress could allow attackers to gain full administrative access to affected sites. The flaw impacts versions 9.0.0 to 9.1.1.1 of the plugin, used by over 4 million websites. It stems from improper handling of user authentication in the “check_login_and_get_user” function, enabling unauthenticated attackers to bypass two-factor authentication. The vulnerability, disclosed by Wordfence on November 6, 2024, has been patched in version 9.1.2. To mitigate risks, WordPress collaborated with the plugin developers to force-update all affected sites. Separately, another flaw (CVE-2024-10470, CVSS 9.8) in the WPLMS Learning Management System plugin allows unauthenticated users to read or delete files, potentially enabling site takeovers. These incidents highlight the importance of immediate patching and maintaining updated WordPress plugins to protect against severe exploitation.
3. Palo Alto Networks Confirms Zero-Day Exploitation in PAN-OS Firewalls
Palo Alto Networks has confirmed active exploitation of a zero-day vulnerability in its PAN-OS firewall management interface, initially reported as a potential remote code execution flaw (CVSS 9.3). The zero-day is being exploited to deploy web shells for persistent remote access. A CVE is pending assignment. Threat actors target exposed management interfaces, emphasizing the need to restrict access to trusted internal IPs. The company recommends isolating the management interface on a VLAN, using jump servers, limiting inbound IPs, and allowing only secure protocols like SSH and HTTPS. Indicators of compromise (IoCs) include malicious activity from IPs such as `136.144.17[.]*` and a specific web shell checksum. Restricting interface access significantly reduces risk, dropping the CVSS score to 7.5. Palo Alto urges immediate application of these best practices.
Additionally, CISA added two related vulnerabilities (CVE-2024-9463 and CVE-2024-9465) to its Known Exploited Vulnerabilities catalog.
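A defender-side check for the hardening advice above, written as an added example and not Palo Alto Networks code: it reads constructed connection records for the management interface and flags sources outside an assumed trusted allowlist, sources in the quoted `136.144.17[.]*` prefix (read here as a /24), and ports other than SSH and HTTPS. The trusted ranges, the record layout and the sample lines are all assumptions.

```python
import ipaddress
import re

# Added example, not Palo Alto Networks code. Assumed trusted internal
# sources (constructed): an admin VLAN and one jump server.
TRUSTED_MGMT_SOURCES = [
    ipaddress.ip_network("10.10.5.0/24"),
    ipaddress.ip_network("10.10.9.10/32"),
]
# Only SSH and HTTPS should reach the management interface.
ALLOWED_PORTS = {22, 443}
# Source prefix quoted (defanged) in the summary above, read as a /24.
KNOWN_BAD_PREFIX = ipaddress.ip_network("136.144.17.0/24")
# Constructed sample records, one "<src_ip> <dst_port>" per attempt.
# Real PAN-OS log exports have a different layout; adjust LINE_RE.
SAMPLE_LOG = """\
10.10.9.10 443
136.144.17.42 443
203.0.113.7 443
10.10.5.23 80
10.10.5.23 22
"""
LINE_RE = re.compile(r"^(\S+)\s+(\d+)$")


def classify_source(src_ip):
    """Return 'ioc', 'trusted' or 'untrusted' for one source address."""
    ip = ipaddress.ip_address(src_ip)
    if ip in KNOWN_BAD_PREFIX:
        return "ioc"
    if any(ip in net for net in TRUSTED_MGMT_SOURCES):
        return "trusted"
    return "untrusted"


def audit_mgmt_log(text):
    """Return (src_ip, port, reasons) for each record that breaks the
    advice above; a trusted source on an allowed port yields nothing."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # malformed record: skip rather than guess
        src, port = m.group(1), int(m.group(2))
        verdict = classify_source(src)
        reasons = [] if verdict == "trusted" else [verdict]
        if port not in ALLOWED_PORTS:
            reasons.append("insecure-port")
        if reasons:
            findings.append((src, port, reasons))
    return findings
```

Every flagged record is either an allowlist gap to close or a connection worth investigating; an "ioc" verdict should trigger the compromise checks the advisory describes.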
4. Researchers Warn of Privilege Escalation Risks in Google’s Vertex AI ML Platform
Researchers from Palo Alto Networks Unit 42 uncovered two critical flaws in Google’s Vertex AI platform that could enable attackers to escalate privileges and exfiltrate machine learning (ML) models. The first vulnerability exploits Vertex AI Pipelines, a feature for automating ML workflows. By manipulating custom job permissions, attackers can escalate privileges, gain unauthorized access to restricted resources, and deploy a reverse shell for backdoor access. The second flaw involves deploying a poisoned model that abuses permissions to move laterally into Kubernetes clusters. This allows attackers to exfiltrate proprietary ML models, including fine-tuned large language models (LLMs). These vulnerabilities pose serious risks, as a single malicious model could compromise an entire AI environment. Google has since patched the issues.
5. High-Severity Flaw in PostgreSQL Allows Hackers to Exploit Environment Variables
Researchers have disclosed a critical vulnerability (CVE-2024-10979) in PostgreSQL, rated CVSS 8.8, that allows unprivileged users to alter environment variables, potentially enabling code execution or information disclosure. The flaw affects PostgreSQL’s PL/Perl extension, where improper control of environment variables (e.g., PATH) can let attackers execute arbitrary code, even without access to the server’s operating system. This could lead to severe security risks, including malicious code execution or data extraction. The issue has been addressed in PostgreSQL versions 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21. Users are advised to apply the patch and restrict extension permissions, following the principle of least privilege, to minimize risk. The vulnerability was discovered by Varonis researchers Tal Peleg and Coby Abrams. More details are being withheld to allow time for users to secure their systems.
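As an added example (not PostgreSQL project code), a small check for the two pieces of advice above: whether a server's `SELECT version()` output is at or above the fixed release for its major line, and whether PUBLIC still holds USAGE on a language such as plperl according to `pg_language.lanacl` and `lanpltrusted`. The version strings and ACL values used are constructed; the fixed-release table is the one in the summary.

```python
import re

# Added example, not PostgreSQL project code. Fixed releases from the
# summary above, keyed by major line; older lines are out of support.
FIXED_VERSIONS = {17: (17, 1), 16: (16, 5), 15: (15, 9),
                  14: (14, 14), 13: (13, 17), 12: (12, 21)}

VERSION_RE = re.compile(r"PostgreSQL\s+(\d+)(?:\.(\d+))?")


def parse_server_version(version_string):
    """(major, minor) from SELECT version() output, or None if absent.

    A bare major such as "17beta1" parses as (17, 0), which correctly
    sorts below the first fixed point release (17, 1).
    """
    m = VERSION_RE.search(version_string)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2) or 0)


def is_fixed_for_cve_2024_10979(version_string):
    """True when the server is at or above the fixed release for its line."""
    parsed = parse_server_version(version_string)
    if parsed is None:
        raise ValueError("unrecognised version string: %r" % version_string)
    fixed = FIXED_VERSIONS.get(parsed[0])
    return fixed is not None and parsed >= fixed


def public_has_usage(lanacl, lanpltrusted):
    """Can PUBLIC use a language, given pg_language.lanacl and lanpltrusted?

    lanacl NULL (None here) means built-in defaults, which grant USAGE to
    PUBLIC on trusted languages; otherwise parse the aclitem[] text form,
    where an empty grantee before '=' denotes PUBLIC.
    """
    if lanacl is None:
        return bool(lanpltrusted)
    for item in lanacl.strip("{}").split(","):
        grantee, _, rest = item.partition("=")
        privs = rest.split("/")[0]
        if grantee == "" and "U" in privs:
            return True
    return False
```

A server that is not fixed, or where PUBLIC retains USAGE on plperl, is a candidate for patching and for a REVOKE that narrows the language to the roles that genuinely need it.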
6. CISA Adds Palo Alto Networks Expedition Vulnerabilities to Exploited Catalog
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added multiple vulnerabilities in Palo Alto Networks’ Expedition tool to its Known Exploited Vulnerabilities (KEV) catalog. These flaws, affecting versions prior to 1.2.96, could allow attackers to access sensitive data, execute commands, and compromise firewall configurations.
Key vulnerabilities include:
- CVE-2024-9463 (CVSS 9.9): Unauthenticated command injection granting root access to sensitive data.
- CVE-2024-9465 (CVSS 9.2): SQL injection enabling unauthorized database access and file manipulation.
- CVE-2024-9464 (CVSS 9.3): Authenticated OS command injection exposing credentials and API keys.
Researchers from Horizon3 shared proof-of-concept exploits and Indicators of Compromise (IOCs). Palo Alto recommends restricting Expedition’s access to trusted users and checking for compromise. Federal agencies must address these flaws by December 5, 2024, per CISA’s Binding Operational Directive, and private organizations are advised to follow suit to protect their networks.