Programmer’s Digest #93
07/24/2024-07/31/2024 Flaw in Telerik, ConfusedFunction Flaw in Google Cloud, Critical Docker Engine Flaw And More.
1. Critical Flaw in Telerik Report Server Poses Remote Code Execution Risk
Progress Software urges users to update their Telerik Report Server instances due to a critical security flaw (CVE-2024-6327) with a CVSS score of 9.9. This vulnerability affects versions 2024 Q2 (10.1.24.514) and earlier and can lead to remote code execution via insecure deserialization. The flaw has been fixed in version 10.1.24.709.
For temporary mitigation, change the user for the Report Server Application Pool to one with limited permissions. Check server vulnerability by logging into the Report Server web UI, opening the Configuration page, and checking the version number under the About tab.
This disclosure follows another critical flaw (CVE-2024-4358) patched nearly two months ago, which CISA added to its Known Exploited Vulnerabilities catalog on June 13.
2. Researchers Uncover ConfusedFunction Flaw in Google Cloud
Tenable researchers discovered a privilege escalation flaw in Google Cloud Platform’s (GCP) Cloud Functions service, named ‘ConfusedFunction’. This vulnerability allows attackers to escalate their privileges to those of the default Cloud Build service account and use services such as Cloud Build, Cloud Storage, and Container Registry without authorization.
An attacker who exploits it can move laterally, escalate privileges further, and read or modify data they are not authorized to access. The root cause is that Cloud Functions, a serverless environment, attaches a default Cloud Build service account with excessive permissions whenever a function is created or updated.
After Tenable reported the issue, Google partially fixed it for accounts created after mid-June 2024. However, existing accounts remain vulnerable. Google updated the default behavior for Cloud Build to use a Compute Engine default service account and released additional policies to control default service account usage.
3. Critical Docker Engine Flaw Allows Attackers to Bypass Authorization Plugins
Docker warns of a critical flaw (CVE-2024-41110) in certain Docker Engine versions that allows attackers to bypass authorization plugins (AuthZ); it carries a CVSS score of 10.0. The flaw occurs when an API request with Content-Length set to 0 causes the Docker daemon to forward the request to the AuthZ plugin without its body, so the plugin may approve a request it should have denied. The issue, originally fixed in 2019, reappeared in later versions and has been resolved in Docker Engine versions 23.0.14 and 27.1.0 as of July 2024.
Affected versions include:
- <= v19.03.15
- <= v20.10.27
- <= v23.0.14
- <= v24.0.9
- <= v25.0.5
- <= v26.0.2
- <= v26.1.4
- <= v27.0.3
- <= v27.1.0
Docker Desktop up to version 4.32.0 is also affected, but a fix is expected in version 4.33.
Users should update to the latest version to mitigate potential threats.
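A small checker for the affected list above, added here as an example and not Docker's own tooling: it encodes the Engine and Desktop version bounds exactly as listed, treats release lines the advisory does not mention as unknown rather than safe, and can query the local daemon through the docker CLI (assumed installed and reachable).

```python
"""Compare a Docker Engine / Docker Desktop version against the CVE-2024-41110
affected ranges listed above.  Example code for this digest, not Docker's."""
import re
import subprocess

# Upper bound of each affected Docker Engine release line, taken from the list
# above: "<= vX.Y.Z" means the X.Y line is affected up to and including Z.
ENGINE_AFFECTED_MAX = {
    (19, 3): (19, 3, 15),
    (20, 10): (20, 10, 27),
    (23, 0): (23, 0, 14),
    (24, 0): (24, 0, 9),
    (25, 0): (25, 0, 5),
    (26, 0): (26, 0, 2),
    (26, 1): (26, 1, 4),
    (27, 0): (27, 0, 3),
    (27, 1): (27, 1, 0),
}
DESKTOP_AFFECTED_MAX = (4, 32, 0)  # Docker Desktop up to 4.32.0 is affected


def parse_version(text):
    """Return (major, minor, patch) from strings such as 'v27.1.0',
    '26.1.4-ce' or 'Docker version 24.0.9, build deadbeef'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no X.Y.Z version found in {text!r}")
    return tuple(int(part) for part in m.groups())


def engine_affected(version_text):
    """True/False for a listed release line; None when the line is not in
    the advisory list, because an unlisted line is not assumed safe."""
    major, minor, patch = parse_version(version_text)
    bound = ENGINE_AFFECTED_MAX.get((major, minor))
    if bound is None:
        return None
    return (major, minor, patch) <= bound


def desktop_affected(version_text):
    return parse_version(version_text) <= DESKTOP_AFFECTED_MAX


def check_local_engine():
    """Ask the running daemon for its version (needs docker CLI + socket)."""
    out = subprocess.run(["docker", "version", "--format", "{{.Server.Version}}"],
                         capture_output=True, text=True, check=True).stdout
    return out.strip(), engine_affected(out)


if __name__ == "__main__":
    for sample in ("v26.1.4", "26.1.5", "27.1.0", "27.1.1", "28.0.0"):  # constructed inputs
        print(sample, engine_affected(sample))
```

A `None` result means the running version is on a line the advisory excerpt does not cover, which should be checked against the vendor advisory rather than treated as patched.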
4. CISA Warns of Exploitable Vulnerabilities in Popular BIND 9 DNS Software
The Internet Systems Consortium (ISC) has released patches for multiple vulnerabilities in the BIND 9 DNS software that could trigger denial-of-service (DoS) attacks. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) identified four key vulnerabilities:
- CVE-2024-4076 (CVSS 7.5): Logic error in lookups could cause an assertion failure.
- CVE-2024-1975 (CVSS 7.5): Validating DNS messages signed with SIG(0) can exhaust CPU resources.
- CVE-2024-1737 (CVSS 7.5): Excessive resource record types slow down processing.
- CVE-2024-0760 (CVSS 7.5): Malicious queries over TCP can render the server unresponsive.
These flaws can cause unexpected termination, CPU resource depletion, and slow query processing. The issues are fixed in BIND 9 versions 9.18.28, 9.20.0, and 9.18.28-S1. There is no evidence of these vulnerabilities being exploited in the wild.
5. CrowdStrike Software Update Leads to Significant Global Tech Outage
CrowdStrike announced a major global outage caused by a recent update to its Falcon security software, impacting 8.5 million devices. The update, intended to gather telemetry on new threat techniques, inadvertently caused Windows systems to crash on July 19, 2024. The issue primarily affected Windows 10 and later versions, leaving Mac and Linux systems unaffected.
The outage disrupted airlines, banking, and media sectors worldwide. CrowdStrike quickly identified the problem and worked with Microsoft to develop and deploy fixes. Recovery involved restoring from backups, booting into safe mode, and manually deleting the faulty files. Full restoration is expected to take several days. CrowdStrike and Microsoft provided recovery tools and support. The financial impact is estimated at $5.4 billion, with minimal insurance coverage. For continuous updates, visit CrowdStrike’s official website.