Programmer’s Digest #95
08/07/2024-08/14/2024 Microsoft Issues Patches for 90 Flaws, Rogue PyPI Library Targets Solana Users, Patch Released for High-Severity OpenSSH Vulnerability And More.
1. Microsoft Issues Patches for 90 Flaws, Including 10 Critical Zero-Day Exploits
Microsoft released fixes for 90 security flaws, including 10 zero-days, with six actively exploited. Among the 90 bugs, seven are Critical, 79 Important, and one Moderate. The updates also cover 36 Edge browser vulnerabilities.
Notably, six zero-days are addressed:
- CVE-2024-38189: Microsoft Project Remote Code Execution (CVSS 8.8)
- CVE-2024-38178: Windows Scripting Engine Memory Corruption (CVSS 7.5)
- CVE-2024-38193: WinSock Elevation of Privilege (CVSS 7.8)
- CVE-2024-38106: Windows Kernel Elevation of Privilege (CVSS 7.0)
- CVE-2024-38107: Power Dependency Coordinator Elevation of Privilege (CVSS 7.8)
- CVE-2024-38213: Mark of the Web Security Feature Bypass (CVSS 6.5)
Trend Micro’s Peter Girnus discovered CVE-2024-38213. CISA has added the actively exploited flaws to its Known Exploited Vulnerabilities (KEV) catalog. Additionally, four CVEs are publicly known, including a Microsoft Office Spoofing Vulnerability (CVE-2024-38200, CVSS 7.5) that could expose NTLM hashes through phishing. Microsoft also fixed a Print Spooler privilege escalation flaw (CVE-2024-38198, CVSS 7.8) but has not yet released updates for CVE-2024-38202 and CVE-2024-21302. A separate report from Fortra highlighted a denial-of-service flaw in the CLFS driver (CVE-2024-6768, CVSS 6.8), which Microsoft will address in a future update.
2. Rogue PyPI Library Targets Solana Users, Steals Blockchain Wallet Keys
Cybersecurity researchers have discovered a new malicious package on the Python Package Index (PyPI) repository that masquerades as a library from the Solana blockchain platform but is actually designed to steal victims’ secrets. The malicious “solana-py” package attracted a total of 1,122 downloads since it was published on August 4, 2024. It’s no longer available for download from PyPI. The most striking aspect of the library is that it carried the version numbers 0.34.3, 0.34.4, and 0.34.5, while the latest version of the legitimate “solana” package is 0.34.3. This clearly indicates an attempt on the part of the threat actor to trick users looking for “solana” into inadvertently downloading “solana-py” instead. The attack campaign poses a supply chain risk in that Sonatype’s investigation found that legitimate libraries like “solders” make references to “solana-py” in their PyPI documentation, leading to a scenario where developers could have mistakenly downloaded “solana-py” from PyPI and broadened the attack surface. If a developer using the legitimate ‘solders’ PyPI package in their application is misled by solders’ documentation into installing the typosquatted ‘solana-py’ project, they’d inadvertently introduce a crypto stealer into their application.
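The version-number trick above (a lookalike name carrying versions at or above the real package's latest release) can be turned into a simple dependency-review check. The following is a C example added here, not code from the page or from Sonatype; the affix list and the "version shadowing" rule are a hypothetical heuristic, and the sample inputs are the names and versions quoted in the story.

```c
#include <stdio.h>
#include <string.h>

/* Parse "MAJOR.MINOR.PATCH" into three ints; returns 1 on success. */
static int parse_version(const char *s, int out[3]) {
    return sscanf(s, "%d.%d.%d", &out[0], &out[1], &out[2]) == 3;
}

/* Lexicographic comparison of two parsed versions. */
static int version_cmp(const int a[3], const int b[3]) {
    for (int i = 0; i < 3; i++)
        if (a[i] != b[i]) return a[i] < b[i] ? -1 : 1;
    return 0;
}

/* Hypothetical heuristic: a candidate is a lookalike of the legitimate
 * name when it is that name with a common language affix attached. */
static int name_is_lookalike(const char *legit, const char *cand) {
    static const char *affixes[] = {"-py", "_py", "py-", "py_", "python-", "-python", NULL};
    size_t ll = strlen(legit), cl = strlen(cand);
    if (strcmp(legit, cand) == 0) return 0;   /* the real package itself */
    for (int i = 0; affixes[i]; i++) {
        size_t al = strlen(affixes[i]);
        if (cl != ll + al) continue;
        /* suffix form, e.g. solana-py */
        if (strncmp(cand, legit, ll) == 0 && strcmp(cand + ll, affixes[i]) == 0) return 1;
        /* prefix form, e.g. py-solana */
        if (strncmp(cand, affixes[i], al) == 0 && strcmp(cand + al, legit) == 0) return 1;
    }
    return 0;
}

/* Returns 1 when cand is a lookalike of legit AND its version is at or above
 * the legitimate package's latest release: the "version shadowing" signal
 * seen with solana-py 0.34.3-0.34.5 against solana 0.34.3. A hit is a
 * reason to review the dependency, not proof that it is malicious. */
int version_shadowing(const char *legit, const char *legit_latest,
                      const char *cand, const char *cand_version) {
    int lv[3], cv[3];
    if (!name_is_lookalike(legit, cand)) return 0;
    if (!parse_version(legit_latest, lv) || !parse_version(cand_version, cv)) return 0;
    return version_cmp(cv, lv) >= 0;
}
```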
3. Ivanti Virtual Traffic Manager Flaw Let Hackers Create Rogue Admin Accounts
Ivanti Virtual Traffic Manager has been found to contain a critical authentication bypass vulnerability. It has been assigned CVE-2024-7593 with a CVSS score of 9.8. Ivanti has patched the vulnerability and released a security advisory to address it. The flaw allows an unauthenticated remote threat actor to bypass the admin panel authentication and perform malicious actions.
Further, a threat actor can also create an administrator account on vulnerable Ivanti instances as a backdoor. The vulnerability exists due to an incorrect implementation of the authentication algorithm in Ivanti vTM and affects all versions of Ivanti vTM other than 22.2R1 and 22.7R2. Ivanti also advises its users to restrict access to the management interface and ensure it is bound to a private IP address with restricted access.
4. Urgent Patch Released for High-Severity OpenSSH Vulnerability on FreeBSD
On August 12, 2024, the FreeBSD Project released a critical update for a high-severity vulnerability in OpenSSH, identified as CVE-2024-7589, which has a CVSS score of 7.4.
This flaw could allow attackers to remotely execute arbitrary code with elevated privileges on affected systems. CVE-2024-7589 stems from a flaw in the signal handler of the sshd(8) daemon, used for handling SSH connections. The issue arises when a logging function that is not async-signal-safe is called within the signal handler, potentially leading to race conditions.
This vulnerability could give attackers complete control over the affected system, making it a severe security risk. Users should update FreeBSD to a version with the latest security patches and restart the sshd(8) daemon to mitigate this issue.
5. Microsoft Reveals Four OpenVPN Flaws Leading to Potential RCE and LPE
Microsoft on Thursday disclosed four medium-severity security flaws in the open-source OpenVPN software that could be chained to achieve remote code execution (RCE) and local privilege escalation (LPE). This attack chain could enable attackers to gain full control over targeted endpoints, potentially resulting in data breaches, system compromise, and unauthorized access to sensitive information.
The list of vulnerabilities is as follows:
- CVE-2024-27459: Stack overflow vulnerability causing DoS and LPE in Windows.
- CVE-2024-24974: Unauthorized access to the “\openvpn\service” named pipe in Windows, allowing remote operations.
- CVE-2024-27903: Plugin mechanism vulnerability leading to RCE in Windows and LPE/data manipulation in Android, iOS, macOS, and BSD.
- CVE-2024-1305: Memory overflow vulnerability causing DoS in Windows.
The first three of the four flaws are rooted in a component named openvpnserv, while the last one resides in the Windows Terminal Access Point (TAP) driver. An attacker could leverage at least three of the four discovered vulnerabilities to create exploits to facilitate RCE and LPE, which could then be chained together to create a powerful attack chain.
6. CISA Warns of Hackers Exploiting Legacy Cisco Smart Install Feature
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has revealed that threat actors are exploiting the legacy Cisco Smart Install (SMI) feature to access sensitive data. Adversaries are using this method to acquire system configuration files by exploiting vulnerabilities in Cisco devices.
CISA has also noted the prevalence of weak password types on Cisco network devices, making them vulnerable to password-cracking attacks. The agency recommends using “type 8” password protection and suggests reviewing the NSA’s Smart Install Protocol Misuse advisory for configuration guidance. Cisco has also warned of critical flaws (CVE-2024-20419, CVE-2024-20450, CVE-2024-20452, CVE-2024-20454) in its Smart Software Manager and SPA Series IP Phones. These vulnerabilities could lead to unauthorized access, arbitrary command execution, or denial-of-service conditions.