how human behavior affects security

Programmer’s Digest #104

10/09/2024-10/16/2024 GitHub Patches Critical Flaw, CISA Warns of Three Vulnerabilities, WordPress Plugin Jetpack Patches Major Vulnerability And More.

1. GitHub Patches Critical Flaw in Enterprise Server Allowing Unauthorized Instance Access

GitHub has released security updates for Enterprise Server (GHES) to fix several vulnerabilities, including a critical flaw (CVE-2024-9487) with a CVSS score of 9.5/10. This issue allows attackers to bypass SAML single sign-on (SSO) authentication and gain unauthorized access by exploiting a cryptographic signature verification weakness. The flaw is a regression from CVE-2024-4985, a maximum severity bug (CVSS 10.0) patched in May 2024. Two other issues were also fixed: CVE-2024-9539 (CVSS 5.7), which exposes user metadata, and a sensitive data exposure in HTML forms. The vulnerabilities are patched in GHES versions 3.14.2, 3.13.5, 3.12.10, and 3.11.16. GitHub urges organizations using affected versions to update immediately to prevent potential security risks.

2. CISA Warns of Three Vulnerabilities Actively Exploited in the Wild

CISA has issued an urgent alert about three critical vulnerabilities being actively exploited in the wild. These affect Microsoft, Mozilla, and SolarWinds products, posing serious risks. The first, CVE-2024-30088, is a race condition in the Microsoft Windows Kernel, potentially allowing privilege escalation. Users should apply mitigations or discontinue use by November 5, 2024. The second, CVE-2024-9680, is a use-after-free flaw in Mozilla Firefox that could allow arbitrary code execution. Mozilla users must also apply fixes by the same deadline. The third, CVE-2024-28987, impacts SolarWinds Web Help Desk, involving hardcoded credentials that could allow unauthorized access. CISA urges immediate patching or mitigation to prevent exploitation.

3. WordPress Plugin Jetpack Patches Major Vulnerability Affecting 27 Million Sites

Jetpack, a popular WordPress plugin by Automattic, has released a security update to fix a critical vulnerability. The flaw, present since version 3.9.9 (2016), allowed logged-in users to view forms submitted by others on the site. Discovered during an internal audit, the issue affects Jetpack’s Contact Form feature. Jetpack, used on 27 million sites, worked with the WordPress.org Security Team to automatically update affected sites. While there’s no evidence of exploitation, the vulnerability could be abused now that it’s public. The update addresses this flaw across 101 Jetpack versions. In related news, WordPress founder Matt Mullenweg has taken control of WP Engine’s Advanced Custom Fields (ACF) plugin, launching a fork called Secure Custom Fields (SCF) to fix a security issue. WP Engine disputes the action, claiming it was taken without consent.

4. Ransomware operators exploited Veeam Backup & Replication flaw CVE-2024-40711 in recent attacks

Sophos reports that ransomware operators are exploiting a critical flaw, CVE-2024-40711, in Veeam Backup & Replication software to create rogue accounts and deploy malware. Veeam addressed this remote code execution (RCE) vulnerability (CVSS 9.8) in September 2024, as part of a security update that fixed 18 high and critical flaws. The flaw affects Veeam Backup & Replication version 12.1.2.172 and earlier. Attackers have used compromised credentials and the vulnerability to deploy ransomware, including Fog and Akira. These attacks often target outdated VPN gateways without multifactor authentication. Sophos warns that attackers exploited Veeam’s URI trigger on port 8000 to create local admin accounts and deploy ransomware. One attack involved Fog ransomware on an unprotected Hyper-V server, using rclone for data exfiltration. Sophos emphasizes the importance of patching vulnerabilities, updating outdated VPNs, and using multifactor authentication to prevent attacks.
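The rogue local admin accounts described above leave a recognisable trace in the Windows Security log: event 4720 (a user account was created) followed shortly by event 4732 (a member was added to a security-enabled local group) naming the Administrators group. The following detection is an added example, not code from the digest, Sophos or Veeam; it assumes the events are available as JSON lines (for instance exported from a SIEM), and the sample events are constructed.

```python
"""Flag newly created accounts that are promptly added to the local Administrators group.

Added example, not from the digest or from Sophos or Veeam. It works from
Windows Security events 4720 (a user account was created) and 4732 (a member
was added to a security-enabled local group), here assumed to be available as
JSON lines exported from a SIEM. The sample events are constructed.
"""
import json
from datetime import datetime, timedelta
from typing import Dict, List

EVENT_ACCOUNT_CREATED = 4720
EVENT_LOCAL_GROUP_MEMBER_ADDED = 4732
LOCAL_ADMIN_GROUP = "administrators"

# Constructed sample: one suspicious create-then-elevate sequence and one benign
# helpdesk-created account that only joins Remote Desktop Users.
SAMPLE_EVENTS = r"""
{"TimeCreated": "2024-10-11T02:14:03", "EventID": 4720, "SubjectUserName": "Administrator", "TargetUserName": "svc_backup2"}
{"TimeCreated": "2024-10-11T02:14:09", "EventID": 4732, "SubjectUserName": "Administrator", "TargetUserName": "Administrators", "MemberName": "HOST01\\svc_backup2"}
{"TimeCreated": "2024-10-11T09:30:00", "EventID": 4720, "SubjectUserName": "helpdesk", "TargetUserName": "jdoe"}
{"TimeCreated": "2024-10-11T09:31:00", "EventID": 4732, "SubjectUserName": "helpdesk", "TargetUserName": "Remote Desktop Users", "MemberName": "HOST01\\jdoe"}
"""


def parse_events(jsonl: str) -> List[Dict]:
    """Parse JSON lines into event dicts, with TimeCreated as a datetime, sorted by time."""
    events = []
    for line in jsonl.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        event["TimeCreated"] = datetime.fromisoformat(event["TimeCreated"])
        events.append(event)
    return sorted(events, key=lambda e: e["TimeCreated"])


def account_name(member_name: str) -> str:
    """Strip a DOMAIN\\ or HOST\\ prefix; 4732 may carry '-' when only MemberSid is logged."""
    return member_name.rsplit("\\", 1)[-1].lower()


def find_new_local_admins(events: List[Dict], window: timedelta = timedelta(minutes=15)) -> List[Dict]:
    """Correlate a 4720 with a later 4732 into Administrators for the same account within `window`."""
    created: Dict[str, Dict] = {}
    findings = []
    for event in events:
        if event["EventID"] == EVENT_ACCOUNT_CREATED:
            # Remember who created which account, keyed by the new account's name.
            created[event["TargetUserName"].lower()] = event
        elif (event["EventID"] == EVENT_LOCAL_GROUP_MEMBER_ADDED
              and event.get("TargetUserName", "").lower() == LOCAL_ADMIN_GROUP):
            member = account_name(event.get("MemberName", "-"))
            creation = created.get(member)
            if creation is not None and event["TimeCreated"] - creation["TimeCreated"] <= window:
                findings.append({
                    "account": member,
                    "created_by": creation["SubjectUserName"],
                    "elevated_by": event["SubjectUserName"],
                    "seconds_between": (event["TimeCreated"] - creation["TimeCreated"]).total_seconds(),
                })
    return findings


if __name__ == "__main__":
    for finding in find_new_local_admins(parse_events(SAMPLE_EVENTS)):
        print(finding)
```

The correlation window is deliberately short: an account that is created and made an administrator within minutes, outside a change window, is the pattern worth paging on, while the lone 4720 from the helpdesk stays quiet. On a Veeam server the SubjectUserName of the 4720 is the first thing to inspect, since an account created by the Veeam service identity itself is not something a normal backup job does.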

5. Experts Warn of Critical Unpatched Vulnerability in Linear eMerge E3 Systems

Cybersecurity researchers warn of an unpatched vulnerability (CVE-2024-9441, CVSS 9.8) in Nice Linear eMerge E3 access controllers that allows remote attackers to execute arbitrary OS commands. Despite public disclosure, no fix or workaround has been provided by the vendor. The flaw affects several versions of the Nortek Linear eMerge E3, including 0.32-03i through 1.00.07. Proof-of-concept exploits have been released, increasing the risk of malicious attacks. A similar flaw (CVE-2019-7256) was exploited in the past to recruit devices into the Raptor Train botnet, which raises concerns about the vendor’s slow response.

Nice recommends following security best practices, such as network segmentation, restricting internet access, and using firewalls to protect affected devices.

6 mo   digest   programmers'

Programmer’s Digest #103

10/02/2024-10/09/2024 Microsoft Issues Security Update Fixing 118 Flaws, Three More CSA Zero-Days Exploited, Critical Apache Avro SDK Flaw And More.

1. Microsoft Issues Security Update Fixing 118 Flaws, Two Actively Exploited in the Wild

Microsoft has issued security updates addressing 118 vulnerabilities, two of which are actively exploited. The updates include fixes for three Critical, 113 Important, and two Moderate flaws, excluding 25 additional vulnerabilities in Edge. Five vulnerabilities were publicly known at release, with two under active exploitation as zero-days: CVE-2024-43572 (Remote Code Execution) and CVE-2024-43573 (Spoofing). Both are listed in CISA’s Known Exploited Vulnerabilities catalog, requiring fixes by October 29, 2024. The most severe flaw (CVE-2024-43468, CVSS score: 9.8) affects Microsoft Configuration Manager and could allow unauthenticated attackers to execute arbitrary commands. Other critical flaws involve Visual Studio Code (CVE-2024-43488) and Remote Desktop Protocol (CVE-2024-43582). Attack complexity for the latter is high, requiring a race condition to access memory improperly.

2. Ivanti Warns Of Three More CSA Zero-Days Exploited in Attacks

Ivanti has released security updates to patch three new Cloud Services Appliance (CSA) zero-day vulnerabilities actively exploited in attacks. These flaws, when chained with another zero-day (CVE-2024-8963) patched in September, allow attackers to perform SQL injection, execute arbitrary code, and bypass security restrictions on vulnerable CSA gateways. The vulnerabilities affect CSA versions 5.0.1 and earlier. Ivanti recommends users upgrade to version 5.0.2 and rebuild compromised systems. For detection, admins should review endpoint detection and response (EDR) alerts or check for new or modified admin users. While CSA 4.6 is end-of-life, Ivanti emphasized no exploitation has been seen in CSA 5.0. Ivanti is enhancing security practices, having signed the CISA Secure by Design pledge, and continues to improve its disclosure process for faster issue resolution.

3. Critical Apache Avro SDK Flaw Impacts Java Applications 

A critical vulnerability in the Apache Avro Java SDK, tracked as CVE-2024-47561, can allow arbitrary code execution on affected instances. This flaw impacts all versions of the software prior to 1.11.4. Apache Avro, a data serialization framework used in big data and distributed systems, is part of the Apache Hadoop project. The issue stems from the Java SDK’s schema parsing, which could be exploited by malicious actors. Users are advised to upgrade to versions 1.11.4 or 1.12.0, which address the vulnerability. Applications allowing user-provided Avro schemas for parsing are at risk. For those unable to update, mitigations include avoiding user-provided schema parsing or sanitizing schemas before processing.

4. WordPress LiteSpeed Cache Plugin Security Flaw Exposes Sites to XSS Attacks

A high-severity vulnerability (CVE-2024-47374, CVSS score: 7.2) has been identified in the LiteSpeed Cache plugin for WordPress, affecting versions up to 6.5.0.2. This stored cross-site scripting (XSS) flaw allows malicious actors to inject JavaScript, potentially leading to privilege escalation or sensitive data theft. The issue was resolved in version 6.5.1 on September 25, 2024, following responsible disclosure by researcher TaiYou from Patchstack Alliance. The vulnerability arises from improper parsing of the “X-LSCACHE-VARY-VALUE” HTTP header. The exploit requires the plugin’s “CSS Combine” and “Generate UCSS” options to be enabled. Stored XSS attacks are dangerous as they can execute malicious scripts whenever a site visitor accesses the affected page. This vulnerability is particularly concerning due to LiteSpeed Cache’s large user base, with over six million installations.

5. CISA Warns of Exploited Ivanti Flaw: Urgent Patch Needed

CISA warns of active exploitation of a critical vulnerability (CVE-2024-29824) in Ivanti Endpoint Manager, urging organizations to apply the May 2024 patch immediately. This flaw, which allows unauthorized access, could lead to data theft, ransomware, and other attacks. CISA has added the bug to its Known Exploited Vulnerabilities Catalog, citing evidence of ongoing exploitation. Ivanti confirmed that a limited number of customers have already been targeted. Government agencies must patch systems by October 23, 2024, and all organizations are advised to prioritize this fix. This follows a series of attacks exploiting multiple Ivanti security flaws, including zero-day vulnerabilities. Ivanti is working to improve its security processes to address threats faster. With over 40,000 companies using Ivanti’s tools, the widespread impact underscores the urgency of addressing this issue swiftly.

Programmer’s Digest #102

09/25/2024-10/02/2024 CUPS Flaws Enable Linux Remote Code Execution, Critical Zimbra Postjournal Flaw, WhatsUp Gold Has Some Critical Security Flaws And More.

1. CUPS Flaws Enable Linux Remote Code Execution

Attackers can exploit multiple vulnerabilities in the CUPS printing system, tracked as CVE-2024-47076, CVE-2024-47175, CVE-2024-47176, and CVE-2024-47177, to execute remote code on vulnerable machines. However, they do not affect systems with default settings. The issue arises when the cups-browsed daemon, which is typically disabled, is running. This daemon listens on UDP port 631 and can automatically install a malicious printer if one is advertised on the local network. When a user prints to this printer, a command is executed locally. While patches are in development, administrators can mitigate the risk by disabling the cups-browsed service. Red Hat has rated the impact as “Important” but not critical due to the multiple hurdles an attacker must overcome.
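The two preconditions named above (cups-browsed running, and a UDP listener on port 631) are easy to check on a host, and the mitigation is to stop and disable the service. The script below is an added example, not code from the digest, Red Hat or the CUPS project; it parses the output layout of `ss -uln` from iproute2 and `systemctl is-active`, and the `ss` sample it falls back to is constructed rather than captured from a real host.

```python
"""Check a Linux host for the cups-browsed exposure described above.

Added example (not code from the digest, Red Hat, or the CUPS project).
It tests the two conditions the digest names: the cups-browsed daemon
running, and a UDP listener on port 631. Parsing targets the output
layout of `ss -uln` from iproute2; the sample below is constructed, not
captured from a real host.
"""
import re
import shutil
import subprocess
from typing import Dict, Set

CUPS_BROWSED_UDP_PORT = 631

# Constructed sample of `ss -uln` output with a 631/udp listener present.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
UNCONN  0       0             0.0.0.0:631        0.0.0.0:*
UNCONN  0       0             0.0.0.0:5353       0.0.0.0:*
UNCONN  0       0                [::]:5353          [::]:*
"""


def udp_listen_ports(ss_output: str) -> Set[int]:
    """Extract local UDP ports from `ss -uln`-style output (header line skipped)."""
    ports = set()
    for line in ss_output.splitlines()[1:]:
        fields = line.split()
        # Data rows: State Recv-Q Send-Q Local:Port Peer:Port [Process]
        if len(fields) < 5 or fields[0] != "UNCONN":
            continue
        match = re.search(r":(\d+)$", fields[3])  # handles 0.0.0.0:631, [::]:631 and *:631
        if match:
            ports.add(int(match.group(1)))
    return ports


def assess(ss_output: str, cups_browsed_active: bool) -> Dict[str, object]:
    """Combine the two signals into a verdict plus the mitigation the digest recommends."""
    listening = CUPS_BROWSED_UDP_PORT in udp_listen_ports(ss_output)
    exposed = listening and cups_browsed_active
    mitigation = []
    if exposed:
        # Stop the daemon now and keep it from starting at boot; blocking
        # 631/udp at the host firewall is a further, optional layer.
        mitigation = ["systemctl stop cups-browsed", "systemctl disable cups-browsed"]
    return {
        "udp_631_listening": listening,
        "cups_browsed_active": cups_browsed_active,
        "exposed": exposed,
        "mitigation": mitigation,
    }


def live_assessment() -> Dict[str, object]:
    """Run the real commands on this host (Linux with iproute2 and systemd)."""
    if shutil.which("ss") is None or shutil.which("systemctl") is None:
        raise RuntimeError("ss and systemctl are required for a live check")
    ss_out = subprocess.run(["ss", "-uln"], capture_output=True, text=True, check=True).stdout
    # `systemctl is-active` prints active / inactive / unknown; a non-zero exit is expected when inactive.
    state = subprocess.run(["systemctl", "is-active", "cups-browsed"],
                           capture_output=True, text=True).stdout.strip()
    return assess(ss_out, state == "active")


if __name__ == "__main__":
    try:
        report = live_assessment()
    except (RuntimeError, subprocess.CalledProcessError) as exc:
        print(f"live check unavailable ({exc}); evaluating the constructed sample instead")
        report = assess(SAMPLE_SS_OUTPUT, cups_browsed_active=True)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run it as root on each print server or workstation image; a host that reports `exposed: True` should have the listed `systemctl` commands applied before the patched packages arrive, and hosts that never need printer auto-discovery can keep cups-browsed disabled permanently.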

2. Researchers Sound Alarm on Active Attacks Exploiting Critical Zimbra Postjournal Flaw

Researchers are warning of active attacks targeting a severe flaw in Zimbra Collaboration. Proofpoint detected the exploitation of CVE-2024-45519 starting September 28, 2024. This flaw in Zimbra’s postjournal service allows unauthenticated attackers to execute arbitrary commands. The attacks involve spoofed Gmail emails with Base64 strings sent to Zimbra servers, which execute them using the sh utility. Zimbra patched the issue in versions released on September 4, 2024. Though the postjournal feature may be optional, applying the patch is essential. Proofpoint observed attempts to install a web shell on vulnerable servers, enabling command execution. Users are urged to update their systems for protection.

3. PyPI Repository Found Hosting Fake Crypto Wallet Recovery Tools That Steal User Data

A new set of malicious packages was discovered in the Python Package Index (PyPI) posing as cryptocurrency wallet recovery tools, stealing sensitive data and digital assets. Targeting wallets like Atomic, Trust Wallet, and Metamask, the packages claimed to help recover mnemonic phrases but instead siphoned private keys and transaction data. Named deceptively to attract developers, these packages included fake download stats and descriptions to appear legitimate. Each had hundreds of downloads before being removed. The malicious code activated when specific functions were called, with data sent to a remote server via a technique called “dead drop resolver,” allowing dynamic server updates.

This attack highlights the risks in open-source ecosystems and the ongoing threats to cryptocurrency users, echoing similar scams like CryptoCore, which used deepfakes and hijacked accounts to steal assets.

4. Progress Warns WhatsUp Gold Has Some Critical Security Flaws

Progress Software recently patched critical and high-severity vulnerabilities in its network monitoring tool, WhatsUp Gold, urging users to update immediately. A security advisory revealed six flaws affecting versions below 24.0.1, without specifying how they could be exploited. Progress warned users that failing to upgrade leaves systems vulnerable to cyberattacks. 

The flaws are listed as: 

  • CVE-2024-46905: CVSS 8.8/10
  • CVE-2024-46906: CVSS 8.8/10
  • CVE-2024-46907: CVSS 8.8/10
  • CVE-2024-46908: CVSS 8.8/10
  • CVE-2024-46909: CVSS 9.8/10
  • CVE-2024-8785: CVSS 9.8/10

Users are advised to download and install version 24.0.1, released on September 20, by visiting Progress’ product page. No reports have confirmed whether the vulnerabilities were exploited before the patch.

5. Critical NVIDIA Container Bug is An ‘Old School’ Risk to AI Workloads

NVIDIA has patched a critical bug (CVE-2024-0132) in its Container Toolkit, which could let attackers gain full root access to a host system. Rated a 9.0 on the CVSS scale, the vulnerability affects all versions up to v1.16.1, with a fix provided in v1.16.2, released on September 25. The bug allows attackers to exploit shared GPU resources via malicious containers, either directly or through supply chain or social engineering attacks.

Cloud security firm Wiz, which reported the issue, warned that such infrastructure vulnerabilities pose immediate risks to AI workloads, especially in environments where multiple customers share GPU devices. Attackers could gain control by accessing Container Runtime Unix sockets and executing commands on the host system.
