how human behavior affects security

Programmer’s Digest #102

09/25/2024-10/02/2024 CUPS Flaws Enable Linux Remote Code Execution, Critical Zimbra Postjournal Flaw, WhatsUp Gold Has Some Critical Security Flaws And More.

1. CUPS Flaws Enable Linux Remote Code Execution

Multiple vulnerabilities in the CUPS printing system, tracked as CVE-2024-47076, CVE-2024-47175, CVE-2024-47176 and CVE-2024-47177, can be chained to execute code remotely on a vulnerable machine. They do not affect systems in their default configuration: the issue arises only when the cups-browsed daemon, which is disabled on most installs, is running. cups-browsed listens on UDP port 631 and automatically installs any printer advertised on the local network, including an attacker-controlled one whose printer description (PPD) carries a malicious command. When a user prints to that printer, the command is executed locally. While patches are in development, administrators can mitigate the risk by stopping and disabling the cups-browsed service. Red Hat has rated the impact as “Important” rather than Critical because of the several hurdles an attacker must clear: the daemon must be running, the attacker must reach it, and a user must print to the rogue printer.
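The two things an administrator wants to know before touching a host are whether cups-browsed is actually bound to UDP 631 on a non-loopback address and whether its configuration accepts remote printer advertisements at all. The script below is an added example for this digest, not code from the CUPS project or from the advisory. It parses the output of `ss -lunp` and the text of /etc/cups/cups-browsed.conf; the sample strings embedded in it are constructed, and the live run at the bottom assumes both are readable on the host (the process column of `ss` needs root).

```python
"""Audit cups-browsed exposure on a Linux host.

Added example for this digest, not code from the CUPS project or the advisory.
It works on two inputs you capture yourself: the output of `ss -lunp`
(listening UDP sockets with owning process, needs root for the process column)
and the text of /etc/cups/cups-browsed.conf. The samples below are constructed.
"""
import re
import subprocess
from pathlib import Path

# Constructed `ss -lunp` output: cups-browsed bound to UDP 631 on every interface.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
UNCONN 0      0            0.0.0.0:631       0.0.0.0:*     users:(("cups-browsed",pid=812,fd=7))
UNCONN 0      0          127.0.0.1:323       0.0.0.0:*     users:(("chronyd",pid=640,fd=5))
"""

# Constructed cups-browsed.conf that accepts printer advertisements from the network.
SAMPLE_CONF = """\
# /etc/cups/cups-browsed.conf
BrowseRemoteProtocols dnssd cups
BrowseAllow all
"""

PROC_RE = re.compile(r'\(\("([^"]+)",pid=(\d+)')


def udp631_listeners(ss_output: str) -> list:
    """Sockets bound to UDP 631, as dicts with proc, pid and local address."""
    found = []
    for line in ss_output.splitlines()[1:]:          # skip the header row
        cols = line.split()
        if len(cols) < 5 or not cols[3].endswith(":631"):
            continue
        m = PROC_RE.search(line)                      # process column is absent without root
        found.append({
            "proc": m.group(1) if m else "?",
            "pid": int(m.group(2)) if m else -1,
            "addr": cols[3],
        })
    return found


def browse_protocols(conf_text: str) -> set:
    """Protocols on which cups-browsed accepts remote printers.

    `BrowseRemoteProtocols none` turns remote discovery off; when the directive
    is absent the daemon falls back to its built-in default of dnssd and cups.
    """
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.lower().startswith("browseremoteprotocols"):
            values = [v.lower() for v in line.split()[1:]]
            return set() if values == ["none"] else set(values)
    return {"dnssd", "cups"}


def assess(ss_output: str, conf_text: str) -> dict:
    """Exposed means: cups-browsed is bound to UDP 631 on a non-loopback
    address and is configured to accept remote printer advertisements."""
    listeners = udp631_listeners(ss_output)
    protocols = browse_protocols(conf_text)
    daemon_bound = any(
        s["proc"] == "cups-browsed" and not s["addr"].startswith("127.")
        for s in listeners
    )
    return {
        "listeners": listeners,
        "remote_protocols": sorted(protocols),
        "exposed": daemon_bound and bool(protocols),
    }


if __name__ == "__main__":
    # Live run on this host. If "exposed" is True the mitigation is:
    #   systemctl stop cups-browsed && systemctl disable cups-browsed
    ss_live = subprocess.run(["ss", "-lunp"], capture_output=True, text=True, check=False).stdout
    conf_path = Path("/etc/cups/cups-browsed.conf")
    conf_live = conf_path.read_text() if conf_path.exists() else ""
    print(assess(ss_live, conf_live))
```

Setting `BrowseRemoteProtocols none` in cups-browsed.conf is an alternative to disabling the service when local printer discovery over other means must stay available; the audit treats that configuration as not exposed even if the daemon is still running.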

2. Researchers Sound Alarm on Active Attacks Exploiting Critical Zimbra Postjournal Flaw

Researchers are warning of active attacks against a severe flaw in Zimbra Collaboration. Proofpoint observed exploitation of CVE-2024-45519 beginning September 28, 2024. The flaw, in Zimbra’s postjournal service, lets unauthenticated attackers execute arbitrary commands. The observed attacks use emails spoofed to appear to come from Gmail, with Base64-encoded commands placed in the CC addresses; a vulnerable server decodes and executes them with the sh utility. Zimbra patched the issue in versions released on September 4, 2024. The postjournal service is optional and may not be enabled on every deployment, but applying the patch is still essential. Proofpoint saw attempts to drop a web shell on vulnerable servers, which would give the attacker persistent command execution. Users are urged to update their systems.
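Mail administrators who want to look for this campaign in their own queues can check recipient headers for the pattern Proofpoint described: an address whose local part is Base64 that decodes to a shell command. The script below is an added example for this digest, not Proofpoint’s or Zimbra’s code. The message it scans is constructed, the domain is invented, and the payload is a harmless stand-in for the commands seen in the wild.

```python
"""Triage helper for the Zimbra postjournal campaign described above.

Added example for this digest, not Proofpoint's or Zimbra's code. It scans a
message's To and CC headers for recipient addresses whose local part is Base64
that decodes to a shell command, the pattern reported in exploitation attempts
against CVE-2024-45519. The message below is constructed: the domain is
invented and the payload is a harmless stand-in for what was seen in the wild.
"""
import base64
import email
import re
from typing import List, Optional, Tuple

# Commands and metacharacters that a decoded local part should never contain.
SHELL_RE = re.compile(
    r"(?:^|[;|&\s])(?:sh|bash|curl|wget|chmod|echo|base64|python3?)\b|/tmp/|\$\(|`"
)
B64_RE = re.compile(r"[A-Za-z0-9+/]{8,}={0,2}")

PAYLOAD = b"echo 'hi' > /tmp/probe; sh"      # constructed stand-in for the real command
SAMPLE_MESSAGE = (
    b"From: Google <noreply@gmail.com>\r\n"   # sender spoofed as Gmail, as in the campaign
    b"To: ops@example-zimbra.test\r\n"
    b"CC: " + base64.b64encode(PAYLOAD) + b"@example-zimbra.test, alice@example-zimbra.test\r\n"
    b"Subject: hello\r\n\r\nbody\r\n"
)


def decode_b64_local_part(addr: str) -> Optional[str]:
    """Return the decoded local part if it is valid Base64 of UTF-8 text, else None."""
    local = addr.split("@", 1)[0].strip(' "<>')
    if not B64_RE.fullmatch(local):
        return None
    try:
        return base64.b64decode(local, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):   # bad padding or alphabet, or binary junk
        return None


def suspicious_recipients(raw_message: bytes) -> List[Tuple[str, str, str]]:
    """(header, address, decoded command) for every recipient hiding a shell command."""
    msg = email.message_from_bytes(raw_message)   # compat32 policy: headers stay raw strings
    hits = []
    for hdr in ("To", "Cc"):
        for addr in (a.strip() for a in (msg.get(hdr) or "").split(",")):
            if not addr:
                continue
            decoded = decode_b64_local_part(addr)
            if decoded is not None and SHELL_RE.search(decoded):
                hits.append((hdr, addr, decoded))
    return hits


if __name__ == "__main__":
    for hdr, addr, cmd in suspicious_recipients(SAMPLE_MESSAGE):
        print(f"{hdr}: {addr} -> {cmd!r}")
```

A Base64 local part that decodes to ordinary text is left alone, so the check does not fire on every opaque-looking address; the shell-marker regex is deliberately narrow and should be widened with whatever your own samples show.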

 

3. PyPI Repository Found Hosting Fake Crypto Wallet Recovery Tools That Steal User Data

A new set of malicious packages was discovered in the Python Package Index (PyPI) posing as cryptocurrency wallet recovery tools while stealing sensitive data and digital assets. Targeting wallets such as Atomic, Trust Wallet and MetaMask, the packages claimed to help recover mnemonic phrases but instead siphoned private keys and transaction data. Named to look like legitimate developer tooling, they carried fake download statistics and descriptions to appear trustworthy, and each had hundreds of downloads before removal. The malicious code activated only when specific functions were called, and exfiltrated data to a remote server whose address was fetched through a “dead drop resolver,” so the operators could change servers without updating the packages.

This attack highlights the risks in open-source ecosystems and the ongoing threats to cryptocurrency users, echoing similar scams like CryptoCore, which used deepfakes and hijacked accounts to steal assets.

4. Progress Warns WhatsUp Gold Has Some Critical Security Flaws

Progress Software recently patched critical and high-severity vulnerabilities in its network monitoring tool, WhatsUp Gold, urging users to update immediately. A security advisory revealed six flaws affecting versions below 24.0.1, without specifying how they could be exploited. Progress warned users that failing to upgrade leaves systems vulnerable to cyberattacks. 

The flaws are listed as: 

  • CVE-2024-46905: CVSS 8.8/10
  • CVE-2024-46906: CVSS 8.8/10
  • CVE-2024-46907: CVSS 8.8/10
  • CVE-2024-46908: CVSS 8.8/10
  • CVE-2024-46909: CVSS 9.8/10
  • CVE-2024-8785: CVSS 9.8/10

Users are advised to download and install version 24.0.1, released on September 20, by visiting Progress’ product page. No reports have confirmed whether the vulnerabilities were exploited before the patch.

5. Critical NVIDIA Container Bug is An ‘Old School’ Risk to AI Workloads

NVIDIA has patched a critical bug (CVE-2024-0132) in its Container Toolkit that could let an attacker escape a container and gain full root access to the host. Rated 9.0 on the CVSS scale, the vulnerability affects all versions up to v1.16.1, with a fix in v1.16.2, released on September 25. It is triggered by a crafted container image, which an attacker can deliver directly in a shared environment or through supply chain or social engineering attacks.

Cloud security firm Wiz, which reported the issue, warned that such infrastructure vulnerabilities pose immediate risks to AI workloads, especially in environments where multiple customers share GPU devices. Once on the host, an attacker can reach the container runtime’s Unix sockets (docker.sock, containerd.sock) and execute commands on the host and in other tenants’ containers.

1 mo   digest   programmers'

Programmer’s Digest #101

09/18/2024-09/25/2024 CISA Flags Critical Ivanti vTM Vulnerability, Malware Hidden in Python Packages, Critical Ivanti Cloud Appliance Vulnerability And More.

1. CISA Flags Critical Ivanti vTM Vulnerability Amid Active Exploitation Concerns

CISA added a critical flaw in Ivanti Virtual Traffic Manager (vTM), CVE-2024-7593 (CVSS score: 9.8), to its Known Exploited Vulnerabilities catalog due to active exploitation. The vulnerability allows a remote, unauthenticated attacker to bypass authentication and create rogue admin accounts. Ivanti shipped fixes in August 2024 in vTM releases from 22.2R1 through 22.7R2. Although no details of real-world attacks were shared, a proof-of-concept (PoC) exploit is publicly available. Federal agencies must address the flaw by October 15, 2024. Recent months have seen increased exploitation of Ivanti products, and over 2,000 exposed vTM instances have been identified online.

2. Hundreds of Millions of IoT Devices Affected by TCP/IP Security Flaws 

Researchers at JSOF discovered Ripple20, a collection of critical vulnerabilities in the Treck TCP/IP software library used in hundreds of millions of IoT devices. These flaws allow remote code execution, affecting products from major companies like Intel, HP, and Caterpillar. Ripple20 impacts various devices, including printers, IP cameras, UPS systems, and medical equipment. Two vulnerabilities, CVE-2020-11896 and CVE-2020-11897, score 10/10 in severity, posing serious risks like network takeover. The supply chain complexity worsens the issue, as many vendors are unaware they use the vulnerable library. Fixing these flaws is challenging, as they require firmware updates, especially for third-party hardware components. 

3. Software Developers Targeted By Malware Hidden in Python Packages 

North Korean hackers linked to the Lazarus Group are targeting Python developers on macOS, Unit 42 warns. The campaign is part of “Operation Dream Job,” in which fake job offers lure developers into running malicious software. The attackers uploaded four weaponized Python packages to PyPI (real-ids, coloredtxt, beautifultext and minisound) that delivered the PondRAT malware. PondRAT, a slimmed-down version of the POOLRAT macOS backdoor, can upload and download files and run commands. Unit 42 attributes the activity to Gleaming Pisces, a Lazarus sub-group, and also found Linux variants of PondRAT, extending the threat beyond Macs. Malicious packages installed on a developer workstation are a serious risk to organizations, since that machine is often a stepping stone into the wider network.

4. Critical Ivanti Cloud Appliance Vulnerability Exploited in Active Cyberattacks

Ivanti has disclosed that a critical flaw in its Cloud Service Appliance (CSA), CVE-2024-8963 (CVSS score: 9.4), is being actively exploited. The vulnerability, addressed in CSA 4.6 Patch 519 and CSA 5.0, allows remote attackers to access restricted functionality. When combined with CVE-2024-8190 (CVSS score: 7.2), attackers can bypass admin authentication and execute commands. Ivanti acknowledged a limited number of customers have been affected. CISA  has added this vulnerability to its Known Exploited Vulnerabilities catalog, urging agencies to apply patches by October 10, 2024. Ivanti recommends upgrading to CSA version 5.0 immediately.

5. GitLab Releases Fix For Critical SAML Authentication Bypass Flaw

GitLab has released security updates to fix a critical SAML authentication bypass vulnerability (CVE-2024-45409) affecting self-managed GitLab Community (CE) and Enterprise Editions (EE). The flaw, rooted in the OmniAuth-SAML and Ruby-SAML libraries, allows an attacker to craft a malicious SAML response, bypass authentication and gain unauthorized access. Fixes are in versions 17.3.3, 17.2.7, 17.1.8, 17.0.8 and 16.11.10; earlier releases of those series are affected. GitLab urges affected users to update immediately. For those unable to upgrade, enabling two-factor authentication (2FA) for all accounts is recommended. While no confirmed exploitation has been reported, signs of attempted or successful attacks include unusual extern_uid values and suspicious source IP addresses in authentication logs.
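The two indicators GitLab names, unexpected extern_uid values and unexpected source IPs, are easy to check mechanically once authentication events are in JSON form. The script below is an added example for this digest, not GitLab’s code. The log lines it reads are constructed, and the field names (message, extern_uid, remote_ip) and the identity format it expects are assumptions for the demonstration, not GitLab’s documented log schema; adjust them to what your instance actually writes to application_json.log.

```python
"""Log triage for the GitLab SAML bypass (CVE-2024-45409) described above.

Added example for this digest, not GitLab's code. GitLab's advisory points at
unusual extern_uid values and unexpected source IPs in authentication logs; the
function below applies both checks to JSON log lines. The lines, the field
names (message, extern_uid, remote_ip) and the identity format are constructed
for the demonstration, not GitLab's documented log schema.
"""
import ipaddress
import json
import re
from typing import Dict, List

# Constructed log lines: two ordinary SAML sign-ins, then one whose extern_uid
# matches no provisioned identity and arrives from outside the office range.
SAMPLE_LOG = """\
{"time":"2024-09-18T08:01:02Z","message":"(saml) Login","extern_uid":"alice@corp.example","remote_ip":"10.20.0.15"}
{"time":"2024-09-18T08:03:41Z","message":"(saml) Login","extern_uid":"bob@corp.example","remote_ip":"10.20.0.22"}
{"time":"2024-09-18T11:45:09Z","message":"(saml) Login","extern_uid":"admin","remote_ip":"203.0.113.77"}
"""

KNOWN_SUBJECTS = {"alice@corp.example", "bob@corp.example"}      # what the IdP actually issues
EXPECTED_UID = re.compile(r"^[a-z0-9._-]+@corp\.example$")       # the IdP's NameID format
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/16")]             # where users sign in from


def flag_events(log_text: str,
                known_subjects=KNOWN_SUBJECTS,
                expected=EXPECTED_UID,
                trusted=TRUSTED_NETS) -> List[Dict]:
    """Return one record per SAML event that fails any of the three checks."""
    flagged = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue                      # not a JSON line; leave it for other tooling
        uid = event.get("extern_uid")
        if uid is None:
            continue                      # not a SAML sign-in event
        reasons = []
        if uid not in known_subjects:
            reasons.append("extern_uid not provisioned by the IdP")
        if not expected.match(uid):
            reasons.append("extern_uid does not match the IdP NameID format")
        ip = event.get("remote_ip")
        try:
            if ip and not any(ipaddress.ip_address(ip) in net for net in trusted):
                reasons.append("source IP outside trusted networks")
        except ValueError:
            reasons.append("unparseable remote_ip")
        if reasons:
            flagged.append({"line": lineno, "extern_uid": uid, "remote_ip": ip, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for hit in flag_events(SAMPLE_LOG):
        print(hit)
```

A forged SAML response can carry any NameID the attacker likes, so the most telling case is an extern_uid that the identity provider never issued; a correctly formatted but unprovisioned value from a trusted IP still gets flagged, which is the intent.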

1 mo   digest   programmers'

Programmer’s Digest #100

09/11/2024-09/18/2024 GitLab Patches Critical Flaw, Critical ARM Vulnerability, Critical Ivanti RCE Flaw And More.

1. Urgent: GitLab Patches Critical Flaw Allowing Unauthorized Pipeline Job Execution

GitLab has released security updates to fix 17 vulnerabilities, including a critical flaw (CVE-2024-6678, CVSS 9.9) that allows attackers to run pipeline jobs as arbitrary users. This issue affects versions 8.14 to 17.3.1 of GitLab CE/EE. The flaw, along with three high-severity and 13 medium- and low-severity bugs, has been patched in versions 17.3.2, 17.2.5, and 17.1.7. CVE-2024-6678 is the fourth major vulnerability GitLab has addressed this year, following others like CVE-2023-5009. Although there is no evidence of active exploitation, users are urged to apply the patches promptly to avoid potential risks.

2. Critical ARM Vulnerability That Could Have Allowed RCE Patched by SolarWinds

SolarWinds has patched a critical vulnerability in its Access Rights Manager (ARM) software that could allow remote code execution (CVE-2024-28991, severity 9.0/10). The flaw stems from improper validation of user-supplied data, which lets an attacker trigger a deserialization bug. Trend Micro’s Zero Day Initiative (ZDI), which reported it, notes that although authentication is nominally required, the existing authentication mechanism can be bypassed. SolarWinds urges users to update to version 2024.3.1; no active exploitation has been reported. ARM is used to manage and audit user access rights across IT systems. SolarWinds has been under scrutiny since the 2020 supply-chain breach of its Orion platform compromised many customers and led to a lawsuit from the SEC.

3. Exploit Code Released For Critical Ivanti RCE Flaw, Patch Now 

A proof-of-concept (PoC) exploit for CVE-2024-29847, a critical remote code execution (RCE) vulnerability in Ivanti Endpoint Manager, has been publicly released. The flaw, caused by insecure deserialization in the AgentPortal.exe executable, affects versions before 2022 SU6 and EPM 2024. The exploit allows attackers to perform file operations like executing web shells. Ivanti released patches in September 2024, with no other mitigations or workarounds available. Users are urged to apply the update immediately. In related news, Ivanti’s Endpoint Manager and Cloud Services Appliance have been targeted by attackers, prompting CISA to add the vulnerabilities to its Known Exploited Vulnerabilities catalog.

4. Patch Issued for Critical VMware vCenter Flaw Allowing Remote Code Execution

Broadcom has released updates to fix a critical security flaw in VMware vCenter Server (CVE-2024-38812, CVSS 9.8) that could allow remote code execution. The vulnerability, a heap-overflow in the DCE/RPC protocol, can be triggered by sending a specially crafted packet to the server. It is similar to two other flaws (CVE-2024-37079, CVE-2024-37080) addressed in June 2024. Another issue, CVE-2024-38813 (CVSS 7.5), could allow privilege escalation to root. Security researchers zbl and srs discovered the flaws during the Matrix Cup competition in China. VMware has patched these vulnerabilities in the latest versions of vCenter Server and VMware Cloud Foundation. While no exploitation has been reported, customers are urged to update to protect against potential threats.

5. Google Fixes GCP Composer Flaw That Could’ve Led to Remote Code Execution

A critical security flaw in Google Cloud Platform’s Composer service, dubbed CloudImposer by Tenable, which discovered it, has been patched. The vulnerability could have enabled remote code execution through the supply chain attack technique known as dependency confusion.

The flaw came from Composer fetching a package from the public Python Package Index (PyPI) in preference to the internal repository that was meant to supply it. Because the installer considered both indexes and picked the highest version available, an attacker could upload a package under the same name to PyPI with an inflated version number and have it installed, potentially gaining control over Composer instances. Google fixed the issue in May 2024 by installing the package only from a private repository and verifying its checksum to prevent tampering. Developers are advised to point pip at their private index with --index-url rather than adding it alongside PyPI with --extra-index-url, which is what opens the window for this attack.
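The selection rule behind the attack is worth seeing in code, because it is the same rule every pip user relies on. The simulation below is written for this digest and is not Google’s, Tenable’s or pip’s code: it reproduces how merging indexes lets the highest version win wherever it comes from, contrasts that with consulting only the private index, and shows a hash pin rejecting a substituted artifact. Package names, versions, index contents and artifact bytes are all constructed.

```python
"""Dependency-confusion resolution, as an added illustration of the
CloudImposer finding above. This is a simulation written for this digest,
not Google's, Tenable's or pip's code: it reproduces the selection rule that
makes `--extra-index-url` dangerous (every index is searched and the highest
version wins, wherever it comes from), contrasts it with `--index-url`
(only the named index is searched), and shows how a hash pin rejects a
substituted artifact. Package names, versions, index contents and artifact
bytes are constructed.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]


@dataclass(frozen=True)
class Candidate:
    name: str
    version: Version
    index: str          # which index offered it


def parse_version(text: str) -> Version:
    return tuple(int(part) for part in text.split("."))


def version_str(v: Version) -> str:
    return ".".join(str(p) for p in v)


# Constructed indexes. The private index hosts an internal-only package; an
# attacker has registered the same name on public PyPI with a huge version.
PRIVATE_INDEX = {"internal-lineage-client": ["1.2.0", "1.3.0"]}
PUBLIC_PYPI = {"internal-lineage-client": ["99.0.0"], "requests": ["2.32.3"]}

# Constructed artifact bytes per (index, version) and a sha256 pin made from
# the legitimate build, as `pip install --require-hashes` would consume.
ARTIFACTS = {
    ("private", "1.3.0"): b"legitimate internal wheel",
    ("pypi", "99.0.0"): b"attacker-controlled wheel",
}
PINS = {"internal-lineage-client": hashlib.sha256(b"legitimate internal wheel").hexdigest()}


def _candidates(name: str, label: str, index: Dict[str, List[str]]) -> List[Candidate]:
    return [Candidate(name, parse_version(v), label) for v in index.get(name, [])]


def resolve_extra_index(name: str, private: Dict[str, List[str]],
                        public: Dict[str, List[str]]) -> Optional[Candidate]:
    """pip with --index-url <private> --extra-index-url <pypi>: both pools are
    merged and the highest version wins, so the attacker's 99.0.0 is chosen."""
    pool = _candidates(name, "private", private) + _candidates(name, "pypi", public)
    return max(pool, key=lambda c: c.version) if pool else None


def resolve_index_url(name: str, private: Dict[str, List[str]]) -> Optional[Candidate]:
    """pip with --index-url <private> only: PyPI is never consulted. Public
    dependencies must then be mirrored into the private index or they fail."""
    pool = _candidates(name, "private", private)
    return max(pool, key=lambda c: c.version) if pool else None


def install_allowed(cand: Candidate, artifacts=ARTIFACTS, pins=PINS) -> bool:
    """Hash pin check: the fetched artifact must hash to the pinned digest."""
    data = artifacts.get((cand.index, version_str(cand.version)))
    if data is None:
        return False
    return hashlib.sha256(data).hexdigest() == pins.get(cand.name)


if __name__ == "__main__":
    confused = resolve_extra_index("internal-lineage-client", PRIVATE_INDEX, PUBLIC_PYPI)
    safe = resolve_index_url("internal-lineage-client", PRIVATE_INDEX)
    print("extra-index-url picks", confused.index, version_str(confused.version),
          "allowed:", install_allowed(confused))
    print("index-url picks     ", safe.index, version_str(safe.version),
          "allowed:", install_allowed(safe))
```

The `--index-url` path has a cost that the simulation also shows: a public dependency such as requests is not found unless the private index proxies or mirrors it, which is the operational reason teams reach for `--extra-index-url` in the first place. Hash pinning is the defence that holds regardless of which index answered.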

2 mo   digest   programmers'