
how human behavior affects security


Programmer’s Digest #99

09/04/2024-09/11/2024 Ivanti Releases Urgent Security Updates, Progress LoadMaster Vulnerable, Critical Vulnerability In LiteSpeed Cache And More.

1. Microsoft September 2024 Patch Tuesday Fixes 4 zero-days, 79 Flaws

Microsoft’s September 2024 Patch Tuesday includes security updates for 79 vulnerabilities, including four actively exploited zero-days and one publicly disclosed zero-day. Seven critical vulnerabilities were fixed, mainly involving remote code execution or elevation of privilege.

The flaws break down as follows:

  • 30 Elevation of Privilege;
  • 4 Security Feature Bypass;
  • 23 Remote Code Execution;
  • 11 Information Disclosure;
  • 8 Denial of Service;
  • 3 Spoofing.

The four actively exploited zero-days are:

  • CVE-2024-38014 (Windows Installer Privilege Elevation);
  • CVE-2024-38217 (Mark of the Web Bypass);
  • CVE-2024-38226 (Microsoft Publisher Bypass);
  • CVE-2024-43491 (Windows Update Remote Code Execution).

2. Ivanti Releases Urgent Security Updates for Endpoint Manager Vulnerabilities

Ivanti has released updates for Endpoint Manager (EPM) to fix multiple security flaws, including 10 critical vulnerabilities that could enable remote code execution.

  • CVE-2024-29847 (CVSS 10.0) is a deserialization vulnerability allowing remote code execution by unauthenticated attackers.
  • Nine vulnerabilities (CVSS 9.1) involve SQL injection flaws, allowing remote code execution by authenticated admin users.

The issues impact EPM versions 2024 and 2022 SU5 and earlier. Fixes are available in versions 2024 SU1 and 2022 SU6. While no active exploitation has been reported, users should update promptly. Ivanti also patched high-severity flaws in Workspace Control and Cloud Service Appliance. Zyxel also fixed a critical OS command injection vulnerability in its NAS devices (CVE-2024-6342).

3. Progress LoadMaster Vulnerable to 10/10 Severity RCE Flaw

Progress Software released an emergency fix for a critical vulnerability (CVE-2024-7591) in its LoadMaster and LoadMaster Multi-Tenant (MT) Hypervisor products. The flaw, with a severity score of 10/10, allows unauthenticated attackers to remotely execute commands via a crafted HTTP request, exploiting improper input validation on the management interface. The vulnerability affects LoadMaster version 7.2.60.0 and earlier, and MT Hypervisor version 7.1.35.11 and prior releases. Progress issued an add-on patch to mitigate the flaw, except for the free LoadMaster version, which remains vulnerable.

Although no active exploitation has been reported, users are urged to install the patch and follow recommended security measures.

4. GitHub Actions Vulnerable to Typosquatting, Exposing Developers to Hidden Malicious Code

Threat actors use typosquatting to trick users into visiting malicious sites or downloading harmful software by registering names similar to legitimate ones (e.g., goog1e.com vs. google.com). This technique is also used to target developers through platforms like PyPI, npm, and GitHub Actions. Researchers from Orca found that GitHub Actions, a CI/CD platform, is vulnerable if developers accidentally mistype action names. Malicious actors can create GitHub repositories with misspelled names, leading to the execution of harmful code. A search revealed 198 files with such errors. Users are advised to verify GitHub Actions names carefully, stick to trusted sources, and regularly check for typosquatting risks.
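The "verify action names" advice above can be automated in CI review. The following audit script is an added example (not Orca's tooling or any project's own code): it scans a workflow file for `uses:` references, flags any action that is not on a trusted allowlist, marks unlisted names within a small edit distance of a trusted one as likely typosquats, and reports actions not pinned to a full commit SHA. The allowlist and sample workflow are constructed for illustration.

```python
import re
from typing import Dict, List

# Constructed allowlist of actions this repository is permitted to use (hypothetical).
TRUSTED_ACTIONS = {"actions/checkout", "actions/setup-node", "docker/login-action"}

# Matches "uses: owner/repo[/subpath]@ref" lines in a GitHub workflow.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([\w.-]+/[\w.-]+)(?:/[\w./-]+)?@(\S+)", re.M)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a distance of 1-2 between names suggests a typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def audit_workflow(text: str, trusted=TRUSTED_ACTIONS, max_dist: int = 2) -> List[Dict[str, str]]:
    """Return one finding per 'uses:' reference that is unlisted, is a near-miss
    of a trusted name, or is not pinned to a full 40-hex commit SHA."""
    findings = []
    for m in USES_RE.finditer(text):
        repo, ref = m.group(1), m.group(2)
        if repo not in trusted:
            close = [t for t in trusted if 0 < edit_distance(repo.lower(), t) <= max_dist]
            kind = "possible-typosquat" if close else "unlisted-action"
            findings.append({"action": repo, "issue": kind, "similar_to": ",".join(sorted(close))})
        if not FULL_SHA_RE.match(ref):
            # Mutable tags/branches can be moved to malicious code; a SHA cannot.
            findings.append({"action": repo, "issue": "not-pinned-to-sha", "ref": ref})
    return findings


# Constructed sample workflow (not from any real repository); the SHA is a placeholder.
SAMPLE_WORKFLOW = """
name: ci
jobs:
  build:
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - uses: actions/setup-nod@v4
      - uses: docker/login-action@v3
      - uses: acme/internal-lint@main
"""

if __name__ == "__main__":
    for finding in audit_workflow(SAMPLE_WORKFLOW):
        print(finding)
```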

5. LiteSpeed Cache Plugin For WordPress Has a Critical Security Vulnerability

Security researchers have found a critical vulnerability (CVE-2024-44000) in the LiteSpeed Cache plugin for WordPress, allowing unauthenticated attackers to take over websites. The flaw, with a severity score of 7.5, enables attackers to gain access as any logged-in user, including admin accounts. The bug affects version 6.4.1 and earlier, exposing the debug.log file, which contains sensitive information like login credentials and cookies. Although the debug feature is disabled by default, users are urged to update to version 6.5.0.1. LiteSpeed Cache, designed to improve website performance by caching static content, is a popular optimization plugin for WordPress.


Programmer’s Digest #98

08/28/2024-09/04/2024 Malicious npm Packages Mimicking ‘noblox.js’, Critical Fortra FileCatalyst Workflow Vulnerability, Critical Apache OFBiz Flaw And More.

1. Malicious npm Packages Mimicking ‘noblox.js’ Compromise Roblox Developers’ Systems

Roblox developers are being targeted by a campaign using fake npm packages to compromise systems, highlighting the ongoing exploitation of trust in the open-source ecosystem. Attackers mimic the popular “noblox.js” library, publishing malicious packages like noblox.js-proxy-server and noblox-ts to steal data and deliver malware, including the Luna Token Grabber and Quasar RAT. These packages are deceptively named, such as noblox.js-async and noblox.js-api, to appear legitimate. They use tactics like starjacking, linking to the real noblox.js repository. The malware steals Discord tokens, evades detection, and ensures persistence by altering Windows Registry settings. Developers must remain vigilant against these threats, as new malicious packages continue to surface.

2. North Korean Hackers Target Developers with Malicious npm Packages

A set of fake npm packages linked to North Korean state-sponsored actors has been uncovered, according to Phylum. The packages, including execution-time-async, data-time-utils, and mongodb-connection-utils, were designed to steal credentials and cryptocurrency. Execution-time-async, for example, mimics the legitimate execution-time library, which has over 27,000 weekly downloads. These packages, downloaded over 300 times before takedown, concealed malicious scripts within test files, targeting browsers like Chrome and Brave. Connections to North Korean actors emerged through obfuscated JavaScript resembling BeaverTail malware, linked to the Contagious Interview campaign, which targets developers through fake job interviews.

3. Critical Fortra FileCatalyst Workflow Vulnerability Patched (CVE-2024-6633)

Organizations using Fortra’s FileCatalyst Workflow should urgently upgrade to version 5.1.7 to patch two critical vulnerabilities. The first, CVE-2024-6633, involves static credentials for an internal HSQL database exposed in a vendor knowledge base article. Attackers exploiting this flaw can gain admin access to the Workflow web application by adding an admin-level user. The HSQL database, meant only for installation, is vulnerable if not replaced with a recommended alternative database.

The second flaw, CVE-2024-6632, is a SQL injection vulnerability that allows unauthorized modifications to the MySQL database during setup. Both vulnerabilities affect versions up to 5.1.6 and can only be resolved by upgrading.

4. CISA Flags Critical Apache OFBiz Flaw Amid Active Exploitation Reports

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical Apache OFBiz vulnerability, CVE-2024-38856, to its Known Exploited Vulnerabilities (KEV) catalog due to active exploitation. This flaw, with a CVSS score of 9.8, allows unauthenticated attackers to execute remote code via a Groovy payload.

Discovered as a patch bypass for CVE-2024-36104, it exploits a flaw in the override view functionality, exposing critical endpoints. Although specific details of its exploitation are scarce, proof-of-concept exploits are publicly available. Organizations are urged to update to version 18.12.15, with federal agencies required to apply updates by September 17, 2024.


Programmer’s Digest #97

08/21/2024-08/28/2024 Apache OFBiz RCE Flaw, Critical WPML Plugin Flaw, Supply Chain Vulnerabilities in MLOps Platforms And More.

1. CISA Warns About Actively Exploited Apache OFBiz RCE Flaw

The U.S. Cybersecurity & Infrastructure Security Agency (CISA) has warned of two exploited vulnerabilities, including a path traversal flaw in Apache OFBiz (CVE-2024-32113). Apache OFBiz, an open-source ERP system, is widely used due to its versatility. The flaw affects versions before 18.12.13 and allows remote execution of arbitrary commands. Federal agencies must apply security updates or stop using the product by August 28, 2024. Another vulnerability, CVE-2024-36971, affecting the Android kernel, was also flagged. A newer OFBiz flaw, CVE-2024-38856, impacts versions up to 18.12.14 and poses a critical pre-authentication remote code execution risk. Users should upgrade to version 18.12.15 to secure their systems.

2. Critical WPML Plugin Flaw Exposes WordPress Sites to Remote Code Execution

A critical flaw in the WPML WordPress plugin (CVE-2024-6386, CVSS score: 9.9) could let authenticated users execute arbitrary code remotely. This vulnerability affects all versions before 4.6.13, released on August 20, 2024. Caused by missing input validation, the issue allows attackers with Contributor-level access or higher to exploit server-side template injection (SSTI) via shortcodes. WPML, used on over a million sites for multilingual content, failed to properly sanitize input in Twig templates, leading to potential server takeover. Users are strongly advised to update to the latest version to mitigate this risk.

3. SonicWall SonicOS Vulnerability Lets Attackers Gain Unauthorized Access & Crash Firewall

SonicWall has disclosed a critical vulnerability (CVE-2024-40766) in its SonicOS management access, rated with a high CVSS score of 9.3. This flaw, identified as an improper access control issue, could lead to unauthorized resource access and potentially cause firewall crashes. The vulnerability affects a wide range of SonicWall devices, including Gen 5, Gen 6, and Gen 7 models. SonicWall strongly advises updating to the latest firmware versions to mitigate these risks and suggests restricting or disabling WAN management access from untrusted sources. Updated firmware versions are available, and users are urged to apply these patches immediately.

4. Researchers Identify Over 20 Supply Chain Vulnerabilities in MLOps Platforms

Cybersecurity researchers have uncovered over 20 vulnerabilities in machine learning (ML) software supply chains, posing significant risks to MLOps platforms. These flaws, both inherent and implementation-based, could lead to severe outcomes such as arbitrary code execution or loading malicious datasets.

MLOps platforms enable the creation and execution of ML models, but vulnerabilities like automatic code execution in models and datasets, particularly in tools like JupyterLab, can open doors for malware attacks. Implementation weaknesses, such as lack of authentication, have been exploited by attackers to deploy cryptocurrency miners, as seen with unpatched Anyscale Ray instances. Additionally, a container escape vulnerability in Seldon Core allows attackers to move laterally in cloud environments, compromising models and data.

5. Hardcoded Credential Vulnerability Found in SolarWinds Web Help Desk

SolarWinds has issued patches to address a new security flaw in its Web Help Desk (WHD) software that could allow remote unauthenticated users to gain unauthorized access to susceptible instances. The issue, tracked as CVE-2024-28987, is rated 9.1 on the CVSS scoring system, indicating critical severity. Horizon3.ai security researcher Zach Hanley has been credited with discovering and reporting the flaw. Users are recommended to update to version 12.8.3 Hotfix 2, but applying the fix requires Web Help Desk 12.8.3.1813 or 12.8.3 HF1. The disclosure comes a week after SolarWinds moved to resolve another critical vulnerability in the same software that could be exploited to execute arbitrary code (CVE-2024-28986, CVSS score: 9.8). Additional details about CVE-2024-28987 are expected to be released next month.
