how human behavior affects security

Programmer’s Digest #100

09/11/2024-09/18/2024 GitLab Patches Critical Flaw, Critical ARM Vulnerability, Critical Ivanti RCE Flaw And More.

1. Urgent: GitLab Patches Critical Flaw Allowing Unauthorized Pipeline Job Execution

GitLab has released security updates to fix 17 vulnerabilities, including a critical flaw (CVE-2024-6678, CVSS 9.9) that allows attackers to run pipeline jobs as arbitrary users. This issue affects versions 8.14 to 17.3.1 of GitLab CE/EE. The flaw, along with three high-severity and 13 medium- and low-severity bugs, has been patched in versions 17.3.2, 17.2.5, and 17.1.7. CVE-2024-6678 is the fourth major vulnerability GitLab has addressed this year, following others like CVE-2023-5009. Although there is no evidence of active exploitation, users are urged to apply the patches promptly to avoid potential risks.

2. Critical ARM Vulnerability That Could Have Allowed RCE Patched by SolarWinds

SolarWinds has patched a critical vulnerability in its Access Rights Manager (ARM) software, which could allow remote code execution (CVE-2024-28991, severity 9.0/10). The flaw stems from improper validation of user-supplied data, enabling attackers to exploit deserialization issues. Discovered by Trend Micro’s Zero Day Initiative (ZDI), the bug can bypass weak authentication mechanisms. SolarWinds urges users to update to version 2024.3.1, though no active exploitation has been reported. ARM is used to manage and audit user access rights across IT systems. Despite its prominence, SolarWinds faced scrutiny after a 2020 ransomware breach compromised many customers, leading to a lawsuit from the SEC.

3. Exploit Code Released For Critical Ivanti RCE Flaw, Patch Now

A proof-of-concept (PoC) exploit for CVE-2024-29847, a critical remote code execution (RCE) vulnerability in Ivanti Endpoint Manager, has been publicly released. The flaw, caused by insecure deserialization in the AgentPortal.exe executable, affects versions before 2022 SU6 and EPM 2024. The exploit allows attackers to perform file operations like executing web shells. Ivanti released patches in September 2024, with no other mitigations or workarounds available. Users are urged to apply the update immediately. In related news, Ivanti’s Endpoint Manager and Cloud Services Appliance have been targeted by attackers, prompting CISA to add the vulnerabilities to its Known Exploited Vulnerabilities catalog.

4. Patch Issued for Critical VMware vCenter Flaw Allowing Remote Code Execution

Broadcom has released updates to fix a critical security flaw in VMware vCenter Server (CVE-2024-38812, CVSS 9.8) that could allow remote code execution. The vulnerability, a heap-overflow in the DCE/RPC protocol, can be triggered by sending a specially crafted packet to the server. It is similar to two other flaws (CVE-2024-37079, CVE-2024-37080) addressed in June 2024. Another issue, CVE-2024-38813 (CVSS 7.5), could allow privilege escalation to root. Security researchers zbl and srs discovered the flaws during the Matrix Cup competition in China. VMware has patched these vulnerabilities in the latest versions of vCenter Server and VMware Cloud Foundation. While no exploitation has been reported, customers are urged to update to protect against potential threats.

5. Google Fixes GCP Composer Flaw That Could’ve Led to Remote Code Execution

A critical security flaw in Google Cloud Platform (GCP) Composer, called CloudImposer, has been patched. Discovered by Tenable, this vulnerability could have enabled remote code execution via a supply chain attack technique known as dependency confusion.

The flaw involved Google’s Composer tool fetching a malicious package from a public repository instead of an internal one. Attackers could exploit this by uploading a fake package with a higher version number to the Python Package Index (PyPI), potentially gaining control over Composer instances. Google fixed the issue in May 2024 by ensuring packages are only installed from private repositories and verifying checksums to prevent tampering. Developers are now advised to use the "--index-url" argument to minimize risk.
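The two mitigations named above, a single private index and checksum verification, can be audited mechanically. The following is an added example (not Google's or Tenable's code) that inspects a pip configuration for the condition dependency confusion relies on (an `extra-index-url` that merges the public index with the private one, so the highest published version wins) and checks a requirements file for pinned packages that lack a `--hash`. The pip.conf texts, the package names and the hash value are constructed samples.

```python
"""Audit pip configuration and requirements for dependency-confusion risk.

Added example, not the project's own code. Two checks:
  * pip.conf: `extra-index-url` makes pip consult the public index alongside the
    private one and pick whichever offers the higher version; `index-url` alone
    replaces the public index entirely.
  * requirements: a pinned package without `--hash=` will install whatever the
    resolved index serves, so a substituted package is not caught at install time.
"""
import configparser
import re

# Constructed sample: a configuration that still merges the public index.
WEAK_PIP_CONF = """
[global]
index-url = https://pypi.org/simple
extra-index-url = https://pypi.internal.example/simple
"""

# Constructed sample: the corrected configuration, private index only.
HARDENED_PIP_CONF = """
[global]
index-url = https://pypi.internal.example/simple
"""

# Constructed sample requirements: one entry hash-pinned, one not.
# (The hash value is a placeholder, not a real digest.)
REQUIREMENTS = """
requests==2.32.3 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
internal-helpers==1.4.0
"""


def audit_pip_conf(text: str) -> list[str]:
    """Return human-readable findings for a pip.conf body."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    findings = []
    if cp.has_option("global", "extra-index-url"):
        findings.append(
            "extra-index-url present: public and private indexes are merged, "
            "the highest version wins regardless of origin"
        )
    if not cp.has_option("global", "index-url"):
        findings.append("no index-url: pip falls back to the public PyPI index")
    return findings


def parse_requirements(text: str) -> dict[str, bool]:
    """Map each pinned requirement name to whether it carries a --hash option."""
    # Join backslash-continued lines so a requirement and its hashes are one unit.
    logical = re.sub(r"\\\n\s*", " ", text)
    result = {}
    for line in logical.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        match = re.match(r"([A-Za-z0-9._-]+)==\S+", line)
        if match:
            result[match.group(1)] = "--hash=" in line
    return result


def unhashed_requirements(text: str) -> list[str]:
    """Names of pinned packages that would install without checksum verification."""
    return [name for name, hashed in parse_requirements(text).items() if not hashed]


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_PIP_CONF), ("hardened", HARDENED_PIP_CONF)):
        print(f"{label} pip.conf:", audit_pip_conf(conf) or ["no findings"])
    print("unhashed requirements:", unhashed_requirements(REQUIREMENTS))
```

Pointing `index-url` at a private index that mirrors the public packages an organisation actually needs removes the public/private race entirely; the hash check is the second line of defence, because it fails the install when the served file differs from what was reviewed.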


Programmer’s Digest #99

09/04/2024-09/11/2024 Ivanti Releases Urgent Security Updates, Progress LoadMaster Vulnerable, Critical Vulnerability In The LiteSpeed And More.

1. Microsoft September 2024 Patch Tuesday Fixes 4 zero-days, 79 Flaws

Microsoft’s September 2024 Patch Tuesday includes security updates for 79 vulnerabilities, including four actively exploited zero-days and one publicly disclosed. Seven critical vulnerabilities were fixed, mainly involving remote code execution or elevation of privilege.

The flaws break down as follows:

  • 30 Elevation of Privilege;
  • 4 Security Feature Bypass;
  • 23 Remote Code Execution;
  • 11 Information Disclosure;
  • 8 Denial of Service;
  • 3 Spoofing.

The four actively exploited zero-days are:

  • CVE-2024-38014 (Windows Installer Privilege Elevation);
  • CVE-2024-38217 (Mark of the Web Bypass);
  • CVE-2024-38226 (Microsoft Publisher Bypass);
  • CVE-2024-43491 (Windows Update Remote Code Execution).

2. Ivanti Releases Urgent Security Updates for Endpoint Manager Vulnerabilities

Ivanti has released updates for Endpoint Manager (EPM) to fix multiple security flaws, including 10 critical vulnerabilities that could enable remote code execution.

  • CVE-2024-29847 (CVSS 10.0) is a deserialization vulnerability allowing remote code execution by unauthenticated attackers.
  • Nine vulnerabilities (CVSS 9.1) involve SQL injection flaws, allowing remote code execution by authenticated admin users.

The issues impact EPM versions 2024 and 2022 SU5 and earlier. Fixes are available in versions 2024 SU1 and 2022 SU6. While no active exploitation has been reported, users should update promptly. Ivanti also patched high-severity flaws in Workspace Control and Cloud Service Appliance. Zyxel also fixed a critical OS command injection vulnerability in its NAS devices (CVE-2024-6342).

3. Progress LoadMaster Vulnerable to 10/10 Severity RCE Flaw

Progress Software released an emergency fix for a critical vulnerability (CVE-2024-7591) in its LoadMaster and LoadMaster Multi-Tenant (MT) Hypervisor products. The flaw, with a severity score of 10/10, allows unauthenticated attackers to remotely execute commands via a crafted HTTP request, exploiting improper input validation on the management interface. The vulnerability affects LoadMaster version 7.2.60.0 and earlier, and MT Hypervisor version 7.1.35.11 and prior releases. Progress issued an add-on patch to mitigate the flaw, except for the free LoadMaster version, which remains vulnerable.

Although no active exploitation has been reported, users are urged to install the patch and follow recommended security measures.

4. GitHub Actions Vulnerable to Typosquatting, Exposing Developers to Hidden Malicious Code

Threat actors use typosquatting to trick users into visiting malicious sites or downloading harmful software by registering names similar to legitimate ones (e.g., goog1e.com vs. google.com). This technique is also used to target developers through platforms like PyPI, npm, and GitHub Actions. Researchers from Orca found that GitHub Actions, a CI/CD platform, is vulnerable if developers accidentally mistype action names. Malicious actors can create GitHub repositories with misspelled names, leading to the execution of harmful code. A search revealed 198 files with such errors. Users are advised to verify GitHub Actions names carefully, stick to trusted sources, and regularly check for typosquatting risks.
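The advice to verify action names can be turned into a workflow check. The following is an added example (not Orca's tooling) that pulls every `uses:` reference out of a workflow file and compares each `owner/repo` against an organisation-maintained allowlist of trusted actions; a name that is not on the list but sits within a small edit distance of a trusted one is the typosquatting pattern described above. The allowlist and the workflow text are constructed samples.

```python
"""Flag near-miss action names in a GitHub Actions workflow.

Added example, not the project's own code. Assumes the organisation keeps an
allowlist of trusted 'owner/repo' actions; any referenced action that is not on
the list but differs from a trusted entry by only a character or two is reported
together with the trusted name it resembles.
"""
import re

# Constructed allowlist of actions the organisation has reviewed.
TRUSTED_ACTIONS = {
    "actions/checkout",
    "actions/setup-python",
    "actions/upload-artifact",
    "docker/build-push-action",
}

# Constructed workflow: two references are one or two keystrokes off.
WORKFLOW = """
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: action/setup-python@v5        # owner missing the trailing 's'
      - uses: actions/uplaod-artifact@v4    # transposed letters in repo name
      - uses: docker/build-push-action@v6
      - uses: ./.github/actions/local-step  # local action, not a remote repo
"""


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def extract_uses(text: str) -> list[str]:
    """Return 'owner/repo' for every remote `uses:` reference in the workflow."""
    names = []
    for ref in re.findall(r"^\s*-?\s*uses:\s*(\S+)", text, flags=re.MULTILINE):
        if ref.startswith("./") or ref.startswith("docker://"):
            continue  # local paths and container images are not GitHub repos
        repo = ref.split("@", 1)[0]
        names.append("/".join(repo.split("/")[:2]))  # drop any subdirectory
    return names


def find_suspicious(text: str, trusted: set[str], max_distance: int = 2) -> list[tuple[str, str, int]]:
    """(used, closest_trusted, distance) for untrusted names close to a trusted one."""
    findings = []
    for used in extract_uses(text):
        if used in trusted:
            continue
        closest, dist = min(((t, levenshtein(used, t)) for t in trusted), key=lambda p: p[1])
        if dist <= max_distance:
            findings.append((used, closest, dist))
    return findings


if __name__ == "__main__":
    for used, closest, dist in find_suspicious(WORKFLOW, TRUSTED_ACTIONS):
        print(f"suspicious: {used!r} is {dist} edit(s) from trusted {closest!r}")
```

Names that are untrusted and far from every allowlisted entry are a separate policy question (a genuinely new dependency) and are deliberately not reported here; the check isolates the lookalike case the article describes.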

5. LiteSpeed Cache Plugin For WordPress Has a Critical Security Vulnerability

Security researchers have found a critical vulnerability (CVE-2024-44000) in the LiteSpeed Cache plugin for WordPress, allowing unauthenticated attackers to take over websites. The flaw, with a severity score of 7.5, enables attackers to access any logged-in user, including admin accounts. The bug affects version 6.4.1 and earlier, exposing the debug.log file, which contains sensitive information like login credentials and cookies. Although the debug feature is disabled by default, users are urged to update to version 6.5.0.1. LiteSpeed Cache, designed to improve website performance by caching static content, is a popular optimization plugin for WordPress.


Programmer’s Digest #98

08/28/2024-09/04/2024 Malicious npm Packages Mimicking ‘noblox.js’, Critical Fortra FileCatalyst Workflow Vulnerability, Critical Apache OFBiz Flaw And More.

1. Malicious npm Packages Mimicking ‘noblox.js’ Compromise Roblox Developers’ Systems

Roblox developers are being targeted by a campaign using fake npm packages to compromise systems, highlighting the ongoing exploitation of trust in the open-source ecosystem. Attackers mimic the popular “noblox.js” library, publishing malicious packages like noblox.js-proxy-server and noblox-ts to steal data and deliver malware, including the Luna Token Grabber and Quasar RAT. These packages are deceptively named, such as noblox.js-async and noblox.js-api, to appear legitimate. They use tactics like starjacking, linking to the real noblox.js repository. The malware steals Discord tokens, evades detection, and ensures persistence by altering Windows Registry settings. Developers must remain vigilant against these threats, as new malicious packages continue to surface.

2. North Korean Hackers Target Developers with Malicious npm Packages

A set of fake npm packages linked to North Korean state-sponsored actors has been uncovered, according to Phylum. The packages, including execution-time-async, data-time-utils, and mongodb-connection-utils, were designed to steal credentials and cryptocurrency. Execution-time-async, for example, mimics the legitimate execution-time library, which has over 27,000 weekly downloads. These packages, downloaded over 300 times before takedown, concealed malicious scripts within test files, targeting browsers like Chrome and Brave. Connections to North Korean actors emerged through obfuscated JavaScript resembling BeaverTail malware, linked to the Contagious Interview campaign, which targets developers through fake job interviews.

3. Critical Fortra FileCatalyst Workflow Vulnerability Patched (CVE-2024-6633)

Organizations using Fortra’s FileCatalyst Workflow should urgently upgrade to version 5.1.7 to patch two critical vulnerabilities. The first, CVE-2024-6633, involves static credentials for an internal HSQL database exposed in a vendor knowledge base article. Attackers exploiting this flaw can gain admin access to the Workflow web application by adding an admin-level user. The HSQL database, meant only for installation, is vulnerable if not replaced with a recommended alternative database.

The second flaw, CVE-2024-6632, is a SQL injection vulnerability that allows unauthorized modifications to the MySQL database during setup. Both vulnerabilities affect versions up to 5.1.6 and can only be resolved by upgrading.

4. CISA Flags Critical Apache OFBiz Flaw Amid Active Exploitation Reports

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical Apache OFBiz vulnerability, CVE-2024-38856, to its Known Exploited Vulnerabilities (KEV) catalog due to active exploitation. This flaw, with a CVSS score of 9.8, allows unauthenticated attackers to execute remote code via a Groovy payload.

Discovered as a patch bypass for CVE-2024-36104, it exploits a flaw in the override view functionality, exposing critical endpoints. Although specific details of its exploitation are scarce, proof-of-concept exploits are publicly available. Organizations are urged to update to version 18.12.15, with federal agencies required to apply updates by September 17, 2024.
