Cyble Research and Intelligence Labs (CRIL) researchers this week investigated 15 vulnerabilities of particular significance for IT teams, and identified three that merit high-priority patching.
Cyble’s Sept. 18-24 Weekly Vulnerability Insights Report for subscribers also examined seven exploits circulating on the dark web and cybercrime forums, elevating the importance of addressing those flaws too.
Cyble also highlighted eight cybersecurity best practices that all organizations should follow to reduce the risk of cyberattacks and contain any that do occur.
The full report is available for subscribers; here we’ll focus on the most critical risks.
The three vulnerabilities highlighted in the report include:
CVE-2024-8963, a critical admin bypass vulnerability in Ivanti Cloud Services Appliance (CSA), a security-focused solution designed to facilitate secure communication and device management. Recently, Ivanti disclosed that attackers could exploit the flaw by chaining CVE-2024-8963 with CVE-2024-8190 to bypass admin authentication and execute arbitrary commands on unpatched appliances. This vulnerability is also being discussed on the dark web (see below). A patch is available. Cyble researchers also issued a separate advisory on a vulnerability (CVE-2024-7593) in Ivanti’s Virtual Traffic Manager (VTM).
CVE-2024-45409, a critical SAML authentication bypass vulnerability impacting self-managed installations of the GitLab Community Edition (CE) and Enterprise Edition (EE). Security Assertion Markup Language (SAML) is a single sign-on (SSO) authentication protocol that allows users to log in across different services using the same credentials. An unauthenticated attacker with access to any SAML document signed by the IdP can forge a SAML Response/Assertion with arbitrary contents. This would allow the attacker to log in as an arbitrary user within the vulnerable system. The disclosure follows several other recent GitLab vulnerabilities.
Internet Exposure? No
Patch Available? Yes
CVE-2024-7490, a critical improper input validation vulnerability in Microchip Technology Advanced Software Framework, a comprehensive library for microcontrollers that supports the stages of product development, including evaluation, prototyping, design, and production. The vulnerability can cause remote code execution through a buffer overflow. It is associated with the program file tinydhcpserver.C and the program routine lwip_dhcp_find_option.
Internet Exposure? No
Patch Available? Yes
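The report names the DHCP option lookup routine but does not describe the flaw further. As an added example (not Microchip's code and not from the Cyble report), the following C code shows the bounds checks a DHCP option walker needs, assuming the standard code/length/value option layout from RFC 2132; the function names and sample option fields are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define DHCP_OPT_PAD 0   /* single byte, no length field */
#define DHCP_OPT_END 255 /* terminates the options field */

/* Constructed sample option fields (not captured traffic). */
static const uint8_t SAMPLE_OK[] = {53, 1, 3, 0, 50, 4, 192, 168, 1, 10, 255};
static const uint8_t SAMPLE_TRUNCATED[] = {53, 1, 3, 50, 200, 192, 168};

/* Hypothetical helper: return a pointer to the value of option `code`, or
 * NULL if it is absent or the field is malformed. Every read is checked
 * against opts_len, the number of option bytes actually received. */
const uint8_t *find_dhcp_option(const uint8_t *opts, size_t opts_len,
                                uint8_t code, uint8_t *out_len)
{
    size_t i = 0;
    while (i < opts_len) {
        uint8_t c = opts[i];
        if (c == DHCP_OPT_END) return NULL;
        if (c == DHCP_OPT_PAD) { i++; continue; }
        if (opts_len - i < 2) return NULL;        /* length byte missing */
        size_t len = opts[i + 1];
        if (len > opts_len - i - 2) return NULL;  /* value runs past the packet */
        if (c == code) { *out_len = (uint8_t)len; return &opts[i + 2]; }
        i += 2 + len;
    }
    return NULL; /* ran out of bytes without an END marker */
}

/* Hypothetical helper: copy an option value into a fixed-size buffer.
 * Returns the value length, or -1 if missing, malformed or too large. */
int copy_dhcp_option(const uint8_t *opts, size_t opts_len, uint8_t code,
                     uint8_t *dst, size_t dst_size)
{
    uint8_t len = 0;
    const uint8_t *val = find_dhcp_option(opts, opts_len, code, &len);
    if (val == NULL || len > dst_size) return -1;
    memcpy(dst, val, len);
    return (int)len;
}

int main(void)
{
    uint8_t ip[4];
    printf("well-formed: %d\n", copy_dhcp_option(SAMPLE_OK, sizeof SAMPLE_OK, 50, ip, sizeof ip));
    printf("truncated: %d\n", copy_dhcp_option(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED, 50, ip, sizeof ip));
    return 0;
}
```

The length byte is attacker-controlled, so it is checked twice: once against the bytes remaining in the received field and once against the destination buffer before the copy.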
CRIL researchers observed multiple Telegram channels where the channel administrator shared or discussed exploits weaponizing vulnerabilities, including:
CVE-2024-8190: This is a high-severity OS command injection vulnerability present in Ivanti’s Cloud Services Appliance versions 4.6 Patch 518. It allows attackers with admin access to execute arbitrary commands on the system, potentially leading to complete system compromise.
CVE-2024-36837: A high-severity SQL injection vulnerability present in CRMEB version 5.2.2. This vulnerability allows remote attackers to gain unauthorized access to sensitive information.
CVE-2024-46740: A high-severity Use-After-Free (UAF) vulnerability in the Linux Kernel. It is specifically related to the binder subsystem.
CVE-2024-20439: A critical security vulnerability affecting the Cisco Smart Licensing Utility, which could allow unauthenticated, remote attackers to gain administrative access to the system.
CVE-2024-8956: A critical improper authentication vulnerability was identified in PTZOptics’ PT30X-SDI and PT30X-NDI cameras prior to firmware version 6.3.40.
CVE-1999-1587: A vulnerability is present in the ‘/usr/ucb/ps’ command in Sun Microsystems’ Solaris OS, affecting Solaris 8 and 9, as well as a few older versions. The vulnerability allows local users to exploit certain parameters in the commands to view environment details on the system.
CVE-2024-23692: CRIL observed multiple administrators of Telegram channels and a Threat Actor sharing a proof of concept (PoC) for a critical command injection vulnerability affecting the Rejetto HTTP File Server (HFS), specifically versions up to 2.3m. The vulnerability allows remote, unauthenticated attackers to execute arbitrary commands by sending specially crafted HTTP requests to the server.
To protect against these vulnerabilities and exploits, organizations should implement the following best practices:
Regularly update all software and hardware systems with the latest patches from official vendors.
Develop a comprehensive patch management strategy that includes inventory management, patch assessment, testing, deployment, and verification. Automate the process where possible to ensure consistency and efficiency.
Divide your network into distinct segments to isolate critical assets from less secure areas. Use firewalls, VLANs, and access controls to limit access and reduce the attack surface exposed to potential threats.
Create and maintain an incident response plan that outlines procedures for detecting, responding to, and recovering from security incidents. Regularly test and update the plan to ensure its effectiveness and alignment with current threats.
Implement comprehensive monitoring and logging solutions to detect and analyze suspicious activities. Use SIEM (Security Information and Event Management) systems to aggregate and correlate logs for real-time threat detection and response.
Subscribe to security advisories and alerts from official vendors, CERTs, and other authoritative sources. Regularly review and assess the impact of these alerts on your systems and take appropriate actions.
Maintain an up-to-date inventory of all internal and external assets, including hardware, software, and network components. Use asset management tools and continuous monitoring to ensure comprehensive visibility and control over your IT environment.
Change default passwords immediately and enforce a strong password policy across the organization. Implement multi-factor authentication (MFA) to provide an extra layer of security and significantly reduce the risk of unauthorized access.