
September 13, 2024

Cybersafe Solutions Security Advisory Bulletin Sept 13, 2024

In this week's Security Advisory:

  • Veeam warns of critical RCE flaw in Backup & Replication software
  • Microsoft September 2024 Patch Tuesday fixes 4 zero-days, 79 flaws
  • Ivanti fixes maximum severity RCE bug in Endpoint Management software
  • Progress LoadMaster vulnerable to 10/10 severity RCE flaw
  • Security Updates Released for Adobe Products and Google Chrome Desktop Browser

Veeam Warns of Critical RCE Flaw in Backup & Replication Software

Veeam has issued security updates for multiple products in its September 2024 security bulletin, addressing 18 high and critical severity vulnerabilities in Veeam Backup & Replication, Service Provider Console, and ONE. The most critical flaw, tracked as CVE-2024-40711 (CVSS score 9.8 out of 10), is a remote code execution vulnerability that can be exploited without authentication.

Affected Versions

  • Veeam Backup & Replication 12.1.2.172 and all earlier versions of the 12 branch
  • Service Provider Console versions 8.1.0.21377 and earlier
  • ONE products versions 12.1.0.3208 and older


Microsoft September 2024 Patch Tuesday fixes 4 zero-days, 79 flaws

The September 10th edition of Microsoft's Patch Tuesday addresses 79 vulnerabilities, including four (4) actively exploited zero-days and one (1) publicly disclosed zero-day; seven (7) of the 79 are rated critical and could allow remote code execution. The patches also address CVE-2024-38226 (CVSS score 6.8 out of 10), which affects Microsoft Publisher and could allow an attacker with authenticated access to a system to bypass the Microsoft Office macro policies that block malicious and untrusted files.

Affected Versions

  • Refer to Microsoft's September 2024 security update release notes for the full list of affected products and versions


Ivanti fixes maximum severity RCE bug in Endpoint Management Software

Ivanti has released security updates for its Endpoint Manager (EPM), addressing a critical vulnerability that could lead to unauthorized access to the EPM core server. Ivanti also released updates today for other critical and high severity vulnerabilities in its Workspace Control (IWC) and Cloud Service Appliance (CSA) products.

Affected Versions

  • Ivanti Endpoint Manager 2024
  • Ivanti Endpoint Manager 2022 SU5 and earlier
  • Ivanti IWC 10.18.0.0 and below
  • Ivanti Cloud Services Appliance (CSA) 4.6 (All versions before Patch 519)


Progress LoadMaster vulnerable to 10/10 severity RCE flaw

Progress Software has released a patch for the critical vulnerability tracked as CVE-2024-7591 (CVSS 10/10). The CVE concerns the LoadMaster and LoadMaster Multi-Tenant (MT) Hypervisor products. The vulnerability allows an unauthenticated, remote user to access the LoadMaster management interface and execute arbitrary system commands.

Affected Versions

  • LoadMaster 7.2.60.0 and all prior versions
  • MT Hypervisor 7.1.35.11 and all prior versions


Security Updates Released for Adobe Products and Google Chrome Desktop Browser

Adobe and Google have released security updates that address several vulnerabilities in Adobe products and in the Google Chrome Desktop Browser.

Adobe's release addresses over twenty-eight (28) vulnerabilities, two (2) of which are rated "critical". The ColdFusion product is affected by CVE-2024-41874 (CVSS base score of 9.8/10) and CVE-2024-45112 (CVSS 8.6/10).

Google released a security update to fix five (5) vulnerabilities in its Chrome Desktop Browser for Windows, Mac, and Linux. This includes CVE-2024-8638, a bug in the V8 JavaScript engine that can lead to remote code execution.


Recommendations

Please review your environment to ensure the above-mentioned issues are patched in a timely manner. It is security best practice to regularly update and/or patch software to the latest versions. The vulnerabilities above highlight the security benefit of limiting deployed software to vendor-supported versions only, which dramatically increases the likelihood that a patch will be issued for newly discovered vulnerabilities. Likewise, Cybersafe strongly encourages maintaining an inventory of the software currently deployed in your environment, which informs and supports your patch and vulnerability management program.
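As an added example that is not part of this bulletin, the following Python check compares a software inventory against the dotted affected-version ranges quoted above (the Ivanti entries use non-dotted labels and are left to manual review). The product names used as inventory keys and the sample inventory itself are constructed assumptions.

```python
"""Flag inventory entries that fall inside the affected-version ranges in this bulletin."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '12.1.2.172' into (12, 1, 2, 172) so comparison is numeric.

    Plain string comparison would wrongly rank '12.1.10.0' below '12.1.2.172'.
    """
    return tuple(int(part) for part in text.strip().split("."))


@dataclass(frozen=True)
class AffectedRange:
    product: str
    max_affected: str            # highest affected version quoted in the advisory
    branch: Optional[int] = None  # restrict to one major branch when the advisory does

    def matches(self, installed: str) -> bool:
        """True when the installed version is at or below the stated maximum."""
        version = parse_version(installed)
        if self.branch is not None and version[0] != self.branch:
            return False
        return version <= parse_version(self.max_affected)


# Ranges exactly as stated in the advisory text above; product keys are assumed labels.
AFFECTED = [
    AffectedRange("Veeam Backup & Replication", "12.1.2.172", branch=12),
    AffectedRange("Veeam Service Provider Console", "8.1.0.21377"),
    AffectedRange("Veeam ONE", "12.1.0.3208"),
    AffectedRange("Progress LoadMaster", "7.2.60.0"),
    AffectedRange("Progress LoadMaster MT Hypervisor", "7.1.35.11"),
]


def find_exposed(inventory: Dict[str, str]) -> Dict[str, str]:
    """Return {product: installed_version} for each inventory entry inside an affected range."""
    exposed = {}
    for rng in AFFECTED:
        installed = inventory.get(rng.product)
        if installed is not None and rng.matches(installed):
            exposed[rng.product] = installed
    return exposed


# Constructed sample inventory (hypothetical hosts, not real data).
SAMPLE_INVENTORY = {
    "Veeam Backup & Replication": "12.1.2.172",       # exactly the last affected build
    "Veeam Service Provider Console": "8.1.0.21999",  # newer than the stated maximum
    "Progress LoadMaster": "7.2.10.0",                # numerically below 7.2.60.0
    "Progress LoadMaster MT Hypervisor": "7.1.35.12", # one build past the maximum
}

if __name__ == "__main__":
    for product, version in find_exposed(SAMPLE_INVENTORY).items():
        print(f"PATCH NEEDED: {product} {version}")
```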