In this week's Security Advisory:
Veeam has issued security updates for multiple products in its September 2024 security bulletin, addressing 18 high- and critical-severity vulnerabilities in Veeam Backup & Replication, Veeam Service Provider Console, and Veeam ONE. The most severe, tracked as CVE-2024-40711 (CVSS score 9.8 out of 10), is a remote code execution vulnerability in Backup & Replication that can be exploited without authentication.
Affected Versions
More Reading/Information
The September 10th edition of Microsoft's Patch Tuesday includes updates that address 79 vulnerabilities, including four (4) actively exploited zero-days and one (1) publicly disclosed zero-day; seven (7) of the 79 are rated critical and could allow remote code execution. The patches also address CVE-2024-38226 (CVSS score 6.8 out of 10) in Microsoft Publisher. An attacker with authenticated access to a system who convinces a user to open a crafted file could use it to bypass the Office macro policies that block untrusted or malicious files.
Affected Versions
More Reading/Information
Ivanti has released security updates for its Endpoint Manager (EPM), addressing a critical vulnerability that could lead to unauthorized access to the EPM core server. On the same day, Ivanti also released updates for other critical and high severity vulnerabilities in its Workspace Control (IWC) and Cloud Service Appliance (CSA) products.
Affected Versions
More Reading/Information
Progress Software has released a patch for a critical vulnerability tracked as CVE-2024-7591 (CVSS 10 out of 10) in its LoadMaster and LoadMaster Multi-Tenant (MT) Hypervisor products. The vulnerability allows an unauthenticated, remote user who can reach the LoadMaster management interface to execute arbitrary system commands.
Affected Versions
More Reading/Information
Adobe and Google also released security updates addressing several vulnerabilities in their products.
Adobe addressed twenty-eight (28) vulnerabilities, two (2) of which are rated "critical". Both are in ColdFusion: CVE-2024-41874 (CVSS base score of 9.8/10) and CVE-2024-45112 (CVSS 8.6/10).
Google released a security update to fix five (5) vulnerabilities in its Chrome Desktop Browser for Windows, Mac, and Linux. These include CVE-2024-8638, a bug in the V8 JavaScript engine that can lead to remote code execution.
More Reading
Please review your environment to ensure the issues mentioned above are patched in a timely manner. It is security best practice to regularly update and/or patch software to the latest versions. The vulnerabilities above highlight the security benefit of limiting deployed software to vendor-supported versions only: for supported versions, a new vulnerability is far more likely to have a patch available when it is disclosed. Likewise, Cybersafe strongly encourages maintaining an inventory of the software in your environment; an accurate inventory is what lets you map a bulletin like this one to the hosts that actually need the patch, and it both informs and validates your patch and vulnerability management program.
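As an added illustration of the inventory-driven check recommended above (example code written for this page, not Cybersafe's or any vendor's tooling), the script below compares a constructed software inventory against a list of advisory fixed-version thresholds and reports every host whose installed build predates the fix. The CVE identifiers come from the advisories above, but the fixed-version values are illustrative placeholders, not the vendors' published numbers, and must be replaced with the values from each vendor bulletin before the output is relied on. The inventory entries are likewise constructed sample data.

```python
"""Added example: find hosts whose installed build predates an advisory's fix.

Fixed versions in ADVISORIES are ILLUSTRATIVE PLACEHOLDERS, not values taken from
the vendor bulletins; replace them before using this against a real inventory.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    product: str
    cve: str
    fixed_version: str  # first build that is no longer affected (placeholder here)


ADVISORIES = [
    Advisory("Veeam Backup & Replication", "CVE-2024-40711", "12.2.0.334"),
    Advisory("Progress LoadMaster", "CVE-2024-7591", "7.2.60.0"),
    Advisory("Adobe ColdFusion", "CVE-2024-41874", "2023.0.0.330610"),
    Advisory("Google Chrome", "CVE-2024-8638", "128.0.6613.137"),
]

# Constructed sample inventory: (host, product, version string as reported by the host).
INVENTORY = [
    ("bkp01", "Veeam Backup & Replication", "12.1.2.172"),
    ("bkp02", "Veeam Backup & Replication", "12.2.0.334"),
    ("lb01", "Progress LoadMaster", "7.2.59.2"),
    ("cf01", "Adobe ColdFusion", "2023.0.0.330468"),
    ("ws07", "Google Chrome", "128.0.6613.120"),
    ("ws08", "Google Chrome", "128.0.6613.137 (Official Build)"),
    ("ws09", "Google Chrome", "129.0.6668.58"),
]


def parse_version(version):
    """Reduce a vendor version string to a tuple of ints.

    Non-numeric decoration such as '(Official Build)' or '-rc1' is dropped, so
    strings collected by different reporting tools still compare with each other.
    """
    parts = re.findall(r"\d+", version)
    if not parts:
        raise ValueError(f"no numeric components in {version!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(installed, fixed):
    """True when installed sorts before fixed.

    Shorter tuples are zero-padded so that '12.2' is compared as 12.2.0.0 rather
    than being ordered by tuple length.
    """
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def find_unpatched(inventory, advisories):
    """Return one finding per (host, CVE) where the installed build predates the fix.

    Products with no advisory entry are skipped silently: the absence of a threshold
    is a gap in ADVISORIES, not evidence that the host is safe.
    """
    by_product = {}
    for adv in advisories:
        by_product.setdefault(adv.product, []).append(adv)

    findings = []
    for host, product, installed in inventory:
        for adv in by_product.get(product, []):
            if is_vulnerable(installed, adv.fixed_version):
                findings.append({
                    "host": host,
                    "product": product,
                    "installed": installed,
                    "cve": adv.cve,
                    "fixed_version": adv.fixed_version,
                })
    return findings


if __name__ == "__main__":
    for f in find_unpatched(INVENTORY, ADVISORIES):
        print(f"{f['host']}: {f['product']} {f['installed']} "
              f"< {f['fixed_version']} ({f['cve']})")
```

Two caveats apply to any check of this shape. Plain numeric ordering assumes the vendor's version scheme is monotonic and that the fix is not back-ported to an older branch with a lower number; where a bulletin lists several fixed builds (one per supported branch), add one Advisory entry per branch. And products that appear in the bulletin but not in the threshold list (here, Ivanti EPM, IWC and CSA, whose fixed versions are not given on this page) produce no finding at all, so the threshold list needs to be kept as complete as the inventory.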