Cybersafe Solutions Security Advisory Bulletin October 11, 2024

In this week's Security Advisory:

• Multiple Ivanti Products Being Exploited in the Wild
• macOS Sequia Now Supports Multiple Security Software Products
• Microsoft October 2024 Patch Tuesday Addresses Multiple Zero Days
• Okta Patches Vulnerability That Allowed Bypassing Authentication
• Multiple Vulnerabilities in Google Android OS Could Allow for Remote Code Execution
• Apple Patches Two Vulnerabilities In iOS 18
• Jenkins Releases Patches For Multiple High-Severity Vulnerabilities
• Security Updates Released for Google Chrome, Adobe Products, and Mozilla Firefox
• SAP Releases Patch for Critical Vulnerabilities

Ivanti has warned that vulnerabilities to its Cloud Service Appliance, Virtual Traffic Manager, and Endpoint Manager are being actively exploited in the wild. The vulnerabilities range from authentication bypass to arbitrary code execution Ivanti CSA (Cloud Services Appliance) versions 5.0.1 and prior.

Affected Versions

• Ivanti CSA (Cloud Services Appliance) versions 5.0.1 and prior
• Ivanti EPMM (Core) versions 12.1.0.3 and prior
• Velocity License Server 5.1 versions prior to 5.1.2
• Avalanche versions 6.4.2.313 and prior
• Ivanti Connect Secure versions 22.7R2.1 and prior
• Ivanti Policy Secure versions 22.7R1.1 and prior

More Reading/Information

• https://www.ivanti.com/blog/october-2024-security-update
• https://www.bleepingcomputer.com/news/security/ivanti-warns-of-three-more-csa-zero-days-exploited-in-attacks/
• https://www.securityweek.com/ivanti-warns-customers-of-more-csa-zero-days-exploited-in-attacks

macOS Sequoia Now Supports Multiple Security Software Products

On September 19th Cybersafe Solutions advised against upgrading the macOS Sequoia 15 due to significant network issues that affected the functionality of multiple vendor security tools. That has since been addressed in macOS Sequoia 15.0.1. Many of the affected software providers have now released statements confirming this as well.

• https://techcrunch.com/2024/10/07/apple-fixes-bugs-in-macos-sequoia-that-broke-some-cybersecurity-tools
• https://www.securityweek.com/macos-sequoia-update-fixes-security-software-compatibility-issues/

Microsoft October 2024 Patch Tuesday Addresses Multiple Zero Days

The October 8th release of Microsoft's patch Tuesday includes updates to one hundred eighteen (118) vulnerabilities, five (5) of which are zero days, and two (2) that are being actively exploited. Three critical vulnerabilities were addressed, all three are remote code execution execution vulnerabilities.

The two under active exploitation include:

• CVE-2024-43573 - Windows MSHTML Platform Spoofing Vulnerability
• CVE-2024-43572 - Microsoft Management Console Remote Code Execution Vulnerability

More Reading/Information

• https://www.bleepingcomputer.com/news/microsoft/microsoft-october-2024-patch-tuesday-fixes-5-zero-days-118-flaws/
• https://www.securityweek.com/patch-tuesday-microsoft-confirms-exploited-zero-day-in-windows-management-console/

Okta Patches Vulnerability That Allowed Bypassing Authentication

Okta has released a patch for Okta Classic which allows an attacker to bypass specific conditions set in the sign-on policies if they have valid user credentials. Okta recommended customers review logs to identify unauthorized authentication events, failed authentication events, and any unusual behavior (geolocations, timestamps, etc.).

Affected Versions

• Okta Classic as of July 17, 2024.

More Reading/Information

• https://trust.okta.com/security-advisories/okta-classic-application-sign-on-policy-bypass-2024/
• https://www.securityweek.com/okta-tells-users-to-check-for-potential-exploitation-of-newly-patched-vulnerability/

Multiple Vulnerabilities in Google Android OS Could Allow for Remote Code Execution

Multiple vulnerabilities have been discovered in Google Android OS, the most severe of which could allow for remote code execution. A successful exploitation of the most severe vulnerability could lead to a compromised user account, which could then lead to privilege escalation attempts. 

Affected Versions

Android OS patch levels before 2024-10-05, a full list can be found here.

More Reading/Information

• https://source.android.com/docs/security/bulletin/2024-10-01
• https://www.cisecurity.org/advisory/multiple-vulnerabilities-in-google-android-os-could-allow-for-remote-code-execution_2024-110

Apple Patches Two Vulnerabilities in iOS 18

Apple has released an iOS upgrade that patches two vulnerabilities allowing attackers to expose users' passwords and audio snippets. The first, CVE-2024-44204, could enable voiceover to read user's passwords aloud. The second, CVE-2024-44207, allowed for audio messages to be captured before the microphone was shown to be activated.

Affected Versions

• iPhone XS and later
• iPad Pro 13-inch
• iPad Pro 12.9-inch 3rd generation and later
• iPad Pro 11-inch 1st generation and later
• iPad 7th generation and later
• iPad mini 5th generation and later

More Reading/Information

• https://www.securityweek.com/apple-ios-18-0-1-patches-password-exposure-and-audio-snippet-bugs/
• https://support.apple.com/en-us/121373

Jenkins Releases Patches For Multiple High-Severity Vulnerabilities

Jenkins has released patches for multiple vulnerabilities. The high-severity vulnerabilities (CVE-2024-47806 and CVE-2024-47807) affect the Jenkins OpenID Connect Authentication Plugin where the plugin does not check the token ID claim during the authentication. This could allow attackers to bypass the authentication workflow. Two other medium-severity vulnerabilities affecting Jenkins weekly, and Jenkins LTS were also addressed with patches.

Affected Versions

• Jenkins weekly up to and including 2.478
• Jenkins LTS up to and including 2.462.2
• Credentials Plugin up to and including 1380.va_435002fa_924
• OpenID Connect Authentication Plugin up to and including 4.354.v321ce67a_1de8

More Reading/Information

• https://www.securityweek.com/jenkins-patches-high-impact-vulnerabilities-in-server-and-plugins/
• https://www.jenkins.io/security/advisory/2024-10-02/

Security Updates Released for Google Chrome, Adobe Products, and Mozilla Firefox

Multiple vulnerabilities have been discovered in Google Chrome, the most severe of which could allow for arbitrary code execution. There are currently no reports of these vulnerabilities being exploited in the wild.

Multiple vulnerabilities have been discovered in Adobe products, the most severe of which could allow for arbitrary code execution. There are currently no reports of these vulnerabilities being exploited in the wild.

Mozilla Firefox patched a critical vulnerability that allowed an attacker to execute code within its content process. Mozilla has received reports of this vulnerability being exploited in the wild.

Affected Versions

• Chrome prior to 129.0.6668.100/.101 for Windows and Mac
• Chrome prior to 129.0.6668.100 for Linux
• A full list of affected Adobe products can be found here
• Firefox prior to 131.0.2
• Firefox ESR prior to 128.3.1
• Firefox ESR prior to 115.16.1

More Reading/Information

• https://chromereleases.googleblog.com/2024/10/stable-channel-update-for-desktop_8.html
• https://helpx.adobe.com/security/Home.html
• https://www.cisecurity.org/advisory/multiple-vulnerabilities-in-adobe-products-could-allow-for-arbitrary-code-execution_2024-112
• https://www.cisecurity.org/advisory/multiple-vulnerabilities-in-google-chrome-could-allow-for-arbitrary-code-execution_2024-113
• https://www.mozilla.org/en-US/security/advisories/mfsa2024-51/

SAP Releases Patch for Critical Vulnerabilities

SAP has released patches for six new vulnerabilities as well as updates to 7 previously released ones. The most severe of the vulnerabilities involves a missing authorization check in the BusinessObjects Business Intelligence platform. If SSO is enabled for the enterprise authentication, an attacker can gain access to a logon token.

Affected Versions

• A full list of affected versions can be found here

• https://www.securityweek.com/sap-patches-critical-vulnerability-in-businessobjects/
• https://support.sap.com/en/my-support/knowledge-base/security-notes-news/october-2024.html
• https://www.cve.org/CVERecord?id=CVE-2024-41730

Recommendations

Please review your environment to ensure the above-mentioned issues are patched in a timely manner.  It is security best practice to regularly update and/or patch software to the latest versions.  The vulnerabilities above highlight the security benefits of limiting deployed software to "vendor-supported versions" only.  This dramatically increases the likelihood that new vulnerabilities have a patch issued for them.  Likewise, Cybersafe strongly encourages maintaining an inventory of current software in your environment, which helps ensure and inform your patch and vulnerability management program.