
October 18, 2024

Cybersafe Solutions Security Advisory Bulletin October 18, 2024

In this week's Security Advisory:

  • Veeam Warns of Critical RCE Flaw Exploited in the Wild
  • Proof of Concept Available for Multiple Vulnerabilities in Palo Alto Expedition
  • Critical Fortinet RCE Under Active Exploitation
  • GitLab Fixes Critical Pipeline Execution Flaw
  • Oracle Releases October Critical Patch Advisory
  • GitHub Patches Critical Vulnerability Allowing Authentication Bypass
  • Juniper Networks Releases Patches for Dozens of Vulnerabilities
  • Automattic Releases Critical Jetpack Security Update
  • Splunk Patches Remote Code Execution Vulnerabilities
  • Security Updates Released for Mozilla and Chrome

Veeam Warns of Critical RCE Flaw Exploited in the Wild

Last month, Veeam released updates for a critical vulnerability, CVE-2024-40711, that allows an unauthenticated attacker to exploit systems remotely. As an update to our original advisory below, a Proof of Concept has been released and there are now reports of public exploitation attempts. It is highly recommended that you ensure you have patched appropriately.

Original Advisory:

Veeam has issued security updates for multiple products in its September 2024 security bulletin, addressing 18 high and critical severity vulnerabilities in Veeam Backup & Replication, Service Provider Console, and One. The most critical flaw, tracked as CVE-2024-40711 (CVSS score 9.8 out of 10), is a remote code execution vulnerability that can be exploited without authentication.

Affected Versions

  • Veeam Backup & Replication 12.1.2.172 and all earlier versions of the 12 branch
  • Service Provider Console versions 8.1.0.21377 and earlier
  • ONE products versions 12.1.0.3208 and older

More Reading/Information


Critical Fortinet RCE Under Active Exploitation

A critical Fortinet RCE is now being exploited in the wild. The critical vulnerability tracked as CVE-2024-23113 has a 9.8/10 rating and allows a remote unauthenticated attacker to execute arbitrary code. The original patch for this was released in February of this year. If you have not upgraded to that version, it is highly recommended that you do so now.

Original Advisory

Fortinet announced two critical vulnerabilities in its FortiSIEM report server. Identified as CVE-2024-23108 and CVE-2024-23109, they allow remote unauthenticated attackers to exploit FortiSIEM systems by sending well-crafted API requests to an affected system. Fortinet has clarified that CVE-2024-23108 and CVE-2024-23109 are patch bypasses for a previously observed issue, CVE-2023-34992.

Affected Versions

  • FortiSIEM version 7.1.0 through 7.1.1.
  • FortiSIEM version 7.0.0 through 7.0.2.
  • FortiSIEM version 6.7.0 through 6.7.8.
  • FortiSIEM version 6.6.0 through 6.6.3.
  • FortiSIEM version 6.5.0 through 6.5.2.
  • FortiSIEM version 6.4.0 through 6.4.2.

More Reading/Information


Proof of Concept Available For Multiple Vulnerabilities in Palo Alto Expedition

A Proof of Concept is now available for multiple vulnerabilities in Palo Alto Expedition. There are five new vulnerabilities in total, three rated critical and two rated high. These vulnerabilities can be chained with CVE-2024-5910 to allow attackers to hijack PAN-OS firewalls. When combined, they can reveal usernames, cleartext passwords, device configurations, and API keys of PAN-OS firewalls. Our original advisory reflected updating to Palo Expedition 1.2.96. Due to the new vulnerabilities, we recommend updating to Palo Expedition 1.2.96.

Original Advisory:

Security updates were released by Palo Alto Networks to address a critical vulnerability within Palo Alto Expedition, a migration software used to import configuration data. The flaw is being tracked as CVE-2024-5910 with a CVSS score of 9.3 out of 10 and allows an attacker to gain unauthorized access due to missing authentication standards. Successful exploitation can allow a threat actor to gain sensitive information from data imported into Expedition. Customers should update to the latest patch before using the tool for any data migration to prevent unauthorized access of information.

Affected Versions

  • Expedition Versions Prior to 1.2.92

More Reading/Information


GitLab Fixes Critical Pipeline Execution Flaw

GitLab released a critical patch for a vulnerability that allows unauthorized users to deploy Continuous Integration/Continuous Delivery (CI/CD) pipelines on arbitrary branches. The vulnerability is tracked as CVE-2024-9164 (CVSS 9.6) and only affects GitLab's Enterprise Edition (EE). However, several other vulnerabilities affecting their Community Edition (CE) were addressed within their security bulletin as well.

Affected Versions

  • GitLab EE all versions from 12.5 up to 17.2.8.
  • GitLab EE all versions from 17.3 up to 17.3.4.
  • GitLab EE all versions from 17.4 up to 17.4.1.

More Reading/Information


Oracle Releases October Critical Patch Advisory

On Tuesday, Oracle released patches addressing over two hundred unique vulnerabilities in many of their products. One hundred eighty-six (186) of these vulnerabilities can be exploited by unauthenticated remote users. Oracle made note that they have seen customers fall victim to outside attackers due to not patching in a timely manner.

Affected Versions

  • A full list of affected versions can be found here

More Reading/Information


GitHub Patches Critical Vulnerability Allowing Authentication Bypass

GitHub has released patches for a critical severity vulnerability, CVE-2024-9487 (CVSS 9.5/10), that allows an unauthenticated user to access GitHub Enterprise Server and potentially gain administrative access. This is done by bypassing SAML SSO authentication and provisioning access for new users.

Affected Versions

  • All versions of GitHub Enterprise Server prior to 3.15

More Reading/Information


Juniper Networks Releases Patches for Dozens of Vulnerabilities

Juniper released patches for dozens of high-severity vulnerabilities in the Junos OS and Junos OS Evolved operating systems. Unauthenticated attackers can send malformed packets to cause denial-of-service conditions, access sensitive information, or bypass firewalls.

Affected Versions

  • A full list of affected versions can be found here

More Reading/Information


Automattic Releases Critical Jetpack Security Update

The owner of Jetpack, Automattic, announced that during an internal audit they found a vulnerability that has existed since 2016. The vulnerability allows a logged-in user to access information submitted by other users of that site. Automattic has released updated versions of Jetpack to remediate this issue and states that it has not observed any exploitation of it.

Affected Versions

  • A full list of affected versions can be found here

More Reading/Information


Splunk Patches Remote Code Execution Vulnerabilities

This week, Splunk released patches for eleven vulnerabilities in Splunk Enterprise. Two of the vulnerabilities, CVE-2024-45733 and CVE-2024-45731, can lead to unauthorized code execution. Both vulnerabilities require access to a lower-privileged user account on the system.

Affected Versions

  • Splunk Enterprise versions prior to 9.3.1, 9.2.3 or 9.1.6

More Reading/Information


Security Updates Released for Mozilla and Chrome

Mozilla has released a critical update to its Thunderbird product to address a vulnerability that allowed for arbitrary code execution. There have been reports of this vulnerability being exploited in the wild. Mozilla has also addressed other vulnerabilities in Firefox in recent days.

Google has released Chrome updates addressing seventeen vulnerabilities, the most severe of which is a high-severity vulnerability tracked as CVE-2024-9954 that could allow for arbitrary code execution.

Affected Versions

  • Upgrade to Thunderbird 115.16.
  • Upgrade to Thunderbird 128.3.1.
  • Upgrade to Thunderbird 131.0.1.
  • Upgrade Google Chrome to 130.0.6723.58/.59 for Windows.
  • Upgrade Google Chrome to 130.0.6723.58 for Mac.

More Reading/Information


Recommendations

Please review your environment to ensure the above-mentioned issues are patched in a timely manner. It is security best practice to regularly update and/or patch software to the latest versions. The vulnerabilities above highlight the security benefits of limiting deployed software to "vendor-supported versions" only. This dramatically increases the likelihood that new vulnerabilities have a patch issued for them. Likewise, Cybersafe strongly encourages maintaining an inventory of current software in your environment, which helps ensure and inform your patch and vulnerability management program.
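One way to turn the "Affected Versions" lists in this bulletin into a check you can run over a software inventory, as an added example that is not Cybersafe's own tooling. The product keys, the handling of build suffixes, and the None result for branches the bulletin does not mention are this example's assumptions; the version thresholds are the ones stated above.

```python
"""Compare an installed version string with the affected ranges quoted in this bulletin."""
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """'17.3.4' -> (17, 3, 4). Anything after '-' or '/' is dropped (assumption)."""
    core = text.strip().split("-")[0].split("/")[0]
    return tuple(int(part) for part in core.split("."))


# Inclusive ranges, matching the bulletin's "from X up to Y" wording for GitLab EE.
GITLAB_EE_RANGES: List[Tuple[Version, Version]] = [
    ((12, 5), (17, 2, 8)),
    ((17, 3), (17, 3, 4)),
    ((17, 4), (17, 4, 1)),
]

# Per-branch fixed builds for Splunk Enterprise: "prior to 9.3.1, 9.2.3 or 9.1.6".
SPLUNK_FIXED: Dict[Version, Version] = {(9, 3): (9, 3, 1), (9, 2): (9, 2, 3), (9, 1): (9, 1, 6)}

# Single "prior to" thresholds quoted in the bulletin (product keys are assumptions).
PRIOR_TO: Dict[str, Version] = {"github-enterprise-server": (3, 15), "expedition": (1, 2, 92)}


def is_affected(product: str, version: str) -> Optional[bool]:
    """True/False when the bulletin's text decides it; None when the bulletin does not
    cover that branch (e.g. a Splunk 9.0.x build) so the caller cannot assume 'safe'."""
    v = parse_version(version)
    if product == "gitlab-ee":
        # Tuple comparison treats (17, 3) as a prefix below (17, 3, 0), so the
        # branch start "17.3" covers 17.3.0 and the end "17.3.4" stays inclusive.
        return any(lo <= v <= hi for lo, hi in GITLAB_EE_RANGES)
    if product == "splunk-enterprise":
        fixed = SPLUNK_FIXED.get(v[:2])
        return None if fixed is None else v < fixed
    if product == "veeam-backup-replication":
        # "12.1.2.172 and all earlier versions of the 12 branch"
        return v[0] == 12 and v <= (12, 1, 2, 172)
    if product in PRIOR_TO:
        return v < PRIOR_TO[product]
    return None  # product not covered by this bulletin
```

Feed it inventory rows (product, version) and treat None as "needs manual review" rather than as patched.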