In this week's Security Advisory:
LiteSpeed Cache, a popular WordPress plugin, has released a patch for a high-severity vulnerability, CVE-2024-50550, that allows an unauthenticated attacker to gain administrator privileges. The root cause is a weak hash check: the hash values are predictable enough that they can be brute forced.
Affected Versions
More Reading/Information
Over the weekend, Okta released a Security Advisory for its AD/LDAP DelAuth (Delegated Authentication). The vulnerability could allow a user whose username was more than fifty-two characters long to bypass the password check: if this and other conditions were met, an attacker could authenticate using a cached key from a previously authenticated session. Okta has already deployed the fix in its production environment.
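As an added defender-side illustration (not from the advisory or from Okta), the check below sweeps authentication logs for successful AD/LDAP delegated-auth events whose presented username exceeds the fifty-two character threshold, so those sessions can be reviewed. The JSON field names, event type strings and log records are assumed and constructed for this example, not Okta's real System Log schema.

```python
import json

# Threshold from the advisory: usernames longer than 52 characters were the trigger.
USERNAME_LIMIT = 52

# Constructed sample records in a simplified, assumed JSON-lines shape (not Okta's real
# System Log schema): timestamp, event type, outcome, and the login the actor presented.
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    {"ts": "2024-10-30T08:01:12Z", "eventType": "user.authentication.auth_via_AD_agent",
     "outcome": "SUCCESS", "login": "alice@example.com"},
    {"ts": "2024-10-30T08:02:40Z", "eventType": "user.authentication.auth_via_AD_agent",
     "outcome": "SUCCESS", "login": "a" * 40 + "@very-long-subdomain.example.com"},
    {"ts": "2024-10-30T08:03:05Z", "eventType": "user.authentication.auth_via_LDAP_agent",
     "outcome": "FAILURE", "login": "b" * 60 + "@example.com"},
    {"ts": "2024-10-30T08:04:11Z", "eventType": "user.session.start",
     "outcome": "SUCCESS", "login": "c" * 70 + "@example.com"},
])

# Assumed event type names for AD- and LDAP-delegated authentication.
DELAUTH_EVENTS = {
    "user.authentication.auth_via_AD_agent",
    "user.authentication.auth_via_LDAP_agent",
}


def flag_long_username_logins(log_text, limit=USERNAME_LIMIT):
    """Return (timestamp, login, length) for successful AD/LDAP delegated-auth
    events whose presented username is longer than `limit` characters."""
    hits = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than abort the whole sweep
        login = ev.get("login", "")
        if (ev.get("eventType") in DELAUTH_EVENTS
                and ev.get("outcome") == "SUCCESS"
                and len(login) > limit):
            hits.append((ev.get("ts"), login, len(login)))
    return hits


if __name__ == "__main__":
    for ts, login, n in flag_long_username_logins(SAMPLE_LOG):
        print(f"{ts} review: {n}-char username succeeded via DelAuth: {login}")
```

Only successful delegated-auth events are flagged; failures and non-DelAuth session events are left out so the review queue stays small.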
Affected Versions
More Reading/Information
Android has published its November Security Bulletin, which addresses fifty-one vulnerabilities across multiple components. The most severe of these could lead to remote code execution with no additional privileges required. Android also reported that two of the vulnerabilities, CVE-2024-43047 and CVE-2024-43093, are under active exploitation.
Affected Versions
More Reading/Information
Google Chrome announced the release of Chrome 130.0.6723.117, which addresses two new vulnerabilities. Both are high-severity use-after-free bugs that could lead to remote code execution.
More Reading/Information
Please review your environment to ensure the above-mentioned issues are patched in a timely manner. It is security best practice to regularly update and/or patch software to the latest versions. The vulnerabilities above highlight the security benefits of limiting deployed software to "vendor-supported versions" only, which dramatically increases the likelihood that a patch is issued for new vulnerabilities. Likewise, Cybersafe strongly encourages maintaining an inventory of the software currently deployed in your environment, which helps inform and support your patch and vulnerability management program.