In this week's Security Advisory:
- Cleo Zero-Day Affects Multiple Products
- Ivanti Patches Critical Authentication Bypass Vulnerability
- Microsoft Releases December Patch Tuesday
- SAP Releases December Security Bulletin
- Atlassian Releases December Security Bulletin
- Security Updates Released for Google Chrome and Adobe Products
Cleo Zero-Day Affects Multiple Products
This vulnerability is found in Cleo's LexiCom, VLTrader, and Harmony products. The vulnerability, CVE-2024-50623, was originally announced in October along with a patch; however, it was recently determined that the patch does not fully resolve the issue. This vulnerability can allow a remote attacker to bypass authentication and access the product. A proof-of-concept has also been released for it.
Affected Versions
- All versions including the recently patched 5.8.0.21.
More Reading/Information
- https://support.cleo.com/hc/en-us/articles/28408134019735-Cleo-Product-Security-Advisory-CVE-Pending
- https://www.bleepingcomputer.com/news/security/new-cleo-zero-day-rce-flaw-exploited-in-data-theft-attacks/
- https://labs.watchtowr.com/cleo-cve-2024-50623/
Ivanti Patches Critical Authentication Bypass Vulnerability
Ivanti released a patch for CVE-2024-11639 (CVSS 10/10), which allows a remote attacker to bypass authentication in the admin web console and gain administrative privileges with no user interaction. Ivanti also released patches for other vulnerabilities in several of its other appliances.
Affected Versions
- A full list can be seen here
More Reading/Information
- https://www.ivanti.com/blog/december-security-update
- https://thehackernews.com/2024/12/ivanti-issues-critical-security-updates.html
Microsoft Releases December Patch Tuesday
On Tuesday, Microsoft announced patches for seventy-one (71) vulnerabilities, including sixteen (16) critical remote code execution vulnerabilities. One of the patches is for a privilege escalation vulnerability, CVE-2024-49138 (CVSS 7.8/10), which allows an attacker to gain SYSTEM privileges and is being actively exploited.
Affected Versions
- A full list can be found here
More Reading/Information
- https://msrc.microsoft.com/update-guide/vulnerability
- https://www.bleepingcomputer.com/news/microsoft/microsoft-december-2024-patch-tuesday-fixes-1-exploited-zero-day-71-flaws/
SAP Releases December Patch Cycle
SAP has released its December patches, addressing nine new vulnerabilities and updating four previous ones. The most critical is CVE-2024-47578 (CVSS 9.1/10), which allows an attacker with admin privileges to send a crafted request from a vulnerable web app. Successful exploitation would allow them to read or modify any file and potentially make the entire application unavailable.
Affected Versions
- A full list can be found here
More Reading/Information
- https://www.securityweek.com/sap-patches-critical-vulnerability-in-netweaver/
- https://support.sap.com/en/my-support/knowledge-base/security-notes-news/december-2024.html
Atlassian Releases December Security Bulletin
Atlassian has announced patches to twelve (12) high-severity vulnerabilities affecting the Bamboo Data Center and Server, Bitbucket Data Center and Server, and Confluence Data Center and Server. Atlassian has made no mention of these vulnerabilities being exploited in the wild.
Affected Versions
- A full list of affected versions can be found here
More Reading/Information
- https://confluence.atlassian.com/security/security-bulletin-december-10-2024-1476624803.html
- https://www.securityweek.com/atlassian-splunk-patch-high-severity-vulnerabilities/
Security Updates Released for Google Chrome and Adobe Products
Google announced the release of Chrome 131.0.6778.140 for Windows and Mac and 131.0.6778.139 for Linux. These updates address two new vulnerabilities, both High Severity use-after-free vulnerabilities that could lead to remote code execution.
Multiple vulnerabilities have also been discovered in Adobe products, the most severe of which could allow arbitrary code execution. There are currently no reports of these vulnerabilities being exploited in the wild.
More Reading/Information
- https://chromereleases.googleblog.com/2024/12/stable-channel-update-for-desktop_10.html
- https://helpx.adobe.com/security.html
Recommendations
Please review your environment to ensure the above-mentioned issues are patched in a timely manner. It is security best practice to regularly update and/or patch software to the latest versions. The vulnerabilities above highlight the security benefits of limiting deployed software to "vendor-supported versions" only. This dramatically increases the likelihood that new vulnerabilities have a patch issued for them. Likewise, Cybersafe strongly encourages maintaining an inventory of current software in your environment, which helps ensure and inform your patch and vulnerability management program.