In this week's Security Advisory:
- Veeam Patches Two Vulnerabilities Affecting its Service Provider Console
- Android Releases December Security Bulletin
- Zabbix Patches Critical Vulnerability in Network Monitoring Tool
- CISA Announces Zyxel Vulnerability Exploited in the Wild
Veeam Patches Two Vulnerabilities Affecting its Service Provider Console
The first vulnerability, CVE-2024-42448 (CVSS 9.9/10), allows an attacker to execute arbitrary code on the Veeam Service Provider Console (VSPC) server. The second vulnerability, CVE-2024-42449 (CVSS 7.1/10), allows an attacker to leak the NTLM hash of the VSPC server service account and to delete files on the VSPC server. Both vulnerabilities can only be exploited from a management agent that is authorized on the server, so an attacker first needs a foothold on a managed host or a compromised agent; that precondition lowers the bar considerably in a service-provider environment where many tenants' agents connect to one console.
Affected Versions
- VSPC 8.1.0.21377 and all earlier versions (upgrade to the fixed build listed in Veeam KB4679)
More Reading/Information
- https://www.bleepingcomputer.com/news/security/veeam-warns-of-critical-rce-bug-in-service-provider-console/
- https://www.veeam.com/kb4679
Android Releases December Security Bulletin
Android published its December Security Bulletin, which addressed fourteen (14) vulnerabilities across multiple components. The most severe, CVE-2024-43767 in the System component, could lead to remote code execution with no additional execution privileges needed. The remaining issues affect the Framework and System components as well as vendor components from Imagination Technologies, MediaTek, and Qualcomm. Google made no mention of any of these vulnerabilities being exploited in the wild. Devices receive the fix only once the OEM or carrier ships a build with the 2024-12-01 or later security patch level, so check the patch level on managed devices rather than the Android version.
Affected Versions
- A full list of affected components and CVEs can be found in the Android bulletin linked below
More Reading/Information
- https://www.securityweek.com/androids-december-2024-security-update-patches-14-vulnerabilities/
- https://source.android.com/docs/security/bulletin/2024-12-01
Zabbix Patches Critical Vulnerability in Network Monitoring Tool
The vulnerability, CVE-2024-42327 (CVSS 9.9/10), is a SQL injection in the user.get method of the Zabbix frontend API. It can be exploited by any authenticated account whose role grants API access, including a non-admin account with the default User role, to escalate privileges and gain complete control of a vulnerable Zabbix server. The fixed versions were released in July, but the advisory was only published this week, so environments that track advisories rather than release notes may still be running an affected build.
Affected Versions
- Zabbix versions 6.0.0 through 6.0.31, 6.4.0 through 6.4.16, and 7.0.0 (fixed in 6.0.32, 6.4.17, and 7.0.1)
More Reading/Information
- https://www.securityweek.com/critical-vulnerability-found-in-zabbix-network-monitoring-tool/
- https://support.zabbix.com/browse/ZBX-25623
CISA Announces Zyxel Vulnerability Exploited in the Wild
This vulnerability, CVE-2024-11667 (CVSS 7.5/10), is a directory traversal flaw in the web management interface of Zyxel ATP, USG FLEX, and USG20(W)-VPN firewalls that allows an attacker to download or upload files via a crafted URL and thereby gain unauthorized access to the device. Zyxel fixed it in ZLD firmware 5.39, released early in September; CISA has now added it to its Known Exploited Vulnerabilities catalog. If you have not upgraded to that version, do so immediately. Because the flaw was exploited before many devices were patched, a firewall that ran an affected version while exposed should be treated as potentially compromised: rotate its administrator and VPN credentials and review its configuration for unexpected accounts or rules.
Affected Versions
- ZLD firmware versions 4.32 to 5.38 on devices that have remote management or SSL VPN enabled
More Reading/Information
- https://www.securityweek.com/cisa-warns-of-zyxel-firewall-vulnerability-exploited-in-attacks/
- https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-protecting-against-recent-firewall-threats-11-27-2024
Recommendations
Please review your environment to ensure the above-mentioned issues are patched in a timely manner. It is security best practice to regularly update and/or patch software to the latest versions. The vulnerabilities above highlight the security benefits of limiting deployed software to vendor-supported versions only, which dramatically increases the likelihood that a patch is issued for new vulnerabilities. Likewise, Cybersafe strongly encourages maintaining an inventory of the software currently deployed in your environment, including exact build numbers, since it is that inventory that lets you answer "are we affected?" for each advisory and drive your patch and vulnerability management program.
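The check the Recommendations paragraph describes, as an added example that is not part of the original advisory: a small script that compares an inventory of deployed versions against the affected-version ranges listed above. The inventory rows are constructed sample data; the affected ranges come from this advisory (Veeam VSPC up to 8.1.0.21377, the three Zabbix ranges, Zyxel ZLD 4.32 to 5.38), and the product keys such as `veeam-vspc` are labels chosen for this example. Versions are compared numerically component by component, so `8.1.0.9999` is correctly below `8.1.0.21377` and a leading `V` or a trailing `Patch 2` on Zyxel builds is tolerated.

```python
"""Flag inventory entries that fall inside this advisory's affected-version ranges.

Added example, not code from the advisory or from any of the vendors. The
inventory below is constructed sample data; the product keys are labels
invented for this script.
"""
import re
from typing import Dict, List, Tuple

# Affected ranges per product: (low inclusive, high inclusive).
# "0" as the low bound means "this version and all earlier versions".
AFFECTED: Dict[str, List[Tuple[str, str]]] = {
    "veeam-vspc": [("0", "8.1.0.21377")],
    "zabbix": [("6.0.0", "6.0.31"), ("6.4.0", "6.4.16"), ("7.0.0", "7.0.0")],
    "zyxel-zld": [("4.32", "5.38")],
}

# Constructed sample inventory: (host, product, version as reported by the host).
SAMPLE_INVENTORY: List[Tuple[str, str, str]] = [
    ("vspc01", "veeam-vspc", "8.1.0.21377"),   # last affected build
    ("vspc02", "veeam-vspc", "8.1.0.30000"),   # hypothetical newer build
    ("vspc-old", "veeam-vspc", "7.0.0.1"),     # "all earlier versions"
    ("zbx-prod", "zabbix", "6.0.31"),
    ("zbx-dev", "zabbix", "6.0.32"),
    ("zbx-new", "zabbix", "7.0.0"),
    ("zbx-new2", "zabbix", "7.0.1"),
    ("fw-edge", "zyxel-zld", "V5.38 Patch 2"),
    ("fw-branch", "zyxel-zld", "V5.39"),
]


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '8.1.0.21377' into (8, 1, 0, 21377) and 'V5.38 Patch 2' into (5, 38).

    Each dot-separated component contributes its first run of digits; a leading
    'V', an 'rc1' suffix or a trailing 'Patch 2' is ignored. Comparing these
    tuples is numeric, so the string-comparison trap ('9' > '21377') is avoided.
    """
    parts = []
    for component in v.split("."):
        match = re.search(r"\d+", component)
        parts.append(int(match.group()) if match else 0)
    return tuple(parts)


def in_range(version: str, low: str, high: str) -> bool:
    """True if low <= version <= high, padding shorter tuples with zeros so that
    '5.38' and '5.38.0' compare equal rather than '5.38' sorting first."""
    v, lo, hi = parse_version(version), parse_version(low), parse_version(high)
    width = max(len(v), len(lo), len(hi))

    def pad(t: Tuple[int, ...]) -> Tuple[int, ...]:
        return t + (0,) * (width - len(t))

    return pad(lo) <= pad(v) <= pad(hi)


def check_inventory(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str, str]]:
    """Return (host, product, version, matched_range) for every affected entry.

    Products not in AFFECTED are skipped rather than treated as safe; add them
    to the table as new advisories arrive.
    """
    findings = []
    for host, product, version in inventory:
        for low, high in AFFECTED.get(product, []):
            if in_range(version, low, high):
                findings.append((host, product, version, f"{low}-{high}"))
                break
    return findings


if __name__ == "__main__":
    for host, product, version, rng in check_inventory(SAMPLE_INVENTORY):
        print(f"PATCH NEEDED  {host:10} {product:12} {version:16} affected range {rng}")
```

For the Zyxel entries a version match is necessary but not sufficient: the advisory scopes the issue to devices with remote management or SSL VPN enabled, so feed the flagged firewalls into a second check of their exposure before deciding that a device was never reachable by an attacker.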