
Cybersafe Solutions Security Advisory Bulletin December 6, 2024

Written by Cybersafe Solutions | Dec 6, 2024 3:00:00 PM

In this week's Security Advisory:

  • Veeam Patches Two Vulnerabilities Affecting its Service Provider Console
  • Android Releases December Security Bulletin
  • Zabbix Patches Critical Vulnerability in Network Monitoring Tool
  • CISA Announces Zyxel Vulnerability Exploited in the Wild

Veeam Patches Two Vulnerabilities Affecting its Service Provider Console

The first vulnerability, CVE-2024-42448 (CVSS 9.9/10), allows an attacker to execute arbitrary code on the server. The second vulnerability, CVE-2024-42449 (CVSS 7.1/10), allows an attacker to steal the server's NTLM hash and use that access to delete files on the server. Both vulnerabilities can only be exploited if the management agent is authorized on the server.

Affected Versions

  • VSPC 8.1.0.21377 and all earlier versions

More Reading/Information

Android Releases December Security Bulletin

Android published its December Security Bulletin, which addresses fourteen (14) vulnerabilities across multiple products. The most severe, CVE-2024-43767, could lead to remote code execution with no additional privileges needed. The vulnerabilities affect components from several vendors, including Imagination Technologies, MediaTek, and Qualcomm. Google made no mention of these vulnerabilities being exploited in the wild.

Affected Versions

  • A full list can be found here

More Reading/Information

Zabbix Patches Critical Vulnerability in Network Monitoring Tool

The vulnerability, CVE-2024-42327 (CVSS 9.9/10), can be exploited by any user whose role has access to the API. This could allow an authenticated attacker to escalate privileges and gain complete control of a vulnerable server. The patches were released in July, though the advisory was only published this week.

Affected Versions

  • Zabbix versions 6.0.0 through 6.0.31, 6.4.0 through 6.4.16, and 7.0.0

More Reading/Information

CISA Announces Zyxel Vulnerability Exploited in the Wild

This vulnerability, CVE-2024-11667 (CVSS 7.5/10), can allow an attacker to gain unauthorized access to the affected device. It affects Zyxel ATP, USG FLEX, and USG20(W)-VPN devices. The initial patch was released early in September. If you have not upgraded to that version, it is recommended to do so immediately.

Affected Versions

  • ZLD firmware versions 4.32 to 5.38 that have remote management of SSL VPN enabled

More Reading/Information

Recommendations

Please review your environment to ensure the above-mentioned issues are patched in a timely manner. It is security best practice to regularly update and/or patch software to the latest versions. The vulnerabilities above highlight the security benefit of limiting deployed software to vendor-supported versions only, which dramatically increases the likelihood that a patch will be issued for any new vulnerability. Likewise, Cybersafe strongly encourages maintaining an inventory of the software currently in your environment, which helps ensure and inform your patch and vulnerability management program.
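As an added illustration of the inventory-driven review recommended above (this is example code written for this bulletin, not a tool from Cybersafe or from any of the vendors named), the script below encodes the affected-version ranges stated in the four items of this bulletin and checks a software inventory against them. The Android item is omitted because its full affected-version list is only available via the linked bulletin. The inventory entries and the product keys (`veeam-vspc`, `zabbix`, `zyxel-zld`) are constructed for the example; the preconditions attached to each range (management agent authorized, SSL VPN remote management enabled) are carried along as text because the script cannot verify them and a reviewer must.

```python
"""Check a software inventory against the affected-version ranges stated in
this bulletin.  Example code, not a vendor tool; inventory rows and product
keys are constructed for illustration."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


def parse_version(s: str) -> Tuple[int, ...]:
    """Turn '6.0.31' or '8.1.0.21377' into a tuple of ints so that versions
    compare numerically (tuple comparison is element-wise, so '6.0.31' sorts
    before '6.4.0' and '8.1.0.21377' before '8.1.1')."""
    return tuple(int(part) for part in s.strip().split("."))


@dataclass(frozen=True)
class AffectedRange:
    cve: str
    product: str            # assumed inventory product key
    low: Optional[str]      # None means "all earlier versions"
    high: str               # inclusive upper bound, as the bulletin states it
    condition: str = ""     # precondition quoted from the bulletin, if any

    def contains(self, version: str) -> bool:
        v = parse_version(version)
        if self.low is not None and v < parse_version(self.low):
            return False
        return v <= parse_version(self.high)


# Affected ranges exactly as given in the bulletin above.
AFFECTED = [
    AffectedRange("CVE-2024-42448", "veeam-vspc", None, "8.1.0.21377",
                  "management agent authorized on the server"),
    AffectedRange("CVE-2024-42449", "veeam-vspc", None, "8.1.0.21377",
                  "management agent authorized on the server"),
    AffectedRange("CVE-2024-42327", "zabbix", "6.0.0", "6.0.31"),
    AffectedRange("CVE-2024-42327", "zabbix", "6.4.0", "6.4.16"),
    AffectedRange("CVE-2024-42327", "zabbix", "7.0.0", "7.0.0"),
    AffectedRange("CVE-2024-11667", "zyxel-zld", "4.32", "5.38",
                  "remote management of SSL VPN enabled"),
]

# Constructed inventory: (hostname, product key, installed version).
INVENTORY = [
    ("vspc01", "veeam-vspc", "8.1.0.21377"),   # latest unpatched build
    ("zbx-prod", "zabbix", "6.0.31"),          # top of the 6.0 affected range
    ("zbx-lab", "zabbix", "7.0.1"),            # one past the affected 7.0.0
    ("fw-edge", "zyxel-zld", "5.39"),          # patched firmware
    ("fw-branch", "zyxel-zld", "5.37"),        # inside the affected range
]


def find_exposures(inventory) -> List[Tuple[str, str, str]]:
    """Return (hostname, CVE, precondition) for every inventory row whose
    version falls inside an affected range for that product."""
    hits = []
    for host, product, version in inventory:
        for r in AFFECTED:
            if r.product == product and r.contains(version):
                hits.append((host, r.cve, r.condition))
    return hits


if __name__ == "__main__":
    for host, cve, condition in find_exposures(INVENTORY):
        note = f" (only if {condition})" if condition else ""
        print(f"{host}: affected by {cve}{note}")
```

A match means the installed version is within a range the bulletin lists, not that the host is necessarily exploitable: the Veeam and Zyxel items each carry a precondition that has to be confirmed by hand, which is why the script reports it beside each hit rather than silently dropping the row.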