In this week's Security Advisory:
- SolarWinds Patches Critical Remote Code Execution Vulnerability
- VMware Patches Multiple Vulnerabilities Discovered for ESXi, Workstation, Fusion and Cloud Foundation
- Critical Security Patch for JetBrains TeamCity On-Premise Servers
- Microsoft Windows Kernel Vulnerability can Lead to Privilege Escalation
- Two Zero-Days (CVE-2024-23225 & CVE-2024-23296) in Apple Products
- Multiple Vulnerabilities in Android Products
SolarWinds Patches Critical Remote Code Execution Vulnerability
SolarWinds has disclosed a remote code execution vulnerability in the SolarWinds Security Event Manager (SEM). The flaw is tracked as CVE-2024-0692 with a CVSS score of 8.8 out of a possible 10. The vulnerability is caused by a deserialization issue that allows an unauthenticated threat actor to execute arbitrary code on an affected system.
Affected Versions:
- SolarWinds Security Event Manager (SEM) 2023.4 and prior versions
More Reading/Information
- https://www.solarwinds.com/trust-center/security-advisories/cve-2024-0692
- https://vulcan.io/blog/how-to-fix-cve-2024-0692-in-solarwinds-security-event-manager/
VMware Patches Multiple Vulnerabilities Discovered for ESXi, Workstation, Fusion and Cloud Foundation
VMware has issued a security patch to fix four (4) security vulnerabilities affecting its ESXi, Workstation, Fusion, and Cloud Foundation products. Among these, two (2) vulnerabilities are classified as 'Critical' and are identified as CVE-2024-22252 and CVE-2024-22253. These critical vulnerabilities involve the XHCI USB controller, posing a risk where a malicious actor with local administrative privileges on a virtual machine could execute arbitrary code.
VMware has clarified that on ESXi the exploitation of the critical flaws is contained within the VMX sandbox, whereas on Workstation and Fusion it may lead to code execution on the host machine where Workstation or Fusion is installed.
More Reading/Information
- https://www.vmware.com/security/advisories/VMSA-2024-0006.html
- https://securityaffairs.com/160037/security/vmware-critical-sandbox-escape-flaws.html
- https://www.scmagazine.com/brief/critical-vmware-vulnerabilities-addressed
- https://www.securityweek.com/vmware-patches-critical-esxi-sandbox-escape-flaws/
Critical Security Patch for JetBrains TeamCity On-Premise Servers
JetBrains issued a critical patch to address two (2) authentication bypass vulnerabilities in its TeamCity On-Premise servers. TeamCity is a popular continuous integration and continuous delivery (CI/CD) server. The vulnerability designated as CVE-2024-27198, with a CVSS score of 9.8 out of 10, allows an unauthenticated attacker to bypass authentication and gain administrator privileges on the affected server. The vulnerability identified as CVE-2024-27199, with a CVSS score of 7.3 out of 10, enables an unauthenticated attacker to alter the HTTPS certificate of a TeamCity server or make unauthorized modifications to the HTTPS port number. Exploiting this vulnerability could result in a denial-of-service (DoS) condition.
Affected Versions:
- All TeamCity On-Premise versions through 2023.11.3
More Reading/Information
- https://blog.jetbrains.com/teamcity/2024/03/additional-critical-security-issues-affecting-teamcity-on-premises-cve-2024-27198-and-cve-2024-27199-update-to-2023-11-4-now/
- https://www.bleepingcomputer.com/news/security/exploit-available-for-new-critical-teamcity-auth-bypass-bug-patch-now/
- https://therecord.media/jet-brains-advisory-teamcity-vulnerabilities
- https://www.securityweek.com/critical-vulnerability-exposes-teamcity-servers-to-takeover/
Microsoft Windows Kernel Vulnerability Can Lead to Privilege Escalation
Recent threat intelligence reports indicate that CVE-2024-21338, with a CVSS score of 7.8 out of 10, is being actively exploited by threat actors in the wild. This security flaw allows an adversary to gain system privileges by executing custom applications that tamper directly with the kernel. Threat groups have been observed using this exploit to achieve kernel-level access, allowing them to deactivate security tools on a compromised host.
More Reading/Information
- https://bnnbreaking.com/tech/cybersecurity/critical-windows-kernel-vulnerability-cve-2024-21338-exploited-by-lazarus-group
- https://www.securityweek.com/windows-zero-day-exploited-by-north-korean-hackers-in-rootkit-attack/
- https://www.forbes.com/sites/daveywinder/2024/03/01/dangerous-windows-10-11-server-zero-day-exploited-by-lazarus-hackers/?sh=2050c76c3348
Two Zero-Days (CVE-2024-23225 & CVE-2024-23296) in Apple Products
Apple released updates to address two (2) zero-days in iOS and iPadOS. The first zero-day, CVE-2024-23225, is a memory corruption issue that allows a threat actor to bypass kernel memory protections. The second zero-day, CVE-2024-23296, is a memory corruption issue within RTKit that can also be used to bypass kernel memory protections.
Affected Versions:
- iOS and iPadOS prior to 17.4 (iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later)
- iOS and iPadOS prior to 16.7.6 (iPhone 8, iPhone 8 Plus, iPhone X, iPad 5th generation, iPad Pro 9.7-inch, and iPad Pro 12.9-inch 1st generation)
- iOS and iPadOS prior to 15.8.2 (iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation))
More Reading/Information
- https://www.bleepingcomputer.com/news/apple/apple-fixes-two-new-ios-zero-days-exploited-in-attacks-on-iphones/
- https://www.helpnetsecurity.com/2024/03/06/cve-2024-23225-cve-2024-23296/
- https://support.apple.com/en-us/HT201222
Multiple Vulnerabilities in Android Products
Google released Android updates to address thirty-eight (38) vulnerabilities, with two (2) given a severity rating of "Critical." The most severe is tracked as CVE-2024-23717 and is a vulnerability in the System component that could lead to remote code execution on the affected device without requiring user interaction. These vulnerabilities affect Android OS security patch levels prior to 2024-03-05.
More Reading/Information
- https://source.android.com/docs/security/bulletin/2024-03-01
- https://www.securityweek.com/androids-march-2024-update-patches-critical-vulnerabilities/
Recommendations
Please review your environment to ensure the above-mentioned issues are patched in a timely manner. It is security best practice to regularly update and/or patch software to the latest versions. The vulnerabilities above highlight the security benefits of limiting deployed software to "vendor-supported versions" only, which dramatically increases the likelihood that a patch is issued for new vulnerabilities. Likewise, Cybersafe strongly encourages maintaining an inventory of the current software in your environment, which informs your patch and vulnerability management program and lets you confirm which hosts are still on an affected version.
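The following script is an added example of the inventory check recommended above; it is not part of the advisory or of any vendor tooling. It encodes only the affected-version thresholds stated on this page (SEM 2023.4 and prior, TeamCity through 2023.11.3, the three iOS/iPadOS branches, and Android patch levels before 2024-03-05) and flags inventory rows that are still on an affected version. The product keys, the inventory rows, and the host names are constructed for the example; VMware and the Windows kernel flaw are left out because the advisory gives no version threshold for them.

```python
"""Flag inventory entries still on a version covered by this week's advisory.

Added example: thresholds come from the advisory text; product keys and the
sample inventory are assumptions constructed for illustration.
"""
import re
from datetime import date

# Last affected release: anything at or below this version is flagged.
LAST_AFFECTED = {
    "solarwinds-sem": "2023.4",     # SEM 2023.4 and prior
    "teamcity": "2023.11.3",        # TeamCity On-Premise through 2023.11.3
}
# Android: patch levels strictly before this date are flagged.
ANDROID_FIXED_PATCH_LEVEL = date(2024, 3, 5)
# iOS/iPadOS: the fix shipped on three branches. Which branch a device can run
# depends on its hardware, so the check keys the threshold on the major version
# and treats anything that is not 15.x or 16.x as belonging to the 17.x branch.
IOS_FIXED_BY_BRANCH = {15: (15, 8, 2), 16: (16, 7, 6)}
IOS_FIXED_CURRENT = (17, 4)


def parse_version(text):
    """'2023.11.3' -> (2023, 11, 3); build suffixes such as '-1234' are ignored."""
    numbers = re.findall(r"\d+", text.split("-")[0])
    if not numbers:
        raise ValueError(f"unparseable version string: {text!r}")
    return tuple(int(n) for n in numbers)


def is_affected(product, version):
    """Return True/False for products named in the advisory, None if not covered."""
    key = product.lower()
    if key in ("ios", "ipados"):
        current = parse_version(version)
        fixed = IOS_FIXED_BY_BRANCH.get(current[0], IOS_FIXED_CURRENT)
        return current < fixed
    if key == "android":
        # Inventory records the security patch level as YYYY-MM-DD.
        return date.fromisoformat(version) < ANDROID_FIXED_PATCH_LEVEL
    if key in LAST_AFFECTED:
        return parse_version(version) <= parse_version(LAST_AFFECTED[key])
    return None


def check_inventory(rows):
    """rows: iterable of (host, product, version). Returns the affected rows."""
    flagged = []
    for host, product, version in rows:
        if is_affected(product, version):
            flagged.append((host, product, version))
    return flagged


# Constructed sample inventory (not real hosts).
SAMPLE_INVENTORY = [
    ("build01", "teamcity", "2023.11.3"),        # affected
    ("build02", "teamcity", "2023.11.4"),        # patched
    ("siem01", "solarwinds-sem", "2023.4"),      # affected
    ("siem02", "solarwinds-sem", "2023.4.1"),    # later than last affected
    ("phone-a", "iOS", "17.3.1"),                # affected, needs 17.4
    ("phone-b", "iOS", "16.7.6"),                # patched on the 16.x branch
    ("tablet-c", "iPadOS", "15.8.1"),            # affected, needs 15.8.2
    ("droid-d", "android", "2024-02-05"),        # affected patch level
    ("droid-e", "android", "2024-03-05"),        # patched
    ("web01", "nginx", "1.25.4"),                # not covered by this advisory
]

if __name__ == "__main__":
    for host, product, version in check_inventory(SAMPLE_INVENTORY):
        print(f"{host}: {product} {version} is on an affected version")
```

The script deliberately returns None for products the advisory does not mention so that an inventory containing unrelated software does not produce false "patched" results; a real deployment would replace SAMPLE_INVENTORY with rows exported from the asset inventory.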