In this week's Security Advisory:
PuTTY has issued a critical advisory concerning a vulnerability in the way the client generates ECDSA signatures used in SSH authentication: for NIST P-521 keys, the per-signature nonce is heavily biased, so every signature leaks a few bits of the private key. Tracked as CVE-2024-31497, this flaw has not yet received a CVSS rating. CVE-2024-31497 may allow an attacker who collects a few dozen (roughly 60) signatures made with an affected key, for example by running a malicious SSH server the user connects to, to recover the user's private SSH key, thereby allowing access to any server the key is able to authenticate to. Of note, the only affected key type is ECDSA NIST P-521 (ecdsa-sha2-nistp521); RSA, Ed25519 and the other ECDSA curves are not affected. Because the leak is in signing, patching the client is not sufficient on its own: any P-521 key that has been used with a vulnerable PuTTY (or with software that embeds it, such as Pageant or WinSCP) should be treated as compromised and replaced, and its public key removed from every authorized_keys file and hosting provider where it is trusted.
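Server-side, the practical response is to find every P-521 ECDSA public key that is still trusted and rotate it, since the server cannot tell which client signed with it. The following added example (not PuTTY's code, and not part of the original advisory) parses authorized_keys-style lines, decodes the SSH public-key blob to confirm the curve named inside it, and lists the P-521 entries. It handles lines that carry a leading options field (such as `no-pty,command="..."`) before the key type, which a naive "first word is the key type" scan would miss. The sample lines, the `_fake_ecdsa_line` helper and the dummy one-byte curve point are constructed for the example; real keys carry a 133-byte P-521 point in that position.

```python
import base64
import struct

# Key-type prefixes recognised in authorized_keys / *.pub lines.
KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ssh-dss",
             "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")

# The curve named in CVE-2024-31497: only ecdsa-sha2-nistp521 keys are affected.
AFFECTED_CURVE = "nistp521"


def ssh_string(data: bytes) -> bytes:
    """Encode an SSH wire-format string: uint32 big-endian length + bytes."""
    return struct.pack(">I", len(data)) + data


def read_ssh_strings(blob: bytes):
    """Decode the successive SSH strings that make up a public-key blob."""
    fields = []
    off = 0
    while off < len(blob):
        if off + 4 > len(blob):
            raise ValueError("truncated length field")
        (n,) = struct.unpack(">I", blob[off:off + 4])
        off += 4
        if off + n > len(blob):
            raise ValueError("truncated string")
        fields.append(blob[off:off + n])
        off += n
    return fields


def parse_authorized_key(line: str):
    """Return (keytype, curve_or_None, comment) for one authorized_keys line.

    Lines may start with an options field (e.g. no-pty,command="...") before
    the key type, so the first token that is a known key type is used rather
    than assuming the key is the first word. Returns None for blank lines
    and '#' comments.
    """
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    tokens = line.split()
    for i, tok in enumerate(tokens):
        if tok in KEY_TYPES:
            break
    else:
        raise ValueError(f"no recognised key type in: {line[:40]}...")
    keytype = tokens[i]
    blob = base64.b64decode(tokens[i + 1], validate=True)
    comment = " ".join(tokens[i + 2:])
    fields = read_ssh_strings(blob)
    # The blob's first string repeats the key type; a mismatch means the line
    # was mis-copied or tampered with, which is worth flagging rather than hiding.
    if fields[0].decode() != keytype:
        raise ValueError(f"blob type {fields[0]!r} != line type {keytype!r}")
    # For ECDSA keys the second string names the curve; trust it over the prefix.
    curve = fields[1].decode() if keytype.startswith("ecdsa-sha2-") else None
    return keytype, curve, comment


def find_p521_keys(lines):
    """Return the comment of every ECDSA P-521 key among the given lines."""
    hits = []
    for line in lines:
        parsed = parse_authorized_key(line)
        if parsed and parsed[1] == AFFECTED_CURVE:
            hits.append(parsed[2])
    return hits


# --- Constructed sample data (hypothetical, not real keys). A dummy 1-byte
# "point" is enough to exercise the wire-format parser.
def _fake_ecdsa_line(curve: str, comment: str, options: str = "") -> str:
    keytype = f"ecdsa-sha2-{curve}"
    blob = ssh_string(keytype.encode()) + ssh_string(curve.encode()) + ssh_string(b"\x04")
    prefix = options + " " if options else ""
    return f"{prefix}{keytype} {base64.b64encode(blob).decode()} {comment}"


SAMPLE_AUTHORIZED_KEYS = [
    "# constructed sample authorized_keys",
    _fake_ecdsa_line("nistp256", "alice@laptop"),
    _fake_ecdsa_line("nistp521", "bob@putty-win", options='no-pty,command="/usr/bin/rsync"'),
    "ssh-ed25519 " + base64.b64encode(ssh_string(b"ssh-ed25519") + ssh_string(b"\x00" * 32)).decode() + " carol@host",
    _fake_ecdsa_line("nistp521", "deploy@ci"),
]

if __name__ == "__main__":
    for comment in find_p521_keys(SAMPLE_AUTHORIZED_KEYS):
        print("P-521 ECDSA key to revoke and rotate:", comment)
```

Running it against real files means feeding `find_p521_keys` the lines of each user's `~/.ssh/authorized_keys`; the same parser works on `*.pub` files and on key lists exported from Git hosting services. Decoding the blob rather than trusting the textual prefix matters because a line whose prefix and blob disagree will not authenticate as the prefix suggests, and the check above reports that inconsistency instead of silently classifying the key.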
Affected Versions:
More Reading/Information
Fortinet has issued security updates for FortiOS, FortiProxy, FortiClientMac, and FortiClientLinux to address several vulnerabilities. The most critical issue, CVE-2023-45590 (CVSS 9.6), is a code injection flaw in FortiClientLinux that can allow an unauthenticated attacker to execute arbitrary code on the host when a FortiClientLinux user visits a malicious website. Other vulnerabilities rated 'high' include CVE-2023-41677 (CVSS 7.5), impacting FortiOS and FortiProxy, which could lead to an administrator's session cookie being stolen upon visiting a malicious site. Additionally, CVE-2023-45588 and CVE-2024-31492 (both CVSS 7.8) affect the FortiClientMac installer, enabling a local attacker to plant malicious commands in a configuration file that is executed during installation.
More Reading/Information
Ivanti has released an advisory detailing twenty-seven (27) vulnerabilities within Ivanti Avalanche, an enterprise mobile device management solution. Two (2) of them, CVE-2024-24996 and CVE-2024-29204, received a severity rating of "Critical" with a CVSS rating of 9.8 out of a possible 10. They are present in the WLAvalancheService and WLInfoRailService components and can allow an unauthenticated, network-adjacent attacker to execute arbitrary commands on the server. These vulnerabilities impact Ivanti Avalanche on-premise products.
Affected Versions:
More Reading/Information
Security updates were released by Google and Mozilla to address several vulnerabilities in each product.
Google released a security update to fix twenty-three (23) vulnerabilities in its Chrome Desktop Browser for Windows, Mac, and Linux, with three (3) receiving a severity rating of "high".
Mozilla released security updates to address vulnerabilities in several of its products that could lead to arbitrary code execution. There were a total of twenty-four (24) vulnerabilities affecting Firefox and Firefox ESR, with thirteen (13) receiving a severity rating of "high". These affect Firefox versions prior to 125 and Firefox ESR versions prior to 115.10.
More Reading/Information
Please review your environment to ensure the above-mentioned issues are patched in a timely manner. It is security best practice to regularly update and/or patch software to the latest versions. The vulnerabilities above highlight the security benefits of limiting deployed software to vendor-supported versions only, which dramatically increases the likelihood that a patch is issued for newly discovered vulnerabilities. Note also that patching is not always the whole remediation: the PuTTY issue above requires replacing affected keys as well as updating the client. Likewise, Cybersafe strongly encourages maintaining an inventory of current software in your environment, which helps ensure and inform your patch and vulnerability management program.