Cybersafe Solutions Security Advisory Bulletin May 17, 2024

In this week's Security Advisory:

• Two Zero-Days in Apple Products Could Allow for Arbitrary Code Execution
• Multiple Vulnerabilities Patched in VMware Workstation and Fusion
• F5 Patches Two High-Severity Vulnerabilities in BIG-IP Next Central Manager
• Microsoft Patch Tuesday Fixes Two Zero-Days
• Zero-Day in Google Chrome Desktop Browser
• Security Updates Released for Mozilla and Adobe Products

Two Zero-Days in Apple Products Could Allow for Arbitrary Code Execution

Apple released updates to address several vulnerabilities, including two zero-days that may have been actively exploited in the wild. Both zero-days, CVE-2024-23296 and CVE-2024-23225, are memory corruption issues in the kernel that could allow an attacker to bypass kernel memory protections and execute arbitrary code. Both vulnerabilities received a CVSS score of 7.8 out of a possible 10.

The following products are affected:

• iOS and iPadOS prior to version 17.5 (iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later)
• iOS and iPadOS prior to version 16.7.8 (iPhone 8, iPhone 8 Plus, iPhone X, iPad 5th generation, iPad Pro 9.7-inch, and iPad Pro 12.9-inch 1st generation)
• macOS Sonoma prior to version 14.5
• macOS Ventura prior to version 13.6.7
• macOS Monterey prior to version 12.7.5
• Safari prior to version 17.5
• watchOS prior to version 10.5
• tvOS prior to version 17.5

More Reading/Information

• https://support.apple.com/en-us/HT201222
• https://www.securityweek.com/apple-patch-day-code-execution-flaws-in-iphones-ipads-macos/
• https://www.helpnetsecurity.com/2024/03/06/cve-2024-23225-cve-2024-23296/
• https://nvd.nist.gov/vuln/detail/CVE-2024-23225
• https://nvd.nist.gov/vuln/detail/CVE-2024-23296

Multiple Vulnerabilities Patched in VMware Workstation and Fusion

VMware announced four (4) vulnerabilities in its Fusion, Workstation Player, and Workstation Pro products that could allow for arbitrary code execution. Of the four (4) vulnerabilities, the most severe is being tracked as CVE-2024-22267 and has received a CVSS score of 9.3 out of a possible 10. CVE-2024-22267 is a use-after-free vulnerability in the vbluetooth component that could allow an attacker with administrative privileges on a virtual machine to execute arbitrary code.

The following versions are affected:

• VMware Workstation versions prior to 17.5.2
• VMware Fusion versions prior to 13.5.2

VMware has released a workaround for those who cannot immediately apply the patches for these vulnerabilities. Navigate to the following link for more information: https://knowledge.broadcom.com/external/article?legacyId=91760 

More Reading/Information

• https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24280
• https://www.securityweek.com/vmware-patches-vulnerabilities-exploited-at-pwn2own-2024/
• https://www.bleepingcomputer.com/news/security/vmware-fixes-three-zero-day-bugs-exploited-at-pwn2own-2024/
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-22267

F5 Patches Two High-Severity Vulnerabilities in BIG-IP Next Central Manager

F5 released patches to fix two (2) high-severity vulnerabilities in its BIG-IP Next Central Manager that could lead to an attacker taking over the device. Next Central Manager allows administrators to control all BIG-IP Next instances from a unified management interface. The vulnerabilities, CVE-2024-21793 and CVE-2024-26026, could allow an unauthenticated attacker to execute SQL queries through the BIG-IP Next Central Manager API, allowing the attacker to create new accounts and potentially gain full administrative control of the BIG-IP Next Central Manager device.

The following versions are affected:

• BIG-IP Next Central Manager versions 20.0.1 - 20.1.0

More Reading/Information

• https://my.f5.com/manage/s/article/K000138732
• https://my.f5.com/manage/s/article/K000138733
• https://www.bleepingcomputer.com/news/security/new-big-ip-next-central-manager-bugs-allow-device-takeover/
• https://www.helpnetsecurity.com/2024/05/09/cve-2024-21793-cve-2024-26026/
• https://thehackernews.com/2024/05/critical-f5-central-manager.html
• https://nvd.nist.gov/vuln/detail/CVE-2024-21793
• https://nvd.nist.gov/vuln/detail/CVE-2024-26026

Microsoft Patch Tuesday Fixes Two Zero-Days

This month's Patch Tuesday includes fixes for over sixty (60) vulnerabilities, including two (2) actively exploited zero-days. The first zero-day, CVE-2024-30040, allows an unauthenticated attacker to bypass security protections and execute arbitrary code. This zero-day requires that a user opens a malicious document to achieve exploitation. The second zero-day, CVE-2024-30051, is a heap-based buffer overflow that could allow an authenticated attacker to gain SYSTEM-level privilege if exploited. CVE-2024-30040 and CVE-2024-30051 received a CVSS score of 8.8 and 7.8 out of a possible 10, respectively.

More Reading/Information

• https://msrc.microsoft.com/update-guide/releaseNote/2024-May
• https://krebsonsecurity.com/2024/05/patch-tuesday-may-2024-edition/
• https://www.helpnetsecurity.com/2024/05/14/patch-tuesday-cve-2024-30051-cve-2024-30040/#:~:text=For%20May%202024%20Patch%20Tuesday,30040)%20actively%20exploited%20by%20attackers.
• https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2024-30040
• https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2024-30051

Zero-Day in Google Chrome Desktop Browser

Google released a patch for its Desktop Browser to address a zero-day that is actively being exploited in the wild. The zero-day is being tracked as CVE-2024-4761 and is an out-of-bounds write issue in the Chrome V8 JavaScript and WebAssembly engine. Successful exploitation can lead to a threat actor executing arbitrary code, gaining access to sensitive data, or causing the user's browser to crash. CVE-2024-4761 has not received a CVSS score.

More Reading/Information

• https://chromereleases.googleblog.com/2024/05/stable-channel-update-for-desktop_13.html
• https://www.securityweek.com/google-patches-second-chrome-zero-day-in-one-week/
• https://www.bleepingcomputer.com/news/security/google-chrome-emergency-update-fixes-6th-zero-day-exploited-in-2024/
• https://nvd.nist.gov/vuln/detail/CVE-2024-4761

Security Updates Released for Mozilla and Adobe Products

Security updates were released by Mozilla and Adobe to address several vulnerabilities in each product.

Mozilla released security updates to address vulnerabilities that could lead to arbitrary code execution. There was a total of twenty-eight (28) vulnerabilities affecting Firefox, Firefox ESR, and Thunderbird, with four (4) receiving a severity rating of "High". These affect Firefox versions prior to 126, Firefox ESR versions prior to 115.11, and Thunderbird versions prior to 115.11.

Adobe addressed thirty-seven (37) vulnerabilities, with twenty-six (26) vulnerabilities given a severity rating of "Critical". These vulnerabilities affect Adobe Acrobat Reader, Illustrator, Substance3D Painter, Aero, Substance3D Designer, Animate, FrameMaker, and Dreamweaver.

More Reading/Information

• https://www.mozilla.org/en-US/security/advisories/
• https://helpx.adobe.com/security.html

Recommendations

Please review your environment to ensure the above-mentioned issues are patched in a timely manner.  It is security best practice to regularly update and/or patch software to the latest versions.  The vulnerabilities above highlight the security benefits of limiting deployed software to "vendor-supported versions" only.  This dramatically increases the likelihood that new vulnerabilities have a patch issued for them.  Likewise, Cybersafe strongly encourages maintaining an inventory of current software in your environment, which helps ensure and inform your patch and vulnerability management program.