Cybersafe Solutions Security Advisory Bulletin May 31, 2024

In this week's Security Advisory:

• Security Advisory Update: Critical Vulnerabilities in FortiSIEM Allows for Remote Code Execution
• Apache Flink Vulnerability (CVE-2020-17519) Under Active Exploitation
• Check Point Issues a Security Patch for a Zero-day Vulnerability in its Security Gateways
• Security Updates Released for Google Chrome Desktop

Security Advisory Update: Critical Vulnerabilities in FortiSIEM Allows for Remote Code Execution

New threat intel indicates that the vulnerability (CVE-2024-23108) impacting FortiSIEM has a released proof-of-concept (PoC) exploit on the public web. It is recommended to update FortiClient FortiSIEM to the latest version immediately.

Original Security Advisory - February 14, 2024:

Fortinet announced two critical vulnerabilities in its FortiSIEM report server. Identified as 2024-23108 and CVE-2024-23109, remote unauthenticated attackers are able to exploit the FortiSIEM systems by sending well-crafted API requests to an affected system. Fortinet has clarified that CVE-2024-23108 and CVE-2024-23109 are patch bypasses to a previously observed issue in CVE-2023-34992.

Affected Versions:

The following versions are affected:

• FortiSIEM version 7.1.0 through 7.1.1
• FortiSIEM version 7.0.0 through 7.0.2 
• FortiSIEM version 6.7.0 through 6.7.8
• FortiSIEM version 6.6.0 through 6.6.3 
• FortiSIEM version 6.5.0 through 6.5.2 
• FortiSIEM version 6.4.0 through 6.4.2  

More Reading/Information

• https://www.fortiguard.com/psirt/FG-IR-23-130
• https://www.bleepingcomputer.com/news/security/fortinet-warns-of-new-fortisiem-rce-bugs-in-confusing-disclosure/
• https://securityaffairs.com/158813/security/fortinet-addressed-two-critical-fortisiem-vulnerabilities.html
• https://www.bleepingcomputer.com/news/security/exploit-released-for-maximum-severity-fortinet-rce-bug-patch-now/

Apache Flink Vulnerability (CVE-2020-17519) Under Active Exploitation

A vulnerability identified within Apache Flink in 2021 is currently being actively exploited in the wild. Tracked as CVE-2020-17519, the flaw carries a CVSS score of 7.5 out of 10 due to inadequate access controls. This flaw enables remote attackers to gain unauthorized access, allowing them to read sensitive files on the local system through the JobManager process.

Organizations should update their Apache Flink installations to the latest patch or ensure they're running at least Version 1.11.3 or 1.12.0.

Affected Versions

• 1.11.0
• 1.11.1
• 1.11.2

More Reading/Information

• https://www.scmagazine.com/brief/cisa-adds-years-old-apache-flink-bug-to-kev-catalog
• https://www.theregister.com/2024/05/24/apache_flink_flaw_cisa/
• https://thecyberexpress.com/cisa-apache-flink-known-vulnerability-catalog/
• https://www.techradar.com/pro/security/apache-flink-flaw-is-back-and-being-actively-exploited

Check Point Issues Security Patch for a Zero-day Vulnerability in its Security Gateways

Check Point has released an urgent hotfix for a zero-day VPN vulnerability tracked as CVE-2024-24919 affecting its Security Gateways. The flaw can allow an attacker to read system information on Security Gateways that are exposed to the internet. Successful exploitation can allow threat actors to gain remote access to client firewalls.

Of note, CVE-2024-24919 only affects Security Gateways with 'Remote Access VPN' or 'Mobile Access Blade' enabled.

Affected Products & Versions: 

• Products: CloudGuard Network, Quantum Maestro, Quantum Scalable Chassis, Quantum Security Gateways, Quantum Spark Appliances
  • Vulnerable Versions: R80.20.x, R80.40 (EOL), R81, R81.10, R81.10.x, R81.20

More Reading/Information

• https://www.bleepingcomputer.com/news/security/check-point-releases-emergency-fix-for-vpn-zero-day-exploited-in-attacks/
• https://www.hipaajournal.com/check-point-issues-warning-about-attacks-targeting-its-vpns-for-initial-access/
• https://support.checkpoint.com/results/sk/sk182337

Security Updates Released for Google Chrome Desktop

Google Chrome has issued a security update addressing one (1) vulnerability that impacts Windows, Mac, and Linux operating systems.

The vulnerability is currently being tracked as CVE-2024-5274 with a "High" severity rating and is currently being exploited in the wild.

More Reading/Information

• https://chromereleases.googleblog.com/
• https://www.spiceworks.com/it-security/cyber-risk-management/news/chrome-security-alert-fourth-zero-day-exploit-patched/
• https://www.bleepingcomputer.com/news/security/google-fixes-eighth-actively-exploited-chrome-zero-day-this-year/
• https://www.forbes.com/sites/daveywinder/2024/05/24/should-you-delete-google-chrome-as-emergency-update-4-confirmed-for-may/?sh=21d15a67b81c

Recommendations

Please review your environment to ensure the above-mentioned issues are patched in a timely manner.  It is security best practice to regularly update and/or patch software to the latest versions.  The vulnerabilities above highlight the security benefits of limiting deployed software to "vendor-supported versions" only.  This dramatically increases the likelihood that new vulnerabilities have a patch issued for them.  Likewise, Cybersafe strongly encourages maintaining an inventory of current software in your environment, which helps ensure and inform your patch and vulnerability management program.