June 14, 2024   •   7 minute read

Cybersafe Solutions Security Advisory Bulletin June 14, 2024

In this week's Security Advisory:

  • Security Advisory Update: Critical Vulnerabilities Patched in Veeam Backup Enterprise Manager
  • Critical Vulnerability in JetBrains IDEs can lead to Exposed GitHub Access Tokens
  • Microsoft Patch Tuesday Addresses Several Vulnerabilities
  • SolarWinds Issues Patch for Serv-U's Directory Traversal Vulnerability
  • Multiple Vulnerabilities Patched in SAP Products
  • Security Updates Released for Google Chrome Desktop Browser, Mozilla, and Adobe Products

Security Advisory Update: Critical Vulnerabilities Patched in Veeam Backup Enterprise Manager

A proof-of-concept (PoC) exploit for CVE-2024-29849, the authentication bypass affecting Veeam Backup Enterprise Manager, is now publicly available. Customers are strongly advised to apply the latest patch immediately.

Original Security Advisory - May 22nd, 2024:

Veeam has issued a security patch that addresses four (4) vulnerabilities affecting Veeam Backup Enterprise Manager. The most critical flaw, tracked as CVE-2024-29849 with a CVSS rating of 9.8 out of 10, allows an unauthenticated attacker to bypass authentication and gain access to the manager's console. Threat actors can abuse this access to read sensitive data and modify backup jobs, which can impact data restoration.

Of note, Veeam Backup Enterprise Manager is an optional component that can be installed in client environments. Only customers that have the manager tool deployed within their environment are exposed to these vulnerabilities.

Affected Versions

  • V5.0 - V12.1

Critical Vulnerability in JetBrains IDEs can lead to Exposed GitHub Access Tokens

JetBrains has released an update to address a critical vulnerability discovered in its IntelliJ-based IDEs. Tracked as CVE-2024-37051, the flaw can allow an attacker to steal the access token and gain unauthorized access to the user's GitHub account. Successful exploitation requires the GitHub plugin to be enabled on any IntelliJ-based IDE. JetBrains recommends customers who have utilized the GitHub pull request feature to revoke any GitHub tokens used by the plugin immediately.

Microsoft Patch Tuesday Addresses Several Vulnerabilities

This month's Patch Tuesday includes fixes for over fifty-one (51) vulnerabilities, including one (1) critical zero-day flaw. CVE-2024-30080 allows an attacker to execute code remotely by sending a specially crafted Microsoft Message Queuing (MSMQ) packet to the server. Exploitation requires the MSMQ service to be enabled. Microsoft recommends that customers verify whether the service is enabled and listening on TCP port 1801.
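A local check for the MSMQ precondition described above, added here as an example that is not part of the bulletin. It assumes a Windows host with PowerShell 5.1 or later and the built-in NetTCPIP module; the function name Get-MsmqExposure is my own.

```powershell
# Added example (not from the Cybersafe bulletin): report whether MSMQ is
# installed, running, and listening on TCP 1801 on the local Windows host.
# Assumes PowerShell 5.1+ and the NetTCPIP module (Windows 8/2012 or later).
# Run elevated so Get-NetTCPConnection can resolve the owning process.

function Get-MsmqExposure {
    [CmdletBinding()]
    param()

    # Service state: absent, stopped, or running.
    $svc = Get-Service -Name 'MSMQ' -ErrorAction SilentlyContinue

    # Any socket bound to the MSMQ TCP port in the LISTEN state.
    $listener = Get-NetTCPConnection -LocalPort 1801 -State Listen -ErrorAction SilentlyContinue

    $owners = $listener | ForEach-Object {
        (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName
    } | Select-Object -Unique

    $result = [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        ServiceInstalled = [bool]$svc
        ServiceStatus    = if ($svc) { $svc.Status.ToString() } else { 'NotInstalled' }
        StartType        = if ($svc) { $svc.StartType.ToString() } else { 'n/a' }
        ListeningOn1801  = [bool]$listener
        ListenAddresses  = ($listener | ForEach-Object { $_.LocalAddress }) -join ','
        OwningProcess    = ($owners -join ',')
    }

    # Exposure rule used here: the service is running AND something is bound to 1801.
    $exposed = ($result.ServiceStatus -eq 'Running') -and $result.ListeningOn1801
    $result | Add-Member -NotePropertyName Exposed -NotePropertyValue $exposed
    return $result
}

$report = Get-MsmqExposure
$report | Format-List

if ($report.Exposed) {
    Write-Warning "MSMQ is running and listening on TCP 1801. Confirm this month's cumulative update (CVE-2024-30080) is installed, or disable MSMQ if it is not required."
    # Show the most recent updates so the CU can be cross-checked against the vendor KB.
    Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 5 HotFixID, InstalledOn
}
```

Hosts where the service is absent or stopped report Exposed = False even if a firewall rule for 1801 exists; review those rules separately if MSMQ is scheduled to be enabled later.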

CVE-2024-30103 (CVSS score of 8.8 out of 10) is a zero-click vulnerability within Microsoft Outlook that can lead to remote code execution without user interaction. Additionally, the 'Preview Pane' serves as an attack vector for this vulnerability to be executed.

SolarWinds Issues Patch for Serv-U's Directory Traversal Vulnerability

SolarWinds has released a security patch to address a vulnerability discovered within Serv-U. Serv-U is a managed file transfer solution that can store and share files across a network. Tracked as CVE-2024-28995 with a CVSS score of 8.6 out of 10, this flaw enables unauthenticated attackers to access sensitive files by traversing outside the root directory. Successful exploitation can allow threat actors to read and modify information that can impact data integrity.

Affected Versions

  • Serv-U 15.4.2 HF 1 and prior

Multiple Vulnerabilities Patched in SAP Products

SAP has issued several security updates fixing ten (10) vulnerabilities, including three (3) updates addressing previously disclosed flaws across various products. The most critical vulnerability, CVE-2024-37177, carries a CVSS score of 8.1 out of 10 and could enable attackers to manipulate site content directly within the SAP Financial Consolidation web application. Successful exploitation can lead to incorrect financial data or the loss of sensitive financial data.

The remaining nine (9) vulnerabilities affect the NetWeaver and ABAP platform, Document Builder, S/4HANA, CRM, BW/4HANA Transformation and DTP, Student Life Cycle Management, and NetWeaver AS Java products.

Exploiting these vulnerabilities successfully could lead to Denial of Service (DoS) conditions, arbitrary file uploads, information disclosure, or data tampering. Clients are advised to update to the latest patch immediately.

Security Updates Released for Google Chrome Desktop Browser, Mozilla, and Adobe Products

Several vendors, including Google, Mozilla, and Adobe, released security updates this week.

Google Chrome had a total of twenty-one (21) vulnerabilities, with nine (9) vulnerabilities given a severity rating of "High." These vulnerabilities affect Windows, Mac, and Linux.

Mozilla released security updates to address vulnerabilities in several of its products that could lead to arbitrary code execution. There was a total of twenty-three (23) vulnerabilities affecting Firefox and Firefox ESR, with seven (7) receiving a severity rating of "High." These affect Firefox versions prior to 127 and Firefox ESR versions prior to 115.12.

Adobe addressed one hundred and sixty-seven (167) vulnerabilities, with thirteen (13) vulnerabilities given a severity rating of "Critical". These vulnerabilities affect Adobe Photoshop, Experience Manager, Audition, Media Encoder, FrameMaker Publishing Server, Commerce, ColdFusion, Substance 3D Stager, Creative Cloud Desktop, and Acrobat Android.

Recommendations

Please review your environment to ensure the above-mentioned issues are patched in a timely manner. It is security best practice to regularly update and/or patch software to the latest versions. The vulnerabilities above highlight the security benefits of limiting deployed software to "vendor-supported versions" only. This dramatically increases the likelihood that new vulnerabilities have a patch issued for them. Likewise, Cybersafe strongly encourages maintaining an inventory of current software in your environment, which helps ensure and inform your patch and vulnerability management program.