Cybersafe Solutions Security Advisory Bulletin June 21, 2024

In this week's Security Advisory:

• Security Advisory Update: Microsoft Patch Tuesday Addresses Several Vulnerabilities
• Security Advisory Update: Multiple Vulnerabilities Patched in Ivanti Products
• Critical Vulnerabilities Patched in VMware vCenter Server
• Rockwell Automation Patches High-Severity Vulnerabilities in its FactoryTalk View Site Edition Product
• Security Updates Released for Google Chrome Desktop Browser and Mozilla Products

Recent threat intelligence indicates a significant uptick in exploitation attempts targeting CVE-2024-30103. Customers are strongly advised to apply the latest Microsoft Patch Tuesday updates.

Original Security Advisory - June 12th, 2024:

This month's Patch Tuesday includes fixes for over fifty-one (51) vulnerabilities, including one (1) critical zero-day flaw. CVE-2024-30080 allows an attacker to execute remote code by sending a specially crafted malicious Microsoft Message Queuing (MSMQ) packet to the server. This zero-day requires the MSMQ service to be enabled to achieve exploitation. Microsoft recommends customers to verify if the service is enabled and is running on TCP Port 1801.

CVE-2024-30080 has received a CVSS score of 9.8 out of a possible 10.

Other noteworthy vulnerabilities:

CVE-2024-30103 (CVSS score of 8.8 out of 10) is a zero-click vulnerability within Microsoft Outlook that can lead to remote code execution without user interaction. Additionally, the 'Preview Pane' serves as an attack vector for this vulnerability to be executed.

More Reading/Information

• https://msrc.microsoft.com/update-guide
• https://www.bleepingcomputer.com/news/microsoft/microsoft-june-2024-patch-tuesday-fixes-51-flaws-18-rces/
• https://www.helpnetsecurity.com/2024/06/11/cve-2024-30080-cve-2024-30103/
• https://www.securityweek.com/patch-tuesday-remote-code-execution-flaw-in-microsoft-message-queuing/

Security Advisory Update: Multiple Vulnerabilities Patched in Ivanti Products

There is a publicly available proof-of-concept (PoC) for the exploit affecting Ivanti Endpoint Manager (EPM) (CVE-2024-29824). Customers are strongly advised to apply the latest patch immediately.

Original Security Advisory - May 22nd, 2024:

Ivanti has released multiple security updates to address sixteen (16) vulnerabilities impacting Ivanti Avalanche, Neurons for ITSM, Connect Secure, Secure Access, and Endpoint Manager (EPM). Among these vulnerabilities, six (6) have received a rating of "Critical" with a CVSS score of 9.6 out of 10.

CVE-2024-29822 through CVE-2024-29827 pertain to an SQL Injection vulnerability within the Ivanti Endpoint Manager that can allow an attacker to execute arbitrary code. All affected Ivanti on-premise products should be updated to their latest patches to address these vulnerabilities.

It's worth noting that these vulnerabilities are not related to previously disclosed vulnerabilities in Ivanti's PulseSecure devices.

More Reading/Information

• https://forums.ivanti.com/s/article/Security-Advisory-May-2024?language=en_US
• https://www.securityweek.com/ivanti-patches-critical-code-execution-vulnerabilities-in-endpoint-manager/
• https://cybersecuritynews.com/ivanti-endpoint-sql-injection-flaw/

Critical Vulnerabilities Patched in VMware vCenter Server

VMware has issued a security patch to mitigate three (3) severe vulnerabilities impacting VMware vCenter Server, which is present in VMware vSphere and VMware Cloud Foundation products. Two of these vulnerabilities have received a critical CVSS rating of 9.8 out of 10 and are identified as CVE-2024-37079 and CVE-2024-37080. These vulnerabilities involve heap-overflow issues that could allow an attacker to execute remote code through specially crafted network packets.

CVE-2024-37081 is a vulnerability that allows an authenticated user to escalate their local privileges to root level and has been given a CVSS rating of 7.8 out of 10. Customers are highly encouraged to update to the latest version and refer to the outlined patch guide by VMware: https://core.vmware.com/resource/vmsa-2024-0012-questions-answers#introduction 

Affected Versions

• VMware vCenter Server versions prior to 8.0 U2d
• VMware vCenter Server versions prior to 8.0 U1e
• VMware vCenter Server versions prior to 7.0 U3r
• VMware Cloud Foundation (VMware vCenter Server) 5.x prior to KB88287
• VMware Cloud Foundation (VMware vCenter Server) 4.x prior to KB88287

More Reading/Information

• https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24453
• https://core.vmware.com/resource/vmsa-2024-0012-questions-answers#introduction
• https://www.bleepingcomputer.com/news/security/vmware-fixes-critical-vcenter-rce-vulnerability-patch-now/
• https://www.securityweek.com/critical-code-execution-vulnerabilities-patched-in-vmware-vcenter-server/

Rockwell Automation Patches High-Severity Vulnerabilities in its FactoryTalk View Site Edition Product

Rockwell Automation has issued patches addressing three (3) high-severity vulnerabilities in its FactoryTalk View Site Edition (SE) product, a platform used for monitoring industrial automation controls. CVE-2024-37368 and CVE-2024-37367 have both received a CVSS rating of 9.2 out of 10. These vulnerabilities enable a remote attacker, utilizing FTView, to access sensitive client data without proper authentication verification.

CVE-2024-37369, with a CVSS score of 8.5 out of 10, is a privilege escalation vulnerability that allows an attacker to modify scripts without being an elevated user. Exploiting this vulnerability could potentially grant the attacker additional permissions and access to sensitive system data.

Affected Versions

• FactoryTalk View SE v12.0
• FactoryTalk View SE v11.0

More Reading/Information

• https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1675.html
• https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1676.html
• https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1674.html
• https://www.securityweek.com/rockwell-automation-patches-high-severity-vulnerabilities-in-factorytalk-view-se/

Security Updates Released for Google Chrome Desktop Browser and Mozilla Products

There were security updates released for vulnerabilities found in Google Chrome and Mozilla Products. 

Google Chrome has issued a security update addressing six (6) vulnerabilities that impact Windows, Mac, and Linux operating systems.

Mozilla has issued security updates to resolve ten (10) vulnerabilities impacting Firefox for iOS and Firefox ESR. Among these, four (4) vulnerabilities have been classified as "High" severity. The affected versions include Firefox for iOS versions prior to 127 and Firefox ESR versions prior to 115.12.

More Reading/Information:

• https://chromereleases.googleblog.com/
• https://www.mozilla.org/en-US/security/advisories/
• https://www.securityweek.com/chrome-126-firefox-127-patch-high-severity-vulnerabilities/

Recommendations

Please review your environment to ensure the above-mentioned issues are patched in a timely manner.  It is security best practice to regularly update and/or patch software to the latest versions.  The vulnerabilities above highlight the security benefits of limiting deployed software to "vendor-supported versions" only.  This dramatically increases the likelihood that new vulnerabilities have a patch issued for them.  Likewise, Cybersafe strongly encourages maintaining an inventory of current software in your environment, which helps ensure and inform your patch and vulnerability management program.