In this week's Security Advisory:
Polyfill is an open-source library that provides functionality to aid backwards compatibility in older browsers and is deployed by many websites. The polyfill[dot]io domain that serves the library changed ownership in February 2024, and since the change the domain has been observed injecting malicious code into mobile websites that embed scripts depending on its code. All websites using polyfill[dot]io are impacted and should promptly remove references to it to mitigate risks.
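Sites that need to confirm they no longer load anything from the polyfill.io domain can scan their HTML for script and link references to it. The scanner below is an added example written for this advisory, not Cybersafe's or Polyfill's own tooling; it uses only the Python standard library and a constructed sample page, and it generalises the check to every subdomain of polyfill.io (including the historical cdn.polyfill.io CDN host) and to protocol-relative URLs.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hosts to flag: polyfill.io (named in the advisory) and every subdomain
# of it, which covers the historical cdn.polyfill.io CDN hostname.
FLAGGED_HOSTS = ("polyfill.io",)


def is_flagged_host(url: str) -> bool:
    """True if url's host is polyfill.io or a subdomain of it.

    urlsplit also resolves protocol-relative URLs (//cdn.polyfill.io/...),
    which have no scheme but still fetch from the external host.
    """
    host = (urlsplit(url).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in FLAGGED_HOSTS)


class PolyfillFinder(HTMLParser):
    """Collect (tag, url) for <script src> / <link href> on a flagged host."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        attr = {"script": "src", "link": "href"}.get(tag)
        url = dict(attrs).get(attr) if attr else None
        if url and is_flagged_host(url):
            self.hits.append((tag, url))


def find_polyfill_references(html: str):
    """Return every (tag, url) in the page that loads from polyfill.io."""
    parser = PolyfillFinder()
    parser.feed(html)
    return parser.hits


# Constructed sample page: one protocol-relative polyfill.io script, one
# https script with a feature query, a preconnect link, and an unrelated
# CDN script that must not be flagged.
SAMPLE_HTML = """<html><head>
<script src="//cdn.polyfill.io/v3/polyfill.min.js"></script>
<script src="https://polyfill.io/v3/polyfill.min.js?features=fetch"></script>
<script src="https://cdnjs.example.net/lib.js"></script>
<link rel="preconnect" href="https://polyfill.io">
</head><body></body></html>"""

if __name__ == "__main__":
    for tag, url in find_polyfill_references(SAMPLE_HTML):
        print(f"{tag}: {url}")
```

The parser only inspects static tags, so references built dynamically in JavaScript or inserted by a tag manager must be checked separately (for example by reviewing the browser's network requests).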
As an update to our Advisory on June 12th, Cybersafe is now aware that threat actors are actively exploiting SolarWinds Serv-U servers vulnerable to CVE-2024-28995. Customers are strongly advised to apply the latest patch immediately.
Original Security Advisory - June 12th, 2024:
SolarWinds has released a security patch to address a vulnerability discovered in Serv-U. Serv-U is a managed file transfer solution that can store and share files across a network. Tracked as CVE-2024-28995 with a CVSS score of 8.6 out of 10, this flaw enables unauthenticated attackers to access sensitive files by traversing outside the root directory. Successful exploitation can allow threat actors to read and modify information, impacting data integrity.
As an update to our Advisory on June 5th, Cybersafe is aware that a publicly available proof-of-concept (PoC) exploit exists for the vulnerability affecting Zyxel NAS devices (CVE-2024-29973). Customers are strongly advised to apply the latest patch immediately.
Original Security Advisory - June 5th, 2024:
Zyxel Networks has released multiple patches to address three (3) out of five (5) vulnerabilities affecting its end-of-life NAS products. The flaws are being tracked as CVE-2024-29972, CVE-2024-29973, and CVE-2024-29974 and affect only the Zyxel NAS326 and NAS542 devices.
CVE-2024-29972 and CVE-2024-29973 are command injection flaws that allow an unauthenticated attacker to execute OS commands by sending specially crafted POST requests. CVE-2024-29974 is a critical flaw in the CGI program that allows a threat actor to upload specially crafted configuration files to achieve remote code execution.
Of note, the vulnerabilities CVE-2024-29975 and CVE-2024-29976 are improper privilege management flaws and will not receive remediation from Zyxel Networks due to the devices reaching end-of-support status.
Affected Versions
Atlassian has issued a security update to resolve nine (9) vulnerabilities affecting Confluence, Crucible, and Jira. The most severe is an improper authorization flaw tracked as CVE-2024-22257, which carries a CVSS score of 8.2 out of 10. Exploitation of this vulnerability could allow an attacker to gain unauthorized access to sensitive assets within a client's system. Customers should update their software to the latest patched versions or, if an immediate update is not feasible, upgrade to one of the fixed versions as soon as possible.
WordPress has identified five (5) plugins that were compromised with malicious scripts in a supply chain attack. The injected script allows an attacker to create new administrator accounts, granting them elevated privileges within a client's environment. Furthermore, the malicious script can inject search engine optimization (SEO) spam across the website, affecting unsuspecting users.
Of note, WordPress advises users with affected plugins to promptly update to the latest patch and conduct a thorough check for any unexpected rogue administrator accounts.
Affected Plugins & Versions:
Google Chrome has issued a security update addressing five (5) vulnerabilities that impact Windows, Mac, and Linux operating systems.
Please review your environment to ensure the above-mentioned issues are patched in a timely manner. It is security best practice to regularly update and/or patch software to the latest versions. The vulnerabilities above highlight the security benefits of limiting deployed software to "vendor-supported versions" only, which dramatically increases the likelihood that a patch will be issued for newly discovered vulnerabilities. Likewise, Cybersafe strongly encourages maintaining an inventory of the software currently deployed in your environment, which helps inform and support your patch and vulnerability management program.