Cybersafe Solutions Security Advisory Bulletin July 12, 2024

In this week's Security Advisory:

• Misconfigurations in Palo Alto's GlobalProtect VPN can lead to Authentication Bypass
• New OpenSSH Vulnerability in Red Hat Linux can Lead to Remote Code Execution
• Critical Vulnerability Discovered in the RADIUS Protocol
• Microsoft Patch Tuesday Addresses Several Vulnerabilities
• Security Updates Released for Mozilla and Adobe Products

Our Threat Intelligence team has observed an uptick in attackers focusing on Palo Alto's GlobalProtect VPN service to exploit authentication weaknesses. Organizations that apply Multi-Factor Authentication (MFA) only to the GlobalProtect Portal, while neglecting to enforce it on the Gateway, are susceptible to this attack. This misconfiguration can allow attackers to bypass MFA checks by directly connecting to the Gateway using open-source VPN clients. Successful exploitation grants threat actors unauthorized access to the internal network. Customers must implement MFA consistently across both Portals and Gateways in GlobalProtect to mitigate risks associated with authentication bypass attempts.

Mitigation

• MFA should be enforced on both the GlobalProtect Portal and Gateway(s).

More Reading/Information

• https://medium.com/cyesec/no-portals-needed-79995d8f7e62
• https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000001VM9CAM&lang=en_US%E2%80%A9

New OpenSSH Vulnerability in Red Hat Linux can lead to Remote Code Execution

A high-severity vulnerability has been discovered in the OpenSSH Server (sshd) that impacts versions bundled with Red Hat Enterprise Linux, Identified as CVE-2024-6409 with a CVSS score of 7.0, this flaw enables attackers to execute remote code as an unprivileged user. Customers should update to the latest security patch released by Red Hat. It's worth noting that CVE-2024-6409 is a separate vulnerability to the previously released advisory regarding CVE-2024-6387 from earlier last week.

More Reading/Information

• https://cybersecuritynews.com/new-openssh-vulnerability-cve-2024-6409/
• https://access.redhat.com/security/cve/CVE-2024-6409
• https://access.redhat.com/errata/RHSA-2024:4457
• https://securityaffairs.com/165535/hacking/openssh-flaw-cve-2024-6409.html

Critical Vulnerability Discovered in the RADIUS Protocol

Security researchers have discovered a critical vulnerability in the RADIUS protocol, a widely used authentication an authorization protocol in network devices. The vulnerability has been given the name "BlastRADIUS" and allows attackers to intercept and modify access-request packets that can bypass multi-factor authentication (MFA) through Man-in-the-Middle attacks. Successful exploitation can allow a threat actor to authenticate any user to the local network. Researchers have already developed a proof-of-concept (POC) and a public release is expected soon.

More Reading/Information

• https://www.inkbridgenetworks.com/blastradius/faq
• https://www.securityweek.com/blastradius-attack-exposes-critical-flaw-in-30-year-old-radius-protocol/
• https://www.bleepingcomputer.com/news/security/new-blast-radius-attack-bypasses-widely-used-radius-authentication/
• https://cybersecuritynews.com/blast-radius-man-in-the-middle-attack/

Microsoft Patch Tuesday Addresses Several Vulnerabilities

This month's Patch Tuesday includes fixes for over one hundred and forty-two (142) vulnerabilities, including two (2) actively exploited zero-days. CVE-2024-38080 is a privilege escalation vulnerability within Windows Hyper-V that can allow an attacker to gain SYSTEM level privileges, while CVE-2024-38112 is a spoofing vulnerability within the MSHTML platform.

Patch Tuesday also includes updates to address five (5) critical remote code execution flaws affecting Microsoft SharePoint, Windows Imaging Component, Windows Desktop Licensing Service and Remote Desktop.

More Reading/Information

• https://msrc.microsoft.com/update-guide
• https://www.bleepingcomputer.com/news/microsoft/microsoft-july-2024-patch-tuesday-fixes-142-flaws-4-zero-days/
• https://krebsonsecurity.com/2024/07/microsoft-patch-tuesday-july-2024-edition/
• https://www.theregister.com/2024/07/10/july_2024_patch_tuesday/

Security Updates Released for Mozilla and Adobe Products

Mozilla released security updates to address vulnerabilities in several of its products that could lead to arbitrary code execution. There was a total of twenty-one (21) vulnerabilities affecting Firefox and Firefox ESR, with five (5) receiving a severity rating of "High." These affect Firefox versions prior to 115.13 and Firefox ESR versions prior to 128.

Adobe has released patches for seven (7) vulnerabilities, six (6) of which are rated as "Critical" and allow for arbitrary code execution. These vulnerabilities impact Adobe Premiere Pro, InDesign, and Bridge.

More Reading/Information

• https://www.mozilla.org/en-US/security/advisories/
• https://helpx.adobe.com/security/security-bulletin.html
• https://cybersecuritynews.com/adobe-security-update/
• https://www.securityweek.com/adobe-issues-critical-patches-for-multiple-products-warns-of-code-execution-risks/

Recommendations

Please review your environment to ensure the above-mentioned issues are patched in a timely manner.  It is security best practice to regularly update and/or patch software to the latest versions.  The vulnerabilities above highlight the security benefits of limiting deployed software to "vendor-supported versions" only.  This dramatically increases the likelihood that new vulnerabilities have a patch issued for them.  Likewise, Cybersafe strongly encourages maintaining an inventory of current software in your environment, which helps ensure and inform your patch and vulnerability management program.