In this week's Security Advisory:
- SolarWinds fixes critical RCE bug affecting all Web Help Desk versions
- Microsoft Warns of Six Windows Zero-Days Being Actively Exploited
- Unpatched Microsoft Office Vulnerability can lead to Data Exposure
- OpenVPN vulnerabilities discovered leading to RCE and LPE
- Multiple Vulnerabilities in Ivanti Products Could Allow for Remote Code Execution
- Multiple Vulnerabilities in Adobe Products Could Allow for Arbitrary Code Execution
- SAP Patches Critical Bypass Vulnerabilities
SolarWinds fixes critical RCE bug affecting all Web Help Desk versions
A critical vulnerability in SolarWinds' Web Help Desk solution for customer support could be exploited to execute remote code. Tracked as CVE-2024-28986, with a CVSS score of 9.8 out of 10, it could allow an attacker to run commands on a vulnerable host. Web Help Desk (WHD) is IT help desk software.
Affected Versions
- SolarWinds Web Help Desk 12.8.3 and all previous versions
More Reading/Information
- https://www.solarwinds.com/trust-center/security-advisories/cve-2024-28986
- https://www.bleepingcomputer.com/news/security/solarwinds-fixes-critical-rce-bug-affecting-all-web-help-desk-versions/
Microsoft Warns of Six Windows Zero-Days Being Actively Exploited
The August 13th edition of Microsoft's Patch Tuesday includes security updates for eighty-nine (89) flaws, of which eight (8) are considered critical. The patches also address the following six (6) vulnerabilities that are under active exploitation:
• CVE-2024-38178, CVSS score 7.5 out of 10 - Scripting Engine Memory Corruption Vulnerability
• CVE-2024-38193, CVSS score 7.8 out of 10 - Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability
• CVE-2024-38213, CVSS score 6.5 out of 10 - Windows Mark of the Web Security Feature Bypass Vulnerability
• CVE-2024-38106, CVSS score 7.0 out of 10 - Windows Kernel Elevation of Privilege Vulnerability
• CVE-2024-38107, CVSS score 7.8 out of 10 - Windows Power Dependency Coordinator Elevation of Privilege Vulnerability
• CVE-2024-38189, CVSS score 8.8 out of 10 - Microsoft Project Remote Code Execution Vulnerability
More Reading/Information
• https://www.securityweek.com/microsoft-warns-of-six-windows-zero-days-being-actively-exploited/
• https://www.bleepingcomputer.com/news/microsoft/new-windows-smartscreen-bypass-exploited-as-zero-day-since-march/
• https://www.bleepingcomputer.com/news/microsoft/microsoft-august-2024-patch-tuesday-fixes-9-zero-days-6-exploited/
Unpatched Microsoft Office Vulnerability can lead to Data Exposure
Microsoft has revealed an unpatched zero-day vulnerability in Office that, if successfully exploited, could lead to the unauthorized disclosure of sensitive information to malicious actors. Tracked as CVE-2024-38200, CVSS score 7.5 out of 10, this vulnerability stems from an information disclosure weakness that allows unauthorized actors to access protected information.
Affected Versions
- Microsoft Office 2016 for 32-bit edition and 64-bit editions
- Microsoft Office LTSC 2021 for 32-bit and 64-bit editions
- Microsoft 365 Apps for Enterprise for 32-bit and 64-bit Systems
- Microsoft Office 2019 for 32-bit and 64-bit editions
More Reading/Information
- https://thehackernews.com/2024/08/microsoft-warns-of-unpatched-office.html
- https://www.helpnetsecurity.com/2024/08/12/cve-2024-38200/
- https://www.bleepingcomputer.com/news/security/microsoft-discloses-unpatched-office-flaw-that-exposes-ntlm-hashes/
OpenVPN vulnerabilities discovered leading to RCE and LPE
Microsoft has revealed four medium-severity security flaws in the open-source OpenVPN software that could be combined to achieve remote code execution (RCE) and local privilege escalation (LPE). Identified as CVE-2024-27459 (CVSS score 7.8), CVE-2024-24974 (CVSS score 7.5), and CVE-2024-27903 (CVSS score 9.8), these vulnerabilities affect OpenVPN's openvpnserv component. Another flaw, related to the Windows TAP driver and tracked as CVE-2024-1305, could be exploited to trigger denial-of-service conditions. User authentication is needed to exploit this flaw. It is important to note that these flaws are present on the client side of OpenVPN, not the server side.
Affected Versions
- All versions of OpenVPN prior to version 2.6.10 and 2.5.10.
More Reading/Information
• https://www.microsoft.com/en-us/security/blog/2024/08/08/chained-for-attack-openvpn-vulnerabilities-discovered-leading-to-rce-and-lpe/
• https://thehackernews.com/2024/08/microsoft-reveals-four-openvpn-flaws.html
• https://www.scmagazine.com/brief/rce-privilege-escalation-likely-with-chained-openvpn-flaws
Multiple Vulnerabilities in Ivanti Products Could Allow for Remote Code Execution
Several vulnerabilities have been identified in Ivanti products, with the most severe potentially allowing remote code execution. Tracked as CVE-2024-75, with a CVSS score of 9.8 out of 10, this authentication bypass vulnerability could allow unauthenticated attackers to bypass authentication on Internet-exposed vTM admin panels.
Ivanti has also addressed CVE-2024-7569 (CVSS score: 9.6) and CVE-2024-7570 (CVSS score: 8.3).
Affected Products:
- Ivanti Avalanche versions prior to 6.4.4
- Ivanti Neurons for ITSM without supplied patch.
- Ivanti Virtual Traffic Manager prior to versions 22.2R1, 22.3R3, 22.5R2, 22.6R2, 22.7R2
More Reading/Information
• https://www.bleepingcomputer.com/news/security/ivanti-warns-of-critical-vtm-auth-bypass-with-public-exploit/
• https://duo.com/decipher/exploit-code-available-for-critical-ivanti-vtm-bug
Multiple Vulnerabilities in Adobe Products Could Allow for Arbitrary Code Execution
Adobe has released patches for at least seventy-two (72) security vulnerabilities across multiple products, warning that Windows and macOS users are at risk of code execution, memory leaks, and denial-of-service attacks.
Affected Versions:
- Adobe Illustrator 2024 28.5 and earlier versions
- Adobe Illustrator 2023 27.9.4 and earlier versions
- Adobe Dimension 3.4.11 and earlier versions
- Adobe Photoshop 2023 24.7.3 and earlier versions
- Adobe Photoshop 2024 25.9.1 and earlier versions
- For a full list of affected products, see: https://www.cisecurity.org/advisory/multiple-vulnerabilities-in-adobe-products-could-allow-for-arbitrary-code-execution_2024-091
More Reading/Information
• https://www.securityweek.com/adobe-calls-attention-to-massive-batch-of-code-execution-flaws/
• https://cybersecuritynews.com/adobe-patches-vulnerabilities/
SAP Patches Critical Bypass Vulnerabilities
SAP has released its August 2024 security patch update, addressing seventeen (17) new vulnerabilities, including two (2) critical flaws that could enable attackers to bypass authentication and fully compromise affected systems. The most severe vulnerability, tracked as CVE-2024-41730 with a CVSS score of 9.8 out of 10, affects SAP BusinessObjects Business Intelligence Platform versions 430 and 440. The second critical vulnerability, tracked as CVE-2024-29415 with a CVSS score of 9.1 out of 10, is a server-side request forgery flaw in applications built with SAP Build Apps versions earlier than 4.11.130.
More Reading/Information
• https://www.bleepingcomputer.com/news/security/critical-sap-flaw-allows-remote-attackers-to-bypass-authentication/
• https://www.securityweek.com/sap-patches-critical-vulnerabilities-in-businessobjects-build-apps/
• https://thecyberexpress.com/sap-update-critical-vulnerabilities-hackers/
• https://cybersecuritynews.com/sap-hackers-bypass-authentication/
Recommendations
Please review your environment to ensure the above-mentioned issues are patched in a timely manner. It is security best practice to regularly update and/or patch software to the latest versions. The vulnerabilities above highlight the security benefits of limiting deployed software to "vendor-supported versions" only. This dramatically increases the likelihood that new vulnerabilities have a patch issued for them. Likewise, Cybersafe strongly encourages maintaining an inventory of current software in your environment, which helps ensure and inform your patch and vulnerability management program.