Cybersafe Solutions Security Advisory Bulletin September 20, 2024

In this week's Security Advisory:

• Broadcom Patches Critical RCE Vulnerability in VMware vCenter
• SolarWinds Patches Critical RCE Vulnerability In Access Rights Manager Software
• Ivanti Warns of Exploitation of its Cloud Service Appliance Has Been Exploited
• GitLab updates Critical Vulnerability allowing for Unauthorized Pipeline Job Execution
• Palo Alto Release Security Updates for Multiple Vulnerabilities
• D-Link fixes Critical Remote Code Execution for Passwords in Wi-Fi 6 Routers
• Multiple Vulnerabilities in Apple Products Could Allow for Arbitrary Code Execution
• Security Updates Released for Google Chrome Desktop Browser

Broadcom has patched a critical security issue in its VMware vCenter Server. The vulnerability tracked as CVE-2024-38812 (CVSS score 9.8/10), allows unauthenticated attackers to execute remote code on the server if exploited. They also released a patch for a high-severity privilege escalation vulnerability, tracked as CVE-2024-38813 (CVSS score 7.5/10), that allows an attacker to gain root privileges. Broadcom stated they have not seen evidence of this being exploited in the wild. 

Affected Versions

• VMware vCenter Server version 7.0 and 8.0
• VMware Cloud Foundation 4.x and 5.x

More Reading/Information

• https://www.bleepingcomputer.com/news/security/broadcom-fixes-critical-rce-bug-in-vmware-vcenter-server/
• https://thehackernews.com/2024/09/patch-issued-for-critical-vmware.html
• https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24968

SolarWinds Patches Critical RCE Vulnerability in Access Rights Manager Software

SolarWinds has released security updates to remediate two (2) vulnerabilities in its Access Rights Manager (ARM) software. The most concerning of the two is vulnerability CVE-2024-28991 (CVSS score 9.9/10) which is susceptible to remote code execution. Authentication is required to exploit this vulnerability; however, it is possible to bypass authentication due to the vulnerability CVE-2024-28990.

Affected Versions

• SolarWinds ARM 2024.3 and prior versions

More Reading/Information

• https://thehackernews.com/2024/09/solarwinds-issues-patch-for-critical.html
• https://www.securityweek.com/solarwinds-patches-critical-vulnerability-in-access-rights-manager/
• https://www.solarwinds.com/trust-center/security-advisories/cve-2024-28991
• https://www.solarwinds.com/trust-center/security-advisories/cve-2024-28990

Ivanti Warns of Exploitation of its Cloud Service Appliance Has Been Exploited

Ivanti issued a warning that a recently patched vulnerability for its Cloud Service Appliance, tracked as CVE-2024-8190 (CVSS score 7.2/10), is now being exploited in the wild. Organizations should patch immediately.

Original Advisory September 11th:

Ivanti has released security updates for its Endpoint Manager (EPM), addressing a critical vulnerability that could lead to unauthorized access to the EPM core server, Ivanti also released updates for other critical and high vulnerabilities today in their Workspace Control (IWC) and Cloud Service Appliance (CSA).

Affected Versions

• Ivanti Endpoint Manager 2024
• Ivanti Endpoint Manager 2022 SU5 and earlier
• Ivanti IWC 10.18.0.0 and below
• Ivanti Cloud Services Appliance (CSA) 4.6 (All versions before Patch 519)

More Reading/Information

• https://www.securityweek.com/ivanti-csa-vulnerability-exploited-in-attacks-days-after-disclosure/
• https://www.helpnetsecurity.com/2024/09/17/cve-2024-8190/
• https://www.bleepingcomputer.com/news/security/ivanti-fixes-maximum-severity-rce-bug-in-endpoint-management-software/
• https://cybersecuritynews.com/ivanti-endpoint-manager-rce-vulnerability/
• https://securityonline.info/ivanti-issues-patch-for-critical-vulnerabilities-in-endpoint-manager-including-cve-2024-29847-cvss-10-0/

GitLab updates Critical Vulnerability allowing for Unauthorized Pipeline Job Execution

GitLab released security updates for seventeen (17) vulnerabilities including one critical vulnerability tracked as CVE-2024-6678 (CVSS 9.9/10). The Critical vulnerability allows for remote executions with arbitrary user permissions. This affects GitLab's Community Edition (CE) and Enterprise Edition (EE).  It is recommended that you apply the latest patches as soon as possible to mitigate the risk of this threat.

Affected Versions

• GitLab CE/EE all versions from 8.14 prior to 17.1.17
• GitLab CE/EE all versions from 17.2 prior to 17.2.5
• GitLab CE/EE all versions from 17.3 prior to 17.3.2

More Reading/Information

• https://thehackernews.com/2024/09/urgent-gitlab-patches-critical-flaw.html
• https://www.bleepingcomputer.com/news/security/gitlab-warns-of-critical-pipeline-execution-vulnerability/
• https://nvd.nist.gov/vuln/detail/CVE-2024-6678

Palo Alto Releases Security Updates for Multiple Vulnerabilities

Palo Alto has released security updates for multiple products in their most recent Security Bulletin. The most concerning is a flaw tracked as CVE-2024-8686 (CVSS 8.6/10). If exploited, this may allow an unauthenticated attacker to execute commands as root on the device. 

Palo Alto also addressed twenty-nine (29) vulnerabilities for its Prime Access Browser. Most of these vulnerabilities are being tracked with a High severity rating. Multiple Medium-severity vulnerabilities were addressed in the bulletin as well.

Affected Versions

• PAN-OS 11.2.2
• Prisma Access Browser 128.91.2869.7 and earlier versions

More Reading/Information

• https://www.securityweek.com/palo-alto-networks-patches-dozens-of-vulnerabilities/
• https://security.paloaltonetworks.com/
• https://securityonline.info/pan-os-vulnerabilities-command-injection-cve-2024-8686-and-globalprotect-exposure-cve-2024-8687/

D-Link fixes Critical Remote Code Execution for Passwords in Wi-Fi 6 routers

D-Link has released security updates to multiple wireless router models. This includes three (3) critical and two (2) high CVEs.  Two of the critical vulnerabilities allow unauthenticated attackers to execute arbitrary code on the devices. The third critical vulnerability allows remote attackers to log in and execute commands with hard-coded credentials.

Affected Versions 

• COVR-X1870 versions 1.02 and below
• DIR-X4860 version 1.04B04_Hot-Fix and below
• DIR-X5460 versions 1.11B01_Hot-Fix and below

More Reading/Information

• https://www.bleepingcomputer.com/news/security/d-link-fixes-critical-rce-hardcoded-password-flaws-in-wifi-6-routers/
• https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10412
• https://securityonline.info/urgent-d-link-router-security-flaws-expose-millions-to-remote-attacks/

Multiple Vulnerabilities in Apple Products Could Allow for Arbitrary Code Execution

Thirty-two (32) vulnerabilities have been identified in Apple products, with the most severe potentially allowing arbitrary code execution. Successful exploitation of these critical vulnerabilities could enable arbitrary code execution within the context of the logged-in user. This includes CVE-2024-44171 (CVSS score 8.1/10) where an attacker with physical access to a locked device may be able to control nearby devices via accessibility features. 

Affected Versions

• Versions prior to iOS 18 and iPadOS 18
• Versions prior to macOS Sequoia 15
• Versions prior to tvOS 18
• Versions prior to watchOS 11
• Versions prior to visionOS 2
• Versions prior to iOS 17.7 and iPadOS 17.7
• Versions prior to macOS Sonoma 14.7
• Versions prior to macOS Ventura 13.7
• Versions prior to Xcode 16

More Reading/Information

• https://www.securityweek.com/apple-patches-major-security-flaws-with-ios-18-refresh/
• https://www.cisecurity.org/advisory/multiple-vulnerabilities-in-apple-products-could-allow-for-arbitrary-code-execution_2024-102
• https://cybersecuritynews.com/ios-18-32-vulnerabilities/

Security Updates Released for Google Chrome Desktop Browser

Google released a security update to fix nine (9) vulnerabilities in its Chrome Desktop Browser for Windows, Mac, and Linux. This includes CVE-2024-8904 a bug in the V8 JavaScript engine that can lead to remote code execution.

Affected Versions

• Chrome prior to 129.0.6668.58/.59 for Windows and Mac
• Chrome prior to 129.0.6668.58 for Linux

More Reading/Information

• https://chromereleases.googleblog.com/
• https://www.securityweek.com/chrome-129-patches-high-severity-vulnerability-in-v8-engine/
• https://cybersecuritynews.com/chrome-129-released/

Recommendations

Please review your environment to ensure the above-mentioned issues are patched in a timely manner.  It is security best practice to regularly update and/or patch software to the latest versions.  The vulnerabilities above highlight the security benefits of limiting deployed software to "vendor-supported versions" only.  This dramatically increases the likelihood that new vulnerabilities have a patch issued for them.  Likewise, Cybersafe strongly encourages maintaining an inventory of current software in your environment, which helps ensure and inform your patch and vulnerability management program.