In this week's Security Advisory:
CISA has warned that CVE-2024-7593 (CVSS 9.8/10), affecting Ivanti's Virtual Traffic Manager (vTM), is now being actively exploited. This vulnerability allows unauthenticated remote attackers to bypass authentication on exposed vTM panels. It was previously covered in the Security Advisory sent on August 14th. Ivanti also announced that another vulnerability, CVE-2024-8963 (CVSS 9.4/10) in its Cloud Service Appliance, is being exploited. Attackers are chaining this vulnerability with CVE-2024-8910 to bypass admin authentication and execute arbitrary commands on unpatched appliances.
Atlassian has updated its security bulletin identifying four new vulnerabilities in multiple products, all of which have a CVSS score of 7.5 out of 10. Each vulnerability allows an attacker to cause denial of service (DoS) conditions in a multitude of ways. The affected products include Bamboo Data Center and Server, Bitbucket Data Center and Server, Confluence Data Center and Server, and Crowd Data Center and Server.
A critical vulnerability has been found in Microchip Technology's Advanced Software Framework (ASF) that could lead to remote code execution via a buffer overflow if exploited. It is tracked as CVE-2024-7490 (CVSS 9.5/10). Microchip no longer supports this software, so no patch is expected.
ESET has released patches for two vulnerabilities that allow privilege escalation. The first, tracked as CVE-2024-7400, affects Windows and allows an attacker with low privileges to delete arbitrary files and escalate their permissions. The second, CVE-2024-6654, affects macOS and allows an authenticated user to perform a DoS attack that could disable the endpoint's protection.
Google has released Chrome updates addressing four vulnerabilities. Successful exploitation of the most severe of these could allow remote code execution. The full list is CVE-2024-9120, CVE-2024-9121, CVE-2024-9122, and CVE-2024-9123.
Mozilla has released an update for Firefox for Android addressing CVE-2024-8897. This vulnerability can allow an attacker to make a malicious site appear to have the same URL as a trusted site.
Please review your environment to ensure the issues above are patched in a timely manner. It is security best practice to regularly update and/or patch software to the latest versions. The vulnerabilities above highlight the security benefit of limiting deployed software to vendor-supported versions only, which dramatically increases the likelihood that a patch will be issued for new vulnerabilities. Likewise, Cybersafe strongly encourages maintaining an inventory of the software in your environment, which informs and supports your patch and vulnerability management program.