In this week's Security Advisory:
VMware has released a security update for its Fusion hypervisor to address a high-severity vulnerability that exposes users to code execution exploits. Tracked as CVE-2024-38811 (CVSS score 8.8 out of 10), it could be exploited to execute code within the Fusion environment, potentially leading to a complete system compromise.
Zyxel has patched numerous vulnerabilities in its networking devices, including the critical flaw CVE-2024-7261 (CVSS score of 9.8 out of 10), which could allow unauthenticated attackers to execute OS commands on various Zyxel access points (APs) and security routers by sending a specially crafted cookie to the vulnerable devices.
Google has announced a new set of Android security updates that address thirty-five (35) vulnerabilities, including CVE-2024-32896 (CVSS score of 7.8 out of 10), a high-severity issue that could allow a local attacker to elevate privileges. This vulnerability does require access to the device.
Fortra has issued a warning about a critical hardcoded password vulnerability in FileCatalyst Workflow, which could allow attackers to gain unauthorized access to an internal database, steal data, and obtain administrator privileges. This vulnerability is tracked as CVE-2024-6633 (CVSS score 9.8 out of 10).
Google Chrome has issued security updates addressing eight (8) vulnerabilities, with six (6) classified as "High" severity. These vulnerabilities impact Windows, Mac, and Linux operating systems.
Mozilla released security updates to address vulnerabilities in Firefox and Firefox ESR versions that could lead to arbitrary code execution. These vulnerabilities impact Firefox versions prior to 130 and Firefox ESR versions prior to 115.15.
Please review your environment to ensure the above-mentioned issues are patched in a timely manner. It is a security best practice to regularly update and/or patch software to the latest versions. The vulnerabilities above highlight the security benefits of limiting deployed software to "vendor-supported versions" only, which dramatically increases the likelihood that new vulnerabilities have a patch issued for them. Likewise, Cybersafe strongly encourages maintaining an inventory of current software in your environment, which helps ensure and inform your patch and vulnerability management program.