Author: Ravi

Security Advisory

Critical Flaw in WordPress Hunk Companion Plugin Enables Unauthorized Plugin Installation

Summary

OEM

WordPress

Severity

Critical

Date of Announcement

2024-12-13

CVSS score

9.8

CVE

CVE-2024-11972

Exploited in Wild

Yes

Patch/Remediation Available

Yes 

Advisory Version

1.0

Overview

A Critical flaw in the WordPress Hunk Companion plugin has been actively exploited to enable unauthorized installation and activation of plugins. This vulnerability stems from insufficient authorization checks on a REST API endpoint. Exploited sites may see attackers silently install malicious or outdated plugins, leading to severe security risks, including remote code execution (RCE), unauthorized access, and website compromise.

Vulnerability Name

CVE ID

Product Affected

Severity

CVSS Score

Hunk Companion Plugin Vulnerability

CVE-2024-11972

Hunk Companion Plugin for WordPress

Critical

9.8

Technical Summary

CVE ID

System Affected

Vulnerability Details

Impact

CVE-2024-11972

Hunk Companion plugin versions  prior to 1.8.4

This vulnerability is caused by improper validation mechanisms in the file hunk-companion/import/app/app.php, a script responsible for handling plugin import and installation processes. At its core, the bug permits unauthenticated requests to bypass critical permission checks intended to ensure that only authorized users can install plugins.

This vulnerability potentially leads to remote code execution, unauthorized access, and full website compromise.

Remediations

  • “Hunk Companion” WordPress plugin, should update to version 9.0 or later.

General Recommendations

  • Regularly inspect your WordPress site for unknown plugins or modifications.
  • Reducing the risk of delayed patching can be achieved by enabling automatic updates for all plugins
  • Review server and WordPress logs for unauthorized login attempts to detect possible compromise.
  • Keep all plugins, themes, and WordPress core updated. Use strong, unique passwords and enable two-factor authentication for admin accounts.

References

Security Advisory

Zero-Day Vulnerability in Windows Exposes NTLM Credentials

Summary

OEM

Microsoft

Severity

Critical

Date of Announcement

2024-12-12

CVE

Not yet assigned

Exploited in Wild

No

Patch/Remediation Available

Yes (No official patch)

Advisory Version

1.0

Vulnerability Name

NTLM Zero-Day

Overview

A recently discovered zero-day vulnerability in Windows, enables attackers to steal user credentials through a malicious file viewed in File Explorer. This “clickless” exploit bypasses the need for user interaction, creating significant security risks. While Microsoft investigates, 0patch has released an unofficial micropatch to mitigate the threat. Users are advised to apply the patch or implement mitigations to reduce exposure.

Vulnerability Name

CVE ID

Product Affected

Severity

NTLM zero-day

Not Yet Assigned

Microsoft Windows

Critical

Technical Summary

CVE ID

System Affected

Vulnerability Details

Impact

Not Yet Assigned

Windows 7 to 11 (24H2), Server 2008 R2 to 2022

A zero-day vulnerability that allows NTLM credential theft by viewing a malicious file in File Explorer. The flaw forces an outbound NTLM connection, leaking NTLM hashes. Exploitation requires no user interaction beyond viewing a malicious file, which can be delivered through shared folders, USB drives, or malicious downloads in the browser's default folder.

Enables attackers to steal NTLM credentials and  gain unauthorized access of the affected systems.

Remediations

  • Apply the 0patch Micropatch:
    • Register for a free account at 0patch Central.
    • Install the 0patch agent to automatically receive the micropatch.
  • Disable NTLM Authentication:
    • Navigate to Security Settings > Local Policies > Security Options in Group Policy.
    • Configure “Network security: Restrict NTLM” policies to limit NTLM usage. 

General Recommendations

  • Only enable patches or configurations after testing them on non-critical devices to ensure minimal impact.
  • Stay updated on Microsoft’s response and the availability of an official patch through trusted news sources or Microsoft’s advisories.
  • Inform users about the risks of handling unfamiliar files and downloading content from untrusted sources.
  • Monitor systems for suspicious NTLM-related activity.

References

Security Advisory

Microsoft December 2024 Patch Tuesday: Critical Fixes for Zero-Day and Remote Code Execution

Summary

OEM

Microsoft

Severity

High

Date of Announcement

2024-12-12

NO. of Vulnerabilities Patched

71

Actively Exploited

01

Exploited in Wild

Yes

Advisory Version

1.0

Overview

Microsoft released updates addressing 71 vulnerabilities across its product suite, including 1 actively exploited zero-day vulnerability. Critical patches include fixes for remote code execution (RCE) flaws in Windows TCP/IP and Windows Common Log File System (CLFS). Immediate attention is required for systems running Windows Server, Microsoft Exchange, and other affected components. The patch targets a range of critical issues across Microsoft products, categorized as follows:

  • 30 Remote Code Execution (RCE) Vulnerabilities
  • 27 Elevation of Privilege (EoP) Vulnerabilities
  • 7 Information Disclosure Vulnerabilities
  • 4 Denial of Service (DoS) Vulnerabilities
  • 1Defense-in-depth improvement
  • 1 Spoofing Vulnerabilities

The highlighted vulnerabilities include one zero-day flaw and critical RCE vulnerabilities, one of which is currently being actively exploited.

Vulnerability Name

CVE ID

Product Affected

Impact

CVSS Score

Unauthenticated Remote Code Execution in Windows LDAP

CVE-2024-49112 

Windows

Critical

9.8

Remote Code Execution in Windows Hyper-V

CVE-2024-49117

Windows

High

8.8

Remote Code Execution via Use-After-Free in Remote Desktop Services

CVE-2024-49132

Windows

High

8.1

Windows Common Log File System Driver Elevation of Privilege Vulnerability

CVE-2024-49138

Windows

High

7.8

Technical Summary

CVE ID

System Affected

Vulnerability Details

Impact

CVE-2024-49112 

Microsoft Windows Lightweight Directory Access Protocol (LDAP)

This vulnerability allows attackers to execute arbitrary code at the LDAP service level by sending specially crafted LDAP calls to a Windows Domain Controller. While Microsoft recommends disconnecting Domain Controllers from the Internet as a mitigation, applying the patch is the best course of action.

Remote Code Execution

CVE-2024-49117

Microsoft Windows Hyper-V

This vulnerability can be exploited by an authenticated attacker to execute code on the host operating system from a guest virtual machine. Cross-VM attacks are also possible. Although the attacker must have basic authentication, the vulnerability poses significant risks to virtualized environments.

Remote Code Execution

CVE-2024-49132

Microsoft Windows Remote Desktop Services

An attacker can exploit a use-after-free memory condition in Remote Desktop Gateway, allowing RCE. Exploitation requires precise timing, which makes this an advanced attack. Successful exploitation grants attackers control over the affected system.

Allows an attacker to execute remote code on systems using Remote Desktop Gateway

CVE-2024-49138

Windows Common Log File System Driver

This critical security flaw affects the Windows Common Log File System Driver and is classified as an Elevation of Privilege vulnerability.

It allows attackers to gain SYSTEM privileges on Windows devices, potentially giving them full control over the affected system.

Additional Critical Patches Address High-Severity Vulnerabilities

  • These are the eight other critical vulnerabilities that are rated 8.1 on the CVSS scale in Remote Desktop Services (CVE-2024-49116, CVE-2024-49108, CVE-2024-49106, CVE-2024-49115, CVE-2024-49128, CVE-2024-49123, CVE-2024-49120, CVE-2024-49119).
  • Windows Mobile Broadband Driver Elevation of Privilege Vulnerability (CVE-2024-49077).
  • Windows Mobile Broadband Driver Elevation of Privilege Vulnerability (CVE-2024-49132).

Remediation

  • Ensure all December 2024 Patch Tuesday updates are applied promptly.
  • Implement a routine patch management process to regularly check for and apply the latest Microsoft security updates and patches for all affected products.
  • Create and test an incident response plan with defined communication channels and responsibilities to ensure readiness for any security breaches.

References

https://msrc.microsoft.com/update-guide/releaseNote/2024-Dec

Security Advisory

RCE and File Deletion Vulnerabilities in Veeam Service Provider Console

Summary

OEM

Veeam

Severity

Critical

Date of Announcement

2024-12-05

CVSS Score

9.9

CVE

CVE-2024-42448, CVE-2024-42449

Exploited in Wild

No

Patch/Remediation Available

Yes

Advisory Version

1.0

Overview

Two critical vulnerabilities in the Veeam Service Provider Console (VSPC) enable attackers to perform unauthenticated remote code execution (RCE) and arbitrary file deletion. These flaws present severe threats to the infrastructure of managed service providers that depend on VSPC for their operations.

Vulnerability Name

CVE ID

Product Affected

Severity

CVSS Score

Veeam Service Provider Console RCE

CVE-2024-42448

Veeam Service Provider Console

Critical

9.9

NTLM Hash Leak and Arbitrary File Deletion on Server

CVE-2024-42449

Veeam Service Provider Console

High

7.1

Technical Summary

CVE ID

System Affected

Vulnerability Details

Impact

CVE-2024-42448

VSPC v8.1.0.21377 and all earlier versions.

This critical remote code execution (RCE) vulnerability allows unauthenticated attackers to execute arbitrary code on the Veeam Service Provider Console server. It exploits a flaw in the server's handling of input, enabling attackers to compromise the entire system.

Allows attackers to execute arbitrary code on the server remotely.

CVE-2024-42449

VSPC v8.1.0.21377 and all earlier versions.

This vulnerability allows attackers, via an authorized VSPC management agent, to leak the NTLM hash of the VSPC server service account and delete arbitrary files on the server. Exploitation requires valid credentials for an agent authorized by the VSPC server.

Permits authorized management agents to delete arbitrary files from the VSPC server.

Remediations

  • Update Veeam Service Provider Console to version 8.1.0.21999 or later version, which addresses this vulnerability.
  • Limit network exposure of VSPC and allow access only to trusted management agents.

General Recommendations

  • Monitor VSPC logs to detect suspicious activities and respond promptly.
  • Use strong, unique passwords for service accounts and enable multi-factor authentication (MFA) where possible.

References

Security Advisory

November 2024 Microsoft Patches: Addressing Zero-Day Exploits and High-Priority Vulnerabilities

Summary

OEM

Microsoft

Severity

High

Date of Announcement

2024-11-13

NO. of Vulnerabilities Patched

89

Actively Exploited

02

Exploited in Wild

Yes

Advisory Version

1.0

Overview

Microsoft’s November 2024 Patch Tuesday release addresses 89 security vulnerabilities across various products, including critical updates for Windows, Microsoft Edge, SQL Server, and more. Four zero-day vulnerabilities are part of this release, with two actively exploited in the wild. The patch targets a range of critical issues across Microsoft products, categorized as follows:

  • 51 Remote Code Execution (RCE) Vulnerabilities
  • 28 Elevation of Privilege (EoP) Vulnerabilities
  • 4 Denial of Service (DoS) Vulnerabilities
  • 2 Security Feature Bypass Vulnerabilities
  • 3 Spoofing Vulnerabilities
  • 1 Information Disclosure Vulnerabilities
The highlighted vulnerabilities include four zero-day flaws, two of which are currently being actively exploited.

Vulnerability Name

CVE ID

Product Affected

Impact

CVSS Score

Microsoft Management Console Remote Code Execution Vulnerability (Exploitation detected)

CVE-2024-43572

Windows Servers and Windows 10&11

High

7.8

Winlogon Elevation of Privilege Vulnerability

CVE-2024-43583

Windows systems using Winlogon

High

7.8

Windows Hyper-V Security Feature Bypass Vulnerability

CVE-2024-20659

Windows Hyper-V

High

7.1

Windows MSHTML Platform Spoofing Vulnerability
(Exploitation Detected)

CVE-2024-43573

Windows Servers and Windows 10&11

Medium

6.5

Technical Summary

CVE ID

System Affected

Vulnerability Details

Impact

CVE-2024-49039

Windows Servers and Windows 10&11

This zero-day allows attackers to escalate privileges within Windows environments. Exploited actively, it is particularly concerning for its ability to grant attackers elevated access.

Elevation of privilege potentially leading to full system control.

CVE-2024-49019

Windows Servers

A flaw in Active Directory Certificate Services allows attackers to gain domain administrator privileges by exploiting misconfigured version 1 certificate templates with overly broad enrollment permissions. This can be triggered by an attacker crafting a certificate request that bypasses security controls.

Elevate privileges to domain administrator, compromising the entire Active Directory environment and enabling full network control.

CVE-2024-49040

Microsoft Exchange Server 2016 and 2019

A vulnerability in Microsoft Exchange Server allows attackers to spoof the sender’s email address in emails to local recipients by exploiting improper verification of the P2 FROM header. This flaw can be used to launch email-based phishing and social engineering attacks.

Attackers can impersonate trusted senders, deceiving recipients into trusting malicious emails, potentially leading to data compromise or malware infections.

CVE-2024-43451

Windows Servers and Windows 10&11

A zero-day that exposes NTLMv2 hashes, enabling “pass-the-hash” attacks for unauthorized network access. This is the third NTLM-related zero-day discovered in 2024.

High risk in network environments; attackers may impersonate users and compromise critical systems.

Additional Critical Patches Address High-Severity Vulnerabilities

  • Azure CycleCloud: Remote Code Execution Vulnerability (CVE-2024-43602).
  • .NET and Visual Studio: Remote Code Execution vulnerability (CVE-2024-43498).
  • Microsoft Windows VMSwitch: Elevation of Privilege vulnerability (CVE-2024-43625).
  • Windows Kerberos: Remote Code Execution vulnerability (CVE-2024-43639).
  • SQL Server: Multiple updates targeting memory vulnerabilities, each with a CVSS score of 8.8, affecting database security.

Remediation

  • Implement a routine patch management process to regularly check for and apply the latest Microsoft security updates and patches for all affected products.
  • Regularly audit Active Directory and Exchange Server configurations to close potential security gaps.
  • Awareness of download files from the internet & regularly review and monitor your security setup, staying updated on new advisories to secure against emerging threats and vulnerabilities.
  • Create and test an incident response plan with defined communication channels and responsibilities to ensure readiness for any security breaches.

References

https://msrc.microsoft.com/update-guide/releaseNote/2024-Nov

Security Advisory

Critical Remote Code Execution Vulnerability in VMware vCenter Server (CVE-2024-38812)

Summary

OEM

VMware

Severity

Critical

Date of Announcement

2024-10-23

CVSS Score

9.8

CVE

CVE-2024-38812, CVE-2024-38813

Exploited in Wild

Yes

Patch/Remediation Available

Yes

Advisory Version

1.0

Overview

Critical vulnerabilities have been identified in the vCenter Server that require immediate action. A heap overflow vulnerability in the DCE/RPC protocol could allow a malicious actor with network access to execute remote code by sending specially crafted packets. Additionally, there is a privilege escalation vulnerability that enables an attacker to escalate privileges to root using a similar method. Both vulnerabilities pose significant risks, and it is essential to implement remediation measures promptly to protect your vCenter Server and associated assets.

Vulnerability Name

CVE ID

Product Affected

Severity

Fixed Version

VMware vCenter Server heap-overflow vulnerability

CVE-2024-38812

VMware vCenter Servers and VMware Cloud Foundation

Critical

7.0 U3t, 8.0 U3d and U2e (vCenter Server)

Async Patch for VMware Cloud Foundation

VMware vCenter privilege escalation vulnerability

CVE-2024-38813

VMware vCenter Servers and VMware Cloud Foundation

Critical

7.0 U3t, 8.0 U3d and U2e (vCenter Server)
Async Patch for VMware Cloud Foundation

Technical Summary

CVE ID

System Affected

Vulnerability Details

Impact

CVE-2024-38812

VMware vCenter Server 7.0 and 8.0, VMware Cloud Foundation 4.x and 5.x

The critical vulnerability is caused by a heap overflow in vCenter Server's DCE/RPC protocol implementation. This allows an unauthenticated attacker to remotely execute arbitrary code without user interaction.

Remote code execution.

CVE-2024-38813

VMware vCenter Server 7.0 and 8.0, VMware Cloud Foundation 4.x and 5.x

This is a privilege escalation vulnerability in VMware vCenter Server that allows attackers with network access to escalate their privileges to root by exploiting an improper permission management flaw. By sending specially crafted network packets, a malicious actor can completely takeover the target.

Full administrative control.

Recommendations

Patch Immediately:

Administrators are strongly advised to update their VMware vCenter Server to the latest available versions:

  • vCenter Server 7.0 U3t
  • vCenter Server 8.0 U3d and U2e
  • VMware Cloud Foundation (Async Patching available).
Limit Network Access:

Restrict network access to vCenter Server by configuring firewalls to allow access only from trusted IP addresses.

Monitor for Indicators of Compromise (IoCs):

Security teams should monitor logs and network traffic for unusual activity, including unexpected traffic to or from the vCenter Server.

References

https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24968 

Security Advisory

Veeam Vulnerability (CVE-2024-40711) Exploited by Ransomware

Summary

OEM

Veeam

Severity

Critical

Date of Announcement

2024-10-17

CVSS Score

9.8

CVE

CVE-2024-40711

CWE

CWE-502

Exploited in Wild

Yes

Patch/Remediation Available

Yes

Advisory Version

1.0

Overview

Veeam Backup & Replication software has been found to contain a critical vulnerability (CVE-2024-40711) that is actively being exploited by ransomware actors to distribute Akira and Fog ransomware. This vulnerability allows remote code execution without authentication, which can result in complete system compromise. Attackers are using this security gap to establish unauthorized accounts with administrative rights and spread ransomware on systems that lack protection.

Vulnerability Name

CVE ID

Product Affected

Impact

CVSS Score

Veeam Backup & Replication Critical Code Execution Vulnerability

CVE-2024-40711

Veeam Backup & Replication

Critical

9.8

Technical Summary

CVE ID

System Affected

Vulnerability Details

Impact

CVE-2024-40711

Veeam Backup & Replication versions prior to 12.2.0.334

CVE-2024-40711 is a deserialization of untrusted data flaw that can be exploited via a URI /trigger on port 8000. Once exploited, the vulnerability triggers Veeam.Backup.MountService.exe to create a local account named "point" with administrative and Remote Desktop User privileges. Attackers then use this access to deploy ransomware such as Akira and Fog, and in some cases, exfiltrate data using tools like Rclone.

Remote code execution, creation of unauthorized admin accounts, ransomware deployment (Akira and Fog), data exfiltration.

Recommendations

  • Update Veeam Backup & Replication to version 12.2.0.334 or later, which addresses this vulnerability.
  • Ensure VPN gateways are running supported software versions and have MFA enabled.

Threat Indicators and Monitoring

  • Look for the account “point” or similar with elevated privileges.
  • Monitor for unexpected instances of Veeam.Backup.MountService.exe creating or executing net.exe.

References

Security Advisory

Microsoft’s October Security Patches Mitigate Remote Code Execution & Spoofing Risk

Summary

OEM

Microsoft

Severity

Critical

Date of Announcement

2024-10-10

NO. of Vulnerabilities Patched

117

Exploitable Vulnerabilities

02

Exploited in Wild

Yes

Advisory Version

1.0

Overview

Microsoft’s October 2024 Patch on Tuesday addresses a total of 117 vulnerabilities, including five critical zero-days. This update resolves two actively exploited vulnerabilities and a significant remote code execution issue, while also reintroducing previously mitigated vulnerabilities. The patch targets a range of critical issues across Microsoft products, categorized as follows:

  • 42 Remote Code Execution (RCE) Vulnerabilities
  • 28 Elevation of Privilege (EoP) Vulnerabilities
  • 26 Denial of Service (DoS) Vulnerabilities
  • 7 Security Feature Bypass Vulnerabilities
  • 7 Spoofing Vulnerabilities
  • 7 Information Disclosure & Tampering Vulnerabilities

Highlighted below vulnerabilities were publicly known at release, with two actively exploited as zero-days.

Vulnerability Name

CVE ID

Product Affected

Impact

CVSS Score

Microsoft Management Console Remote Code Execution Vulnerability (Exploitation detected)

CVE-2024-43572

Windows Servers and Windows 10&11

High

7.8

Winlogon Elevation of Privilege Vulnerability

CVE-2024-43583

Windows systems using Winlogon

High

7.8

Windows Hyper-V Security Feature Bypass Vulnerability

CVE-2024-20659

Windows Hyper-V

High

7.1

Windows MSHTML Platform Spoofing Vulnerability
(Exploitation Detected)

CVE-2024-43573

Windows Servers and Windows 10&11

Medium

6.5

Technical Summary

CVE ID

System Affected

Vulnerability Details

Impact

CVE-2024-43572

Windows Servers and Windows 10&11

This vulnerability enables attackers to remotely execute code on affected systems, allowing them to take control of the system.

Allows attackers to execute arbitrary code remotely.

CVE-2024-43583

Windows systems using Winlogon

Specifically, by abusing a third-party Input Method Editor (IME) during user sign-on. Attackers can exploit this vulnerability to escalate privileges and gain SYSTEM-level access on the affected machine

Allows attackers to gain SYSTEM-level privileges via third-party Input Method Editors (IME) during the Windows sign-in process.

CVE-2024-20659

Windows Hyper-V

A vulnerability in Windows Hyper-V that could allow a malicious guest to execute code on the host operating system. It leads to guest-to-host escapes or privilege escalation, making it possible for an attacker to gain elevated access or control of the host machine​

Allows guest-to-host escape or privilege escalation

CVE-2024-43573

Windows Servers and Windows 10&11

Improper input handling in web page generation [CWE-79], cross-site scripting)- Exploited by using fake web content that disguises legitimate web pages

Could lead to phishing attacks or data theft​.

Remediation

  • Implement a routine patch management process to regularly check for and apply the latest Microsoft security updates and patches for all affected products
  • Create and regularly test an incident response plan with defined communication channels and responsibilities to ensure readiness for security breaches
  • Regularly enable and review logging for critical systems, utilizing SIEM tools to centralize and analyze security events for unauthorized access and anomalies
  • Awareness of download files from the internet & regularly review and monitor your security setup, staying updated on new advisories to secure against emerging threats and vulnerabilities.

References

 https://msrc.microsoft.com/update-guide/ 

Security Advisory

11 Million Affected: Widespread of the Necro Trojan in Android Apps

Overview

In September 2024, Kaspersky reported a widespread attack involving the Necro Trojan, which has potentially infected around 11 million Android devices globally. This sophisticated malware primarily targets users downloading modified versions of popular applications such as Spotify, WhatsApp, and Minecraft, as well as certain apps available on Google Play.

Necro Trojan

The Necro Trojan is a type of malware that acts as a loader, meaning it can download and execute additional malicious components once it infiltrates a device. Initially discovered in 2019, the Trojan has evolved, integrating advanced features that enhance its evasion techniques and capabilities. The Trojan cleverly hides its malicious payload within seemingly innocuous images, making it difficult to detect using traditional security methods. This technique allows the malware to bypass standard security checks.

Once activated, the Necro loader can:

  • Download and execute DEX files, which are compiled Android code.
  • Install additional malicious applications on the device without user consent.
  • Intercept sensitive information and transmit it to a command and control (C2) server operated by the attackers.
  • Display and interact with advertisements in invisible windows, potentially generating revenue for the attackers.
  • Open arbitrary links and execute JavaScript code, which can further compromise user security.

Affected Applications

The Necro Trojan has been found embedded in various applications, both from unofficial sources and Google Play.

  • “Spotify Plus” which is marketed as a free, premium version, it contained the Necro Trojan within its code. Users were enticed to download it from unofficial sources, unknowingly risking their devices.
  • Wuta Camera, which is the popular photo editing app was infected in version 6.3.2.148.
  • Max Browser in version 1.2.0.
  • Mods for WhatsApp and popular games like Minecraft, Stumble Guys, Car Parking Multiplayer etc have also been identified as carriers of the Necro loader.

Remediation

To effectively guard against the Necro Trojan and similar threats, users are advised to take the following actions

  • Wuta Camera, upgrade to version 6.3.7.138 or latest version immediately.
  • Ensure all apps are updated to the latest versions.

General Recommendations

  • Avoid unofficial sources for downloading any software.
  • Implement mobile security solutions that provide real-time and regular scanning to detect and neutralize threats.
  • Before downloading an app, review its ratings and feedback—watch for suspiciously high ratings and consider low-rated reviews for potential issues.
  • Always stay updated on emerging vulnerabilities & threats.

References

  • https://securelist.com/necro-trojan-is-back-on-google-play/113881/
Scroll to top