Security Advisory

Security Advisory

Critical Fortinet Vulnerability Exploiting in Wild

Summary

OEM

Fortinet

Severity

Critical

Date of Announcement

2024-10-16

CVSS Score

9.8

CVE

CVE-2024-23113

CWE

CWE-134

Exploited in Wild

Yes

Patch/Remediation Available

Yes

Advisory Version

1.0

Overview

A Critical vulnerability (CVE-2024-23113) has been identified in the FortiOS fgfmd daemon, which enables unauthenticated attackers to remotely execute arbitrary code or commands. This flaw arises from a format string vulnerability (CWE-134) within the fgfmd daemon, where specially crafted requests can initiate arbitrary code execution, potentially resulting in full system compromise. Affected versions include multiple releases of FortiOS, FortiPAM, FortiProxy, and FortiWeb.

Vulnerability Name

CVE ID

Product Affected

Impact

CVSS Score

Fortinet Products Format Sting Vulnerability

CVE-2024-23113

FortiOS, FortiProxy, FortiPAM, FortiWeb

Critical

9.8

Technical Summary

CVE ID

System Affected

Vulnerability Details

Impact

CVE-2024-23113

FortiOS (7.4.0-7.4.2, 7.2.0-7.2.6, 7.0.0-7.0.13), FortiProxy (7.4.0-7.4.2, 7.2.0-7.2.8, 7.0.0-7.0.15), FortiPAM (1.2 and lower), FortiWeb (7.4.0-7.4.2)

The vulnerability lies in the fgfmd daemon’s handling of format strings in incoming requests, which can be exploited by remote attackers via crafted inputs. Exploitation of this flaw allows attackers to execute unauthorized code or commands on the affected systems.

Remote Code Execution (RCE)

Remediation

Fortinet has released security patches addressing this vulnerability. Here is the below patched versions for the Fortinet products.

  • FortiOS: Upgrade to version 7.4.3, 7.2.7, or 7.0.14 and above.
  • FortiProxy: Upgrade to version 7.4.3, 7.2.9, or 7.0.16 and above.
  • FortiPAM: Migrate to the latest supported version.
  • FortiWeb: Upgrade to version 7.4.3 and above.

Workarounds

It is strongly advised to upgrade to the latest secure versions of the affected products. As there are workarounds suggested by Fortinet team, here is the below.
  • Disable the fgfm access on affected interfaces using the following command:
      config system interface
      edit “portX”
      set allow access ping https ssh
      next
      end
  • Limit FGFM connections to trusted IPs using a local-in policy, which reduces the attack surface but does not fully eliminate the risk.

General Recommendations

  • Conduct regular vulnerability scans and ensure timely security updates of the applications.
  • Segment your network to reduce the potential impact of a compromise.

References

Security Advisory

Microsoft’s October Security Patches Mitigate Remote Code Execution & Spoofing Risk

Summary

OEM

Microsoft

Severity

Critical

Date of Announcement

2024-10-10

NO. of Vulnerabilities Patched

117

Exploitable Vulnerabilities

02

Exploited in Wild

Yes

Advisory Version

1.0

Overview

Microsoft’s October 2024 Patch on Tuesday addresses a total of 117 vulnerabilities, including five critical zero-days. This update resolves two actively exploited vulnerabilities and a significant remote code execution issue, while also reintroducing previously mitigated vulnerabilities. The patch targets a range of critical issues across Microsoft products, categorized as follows:

  • 42 Remote Code Execution (RCE) Vulnerabilities
  • 28 Elevation of Privilege (EoP) Vulnerabilities
  • 26 Denial of Service (DoS) Vulnerabilities
  • 7 Security Feature Bypass Vulnerabilities
  • 7 Spoofing Vulnerabilities
  • 7 Information Disclosure & Tampering Vulnerabilities

Highlighted below vulnerabilities were publicly known at release, with two actively exploited as zero-days.

Vulnerability Name

CVE ID

Product Affected

Impact

CVSS Score

Microsoft Management Console Remote Code Execution Vulnerability (Exploitation detected)

CVE-2024-43572

Windows Servers and Windows 10&11

High

7.8

Winlogon Elevation of Privilege Vulnerability

CVE-2024-43583

Windows systems using Winlogon

High

7.8

Windows Hyper-V Security Feature Bypass Vulnerability

CVE-2024-20659

Windows Hyper-V

High

7.1

Windows MSHTML Platform Spoofing Vulnerability
(Exploitation Detected)

CVE-2024-43573

Windows Servers and Windows 10&11

Medium

6.5

Technical Summary

CVE ID

System Affected

Vulnerability Details

Impact

CVE-2024-43572

Windows Servers and Windows 10&11

This vulnerability enables attackers to remotely execute code on affected systems, allowing them to take control of the system.

Allows attackers to execute arbitrary code remotely.

CVE-2024-43583

Windows systems using Winlogon

Specifically, by abusing a third-party Input Method Editor (IME) during user sign-on. Attackers can exploit this vulnerability to escalate privileges and gain SYSTEM-level access on the affected machine

Allows attackers to gain SYSTEM-level privileges via third-party Input Method Editors (IME) during the Windows sign-in process.

CVE-2024-20659

Windows Hyper-V

A vulnerability in Windows Hyper-V that could allow a malicious guest to execute code on the host operating system. It leads to guest-to-host escapes or privilege escalation, making it possible for an attacker to gain elevated access or control of the host machine​

Allows guest-to-host escape or privilege escalation

CVE-2024-43573

Windows Servers and Windows 10&11

Improper input handling in web page generation [CWE-79], cross-site scripting)- Exploited by using fake web content that disguises legitimate web pages

Could lead to phishing attacks or data theft​.

Remediation

  • Implement a routine patch management process to regularly check for and apply the latest Microsoft security updates and patches for all affected products
  • Create and regularly test an incident response plan with defined communication channels and responsibilities to ensure readiness for security breaches
  • Regularly enable and review logging for critical systems, utilizing SIEM tools to centralize and analyze security events for unauthorized access and anomalies
  • Awareness of download files from the internet & regularly review and monitor your security setup, staying updated on new advisories to secure against emerging threats and vulnerabilities.

References

 https://msrc.microsoft.com/update-guide/ 

Security Advisory

Zimbra Remote Code Execution Vulnerability (CVE-2024-45519)

Summary

OEM

Zimbra

Severity

Critical

Date of Announcement

2024-10-02

CVSS Score

10.0

CVE

CVE-2024-45519

CWE

--

Exploited in Wild

Yes

Patch/Remediation Available

Yes

Advisory Version

1.0

Overview

A critical vulnerability (CVE-2024-29847) has been identified in Ivanti Endpoint Manager, allowing unauthenticated attackers to execute arbitrary code remotely. This flaw is due to a deserialization of untrusted data issue in the AgentPortal.exe service, specifically within the .NET Remote framework. Exploitation can allow attackers to perform file operations such as reading or writing files on the server, potentially leading to full system compromise.

Vulnerability Name

CVE ID

Product Affected

Impact

CVSS Score

Zimbra - Remote Command Execution

CVE-2024-45519

Zimbra Collaboration Suite (ZCS)

Critical

10.0

Technical Summary

CVE ID

System Affected

Vulnerability Details

Impact

CVE-2024-45519

Zimbra Collaboration Suite (ZCS) prior to 8.8.15 Patch 46, 9.0.0 Patch 41, 10.0.9, and 10.1.1

Attackers sent spoofed emails, appearing to be from Gmail, with base64-encoded malicious code in the CC field. This code tricks Zimbra server into executing it as shell commands instead of processing it as email addresses. The goal is to create a web shell on vulnerable servers, enabling remote access and control. Once installed, the web shell listens for specific cookie values to execute commands or download malicious files.

Complete remote control of the affected Zimbra instance.

Remediation

  • Patch Immediately
    • Administrators are strongly advised to update their Zimbra servers to the latest patched versions: 8.8.15 Patch 46, 9.0.0 Patch 41, 10.0.9, 10.1.1
  • Disable postjournal if unused
    • To minimize the attack surface, it is advisable to completely disable the postjournal service if your organization doesn’t require it.
  • Verify Network Configurations
    • Ensure that the mynetworks parameter is correctly configured to limit access to trusted IP ranges, preventing unauthorized access.
  • Monitor for Indicators of Compromise (IoCs)
    • Security teams should monitor network traffic and Zimbra server logs for unusual activity, such as connections from suspicious IP addresses (e.g., 79.124.49[.]86).

References

Security Advisory

11 Million Affected: Widespread of the Necro Trojan in Android Apps

Overview

In September 2024, Kaspersky reported a widespread attack involving the Necro Trojan, which has potentially infected around 11 million Android devices globally. This sophisticated malware primarily targets users downloading modified versions of popular applications such as Spotify, WhatsApp, and Minecraft, as well as certain apps available on Google Play.

Necro Trojan

The Necro Trojan is a type of malware that acts as a loader, meaning it can download and execute additional malicious components once it infiltrates a device. Initially discovered in 2019, the Trojan has evolved, integrating advanced features that enhance its evasion techniques and capabilities. The Trojan cleverly hides its malicious payload within seemingly innocuous images, making it difficult to detect using traditional security methods. This technique allows the malware to bypass standard security checks.

Once activated, the Necro loader can:

  • Download and execute DEX files, which are compiled Android code.
  • Install additional malicious applications on the device without user consent.
  • Intercept sensitive information and transmit it to a command and control (C2) server operated by the attackers.
  • Display and interact with advertisements in invisible windows, potentially generating revenue for the attackers.
  • Open arbitrary links and execute JavaScript code, which can further compromise user security.

Affected Applications

The Necro Trojan has been found embedded in various applications, both from unofficial sources and Google Play.

  • “Spotify Plus” which is marketed as a free, premium version, it contained the Necro Trojan within its code. Users were enticed to download it from unofficial sources, unknowingly risking their devices.
  • Wuta Camera, which is the popular photo editing app was infected in version 6.3.2.148.
  • Max Browser in version 1.2.0.
  • Mods for WhatsApp and popular games like Minecraft, Stumble Guys, Car Parking Multiplayer etc have also been identified as carriers of the Necro loader.

Remediation

To effectively guard against the Necro Trojan and similar threats, users are advised to take the following actions

  • Wuta Camera, upgrade to version 6.3.7.138 or latest version immediately.
  • Ensure all apps are updated to the latest versions.

General Recommendations

  • Avoid unofficial sources for downloading any software.
  • Implement mobile security solutions that provide real-time and regular scanning to detect and neutralize threats.
  • Before downloading an app, review its ratings and feedback—watch for suspiciously high ratings and consider low-rated reviews for potential issues.
  • Always stay updated on emerging vulnerabilities & threats.

References

  • https://securelist.com/necro-trojan-is-back-on-google-play/113881/
Security Advisory

Critical RCE Vulnerability Patched in Ivanti Endpoint Manager (CVE-2024-29847)

Summary

OEM

Ivanti

Severity

Critical

Date of Announcement

2024-09-13

CVSS Score

9.8

CVE

CVE-2024-29847

CWE

CWE-502

Exploited in Wild

Yes

Patch/Remediation Available

Yes

Advisory Version

1.0

Overview

A critical vulnerability (CVE-2024-29847) has been identified in Ivanti Endpoint Manager, allowing unauthenticated attackers to execute arbitrary code remotely. This flaw is due to a deserialization of untrusted data issue in the AgentPortal.exe service, specifically within the .NET Remote framework. Exploitation can allow attackers to perform file operations such as reading or writing files on the server, potentially leading to full system compromise.

Vulnerability Name

CVE ID

Product Affected

Impact

CVSS Score

Ivanti RCE (Remote code execution) Vulnerability

CVE-2024-29847

Ivanti Endpoint Manager (EPM) versions prior to 2022 SU6 and 2024 September updates

Critical

9.8

Technical Summary

CVE ID

System Affected

Vulnerability Details

Impact

CVE-2024-29847

Ivanti Endpoint Manager (EPM) versions prior to 2022 SU6 and 2024 September updates

The AgentPortal.exe service's insecure deserialization, notably in the On Start method that makes use of the antiquated Microsoft.NET Remoting framework, is the source of the vulnerability. Without any security enforcement, the service registers a TCP channel that makes it possible for attackers to inject malicious objects. Attackers can initiate file operations, such as reading, writing, or even executing arbitrary code on the server for example, launching web shells for remote code execution by transmitting a crafted hash table of serialized objects.

Remote Code Execution (RCE)

Remediation

Ivanti has released security updates addressing this vulnerability. Apply the latest patches for Ivanti EPM immediately:

  • Ivanti EPM 2022 SU6
  • Ivanti EPM September 2024 Update

General Recommendations:

  • Conduct regular vulnerability scans to ensure that all systems are up-to-date, and no vulnerable versions are in use.
  • Ensure that systems and users only have the minimum required access levels to reduce the impact of any compromise.
  • Segregate critical systems from the rest of the network to minimize potential damage from a successful exploitation.

References

Security Advisory

Critical SonicWall Firewall Vulnerability Exploited in Ransomware Attacks

Summary

OEM

SonicWall

Severity

Critical

Date of Announcement

2024-09-06

CVSS Score

9.3

CVE

CVE-2024-40766

CWE

CWE-284

Exploited in Wild

Yes

Patch/Remediation Available

Yes

Advisory Version

1.0

Overview

A critical vulnerability in SonicWall SonicOS management access and SSLVPN, tracked as CVE-2024-40766, has been identified and potentially exploited in ransomware attacks. The vulnerability affects SonicWall firewalls (Gen 5, Gen 6, and Gen 7) and involves improper access control, which could allow unauthorized resource access or trigger a firewall crash. The Akira and other ransomware group is suspected of using this flaw to gain initial access to compromised systems.

Vulnerability Name

CVE ID

Product Affected

Impact

CVSS Score

SonicOS Improper Access Control Vulnerability

CVE-2024-40766

SOHO (Gen 5),
Gen6 Firewalls,

Gen7 Firewalls

 
(Detailed table in Remediation)

Critical

9.3

Technical Summary

CVE ID

System Affected

Vulnerability Details

Impact

CVE-2024-40766

Affects SonicWall Gen 5 and Gen 6 devices, as well as Gen 7 devices running SonicOS 7.0.1-5035 and older versions.

The SonicWall SSLVPN vulnerability (CVE-2024-40766) involves an improper access control issue within SonicOS, specifically targeting the management access and SSLVPN functionality of the firewall. This flaw allows an unauthenticated attacker to gain unauthorized access to critical resources or cause a firewall crash by bypassing security restrictions.

Potential unauthorized access to SonicWall firewalls, leading to resource exposure or system crashes.

Remediation

SonicWall has released patches to address CVE-2024-40766. Organizations are urged to apply these patches immediately to mitigate the risk of exploitation.
Here is the below table for fixed Platforms with the impacted versions along with fixed versions:

Impacted Platform

Impacted Versions

Fixed Versions

SOHO (Gen 5)

5.9.2.14-12o and older versions

5.9.2.14-13o

Gen6 Firewalls

6.5.4.14-109n and older versions

6.5.2.8-2n (for SM9800, NSsp 12400, NSsp 12800)


6.5.4.15.116n (for other Gen6 Firewall appliances)

Gen7 FirewallsGen7 Firewalls

SonicOS build version 7.0.1-5035 and older versions.


However, SonicWall recommends you install the latest firmware.

This vulnerability is not reproducible in SonicOS firmware version higher than 7.0.1-5035.


However, SonicWall recommends you install the latest firmware.

General Recommendations:

  • Limit management and SSLVPN access to trusted sources and disable WAN management portal internet access as an additional safeguard.
  • SonicWall strongly advises that customers using GEN5 and GEN6 firewalls with SSLVPN users should update their credentials as a precaution.
  • Enforce multi-factor authentication (MFA) for all SSLVPN users to reduce the risk of unauthorized access.
  • Continuously monitor for signs of compromise, especially for abnormal activities related to SonicWall devices.
  • Regularly monitor for suspicious login attempts from unusual locations or IP addresses, and block any that are identified.
  • Additionally, if there is any unauthorized access to the SonicWall management interface, take steps to block those access points as well.

References

Scroll to top