Security Advisory

Security Advisory

Critical Flaw in WordPress Hunk Companion Plugin Enables Unauthorized Plugin Installation

Summary

OEM

WordPress

Severity

Critical

Date of Announcement

2024-12-13

CVSS score

9.8

CVE

CVE-2024-11972

Exploited in Wild

Yes

Patch/Remediation Available

Yes 

Advisory Version

1.0

Overview

A Critical flaw in the WordPress Hunk Companion plugin has been actively exploited to enable unauthorized installation and activation of plugins. This vulnerability stems from insufficient authorization checks on a REST API endpoint. Exploited sites may see attackers silently install malicious or outdated plugins, leading to severe security risks, including remote code execution (RCE), unauthorized access, and website compromise.

Vulnerability Name

CVE ID

Product Affected

Severity

CVSS Score

Hunk Companion Plugin Vulnerability

CVE-2024-11972

Hunk Companion Plugin for WordPress

Critical

9.8

Technical Summary

CVE ID

System Affected

Vulnerability Details

Impact

CVE-2024-11972

Hunk Companion plugin versions  prior to 1.8.4

This vulnerability is caused by improper validation mechanisms in the file hunk-companion/import/app/app.php, a script responsible for handling plugin import and installation processes. At its core, the bug permits unauthenticated requests to bypass critical permission checks intended to ensure that only authorized users can install plugins.

This vulnerability potentially leads to remote code execution, unauthorized access, and full website compromise.

Remediations

  • “Hunk Companion” WordPress plugin, should update to version 9.0 or later.

General Recommendations

  • Regularly inspect your WordPress site for unknown plugins or modifications.
  • Reducing the risk of delayed patching can be achieved by enabling automatic updates for all plugins
  • Review server and WordPress logs for unauthorized login attempts to detect possible compromise.
  • Keep all plugins, themes, and WordPress core updated. Use strong, unique passwords and enable two-factor authentication for admin accounts.

References

Security Advisory

Zero-Day Vulnerability in Windows Exposes NTLM Credentials

Summary

OEM

Microsoft

Severity

Critical

Date of Announcement

2024-12-12

CVE

Not yet assigned

Exploited in Wild

No

Patch/Remediation Available

Yes (No official patch)

Advisory Version

1.0

Vulnerability Name

NTLM Zero-Day

Overview

A recently discovered zero-day vulnerability in Windows, enables attackers to steal user credentials through a malicious file viewed in File Explorer. This “clickless” exploit bypasses the need for user interaction, creating significant security risks. While Microsoft investigates, 0patch has released an unofficial micropatch to mitigate the threat. Users are advised to apply the patch or implement mitigations to reduce exposure.

Vulnerability Name

CVE ID

Product Affected

Severity

NTLM zero-day

Not Yet Assigned

Microsoft Windows

Critical

Technical Summary

CVE ID

System Affected

Vulnerability Details

Impact

Not Yet Assigned

Windows 7 to 11 (24H2), Server 2008 R2 to 2022

A zero-day vulnerability that allows NTLM credential theft by viewing a malicious file in File Explorer. The flaw forces an outbound NTLM connection, leaking NTLM hashes. Exploitation requires no user interaction beyond viewing a malicious file, which can be delivered through shared folders, USB drives, or malicious downloads in the browser's default folder.

Enables attackers to steal NTLM credentials and  gain unauthorized access of the affected systems.

Remediations

  • Apply the 0patch Micropatch:
    • Register for a free account at 0patch Central.
    • Install the 0patch agent to automatically receive the micropatch.
  • Disable NTLM Authentication:
    • Navigate to Security Settings > Local Policies > Security Options in Group Policy.
    • Configure “Network security: Restrict NTLM” policies to limit NTLM usage. 

General Recommendations

  • Only enable patches or configurations after testing them on non-critical devices to ensure minimal impact.
  • Stay updated on Microsoft’s response and the availability of an official patch through trusted news sources or Microsoft’s advisories.
  • Inform users about the risks of handling unfamiliar files and downloading content from untrusted sources.
  • Monitor systems for suspicious NTLM-related activity.

References

Security Advisory

Microsoft December 2024 Patch Tuesday: Critical Fixes for Zero-Day and Remote Code Execution

Summary

OEM

Microsoft

Severity

High

Date of Announcement

2024-12-12

NO. of Vulnerabilities Patched

71

Actively Exploited

01

Exploited in Wild

Yes

Advisory Version

1.0

Overview

Microsoft released updates addressing 71 vulnerabilities across its product suite, including 1 actively exploited zero-day vulnerability. Critical patches include fixes for remote code execution (RCE) flaws in Windows TCP/IP and Windows Common Log File System (CLFS). Immediate attention is required for systems running Windows Server, Microsoft Exchange, and other affected components. The patch targets a range of critical issues across Microsoft products, categorized as follows:

  • 30 Remote Code Execution (RCE) Vulnerabilities
  • 27 Elevation of Privilege (EoP) Vulnerabilities
  • 7 Information Disclosure Vulnerabilities
  • 4 Denial of Service (DoS) Vulnerabilities
  • 1Defense-in-depth improvement
  • 1 Spoofing Vulnerabilities

The highlighted vulnerabilities include one zero-day flaw and critical RCE vulnerabilities, one of which is currently being actively exploited.

Vulnerability Name

CVE ID

Product Affected

Impact

CVSS Score

Unauthenticated Remote Code Execution in Windows LDAP

CVE-2024-49112 

Windows

Critical

9.8

Remote Code Execution in Windows Hyper-V

CVE-2024-49117

Windows

High

8.8

Remote Code Execution via Use-After-Free in Remote Desktop Services

CVE-2024-49132

Windows

High

8.1

Windows Common Log File System Driver Elevation of Privilege Vulnerability

CVE-2024-49138

Windows

High

7.8

Technical Summary

CVE ID

System Affected

Vulnerability Details

Impact

CVE-2024-49112 

Microsoft Windows Lightweight Directory Access Protocol (LDAP)

This vulnerability allows attackers to execute arbitrary code at the LDAP service level by sending specially crafted LDAP calls to a Windows Domain Controller. While Microsoft recommends disconnecting Domain Controllers from the Internet as a mitigation, applying the patch is the best course of action.

Remote Code Execution

CVE-2024-49117

Microsoft Windows Hyper-V

This vulnerability can be exploited by an authenticated attacker to execute code on the host operating system from a guest virtual machine. Cross-VM attacks are also possible. Although the attacker must have basic authentication, the vulnerability poses significant risks to virtualized environments.

Remote Code Execution

CVE-2024-49132

Microsoft Windows Remote Desktop Services

An attacker can exploit a use-after-free memory condition in Remote Desktop Gateway, allowing RCE. Exploitation requires precise timing, which makes this an advanced attack. Successful exploitation grants attackers control over the affected system.

Allows an attacker to execute remote code on systems using Remote Desktop Gateway

CVE-2024-49138

Windows Common Log File System Driver

This critical security flaw affects the Windows Common Log File System Driver and is classified as an Elevation of Privilege vulnerability.

It allows attackers to gain SYSTEM privileges on Windows devices, potentially giving them full control over the affected system.

Additional Critical Patches Address High-Severity Vulnerabilities

  • These are the eight other critical vulnerabilities that are rated 8.1 on the CVSS scale in Remote Desktop Services (CVE-2024-49116, CVE-2024-49108, CVE-2024-49106, CVE-2024-49115, CVE-2024-49128, CVE-2024-49123, CVE-2024-49120, CVE-2024-49119).
  • Windows Mobile Broadband Driver Elevation of Privilege Vulnerability (CVE-2024-49077).
  • Windows Mobile Broadband Driver Elevation of Privilege Vulnerability (CVE-2024-49132).

Remediation

  • Ensure all December 2024 Patch Tuesday updates are applied promptly.
  • Implement a routine patch management process to regularly check for and apply the latest Microsoft security updates and patches for all affected products.
  • Create and test an incident response plan with defined communication channels and responsibilities to ensure readiness for any security breaches.

References

https://msrc.microsoft.com/update-guide/releaseNote/2024-Dec

Security Advisory

Advisory on MUT-8694: Threat Actors Exploiting Developer Trust in Open-Source Libraries

MUT-8694: Threat Actors Exploiting Developer Trust in Open-Source Libraries

Overview

In November 2024, a supply chain attack designated as MUT-8694 was identified, targeting developers relying on npm and PyPI package repositories. This campaign exploits trust in open-source ecosystems, utilizing typosquatting to distribute malicious packages. The malware predominantly affects Windows users, delivering advanced infostealer payloads.

MUT-8694 Campaign Details

The threat actors behind MUT-8694 use malicious packages that mimic legitimate libraries to infiltrate developer environments. The campaign employs techniques such as:

  • Typosquatting: Using package names that closely resemble popular or legitimate libraries.
  • Payload Delivery: Embedded scripts download malware such as Blank Grabber and Skuld Stealer hosted on GitHub and repl.it.
  • Targeted Ecosystems: npm and PyPI, critical platforms for developers.

             Source: Datadog

Key Findings

One identified package, larpexodus (version 0.1), executed a PowerShell command to download and run a Windows PE32 binary from github[.]com/holdthaw/main/CBLines.exe. Analysis revealed the binary was an infostealer malware, Blank Grabber, compiled from an open-source project hosted on GitHub. Further inspection of the repository exposed another stealer, Skuld Stealer, indicating the involvement of multiple commodity malware samples.

Capabilities of Malware

The deployed malware variants include advanced features that allow:

  • Credential Harvesting: Exfiltrating usernames, passwords, and sensitive data.
  • Cryptocurrency Wallet Theft: Targeting and compromising crypto assets.
  • Application Data Exfiltration: Stealing configuration files from popular applications

Affected Packages

Some known malicious packages include:

  • larpexodus (PyPI): Executes a PowerShell script to download malware.
  • Impersonations of npm libraries: Host binaries leading to infostealer deployment.

Remediation:

To mitigate the risks associated with this attack, users should:

  • Audit Installed Packages: Use tools like npm audit or pip audit to identify vulnerabilities.
  • Validate Package Sources: Verify package publishers and cross-check names carefully before installation.
  • Monitor Network Activity: Look for unusual connections to GitHub or repl.it domains.
  • Use Security Tools: Implement solutions that detect malicious dependencies.

General Recommendations:

  • Avoid downloading software from unofficial or unverified sources.
  • Regularly update packages and dependencies to the latest versions.
  • Conduct periodic security awareness training for developers and IT teams.

References:

Security Advisory

RCE and File Deletion Vulnerabilities in Veeam Service Provider Console

Summary

OEM

Veeam

Severity

Critical

Date of Announcement

2024-12-05

CVSS Score

9.9

CVE

CVE-2024-42448, CVE-2024-42449

Exploited in Wild

No

Patch/Remediation Available

Yes

Advisory Version

1.0

Overview

Two critical vulnerabilities in the Veeam Service Provider Console (VSPC) enable attackers to perform unauthenticated remote code execution (RCE) and arbitrary file deletion. These flaws present severe threats to the infrastructure of managed service providers that depend on VSPC for their operations.

Vulnerability Name

CVE ID

Product Affected

Severity

CVSS Score

Veeam Service Provider Console RCE

CVE-2024-42448

Veeam Service Provider Console

Critical

9.9

NTLM Hash Leak and Arbitrary File Deletion on Server

CVE-2024-42449

Veeam Service Provider Console

High

7.1

Technical Summary

CVE ID

System Affected

Vulnerability Details

Impact

CVE-2024-42448

VSPC v8.1.0.21377 and all earlier versions.

This critical remote code execution (RCE) vulnerability allows unauthenticated attackers to execute arbitrary code on the Veeam Service Provider Console server. It exploits a flaw in the server's handling of input, enabling attackers to compromise the entire system.

Allows attackers to execute arbitrary code on the server remotely.

CVE-2024-42449

VSPC v8.1.0.21377 and all earlier versions.

This vulnerability allows attackers, via an authorized VSPC management agent, to leak the NTLM hash of the VSPC server service account and delete arbitrary files on the server. Exploitation requires valid credentials for an agent authorized by the VSPC server.

Permits authorized management agents to delete arbitrary files from the VSPC server.

Remediations

  • Update Veeam Service Provider Console to version 8.1.0.21999 or later version, which addresses this vulnerability.
  • Limit network exposure of VSPC and allow access only to trusted management agents.

General Recommendations

  • Monitor VSPC logs to detect suspicious activities and respond promptly.
  • Use strong, unique passwords for service accounts and enable multi-factor authentication (MFA) where possible.

References

Security Advisory

Security Update for NVIDIA Base Command & Bright Cluster Managers 

NVIDIA has issued a security advisory addressing a critical vulnerability (CVE-2024-0138) discovered in its Base Command Manager software. This flaw, located within the CMDaemon component, poses significant risks, including the potential for remote code execution, denial of service, privilege escalation, information disclosure, and data tampering.

What does the Vulnerability mean

The source of the vulnerability was from insecure temporary file handling, which could lead to a denial of service (DoS) condition on affected systems.

NVIDIA has released patches to address the issue and prevent potential exploitation. This critical flaw can be exploited remotely without any prerequisites, such as user interaction or special privileges, making it highly dangerous.

Vulnerability Name  CVE ID  Product Affected  Impact  Fixed Version 
Insecure Temporary File Vulnerability  CVE-2024-0139  NVIDIA Base Command Manager, Bright Cluster Manager  Medium  Base Command Manager: 10.24.09a; Bright Cluster Manager: 9.0-22, 9.1-19, 9.2-17 

Technical Summary 

 NVIDIA confirmed earlier versions, including 10.24.07 and earlier, are not impacted by this vulnerability.

To mitigate the issue, NVIDIA recommends updating the CMDaemon component on all head nodes and software images.

Remediation

1. Base Command Manager 

  • Update to version 10.24.09a to address the vulnerability. 

2. Bright Cluster Manager 

  • Depending on your version, update to one of the following: 
  • 9.0-22 
  • 9.1-19 
  • 9.2-17 

3. CMdaemon Update 

  • Ensure the most recent version of CMdaemon is installed on the head nodes and in all software images. 

4. Node Update . 

After applying the update, systems should be rebooted or resynchronized with the updated software image to ensure the fix is fully implemented. These measures are essential to eliminate the root cause that created vulnerability and protect systems from potential exploitation.

References

CVE ID  System Affected  Platform  Vulnerability Details  Impact 
CVE-2024-0139  NVIDIA Base Command Manager (Versions 3, 10) NVIDIA Bright Cluster Manager (Versions 9.0-9.2)  Linux  The vulnerability stems from insecure handling of temporary files in both Base Command Manager and Bright Cluster Manager. Exploiting this flaw could disrupt system availability, potentially causing a denial of service.  Potential denial of service on affected systems. 
News Security Advisory

Re-release of November 2024 Exchange Server Security Updates

Microsoft users had a tough time to send or load attachments to emails when using Outlook, were unable to connect to the server, and in some cases could not log into their accounts.

Microsoft Exchange Online is a platform for business communication that has a mail server and cloud apps for email, contacts, and calendars.

Microsoft mitigated the issue after identification were able to determine the cause of the outages and is rolling out a fix for the issue. That rollout is gradual, however, as outage reports continue to come in at DownDetector.

Impact

The outage left many users unable to communicate with colleagues, particularly as it coincided with the start of the workday in Europe. Frustration quickly spread across social media, with users reporting issues accessing emails and participating in Teams calls

Re-release of November 2024 Exchange Server Security Updates 

Summary 

OEM Microsoft 
Severity High 
Date of Announcement 27/11/2024 
Product Microsoft Exchange Server 
CVE ID CVE-2024-49040 
CVSS Score 7.5 
Exploited in Wild No 
Patch/Remediation Available Yes 
Advisory Version 1.0 

Overview 

On November 27, 2024, Microsoft re-released the November 2024 Security Updates (SUs) for Exchange Server to resolve an issue introduced in the initial release on November 12, 2024. The original update (SUv1) caused Exchange Server transport rules to intermittently stop functioning, particularly in environments using transport or Data Loss Protection (DLP) rules. The updated version (SUv2) addresses this issue. 

Table of Actions for Admins: 

Scenario Action Required 
SUv1 installed manually, and transport/DLP rules are not used Install SUv2 to regain control over the X-MS-Exchange-P2FromRegexMatch header. 
SUv1 installed via Windows/Microsoft Update, no transport/DLP rules used No immediate action needed; SUv2 will be installed automatically in December 2024. 
SUv1 installed and then uninstalled due to transport rule issues Install SUv2 immediately. 
SUv1 never installed Install SUv2 immediately. 

Remediation Steps 

1. Immediate Actions 

  • Use the Health Checker script to inventory your Exchange Servers and assess update needs. 
  • Install the latest Cumulative Update (CU) followed by the November 2024 SUv2. 

2. Monitor System Performance 

  • After enabling AMSI integration for message bodies, monitor for any performance issues such as delays in mail flow or server responsiveness. 

3. Run SetupAssist Script for Issues 

  • Use the SetupAssist script to troubleshoot issues with failed installations or update issues, and check logs for specific error details. 

References

News Security Advisory

Analysis of WezRat Malware; Check point Findings

New CheckPoint research discovered a new remote access trojan and information stealer used by Iranian state-sponsored actors to conduct reconnaissance of compromised endpoints and execute malicious commands.

Continue Reading
Security Advisory

November 2024 Microsoft Patches: Addressing Zero-Day Exploits and High-Priority Vulnerabilities

Summary

OEM

Microsoft

Severity

High

Date of Announcement

2024-11-13

NO. of Vulnerabilities Patched

89

Actively Exploited

02

Exploited in Wild

Yes

Advisory Version

1.0

Overview

Microsoft’s November 2024 Patch Tuesday release addresses 89 security vulnerabilities across various products, including critical updates for Windows, Microsoft Edge, SQL Server, and more. Four zero-day vulnerabilities are part of this release, with two actively exploited in the wild. The patch targets a range of critical issues across Microsoft products, categorized as follows:

  • 51 Remote Code Execution (RCE) Vulnerabilities
  • 28 Elevation of Privilege (EoP) Vulnerabilities
  • 4 Denial of Service (DoS) Vulnerabilities
  • 2 Security Feature Bypass Vulnerabilities
  • 3 Spoofing Vulnerabilities
  • 1 Information Disclosure Vulnerabilities
The highlighted vulnerabilities include four zero-day flaws, two of which are currently being actively exploited.

Vulnerability Name

CVE ID

Product Affected

Impact

CVSS Score

Microsoft Management Console Remote Code Execution Vulnerability (Exploitation detected)

CVE-2024-43572

Windows Servers and Windows 10&11

High

7.8

Winlogon Elevation of Privilege Vulnerability

CVE-2024-43583

Windows systems using Winlogon

High

7.8

Windows Hyper-V Security Feature Bypass Vulnerability

CVE-2024-20659

Windows Hyper-V

High

7.1

Windows MSHTML Platform Spoofing Vulnerability
(Exploitation Detected)

CVE-2024-43573

Windows Servers and Windows 10&11

Medium

6.5

Technical Summary

CVE ID

System Affected

Vulnerability Details

Impact

CVE-2024-49039

Windows Servers and Windows 10&11

This zero-day allows attackers to escalate privileges within Windows environments. Exploited actively, it is particularly concerning for its ability to grant attackers elevated access.

Elevation of privilege potentially leading to full system control.

CVE-2024-49019

Windows Servers

A flaw in Active Directory Certificate Services allows attackers to gain domain administrator privileges by exploiting misconfigured version 1 certificate templates with overly broad enrollment permissions. This can be triggered by an attacker crafting a certificate request that bypasses security controls.

Elevate privileges to domain administrator, compromising the entire Active Directory environment and enabling full network control.

CVE-2024-49040

Microsoft Exchange Server 2016 and 2019

A vulnerability in Microsoft Exchange Server allows attackers to spoof the sender’s email address in emails to local recipients by exploiting improper verification of the P2 FROM header. This flaw can be used to launch email-based phishing and social engineering attacks.

Attackers can impersonate trusted senders, deceiving recipients into trusting malicious emails, potentially leading to data compromise or malware infections.

CVE-2024-43451

Windows Servers and Windows 10&11

A zero-day that exposes NTLMv2 hashes, enabling “pass-the-hash” attacks for unauthorized network access. This is the third NTLM-related zero-day discovered in 2024.

High risk in network environments; attackers may impersonate users and compromise critical systems.

Additional Critical Patches Address High-Severity Vulnerabilities

  • Azure CycleCloud: Remote Code Execution Vulnerability (CVE-2024-43602).
  • .NET and Visual Studio: Remote Code Execution vulnerability (CVE-2024-43498).
  • Microsoft Windows VMSwitch: Elevation of Privilege vulnerability (CVE-2024-43625).
  • Windows Kerberos: Remote Code Execution vulnerability (CVE-2024-43639).
  • SQL Server: Multiple updates targeting memory vulnerabilities, each with a CVSS score of 8.8, affecting database security.

Remediation

  • Implement a routine patch management process to regularly check for and apply the latest Microsoft security updates and patches for all affected products.
  • Regularly audit Active Directory and Exchange Server configurations to close potential security gaps.
  • Awareness of download files from the internet & regularly review and monitor your security setup, staying updated on new advisories to secure against emerging threats and vulnerabilities.
  • Create and test an incident response plan with defined communication channels and responsibilities to ensure readiness for any security breaches.

References

https://msrc.microsoft.com/update-guide/releaseNote/2024-Nov

Security Advisory

Palo Alto Account Takeover Vulnerability Actively Exploited

Summary

OEM

Palo Alto

Severity

Critical

Date of Announcement

2024-07-10

CVSS Score

9.3

CVE

CVE-2024-5910

CWE

CWE-306

Exploited in Wild

Yes

Patch/Remediation Available

Yes

Advisory Version

1.0

Overview

CISA has included the Palo Alto Networks Expedition tool Missing Authentication Vulnerability in its catalog of actively exploited vulnerabilities. Palo Alto’s Expedition is a migration tool designed to simplify the process of transferring configurations from other vendors to Palo Alto Networks. The issue is tracked under CVE-2024-5910. The vulnerability, which involves missing authentication for a critical function in Expedition, could allow attackers with network access to take over an admin account. This poses a risk to imported configuration secrets, credentials, and other sensitive data within Expedition.

Vulnerability Name

CVE ID

Product Affected

Severity

Fixed Version

Palo Alto Networks Expedition Missing Authentication Vulnerability

CVE-2024-5910

Expedition

Critical

Expedition 1.2.92 and all later versions

Technical Summary

CVE ID

System Affected

Vulnerability Details

Impact

CVE-2024-5910

Expedition from 1.2 before 1.2.92

The vulnerability, caused by missing authentication for an important function in Expedition, could allow attackers with network access to take over an admin account.

Account Takeover

Recommendations

  • Update Expedition to 1.2.92 and the latest versions to mitigate the issue.

General Recommendations

  • Restrict Network Access: Limit network access to Expedition to only trusted and authorized users, hosts, and networks.
  • Enable Strong Authentication: Implement strong authentication for all critical functions in Expedition, including multi-factor authentication (MFA) where possible.
  • Monitor Access Logs: Regularly monitor and review access logs to detect any unusual or unauthorized access attempts.
  • Stay Updated: Stay informed about the latest cybersecurity news and updates to keep track of emerging threats and vulnerabilities.

References

Scroll to top