Significant Step to Initiate Trust & Security in India’s Digital landscape; DPDP Act 2025
Significant Step to Initiate Trust & Security in India’s Digital landscape; DPDP Act 2025
Continue ReadingPosts
Denial of Service Vulnerability in DNS Security Feature of Palo Alto Networks PAN-OS
Summary
| OEM | Palo Alto |
| Severity | High |
| CVSS | 8.7 |
| CVEs | CVE-2024-3393 |
| Exploited in Wild | No |
| Patch/Remediation Available | Yes |
| Advisory Version | 1.0 |
Overview
A Denial-of-Service vulnerability in the DNS Security feature of Palo Alto Networks PAN-OS software allows an unauthenticated attacker to send a malicious packet through the data plane of the firewall that reboots the firewall. Repeated attempts to trigger this condition will cause the firewall to enter maintenance mode.
| Vulnerability Name | CVE ID | Product Affected | Severity | Affected Version |
| (DoS) in DNS Security Using a Specially Crafted Packet | CVE-2024-3393 | Palo Alto | High | PAN-OS 11.2 – < 11.2.3* PAN-OS 11.1 – < 11.1.5* PAN-OS 10.2 – >= 10.2.8*, <10.2.14* PAN-OS 10.1 – >= 10.1.14*, <10.1.15* |
Technical Summary
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2024-3393 | Palo Alto PAN-OS | CVE-2024-3393 is a high-severity DoS vulnerability in Palo Alto Networks PAN-OS exists in the DNS Security feature, where malformed DNS packets are improperly parsed and logged. If exploited, this vulnerability enables an unauthenticated attacker to remotely trigger a firewall reboot. Repeated exploitation attempts can cause the firewall to enter maintenance mode. CISA added it to the KEV catalog, with patching required by January 20, 2025. | Dos – Denial-of-Service |
Remediation:
- Update: Ensure that the appropriate patches or updates are applied to the relevant PAN-OS versions as listed below
| PAN-OS Version | Fixes and Releases |
| PAN-OS 11.1 | 11.1.2-h16, 11.1.3-h13, 11.1.4-h7, 11.1.5 |
| PAN-OS 10.2 | 10.2.8-h19, 10.2.9-h19, 10.2.10-h12, 10.2.11-h10, 10.2.12-h4, 10.2.13-h2, 10.2.14 |
| PAN-OS 10.1 | 10.1.14-h8, 10.1.15 |
| PAN-OS 10.2.9-h19 | Only applicable to Prisma Access |
| PAN-OS 10.2.10-h12 | Only applicable to Prisma Access |
| PAN-OS 11.0 | No fix (reached end-of-life status on November 17, 2024) |
Recommendations:
- Avoid Using EOL Versions:
- PAN-OS 11.0 is end-of-life (EOL) as of November 17, 2024. Ensure that you are not using this version and upgrade to be supported versions.
- Monitoring & Incident Response:
- Regularly monitor firewall logs for unusual behavior, especially DoS triggers.
- For Prisma Access Users (Workaround):
- Disable DNS Security logging across all NGFWs if patching cannot be applied immediately. This can be done by opening a support case with Palo Alto Networks.
References:
Adobe released Security updates Addressing critical ColdFusion vulnerability with (PoC) Exploit code
Adobe released security updates (APSB24-107) addressing an arbitrary file system vulnerability ColdFusion, identified as CVE-2024-53961, is linked to a path traversal weakness with proof-of-concept (PoC) exploit code.
This could allow attackers to exploit the flaw and gain unauthorized access to arbitrary files on vulnerable servers.
As per the updates Adobe ColdFusion versions 2023 and 2021 that addressed an arbitrary file proof-of-concept may enable attackers to read arbitrary files on vulnerable servers, potentially leading to unauthorized access and data exposure warns of critical ColdFusion bug with PoC exploit code.
Summary:
“Adobe is aware that CVE-2024-53961 has a known proof-of-concept that could cause an arbitrary file system read,” Adobe earlier gave statement cautioning customers that it assigned a “Priority 1” severity rating to the flaw because it has a “a higher risk of being targeted, by exploit(s) in the wild for a given product version and platform.”
Key findings:
- The vulnerability, CVE-2024-53961, affects ColdFusion 2021 and 2023.
- Adobe has provided a patch to address the issue.
- The vulnerability can potentially lead to unauthorized access and data exposure
- The flaw has been given a Priority 1 severity rating, the highest possible level, due to its potential for exploitation in the wild.
- Adobe has highlighted the critical nature of these updates and classified the vulnerability with a CVSS base score of 7.4, signifying a threat to the security of affected systems.
Adobe has issued advisory
- Monitor systems for any signs of exploitation.
- Adobe has provided a patch to address the vulnerability remediation to mitigate the risk of exploitation.
- Consider implementing file system monitoring and logging to detect and prevent unauthorized file access.
Path traversal weakness in ColdFusion; CVE-2024-53961
What is Path Traversal?
Hackers uses a tactics by Tricking a web application into displaying the contents of a directory that was not on request by user to gain access to sensitive files on a server.
The path traversal weakness in ColdFusion could be exploited by an attacker to perform unauthorized file system reads on affected servers.
This means that an attacker could manipulate file paths to access sensitive files that are otherwise restricted. This kind of vulnerability can lead to exposure of critical system information, unauthorized access and data exposure.
Reference: https://www.bleepingcomputer.com/news/security/adobe-warns-of-critical-coldfusion-bug-with-poc-exploit-code/
Sophisticated Phishing Attack Exposed Over 600,000 Users to Data Theft; 16 Chrome Extensions Hacked
A sophisticated phishing attack exposed 600, 000 user data to theft as 16 Chrome Extensions got hacked amounting to credential theft. The attack targeted extension publishers through phishing emails where Developers were tricked into granting access to a malicious OAuth app via fake Chrome Web Store emails. The malicious update mimicked official communications from the Chrome Web Store, stealing sensitive user data.
This breach puts Facebook ad users at high risk of account hacking or unknown access
Summary of the attack
The phishing email was designed to create a sense of urgency posing as Google Chrome Web Store Developer Support, warns the employee of the extension removal for policy violations. The message urges the recipient to accept the publishing policy.
As per Cyberhaven, a cybersecurity firm report mentioned about the impacted firms as the attack occurred on December 24 and involved phishing a company employee to gain access to their Chrome Web Store admin credentials.
16 Chrome Extensions, including popular ones like “AI Assistant – ChatGPT and Gemini for Chrome,” “GPT 4 Summary with OpenAI,” and “Reader Mode,” were compromised, exposing sensitive user data.
Response & Recommendations:
The attackers targeted browser extension publishers with phishing campaigns to gain access to their accounts and insert malicious code.
Extensions such as “Rewards Search Automator” and “Earny – Up to 20% Cash Back” were used to exfiltrate user credentials and identity tokens, particularly from Facebook business accounts.
Malicious versions of extensions communicated with external Command-and-Control (C&C) servers, such as domains like “cyberhavenext[.]pro.”
- Cyberhaven released a legitimate update (version 24.10.5), hired Mandiant to develop an incident response plan and also notified federal law enforcement agencies for investigation.
- All users advised to revoke credentials, monitor logs, and secure extensions; investigations continue.
- As per Cyberhaven, version 24.10.4 of Chrome extension was affected, and the malicious code was active for less than a day.
- The malicious extension used two files: worker.js contacted a hardcoded C&C server to download configuration and executed HTTP calls, and content.js that collected user data from targeted websites and exfiltrated it to a malicious domain specified in the C&C payload.
Critical Apache Tomcat Vulnerabilities Allow RCE & DoS
Summary
| OEM | Apache |
| Severity | Critical |
| CVSS | 9.8 |
| CVEs | CVE-2024-50379, CVE-2024-54677 |
| Exploited in Wild | Yes |
| Patch/Remediation Available | Yes |
| Advisory Version | 1.0 |
Overview
Recent vulnerabilities in Apache Tomcat, identified as CVE-2024-50379 and CVE-2024-54677, present significant security threats, including remote code execution (RCE) and denial-of-service (DoS) risks. CVE-2024-50379 exploits a race condition during JSP compilation on case-insensitive file systems, enabling attackers to run arbitrary code. CVE-2024-54677 takes advantage of unlimited file uploads in example applications to trigger resource exhaustion.
| Vulnerability Name | CVE ID | Product Affected | Severity | Affected Version |
| Race Condition Vulnerability | CVE-2024-50379 | Apache | Critical | Apache Tomcat 11.0.0-M1 to 11.0.1 Apache Tomcat 10.1.0-M1 to 10.1.33 Apache Tomcat 9.0.0.M1 to 9.0.97 |
| Uncontrolled Resource Consumption Vulnerability | CVE-2024-54677 | Apache | Medium | Apache Tomcat 11.0.0-M1 to 11.0.1 Apache Tomcat 10.1.0-M1 to 10.1.33 Apache Tomcat 9.0.0.M1 to 9.0.97 |
Technical Summary
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2024-50379 | Apache Tomcat | A race condition during JSP compilation in Apache Tomcat allows attackers to upload malicious JSP files, leading to remote code execution. This occurs when the default servlet is configured with write permissions on a case-insensitive file system. | Remote Code Execution |
| CVE-2024-54677 | Apache Tomcat | The examples web application in Apache Tomcat does not limit the size of uploaded data, enabling attackers to cause an OutOfMemoryError by uploading excessive amounts of data, leading to a denial of service. | Denial of Service |
Remediation:
- Upgrade Apache Tomcat to the latest fixed versions:
- Apache Tomcat 11.0.2 or latest
- Apache Tomcat 10.1.34 or latest
- Apache Tomcat 9.0.98 or latest
Recommendations:
- Configuration Hardening:
- Restrict write permissions for the default servlet to prevent unauthorized JSP file uploads.
- Remove or disable example applications to reduce exposure to potential attacks.
- Monitor and Audit:
- Regularly review server logs for signs of exploitation attempts.
- Apply a robust file upload policy to limit sizes and validate content.
- Regularly update all your software’s to address security vulnerabilities
References:
Cleo Releases Patch for Critical Vulnerabilities Exploited in the Wild
Summary
OEM | Cleo |
Severity | Critical |
CVSS score | 9.8 |
CVE | CVE-2024-55956, CVE-2024-50623 |
Exploited in Wild | Yes |
Patch/Remediation Available | Yes |
Advisory Version | 1.0 |
Overview
The Clop ransomware group has exploited critical vulnerabilities in Cleo’s Managed File Transfer (MFT) solutions, specifically targeting Cleo Harmony, VLTrader, and LexiCom. These vulnerabilities, identified as CVE-2024-50623 and CVE-2024-55956, allow unauthenticated attackers to execute arbitrary code on affected systems, leading to potential data breaches and system compromises.
Vulnerability Name | CVE ID | Product Affected | Severity | CVSS Score | Fixed Version |
Unauthenticated Command Execution | CVE-2024-55956 | Cleo products | Critical | 9.8 | 5.8.0.24 or latest |
Unrestricted File Upload/Download Vulnerability | CVE-2024-50623 | Cleo products | Critical | 9.8 | 5.8.0.24 or latest |
Technical Summary
CVE ID | System Affected | Vulnerability Details | Impact |
CVE-2024-55956 | Cleo Harmony, VLTrader, LexiCom | This flaw enables unauthenticated users to import and execute arbitrary Bash or PowerShell commands on the host system by leveraging the default settings of the Autorun directory. Attackers can write a ZIP file containing a malicious XML file describing a new host. The malicious XML file contained a Mailbox action associated with the new host, which when run would execute an arbitrary OS command. | Execution of arbitrary commands, resulting in full system compromise. |
CVE-2024-50623 | Cleo Harmony, VLTrader, LexiCom | This vulnerability permits unauthenticated attackers to upload and download files without restrictions via the ‘/Synchronization’ endpoint. By uploading malicious files, attackers can achieve remote code execution. The exploitation involves writing malicious code to specific files, such as “webserverAjaxSwingconftemplatesdefault-pagebody-footerVL.html”, which is then leveraged to execute an attacker-controlled payload, potentially in the form of a webshell. | Unauthorized file manipulation and potential system compromise. |
Remediations
- Update Cleo Harmony, VLTrader, and LexiCom to the updated version 5.8.0.24 or latest one.
Recommendations
- It is strongly advised to move any internet-exposed Cleo systems behind a firewall until patches are applied to prevent unauthorized exploitation.
- Disable autorun files in Cleo software by clearing the “Autorun Directory” field under “Options” to limit the attack surface; this doesn’t resolve the file-write vulnerability.
- Implement monitoring for signs of the “Cleopatra” backdoor and other malicious activities associated with Clop ransomware.
- Conduct a thorough audit of your systems to identify any malicious files or abnormal system behavior associated with Cleo software. This includes checking logs, directories, and network traffic for unusual activities related to the known exploit chain.
- If you have an EDR solution, block the attacker IPs associated with the exploit to prevent further external communication with compromised systems.
- Ensure regular backups of critical data are performed and stored securely offline to facilitate recovery in case of any ransomware attack.
IOCs
Based on the research
These are the attacker IP addresses embedded in the encoded PowerShell
These are the attacker IP addresses embedded in the encoded PowerShell
IP Address IOCs | File IOCs |
176.123.5[.]126 | 60282967-dc91-40ef-a34c-38e992509c2c.xml |
5.149.249[.]226 | healthchecktemplate.txt |
185.181.230[.]103 | healthcheck.txt |
209.127.12[.]38 | |
181.214.147[.]164 | |
192.119.99[.]42 |
References
- https://support.cleo.com/hc/en-us/articles/28408134019735-Cleo-Product-Security-Update-CVE-2024-55956
- https://support.cleo.com/hc/en-us/articles/27140294267799-Cleo-Product-Security-Advisory-CVE-2024-50623
- https://attackerkb.com/topics/geR0H8dgrE/cve-2024-55956/rapid7-analysis
- https://www.huntress.com/blog/threat-advisory-oh-no-cleo-cleo-software-actively-being-exploited-in-the-wild
Critical Flaw in WordPress Hunk Companion Plugin Enables Unauthorized Plugin Installation
Summary
OEM | WordPress |
Severity | Critical |
Date of Announcement | 2024-12-13 |
CVSS score | 9.8 |
CVE | CVE-2024-11972 |
Exploited in Wild | Yes |
Patch/Remediation Available | Yes |
Advisory Version | 1.0 |
Overview
A Critical flaw in the WordPress Hunk Companion plugin has been actively exploited to enable unauthorized installation and activation of plugins. This vulnerability stems from insufficient authorization checks on a REST API endpoint. Exploited sites may see attackers silently install malicious or outdated plugins, leading to severe security risks, including remote code execution (RCE), unauthorized access, and website compromise.
Vulnerability Name | CVE ID | Product Affected | Severity | CVSS Score |
Hunk Companion Plugin Vulnerability | CVE-2024-11972 | Hunk Companion Plugin for WordPress | Critical | 9.8 |
Technical Summary
CVE ID | System Affected | Vulnerability Details | Impact |
CVE-2024-11972 | Hunk Companion plugin versions prior to 1.8.4 | This vulnerability is caused by improper validation mechanisms in the file hunk-companion/import/app/app.php, a script responsible for handling plugin import and installation processes. At its core, the bug permits unauthenticated requests to bypass critical permission checks intended to ensure that only authorized users can install plugins. | This vulnerability potentially leads to remote code execution, unauthorized access, and full website compromise. |
Remediations
- “Hunk Companion” WordPress plugin, should update to version 9.0 or later.
General Recommendations
- Regularly inspect your WordPress site for unknown plugins or modifications.
- Reducing the risk of delayed patching can be achieved by enabling automatic updates for all plugins
- Review server and WordPress logs for unauthorized login attempts to detect possible compromise.
- Keep all plugins, themes, and WordPress core updated. Use strong, unique passwords and enable two-factor authentication for admin accounts.
Zero-Day Vulnerability in Windows Exposes NTLM Credentials
Summary
OEM | Microsoft |
Severity | Critical |
Date of Announcement | 2024-12-12 |
CVE | Not yet assigned |
Exploited in Wild | No |
Patch/Remediation Available | Yes (No official patch) |
Advisory Version | 1.0 |
Vulnerability Name | NTLM Zero-Day |
Overview
A recently discovered zero-day vulnerability in Windows, enables attackers to steal user credentials through a malicious file viewed in File Explorer. This “clickless” exploit bypasses the need for user interaction, creating significant security risks. While Microsoft investigates, 0patch has released an unofficial micropatch to mitigate the threat. Users are advised to apply the patch or implement mitigations to reduce exposure.
Vulnerability Name | CVE ID | Product Affected | Severity |
NTLM zero-day | Not Yet Assigned | Microsoft Windows | Critical |
Technical Summary
CVE ID | System Affected | Vulnerability Details | Impact |
Not Yet Assigned | Windows 7 to 11 (24H2), Server 2008 R2 to 2022 | A zero-day vulnerability that allows NTLM credential theft by viewing a malicious file in File Explorer. The flaw forces an outbound NTLM connection, leaking NTLM hashes. Exploitation requires no user interaction beyond viewing a malicious file, which can be delivered through shared folders, USB drives, or malicious downloads in the browser's default folder. | Enables attackers to steal NTLM credentials and gain unauthorized access of the affected systems. |
Remediations
- Apply the 0patch Micropatch:
- Register for a free account at 0patch Central.
- Install the 0patch agent to automatically receive the micropatch.
- Disable NTLM Authentication:
- Navigate to Security Settings > Local Policies > Security Options in Group Policy.
- Configure “Network security: Restrict NTLM” policies to limit NTLM usage.
General Recommendations
- Only enable patches or configurations after testing them on non-critical devices to ensure minimal impact.
- Stay updated on Microsoft’s response and the availability of an official patch through trusted news sources or Microsoft’s advisories.
- Inform users about the risks of handling unfamiliar files and downloading content from untrusted sources.
- Monitor systems for suspicious NTLM-related activity.
Microsoft December 2024 Patch Tuesday: Critical Fixes for Zero-Day and Remote Code Execution
Summary
OEM | Microsoft |
Severity | High |
Date of Announcement | 2024-12-12 |
NO. of Vulnerabilities Patched | 71 |
Actively Exploited | 01 |
Exploited in Wild | Yes |
Advisory Version | 1.0 |
Overview
Microsoft released updates addressing 71 vulnerabilities across its product suite, including 1 actively exploited zero-day vulnerability. Critical patches include fixes for remote code execution (RCE) flaws in Windows TCP/IP and Windows Common Log File System (CLFS). Immediate attention is required for systems running Windows Server, Microsoft Exchange, and other affected components. The patch targets a range of critical issues across Microsoft products, categorized as follows:
- 30 Remote Code Execution (RCE) Vulnerabilities
- 27 Elevation of Privilege (EoP) Vulnerabilities
- 7 Information Disclosure Vulnerabilities
- 4 Denial of Service (DoS) Vulnerabilities
- 1Defense-in-depth improvement
- 1 Spoofing Vulnerabilities
The highlighted vulnerabilities include one zero-day flaw and critical RCE vulnerabilities, one of which is currently being actively exploited.
Vulnerability Name | CVE ID | Product Affected | Impact | CVSS Score |
Unauthenticated Remote Code Execution in Windows LDAP | CVE-2024-49112 | Windows | Critical | 9.8 |
Remote Code Execution in Windows Hyper-V | CVE-2024-49117 | Windows | High | 8.8 |
Remote Code Execution via Use-After-Free in Remote Desktop Services | CVE-2024-49132 | Windows | High | 8.1 |
Windows Common Log File System Driver Elevation of Privilege Vulnerability | CVE-2024-49138 | Windows | High | 7.8 |
Technical Summary
CVE ID | System Affected | Vulnerability Details | Impact |
CVE-2024-49112 | Microsoft Windows Lightweight Directory Access Protocol (LDAP) | This vulnerability allows attackers to execute arbitrary code at the LDAP service level by sending specially crafted LDAP calls to a Windows Domain Controller. While Microsoft recommends disconnecting Domain Controllers from the Internet as a mitigation, applying the patch is the best course of action. | Remote Code Execution |
CVE-2024-49117 | Microsoft Windows Hyper-V | This vulnerability can be exploited by an authenticated attacker to execute code on the host operating system from a guest virtual machine. Cross-VM attacks are also possible. Although the attacker must have basic authentication, the vulnerability poses significant risks to virtualized environments. | Remote Code Execution |
CVE-2024-49132 | Microsoft Windows Remote Desktop Services | An attacker can exploit a use-after-free memory condition in Remote Desktop Gateway, allowing RCE. Exploitation requires precise timing, which makes this an advanced attack. Successful exploitation grants attackers control over the affected system. | Allows an attacker to execute remote code on systems using Remote Desktop Gateway |
CVE-2024-49138 | Windows Common Log File System Driver | This critical security flaw affects the Windows Common Log File System Driver and is classified as an Elevation of Privilege vulnerability. | It allows attackers to gain SYSTEM privileges on Windows devices, potentially giving them full control over the affected system. |
Additional Critical Patches Address High-Severity Vulnerabilities
- These are the eight other critical vulnerabilities that are rated 8.1 on the CVSS scale in Remote Desktop Services (CVE-2024-49116, CVE-2024-49108, CVE-2024-49106, CVE-2024-49115, CVE-2024-49128, CVE-2024-49123, CVE-2024-49120, CVE-2024-49119).
- Windows Mobile Broadband Driver Elevation of Privilege Vulnerability (CVE-2024-49077).
- Windows Mobile Broadband Driver Elevation of Privilege Vulnerability (CVE-2024-49132).
Remediation
- Ensure all December 2024 Patch Tuesday updates are applied promptly.
- Implement a routine patch management process to regularly check for and apply the latest Microsoft security updates and patches for all affected products.
- Create and test an incident response plan with defined communication channels and responsibilities to ensure readiness for any security breaches.