Exploit Proof-of-Concept Released for Windows Lightweight Directory Access Protocol (LDAP CVE-2024-49113 )
CVE-2024-49113 LDAP
Continue ReadingIntrucept
Denial of Service Vulnerability in DNS Security Feature of Palo Alto Networks PAN-OS
Summary
| OEM | Palo Alto |
| Severity | High |
| CVSS | 8.7 |
| CVEs | CVE-2024-3393 |
| Exploited in Wild | No |
| Patch/Remediation Available | Yes |
| Advisory Version | 1.0 |
Overview
A Denial-of-Service vulnerability in the DNS Security feature of Palo Alto Networks PAN-OS software allows an unauthenticated attacker to send a malicious packet through the data plane of the firewall that reboots the firewall. Repeated attempts to trigger this condition will cause the firewall to enter maintenance mode.
| Vulnerability Name | CVE ID | Product Affected | Severity | Affected Version |
| (DoS) in DNS Security Using a Specially Crafted Packet | CVE-2024-3393 | Palo Alto | High | PAN-OS 11.2 – < 11.2.3* PAN-OS 11.1 – < 11.1.5* PAN-OS 10.2 – >= 10.2.8*, <10.2.14* PAN-OS 10.1 – >= 10.1.14*, <10.1.15* |
Technical Summary
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2024-3393 | Palo Alto PAN-OS | CVE-2024-3393 is a high-severity DoS vulnerability in Palo Alto Networks PAN-OS exists in the DNS Security feature, where malformed DNS packets are improperly parsed and logged. If exploited, this vulnerability enables an unauthenticated attacker to remotely trigger a firewall reboot. Repeated exploitation attempts can cause the firewall to enter maintenance mode. CISA added it to the KEV catalog, with patching required by January 20, 2025. | Dos – Denial-of-Service |
Remediation:
- Update: Ensure that the appropriate patches or updates are applied to the relevant PAN-OS versions as listed below
| PAN-OS Version | Fixes and Releases |
| PAN-OS 11.1 | 11.1.2-h16, 11.1.3-h13, 11.1.4-h7, 11.1.5 |
| PAN-OS 10.2 | 10.2.8-h19, 10.2.9-h19, 10.2.10-h12, 10.2.11-h10, 10.2.12-h4, 10.2.13-h2, 10.2.14 |
| PAN-OS 10.1 | 10.1.14-h8, 10.1.15 |
| PAN-OS 10.2.9-h19 | Only applicable to Prisma Access |
| PAN-OS 10.2.10-h12 | Only applicable to Prisma Access |
| PAN-OS 11.0 | No fix (reached end-of-life status on November 17, 2024) |
Recommendations:
- Avoid Using EOL Versions:
- PAN-OS 11.0 is end-of-life (EOL) as of November 17, 2024. Ensure that you are not using this version and upgrade to be supported versions.
- Monitoring & Incident Response:
- Regularly monitor firewall logs for unusual behavior, especially DoS triggers.
- For Prisma Access Users (Workaround):
- Disable DNS Security logging across all NGFWs if patching cannot be applied immediately. This can be done by opening a support case with Palo Alto Networks.
References:
Cleo Releases Patch for Critical Vulnerabilities Exploited in the Wild
Summary
OEM | Cleo |
Severity | Critical |
CVSS score | 9.8 |
CVE | CVE-2024-55956, CVE-2024-50623 |
Exploited in Wild | Yes |
Patch/Remediation Available | Yes |
Advisory Version | 1.0 |
Overview
The Clop ransomware group has exploited critical vulnerabilities in Cleo’s Managed File Transfer (MFT) solutions, specifically targeting Cleo Harmony, VLTrader, and LexiCom. These vulnerabilities, identified as CVE-2024-50623 and CVE-2024-55956, allow unauthenticated attackers to execute arbitrary code on affected systems, leading to potential data breaches and system compromises.
Vulnerability Name | CVE ID | Product Affected | Severity | CVSS Score | Fixed Version |
Unauthenticated Command Execution | CVE-2024-55956 | Cleo products | Critical | 9.8 | 5.8.0.24 or latest |
Unrestricted File Upload/Download Vulnerability | CVE-2024-50623 | Cleo products | Critical | 9.8 | 5.8.0.24 or latest |
Technical Summary
CVE ID | System Affected | Vulnerability Details | Impact |
CVE-2024-55956 | Cleo Harmony, VLTrader, LexiCom | This flaw enables unauthenticated users to import and execute arbitrary Bash or PowerShell commands on the host system by leveraging the default settings of the Autorun directory. Attackers can write a ZIP file containing a malicious XML file describing a new host. The malicious XML file contained a Mailbox action associated with the new host, which when run would execute an arbitrary OS command. | Execution of arbitrary commands, resulting in full system compromise. |
CVE-2024-50623 | Cleo Harmony, VLTrader, LexiCom | This vulnerability permits unauthenticated attackers to upload and download files without restrictions via the ‘/Synchronization’ endpoint. By uploading malicious files, attackers can achieve remote code execution. The exploitation involves writing malicious code to specific files, such as “webserverAjaxSwingconftemplatesdefault-pagebody-footerVL.html”, which is then leveraged to execute an attacker-controlled payload, potentially in the form of a webshell. | Unauthorized file manipulation and potential system compromise. |
Remediations
- Update Cleo Harmony, VLTrader, and LexiCom to the updated version 5.8.0.24 or latest one.
Recommendations
- It is strongly advised to move any internet-exposed Cleo systems behind a firewall until patches are applied to prevent unauthorized exploitation.
- Disable autorun files in Cleo software by clearing the “Autorun Directory” field under “Options” to limit the attack surface; this doesn’t resolve the file-write vulnerability.
- Implement monitoring for signs of the “Cleopatra” backdoor and other malicious activities associated with Clop ransomware.
- Conduct a thorough audit of your systems to identify any malicious files or abnormal system behavior associated with Cleo software. This includes checking logs, directories, and network traffic for unusual activities related to the known exploit chain.
- If you have an EDR solution, block the attacker IPs associated with the exploit to prevent further external communication with compromised systems.
- Ensure regular backups of critical data are performed and stored securely offline to facilitate recovery in case of any ransomware attack.
IOCs
Based on the research
These are the attacker IP addresses embedded in the encoded PowerShell
These are the attacker IP addresses embedded in the encoded PowerShell
IP Address IOCs | File IOCs |
176.123.5[.]126 | 60282967-dc91-40ef-a34c-38e992509c2c.xml |
5.149.249[.]226 | healthchecktemplate.txt |
185.181.230[.]103 | healthcheck.txt |
209.127.12[.]38 | |
181.214.147[.]164 | |
192.119.99[.]42 |
References
- https://support.cleo.com/hc/en-us/articles/28408134019735-Cleo-Product-Security-Update-CVE-2024-55956
- https://support.cleo.com/hc/en-us/articles/27140294267799-Cleo-Product-Security-Advisory-CVE-2024-50623
- https://attackerkb.com/topics/geR0H8dgrE/cve-2024-55956/rapid7-analysis
- https://www.huntress.com/blog/threat-advisory-oh-no-cleo-cleo-software-actively-being-exploited-in-the-wild
Critical Flaw in WordPress Hunk Companion Plugin Enables Unauthorized Plugin Installation
Summary
OEM | WordPress |
Severity | Critical |
Date of Announcement | 2024-12-13 |
CVSS score | 9.8 |
CVE | CVE-2024-11972 |
Exploited in Wild | Yes |
Patch/Remediation Available | Yes |
Advisory Version | 1.0 |
Overview
A Critical flaw in the WordPress Hunk Companion plugin has been actively exploited to enable unauthorized installation and activation of plugins. This vulnerability stems from insufficient authorization checks on a REST API endpoint. Exploited sites may see attackers silently install malicious or outdated plugins, leading to severe security risks, including remote code execution (RCE), unauthorized access, and website compromise.
Vulnerability Name | CVE ID | Product Affected | Severity | CVSS Score |
Hunk Companion Plugin Vulnerability | CVE-2024-11972 | Hunk Companion Plugin for WordPress | Critical | 9.8 |
Technical Summary
CVE ID | System Affected | Vulnerability Details | Impact |
CVE-2024-11972 | Hunk Companion plugin versions prior to 1.8.4 | This vulnerability is caused by improper validation mechanisms in the file hunk-companion/import/app/app.php, a script responsible for handling plugin import and installation processes. At its core, the bug permits unauthenticated requests to bypass critical permission checks intended to ensure that only authorized users can install plugins. | This vulnerability potentially leads to remote code execution, unauthorized access, and full website compromise. |
Remediations
- “Hunk Companion” WordPress plugin, should update to version 9.0 or later.
General Recommendations
- Regularly inspect your WordPress site for unknown plugins or modifications.
- Reducing the risk of delayed patching can be achieved by enabling automatic updates for all plugins
- Review server and WordPress logs for unauthorized login attempts to detect possible compromise.
- Keep all plugins, themes, and WordPress core updated. Use strong, unique passwords and enable two-factor authentication for admin accounts.
Tailored Security Solutions for Maritime Operations by Intrucept
Tailored Security Solutions from Maritime Operations by Intrucept
Continue Reading
Future of Maritime Innovation at
METS Trade 2024; Intrucept
Maritime industry worldwide is witnessing massive changes in terms of continuous innovation and managing cyber risk on top priority list. In doing so enabling innovation becomes easier along with exploring various options that approaches and addresses cyber security in the maritime sector.
Now maritime professionals are ready to explore the latest industry trends and adopt solutions that dig deeper into maritime organizations’ challenges and priorities related to cyber security.
Intrucept Participates at the METS Trade 2024
Intrucept, a leader in cybersecurity solutions is excited to announce participation at the prestigious METS Trade 2024 in Amsterdam, Date Nov 19-21(2024).
This marks a significant step forward in transforming the maritime industry by combining the power of cutting-edge cybersecurity solutions.
About Intrucept: Ensuring Maritime Security in a Digital Age
As digital threats evolve, Intrucept is at the forefront of cyber security, providing comprehensive protection for maritime operations. From vessel systems to operational networks, we ensure that your fleet stays secure, resilient, and ready for the challenges of tomorrow.
Our solutions are designed to protect against cyberattacks, safeguard sensitive data, and maintain the integrity of vessel operations, all while enhancing overall business efficiency.
Why We’re Joining Forces at METS Trade 2024
At METS Trade 2024, we’ll be showcasing our unique partnership and how combining advanced cybersecurity with innovative engineering can provide unparalleled protection and efficiency for the maritime industry. Together, we are shaping the future of shipping — where digital security and operational excellence go hand in hand.
What You Can Expect from Our Joint Presence at METS 2024
Innovative cybersecurity solutions for shipping operations: Protect your vessels, data, and systems from the growing cyber threat landscape.
State-of-the-art shipping engineering technologies: Learn how we can optimize vessel performance, enhance fuel efficiency, and ensure compliance with global maritime standards.
Collaborative insights: Our team will be on hand to discuss how we can work together to make your operations safer, smarter, and more sustainable.
We invite you to visit our booth at METS Trade 2024 to explore how our solutions can help future-proof your business, improve operational resilience, and safeguard your digital infrastructure.
Details:
Event: METS Trade 2024
Dates: November 19-21, 2024
Location: Amsterdam RAI, Amsterdam, Netherlands
We look forward to meeting you and discussing how we can drive innovation, security, and efficiency in your maritime operations.
- ‹ Previous
- 1
- …
- 27
- 28
- 29
Recent Comments