Security vulnerabilities are a constant concern for any organization's security program. Promptly patching and remediating newly disclosed vulnerabilities is critical to reducing the external attack surface. Netizen's Security Operations Center (SOC) has compiled five critical vulnerabilities from November that should be patched or otherwise addressed immediately if present in your environment. Detailed writeups below:
CVE-2024-43093
CVE-2024-43093 is a high-severity vulnerability in the Android operating system, specifically in the shouldHideDocument function of ExternalStorageProvider.java. The flaw arises from incorrect Unicode normalization, which allows an attacker to bypass a file path filter designed to prevent access to sensitive directories. The issue could lead to a local escalation of privilege without requiring additional execution privileges.
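The mechanism described above, as an added example written for this page (not Android's code and not Netizen's): a path filter that inspects the raw input string beside one that decides on the Unicode-normalized, canonical form. The hidden-directory names, the `should_hide_*` function names and the sample paths are constructed for illustration; the example also goes beyond the page's Unicode case by collapsing `..` segments before the check. Python is used for portability.

```python
import posixpath
import unicodedata

# Constructed, illustrative list of directories a provider wants to hide.
# Stand-ins for the filter described in the writeup, not Android's own values.
HIDDEN_PREFIXES = ("Android/data", "Android/obb")


def _matches_hidden(path: str) -> bool:
    """Case-insensitive prefix check against the hidden-directory list."""
    lowered = path.lower().lstrip("/")
    return any(lowered == p.lower() or lowered.startswith(p.lower() + "/")
               for p in HIDDEN_PREFIXES)


def should_hide_vulnerable(path: str) -> bool:
    """Flawed filter: decides on the raw string the caller supplied.

    Any later component that normalizes Unicode (or collapses '..') ends up
    operating on a different path than the one this check approved."""
    return _matches_hidden(path)


def canonicalize(path: str) -> str:
    """Bring the path into the form later consumers will actually use.

    NFKC folds compatibility characters (e.g. fullwidth letters) into their
    ASCII equivalents; normpath collapses '.' and '..' segments."""
    normalized = unicodedata.normalize("NFKC", path)
    return posixpath.normpath("/" + normalized).lstrip("/")


def should_hide_hardened(path: str) -> bool:
    """Hardened filter: decide on the canonical form, not the raw input."""
    return _matches_hidden(canonicalize(path))


# Constructed inputs: the second begins with FULLWIDTH LATIN CAPITAL LETTER A
# (U+FF21), which NFKC maps to plain 'A'; the third hides the target behind '..'.
SAMPLES = {
    "plain": "Android/data/com.example/cache.db",
    "fullwidth": "\uff21ndroid/data/com.example/cache.db",
    "dotdot": "Pictures/../Android/data/com.example/cache.db",
}


def compare_filters() -> dict:
    """Return {sample_name: (vulnerable_result, hardened_result)}."""
    return {name: (should_hide_vulnerable(p), should_hide_hardened(p))
            for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, (vuln, hard) in compare_filters().items():
        print(f"{name:10s} vulnerable={vuln!s:5s} hardened={hard}")
```

Only the plain spelling is caught by the raw-string filter; the hardened filter hides all three because it checks the same canonical path that downstream code would resolve.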
The attack vector for CVE-2024-43093 relies on user interaction. An attacker would need to exploit this vulnerability by providing malicious input that bypasses the file path filter. Although the attacker does not require elevated privileges initially, they would need to trick the user into interacting with a specific malicious app or content, which would then trigger the flaw. Once successfully exploited, the attacker could gain unauthorized access to sensitive files or data on the device, potentially leading to further escalation of privileges or data theft.
The CVSS v3 score for CVE-2024-43093 is 7.8, indicating that it is a high-risk vulnerability. While exploitation requires user interaction, the potential for damage is still significant, as it could allow an attacker to access or modify critical files on a device, depending on the privileges gained.
This vulnerability is actively exploited in the wild, which increases the urgency for Android users to apply patches or updates as recommended in the Android security bulletin. Users should be cautious about granting unknown applications access to sensitive data, as this type of attack could be used in phishing or social engineering campaigns. To mitigate the risk, it is advisable to stay up to date with the latest security updates and to avoid downloading apps from untrusted sources.
CVE-2024-0012
CVE-2024-0012 is a medium-severity vulnerability in Palo Alto Networks’ PAN-OS software that enables an unauthenticated attacker with network access to the management web interface to bypass authentication. This flaw grants the attacker administrator privileges, allowing them to perform administrative actions, modify configurations, or exploit other privilege escalation vulnerabilities such as CVE-2024-9474. The vulnerability is particularly concerning as it may lead to unauthorized access and manipulation of system configurations, which could further compromise the security of the affected devices.
The attack vector for this vulnerability relies on the attacker having network access to the management web interface of PAN-OS systems. Once the attacker gains this access, they can bypass authentication mechanisms and assume administrative privileges. This allows the attacker to tamper with the system configuration, which could lead to further exploitation, including gaining access to sensitive data or escalating their privileges to perform more destructive actions. The risk of exploitation is increased if the management interface is exposed to untrusted networks, especially the internet. However, the risk is mitigated if access to the management web interface is restricted to trusted internal IP addresses, in line with Palo Alto Networks' best practice deployment guidelines.
Palo Alto Networks has confirmed that CVE-2024-0012 and other vulnerabilities, including CVE-2024-9474, have been actively exploited in the wild, with one attack campaign attributed to Operation Lunar Peek. This highlights the importance of patching affected PAN-OS versions, including PAN-OS 10.2, 11.0, 11.1, and 11.2. The vulnerability does not affect Cloud NGFW or Prisma Access services, providing some relief to users of those products.
For organizations using vulnerable PAN-OS versions, immediate action is required to update to patched versions to prevent exploitation. Palo Alto Networks has issued patches for this vulnerability, and guidance on securing management access can be found in their deployment recommendations. Given the active exploitation in the wild, this vulnerability has been classified as critical by various cybersecurity organizations, with a CVSS v3 score of 9.8, reflecting the high severity of its potential impact.
CVE-2024-20481
CVE-2024-1212 is a critical vulnerability in Kemp Technologies’ LoadMaster system that allows unauthenticated remote attackers to execute arbitrary system commands through the LoadMaster management interface. This issue has a significant impact because it grants attackers full control over the system, enabling them to execute malicious commands without requiring authentication. Such capabilities could lead to a complete compromise of the affected system, with attackers potentially gaining unauthorized access to sensitive data, altering configurations, or causing further damage to the infrastructure.
The attack vector for this vulnerability involves remote exploitation of the LoadMaster management interface. An unauthenticated attacker who can reach the interface over the network can exploit the vulnerability to send specially crafted requests, which are then processed by the system in a way that allows command execution. Since no authentication is required, the attacker does not need prior access to the system, making the vulnerability particularly dangerous if the management interface is exposed to the internet or other untrusted networks.
This vulnerability has been classified as critical, with a CVSS v3 score of 9.8, reflecting the severity of the risk it poses. Its exploitation could allow attackers to fully compromise the LoadMaster system, potentially impacting the availability, confidentiality, and integrity of services running through it. Given the high likelihood of exploitation, especially after the vulnerability has been added to CISA’s Known Exploited Vulnerabilities catalog, immediate mitigation is essential. Kemp Technologies has issued a patch to address the flaw, and users are strongly advised to upgrade to the latest secure versions to prevent potential attacks.
Security experts recommend that organizations using affected versions of the LoadMaster software immediately apply the necessary security updates to prevent unauthorized access and safeguard their systems from exploitation.
CVE-2024-40711
CVE-2024-40711 is a critical vulnerability in Veeam Backup & Replication software that allows unauthenticated attackers to execute remote code on affected systems. This flaw arises from a deserialization of untrusted data, where a malicious payload can be crafted and delivered to the system, enabling the execution of arbitrary code. Given that the vulnerability does not require authentication, it can be exploited remotely by an attacker without needing prior access to the system.
The attack vector for CVE-2024-40711 is based on deserialization, the process of reconstructing in-memory objects from serialized data such as a byte stream or a serialized message. When untrusted data is deserialized without proper validation, it can result in remote code execution (RCE), allowing an attacker to execute commands with the same privileges as the vulnerable service. In this case, the vulnerability affects Veeam Backup & Replication software, which is widely used for data backup and disaster recovery. If exploited, an attacker could potentially gain complete control of the affected system, leading to significant security risks, including data theft, corruption, or even system shutdowns.
The CVSS v3 score for this vulnerability is 9.8, reflecting its high severity and the significant risk posed to systems that use Veeam Backup & Replication. Cybercriminals have already exploited this flaw in attacks involving ransomware, such as Akira and Frag, as reported by multiple security sources. These attacks have targeted organizations using vulnerable versions of Veeam’s software, demonstrating the urgent need for patching.
Veeam has released security updates to address this issue, and users are strongly encouraged to apply these patches immediately to protect their systems. If the vulnerability remains unaddressed, attackers could exploit it to gain unauthorized access, execute malicious commands, and potentially disrupt the operations of businesses relying on the software for data backup and recovery.
CVE-2024-8068
CVE-2024-8068 is a medium-severity privilege escalation vulnerability found in Citrix Session Recording. This flaw allows an authenticated attacker, who is within the same Windows Active Directory domain as the session recording server, to escalate their privileges to the NetworkService account. The NetworkService account is a built-in Windows account with system-level access, which can significantly impact the security of a compromised system.
The attack vector for CVE-2024-8068 requires that the attacker be an authenticated user within the same domain as the Citrix Session Recording server. Once authenticated, the attacker can exploit the vulnerability to escalate their privileges, thereby gaining access to the NetworkService account. This is a notable concern because the NetworkService account typically has higher privileges, and unauthorized access to it can allow attackers to perform a variety of malicious actions, such as accessing sensitive data, modifying system configurations, or executing arbitrary code with elevated privileges.
The CVSS v3 score for CVE-2024-8068 is 8.8, which signifies that while the vulnerability is not critical, it still presents a high risk due to the potential for privilege escalation and the ease with which it can be exploited by an attacker already within the network. Patches have been released by Citrix to mitigate the vulnerability, and users are strongly advised to update their systems to prevent potential exploitation.
While this vulnerability is not as severe as others, its impact can still be significant in environments where Citrix Session Recording is used. Organizations should take appropriate steps to apply the necessary patches and mitigate the risk associated with this flaw, especially if their network has multiple authenticated users who could potentially exploit the vulnerability.
How Can Netizen Help?
Netizen ensures that security gets built in and not bolted on. We provide advanced solutions to protect critical IT infrastructure, such as our popular "CISO-as-a-Service," through which companies can leverage the expertise of executive-level cybersecurity professionals without bearing the cost of employing them full time.
We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.
Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.
Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans.
Questions or concerns? Feel free to reach out to us any time: https://www.netizen.net/contact