Critical Flaws in Ivanti Endpoint Manager and Zimbra postjournal Added to CISA;Õs Known Exploited Vulnerabilities Catalog; Akamai: CUPS Vulnerabilities Can be Chained for DDoS Attacks

Earlier this week, Ivanti updated a May advisory to note that one of the vulnerabilities it addresses (CVE-2024-29824) is being actively exploited. CVE-2024-29824 is a critical SQL-injection vulnerability affecting Ivanti Endpoint Manager. The US Cybersecurity and Infrastructure Security Agency (CISA) has added the flaw to their Known Exploited Vulnerabilities (KEV) catalog; Federal Civilian Executive Branch (FCEB) agencies are expected to address the issue by October 23.

Zimbra has released an update to address a critical inadequate user input sanitation vulnerability in its postjournal service. The flaw could be exploited by unauthenticated attackers to execute arbitrary commands on vulnerable installations. The flaw is being actively exploited, and has prompted warnings from Computer Emergency Response Teams (CERTs) in Italy and Latvia, as well as from multiple threat researchers. Users are urged to install the latest Zimbra update or disable postjournal.

Researchers at Akamai have determined that several of the recently-disclosed vulnerabilities in the Common UNIX Printing System (CUPS) could be chained to launch distributed denial-of-service (DDoS) attacks. According to Akamai, 'Research shows that, to begin the attack, the attacking system only needs to send a single packet to a vulnerable and exposed CUPS service with internet connectivity, [and] it would take an attacker mere seconds to co-opt every vulnerable CUPS service currently exposed on the internet and cost the attacker less than a single US cent on modern hyperscaler platforms.'

Researchers at Forescout's Vedere Labs identified 14 security issues affecting DrayTek Vigor routers. One of the flaws is rated maximum severity (CVSS 10.0) and a second is rated critical (CVSS 9.1). Nine are rated high-severity (between CVSS 7.0 and 8.9), and three are rated medium-severity. The flaws can be exploited to take control of vulnerable routers and from there steal data, deploy malware, and launch denial-of-service attacks. Most of the vulnerabilities affect the routers' web-based user interface. While DrayTek warns that the routers' control panels should be accessible only from local networks, the researchers at Forescout found more than 700,000 devices had their web interfaces exposed to the public Internet. The flaws affect 24 models of DrayTek Vigor routers, some of which are no longer supported. DrayTek has made patches available for all affected models, end-of-life included.

Jenkins has released updates to address five vulnerabilities in multiple products. A pair of vulnerabilities (CVE-2024-47806 and CVE-2024-47807) in the OpenId Connect Authentication Plugin are considered high-severity; they involve audience and issuer claim validation and could be exploited to gain elevated privileges. The other three vulnerabilities are considered medium-severity.

On October 3, 2024, Aqua Nautilus published analysis of the "perfctl" malware, which researchers discovered on a honeypot server, and whose effects have been observed on Linux servers worldwide for three years. The malware breaches systems through "misconfigurations or exposed secrets," often exploiting two known, patched vulnerabilities: CVE-2023-33246, affecting Apache RocketMQ 5.1.0 and older, and CVE-2021-4034, a flaw in Polkit. The attack is "elusive and persistent," waiting for a server to be idle: an obfuscated payload is downloaded, executed, copied into a directory for temporary files, then the original process is terminated and the original file deleted. Copies of the malware and its elements are named to camouflage as legitimate Linux files and processes, embedding themselves in the target server with rootkits and "trojanized versions" of normal utilities. Once established, the malware begins cryptomining and in some cases proxyjacking to sell unused bandwidth. Aqua Nautilus recommends "system monitoring, network traffic analysis, file and process integrity monitoring, and proactive mitigation" via patching, restricting file execution, disabling unused services, implementing strict privilege management, and segmenting networks.

A vulnerability in Avast Antivirus for Windows could be exploited to gain elevated privileges on unpatched systems. The high-severity race-condition flaw (CVE-2024-5102) exists in the 'Repair' feature of Avast Antivirus for Windows versions older than 24.2. Users are urged to ensure they are running the most recent version of the product.

A court order released on September 30, 2024, approves a Consent Decree settling legal action against T-Mobile by the Federal Communications Commission. The FCC had been investigating T-Mobile after four major data breaches between 2021 and 2023, aiming to determine the company's culpability per the Communications Act of 1934; the act "expects telecommunications carriers to take 'every reasonable precaution' to protect their customers' proprietary or personal information." The breaches resulted in the theft and release of millions of customers' "names, addresses, dates of birth, Social Security numbers, driver's license numbers," and service plan details. Half of the $31.5 million settlement will be paid as civil penalty to the US Treasury, and the other half must be spent to "address foundational security flaws" within two years: applying secure authentication practices, building zero-trust architecture, improving data hygiene, and arranging for third-party assessments, among other measures.

The UK's Office for Nuclear Regulation (ONR) has fined nuclear waste processing firm Sellafield Ltd £332,500 (436,439 USD) for issues with 'management of the security around its information technology systems between 2019 to 2023 and its breaches of the Nuclear Industries Security Regulations 2003.' An investigation determined that Sellafield's IT systems could have allowed unauthorized access and data loss. The Chief Magistrate presiding in court earlier this week also fined Sellafield £53,253 (69,900 USD) to cover costs associated with the prosecution.

A new publication of joint guidance from security organizations in Australia, Canada, Germany, Japan, Korea, New Zealand, the US, and the UK outlines core principles for maintaining security in Operational Technology (OT). OT systems are 'vital services;' they are also complex, diverse, and difficult to change, making security difficult to assess. The document emphasizes checking decisions against six principles: 1. 'Safety is paramount,' specifically physical safety of human beings; 2. 'Knowledge of the business is crucial ... Top-down thinking has historically led many organisations to seek to separate OT from IT;" 3. 'OT data is extremely valuable and needs to be protected;' 4. 'Segment and segregate OT from all other networks;' 5. 'The supply chain must be secure;' and 6. 'People are essential for OT cyber security.' Within days of this guidance, MITRE fully published EMB3D: a 'living framework' for linking device properties to threats and mitigations in OT as well as IoT, automotive, healthcare, and other applications. The framework is informed by major vulnerability enumerations, and the mitigations are "mapped to the security controls" from International Society of Automation and International Electrotechnical Commission's ISA/EIC 62443 Series of Standards.

The US National Institute of Standards and TechnologyÕs (NISTÕs) National Vulnerability Database (NVD) is still showing a significant enrichment backlog. What this means is that while new CVEs appear in the NVD, some currently offer only minimal information instead of an organized aggregation of publicly available data about the vulnerability. The backlog issue began in February 2024. In May, NIST hired a third-party consultant to help with the backlog.

The US Justice Department (DoJ) has unsealed a warrant that authorized the seizure of more than 100 domains associated with cyberthreat actors with ties to Russia's government. The domains have been used to conduct computer fraud and other abuses in the US. A civil lawsuit filed by Microsoft and the NGO Information Sharing and Analysis Center (NGO-ISAC) sought the seizure of 66 domains; the DoJ seized an additional 41 domains.