SANS NewsBites

Critical Flaws in Ivanti Endpoint Manager and Zimbra postjournal Added to CISA's Known Exploited Vulnerabilities Catalog; Akamai: CUPS Vulnerabilities Can be Chained for DDoS Attacks

October 4, 2024  |  Volume XXVI - Issue #76

Top of the News


2024-10-03

Ivanti: Known Endpoint Manager Vulnerability is Being Actively Exploited

Earlier this week, Ivanti updated a May advisory to note that one of the vulnerabilities it addresses (CVE-2024-29824) is being actively exploited. CVE-2024-29824 is a critical SQL-injection vulnerability affecting Ivanti Endpoint Manager. The US Cybersecurity and Infrastructure Security Agency (CISA) has added the flaw to their Known Exploited Vulnerabilities (KEV) catalog; Federal Civilian Executive Branch (FCEB) agencies are expected to address the issue by October 23.

Editor's Note

Of course it is exploited. Ivanti vulnerabilities have become common enough that attackers have playbooks as to how to effectively exploit them. If attackers have playbooks to exploit a product, you had better have a playbook to keep it up to date and to deal with the resulting incidents if you are not up to date.

Johannes Ullrich

One's strategy shouldn't be to manage updates depending on whether the vulnerability is being actively exploited. It should be based on the criticality of the vulnerability (Arbitrary Code Execution). The hot patch should have been applied back in May. For those that haven't yet patched, now you may be in a race with a determined adversary - don't lose.

Curtis Dukes

CVE-2024-29824, a SQL injection vulnerability, has a CVSS score of 9.6 and is due to improper input sanitization of special elements in a SQL command. The flaw affects Ivanti Endpoint Manager (EPM) up to 2022 SU5. Address the issue by updating your Ivanti EPM to the latest version.

Lee Neely
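
The defect class behind CVE-2024-29824, shown as an added example that is not Ivanti's code and does not reflect EPM's actual queries: a lookup that splices user input into the SQL text, beside the parameterized form that fixes it. The table, rows and input are constructed for the demo.

```python
import sqlite3

# Constructed schema and rows for the demo; nothing here is Ivanti's.
SAMPLE_ROWS = [("laptop-01", "alice"), ("laptop-02", "bob"), ("srv-01", "carol")]


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE devices (name TEXT, owner TEXT)")
    con.executemany("INSERT INTO devices VALUES (?, ?)", SAMPLE_ROWS)
    return con


def lookup_unsafe(con, owner):
    # Vulnerable pattern: the untrusted value is spliced into the SQL text, so a
    # quote character in it ends the literal and the rest is parsed as SQL.
    sql = f"SELECT name FROM devices WHERE owner = '{owner}'"
    return [row[0] for row in con.execute(sql)]


def lookup_safe(con, owner):
    # Hardened pattern: the statement text is fixed and the value is bound as a
    # parameter, so the database never interprets it as SQL syntax.
    rows = con.execute("SELECT name FROM devices WHERE owner = ?", (owner,))
    return [row[0] for row in rows]


def demo():
    con = make_db()
    tainted = "x' OR '1'='1"  # constructed input carrying a quote and an OR clause
    return {
        "unsafe_normal": lookup_unsafe(con, "alice"),
        "unsafe_tainted": lookup_unsafe(con, tainted),   # every row leaks
        "safe_normal": lookup_safe(con, "alice"),
        "safe_tainted": lookup_safe(con, tainted),       # no owner has that literal name
    }


if __name__ == "__main__":
    for label, names in demo().items():
        print(f"{label:15} {names}")
```

The "special elements" the CVE description refers to are the quote and keyword in the tainted input; binding the value as a parameter removes the need to sanitize them at all.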

2024-10-02

Patch Now: Critical Zimbra Flaw in postjournal is being Actively Exploited

Zimbra has released an update to address a critical inadequate user input sanitization vulnerability in its postjournal service. The flaw could be exploited by unauthenticated attackers to execute arbitrary commands on vulnerable installations. The flaw is being actively exploited and has prompted warnings from Computer Emergency Response Teams (CERTs) in Italy and Latvia, as well as from multiple threat researchers. Users are urged to install the latest Zimbra update or disable postjournal.

Editor's Note

CVE-2024-45519, an RCE flaw, has a CVSS 3 score of 10.0 and has been added to the NIST KEV catalog with a due date of 10/24/24. The fix is to either disable postjournal if it is not used, or to update it to the latest version, ensure mynetworks is properly configured to prevent unauthorized access, and apply all Zimbra updates.

Lee Neely

2024-10-03

Akamai Researchers Find that CUPS Vulnerabilities Can be Exploited to Launch DDoS Attacks

Researchers at Akamai have determined that several of the recently-disclosed vulnerabilities in the Common UNIX Printing System (CUPS) could be chained to launch distributed denial-of-service (DDoS) attacks. According to Akamai, 'Research shows that, to begin the attack, the attacking system only needs to send a single packet to a vulnerable and exposed CUPS service with internet connectivity, [and] it would take an attacker mere seconds to co-opt every vulnerable CUPS service currently exposed on the internet and cost the attacker less than a single US cent on modern hyperscaler platforms.'

Editor's Note

This is an interesting exploit vector and longer term, it may have a larger impact than the remote code execution issues.

Johannes Ullrich

If you're not using CUPS, don't just disable it, uninstall it so the vulnerable code is removed. If you are using it, apply the updated fixes to cups-lib. Consider carefully how you're exposing TCP and UDP port 631 (Internet Printing Protocol).

Lee Neely

Simone Margaritelli has been trying for months to get the CUPS developers to acknowledge this vulnerability. Block port 631.

William Hugh Murray

The Rest of the Week's News


2024-10-02

Multiple Flaws Found in DrayTek Vigor Routers

Researchers at Forescout's Vedere Labs identified 14 security issues affecting DrayTek Vigor routers. One of the flaws is rated maximum severity (CVSS 10.0) and a second is rated critical (CVSS 9.1). Nine are rated high-severity (between CVSS 7.0 and 8.9), and three are rated medium-severity. The flaws can be exploited to take control of vulnerable routers and from there steal data, deploy malware, and launch denial-of-service attacks. Most of the vulnerabilities affect the routers' web-based user interface. While DrayTek warns that the routers' control panels should be accessible only from local networks, the researchers at Forescout found more than 700,000 devices had their web interfaces exposed to the public Internet. The flaws affect 24 models of DrayTek Vigor routers, some of which are no longer supported. DrayTek has made patches available for all affected models, end-of-life included.

Editor's Note

Never ever expose these admin interfaces to the internet. They are all vulnerable. For some of them, the vulnerability just hasn't been published yet.

Johannes Ullrich

Two things that should drive patch prioritization: 1) the large number of vulnerabilities; and 2) the criticality of the vulnerabilities. For the first, it gives the evildoer a lot to work with in developing an exploit. For the second, a criticality of 10.0 effectively means that the router is remotely vulnerable with low complexity. Although we can chastise DrayTek for having so many vulnerabilities, they at least did the right thing by including patches for end-of-life products.

Curtis Dukes

The DrayTek routers are primarily used for commercial customers; it's important to get these patched to protect their business, providing VPN, firewall, content filtering, VoIP and bandwidth management. Of the 24 impacted models, 11 are EOL. Aside from updating the firmware, protect the management interface from unauthorized devices, replace EOL devices (the update for EOL devices only addresses CVE-2024-41592, the GetCGI() function with buffer overflow, CVSS score 10).

Lee Neely

2024-10-03

Fixes Available for Multiple Jenkins Vulnerabilities

Jenkins has released updates to address five vulnerabilities in multiple products. A pair of vulnerabilities (CVE-2024-47806 and CVE-2024-47807) in the OpenID Connect Authentication Plugin are considered high-severity; they involve audience and issuer claim validation and could be exploited to gain elevated privileges. The other three vulnerabilities are considered medium-severity.

Editor's Note

The three medium-severity flaws could be used to access and decode encrypted credential values, API keys, certificates and secret files. Check your component product versions, update Jenkins Weekly to 2.479, Jenkins LTS to 2.462.3, Credentials plugin to 1381.v2c3a_12074da_b_ and OpenID Connect Authentication Plugin to 4.355.v3a_fb_fca_b_96d4. Jenkins advises updating immediately.

Lee Neely
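
The audience and issuer checks the Jenkins item refers to, as an added example not taken from the OpenID Connect Authentication Plugin: a relying-party routine that validates the claims of an ID token whose signature has already been verified. The issuer URL, client id, timestamps and token payload are constructed for the demo, and signature verification is assumed to have happened before this runs.

```python
import time

# Constructed ID-token payload and relying-party settings for the demo.
EXPECTED_ISSUER = "https://idp.example.test"
CLIENT_ID = "jenkins-client"
NOW = 1_700_000_300
SAMPLE_CLAIMS = {
    "iss": EXPECTED_ISSUER,
    "sub": "user-1234",
    "aud": CLIENT_ID,
    "exp": NOW + 300,
    "iat": NOW - 300,
    "nonce": "login-nonce-8f3a",
}


def validate_id_token_claims(claims, expected_issuer, client_id, now=None, expected_nonce=None):
    """Return the list of failed checks; an empty list means the claims are acceptable.

    Assumes the token's signature was already verified against the issuer's
    published keys: claim checks on an unverified token prove nothing.
    """
    now = time.time() if now is None else now
    problems = []

    # Issuer must be exactly the provider this relying party was configured with.
    if claims.get("iss") != expected_issuer:
        problems.append("issuer mismatch")

    # Audience: 'aud' is a string or a list and must name this client. Without this
    # check a token issued for any other application at the same provider is accepted.
    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else list(aud or [])
    if client_id not in audiences:
        problems.append("audience does not include this client")
    # With several audiences, OIDC Core asks the client to require 'azp' to name it.
    if len(audiences) > 1 and claims.get("azp") != client_id:
        problems.append("multiple audiences without matching azp")

    # Lifetime bounds.
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        problems.append("token expired or exp missing")
    iat = claims.get("iat")
    if isinstance(iat, (int, float)) and iat > now + 60:
        problems.append("iat is in the future")

    # The nonce ties the token to the authentication request that started this login.
    if expected_nonce is not None and claims.get("nonce") != expected_nonce:
        problems.append("nonce mismatch")

    return problems


if __name__ == "__main__":
    cases = {
        "valid": SAMPLE_CLAIMS,
        "other_app_audience": dict(SAMPLE_CLAIMS, aud="some-other-app"),
        "other_issuer": dict(SAMPLE_CLAIMS, iss="https://other-idp.example.test"),
    }
    for name, claims in cases.items():
        print(name, validate_id_token_claims(claims, EXPECTED_ISSUER, CLIENT_ID, NOW, "login-nonce-8f3a"))
```

The function returns every failed check rather than stopping at the first, which is what you want in a login audit log; the caller still treats any non-empty result as a rejected token.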

2024-10-03

Aqua Nautilus Dissects Parasitic 'perfctl' Cryptomining Malware

On October 3, 2024, Aqua Nautilus published analysis of the "perfctl" malware, which researchers discovered on a honeypot server, and whose effects have been observed on Linux servers worldwide for three years. The malware breaches systems through "misconfigurations or exposed secrets," often exploiting two known, patched vulnerabilities: CVE-2023-33246, affecting Apache RocketMQ 5.1.0 and older, and CVE-2021-4034, a flaw in Polkit. The attack is "elusive and persistent," waiting for a server to be idle: an obfuscated payload is downloaded, executed, copied into a directory for temporary files, then the original process is terminated and the original file deleted. Copies of the malware and its elements are named to camouflage as legitimate Linux files and processes, embedding themselves in the target server with rootkits and "trojanized versions" of normal utilities. Once established, the malware begins cryptomining and in some cases proxyjacking to sell unused bandwidth. Aqua Nautilus recommends "system monitoring, network traffic analysis, file and process integrity monitoring, and proactive mitigation" via patching, restricting file execution, disabling unused services, implementing strict privilege management, and segmenting networks.
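
As an added example of the "file and process integrity monitoring" Aqua Nautilus recommends, and not part of their report: a small Linux check that reads `/proc` and flags running processes whose executable sits in a temporary directory, has been deleted from disk while the process keeps running, or borrows a common system process name from an unexpected path. Those three behaviours are the ones the item describes; the sample process records, the path names under `/tmp` and `/var/tmp`, and the list of borrowed names are constructed for the demo.

```python
import os

TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
TRUSTED_BIN_DIRS = ("/usr/bin/", "/usr/sbin/", "/bin/", "/sbin/", "/usr/lib/", "/usr/libexec/")
# Names an intruder might borrow to blend in; a constructed, non-exhaustive list.
COMMON_SYSTEM_NAMES = {"sshd", "cron", "crond", "systemd", "rsyslogd", "httpd", "nginx", "kworker"}

# Constructed records in the shape collect_processes() returns. Only the two
# "suspicious" entries are invented; the first two look like normal daemons.
SAMPLE_PROCESSES = [
    {"pid": 812, "comm": "sshd", "exe": "/usr/sbin/sshd"},
    {"pid": 1304, "comm": "nginx", "exe": "/usr/sbin/nginx"},
    {"pid": 2291, "comm": "sshd", "exe": "/tmp/.xdiag/sshd (deleted)"},
    {"pid": 2305, "comm": "perfctl", "exe": "/var/tmp/perfctl"},
]


def collect_processes():
    """Read live records from /proc (Linux only). The kernel appends ' (deleted)' to
    the exe link of a process whose binary was unlinked after it started."""
    records = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            exe = os.readlink(f"/proc/{pid}/exe")
            with open(f"/proc/{pid}/comm") as f:
                comm = f.read().strip()
        except OSError:
            continue  # kernel threads, exited processes, or other users' processes
        records.append({"pid": int(pid), "comm": comm, "exe": exe})
    return records


def flag_suspicious(records):
    """Return the records that match one or more of the three behaviours, with reasons.
    These are triage signals, not verdicts: a package upgrade also leaves a daemon
    running from a deleted binary until it is restarted."""
    findings = []
    for r in records:
        exe = r["exe"]
        reasons = []
        if exe.endswith(" (deleted)"):
            reasons.append("executable deleted while running")
            exe = exe[: -len(" (deleted)")]
        if exe.startswith(TEMP_DIRS):
            reasons.append("executable in temporary directory")
        if r["comm"] in COMMON_SYSTEM_NAMES and not exe.startswith(TRUSTED_BIN_DIRS):
            reasons.append("system process name from untrusted path")
        if reasons:
            findings.append({"pid": r["pid"], "comm": r["comm"], "exe": r["exe"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    # Use live data when /proc is available, otherwise the constructed sample.
    records = collect_processes() if os.path.isdir("/proc") else SAMPLE_PROCESSES
    for finding in flag_suspicious(records):
        print(finding["pid"], finding["comm"], finding["exe"], "->", "; ".join(finding["reasons"]))
```

Run it from a periodic job and diff the output against the previous run; a new hit that is also consuming CPU at idle hours is the pattern the report describes. It will not see a process hidden by a rootkit, which is why the report pairs process checks with network traffic analysis.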


2024-10-03

Update Available to Address Flaw in Avast Antivirus for Windows

A vulnerability in Avast Antivirus for Windows could be exploited to gain elevated privileges on unpatched systems. The high-severity race-condition flaw (CVE-2024-5102) exists in the 'Repair' feature of Avast Antivirus for Windows versions older than 24.2. Users are urged to ensure they are running the most recent version of the product.

Editor's Note

Flaws in your endpoint protection solution should be rapidly addressed regardless of score. The flaw stems from how the repair function handles symbolic links; an attacker can manipulate those links to have it delete or recreate arbitrary files as well as execute code with system privileges. The root cause is improper link resolution before file access and improper validation of input.

Lee Neely
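
The root cause named in the note, improper link resolution before file access, as an added example not derived from Avast's code: the Avast flaw is on Windows, but the same defect class is shown here with POSIX primitives. A path-based open follows a planted symlink, so a "repair" that deletes or rewrites the path acts on whatever the link points at; the guarded version opens relative to a trusted directory descriptor with a bare filename and O_NOFOLLOW, then checks the open descriptor with fstat instead of the path name. The directory, files and link are constructed in a temporary directory for the demo.

```python
import os
import stat
import tempfile


def open_regular_file_in_dir(dir_fd, name):
    """Open NAME (a single path component) inside the directory DIR_FD without
    following symlinks, and confirm after opening that it is a plain file.

    Opening relative to a directory descriptor means no component between the
    trusted directory and the file can be redirected, O_NOFOLLOW rejects a
    symlink as the final component, and the type check runs on the descriptor
    we actually hold, so swapping the path after a check cannot change the target.
    """
    if not name or os.sep in name or name in (".", ".."):
        raise ValueError("name must be a single path component")
    fd = os.open(name, os.O_RDWR | os.O_NOFOLLOW | os.O_CLOEXEC, dir_fd=dir_fd)
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError(f"{name}: not a regular file")
    except Exception:
        os.close(fd)
        raise
    return fd


def demo():
    """Constructed scenario: a trusted directory holding a regular file and a
    symlink that points at another file in the same directory."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "target.txt"), "w") as f:
            f.write("legitimate content\n")
        with open(os.path.join(d, "other.txt"), "w") as f:
            f.write("file the link redirects to\n")
        os.symlink(os.path.join(d, "other.txt"), os.path.join(d, "link.txt"))

        # Naive path-based open resolves the link: any write or delete through this
        # descriptor lands on other.txt, not on the name the caller was given.
        fd = os.open(os.path.join(d, "link.txt"), os.O_RDWR)
        other_ino = os.stat(os.path.join(d, "other.txt")).st_ino
        results["naive_open_follows_symlink"] = os.fstat(fd).st_ino == other_ino
        os.close(fd)

        dir_fd = os.open(d, os.O_RDONLY | os.O_DIRECTORY)
        try:
            fd = open_regular_file_in_dir(dir_fd, "target.txt")
            results["guarded_opens_regular_file"] = True
            os.close(fd)
            try:
                open_regular_file_in_dir(dir_fd, "link.txt")
                results["guarded_refuses_symlink"] = False
            except OSError:  # ELOOP from O_NOFOLLOW, or the S_ISREG check
                results["guarded_refuses_symlink"] = True
        finally:
            os.close(dir_fd)
    return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check:30} {outcome}")
```

The same idea carries to other operations: unlink, rename and chmod through the directory descriptor (`os.unlink(name, dir_fd=dir_fd)` and friends) rather than through an absolute path that an unprivileged user can redirect.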

2024-10-03

T-Mobile to Pay $15.75 Million Fine and Spend the Same on Security

A court order released on September 30, 2024, approves a Consent Decree settling legal action against T-Mobile by the Federal Communications Commission. The FCC had been investigating T-Mobile after four major data breaches between 2021 and 2023, aiming to determine the company's culpability per the Communications Act of 1934; the act "expects telecommunications carriers to take 'every reasonable precaution' to protect their customers' proprietary or personal information." The breaches resulted in the theft and release of millions of customers' "names, addresses, dates of birth, Social Security numbers, driver's license numbers," and service plan details. Half of the $31.5 million settlement will be paid as civil penalty to the US Treasury, and the other half must be spent to "address foundational security flaws" within two years: applying secure authentication practices, building zero-trust architecture, improving data hygiene, and arranging for third-party assessments, among other measures.

Editor's Note

While T-Mobile has had as many as 7 breaches over the last five years, this settlement covers the last four (since 2021). You may recall in 2021 things kicked off with an attacker stealing personal and device-related information, including PINs, for 76.6 million current, former, and prospective T-Mobile customers. The good news is that the FCC is actively raising the bar, requiring breach notifications, stating "Consumers' data is too important and much too sensitive to receive anything less than the best cybersecurity protections. We will continue to send a strong message to providers entrusted with this delicate information that they need to beef up their systems or there will be consequences." The hard part, if you're a T-Mobile customer, is deciding if you can survive until the changes are made or if you should switch to AT&T, Sprint or Verizon, which have had other issues of late.

Lee Neely

The FCC is increasingly holding organizations accountable for not exhibiting a standard of reasonableness when it comes to protecting consumer information. This is the latest installment. For companies wishing to stay out of the FCC or judicial branch crosshairs, the Center for Internet Security recently published a 'Guide to Defining Reasonable Cybersecurity' that specifies what must be done to meet the standard of reasonable cybersecurity. Reasonable Cybersecurity Guide: https://www.cisecurity.org/insights/white-papers/reasonable-cybersecurity-guide

Curtis Dukes

2024-10-03

UK Nuclear Safety Regulator Fines Nuclear Facility Overseer for Cybersecurity Failings

The UK's Office for Nuclear Regulation (ONR) has fined nuclear waste processing firm Sellafield Ltd £332,500 (436,439 USD) for issues with 'management of the security around its information technology systems between 2019 to 2023 and its breaches of the Nuclear Industries Security Regulations 2003.' An investigation determined that Sellafield's IT systems could have allowed unauthorized access and data loss. The Chief Magistrate presiding in court earlier this week also fined Sellafield £53,253 (69,900 USD) to cover costs associated with the prosecution.

Editor's Note

Another example of the standard 'duty of care' being applied by the judicial system to an organization. Besides the monetary fine, the settlement typically requires the organization to apply additional security controls and submit annual risk management reports on the state of its cybersecurity program. You can get ahead of this by implementing and measuring yourself against one of several well-known cybersecurity frameworks: NIST CSF, ISO 27001, and the CIS Critical Security Controls.

Curtis Dukes

2024-10-02

Stronger OT Security: International Guidance and MITRE EMB3D

A new publication of joint guidance from security organizations in Australia, Canada, Germany, Japan, Korea, New Zealand, the US, and the UK outlines core principles for maintaining security in Operational Technology (OT). OT systems are 'vital services;' they are also complex, diverse, and difficult to change, making security difficult to assess. The document emphasizes checking decisions against six principles: 1. 'Safety is paramount,' specifically physical safety of human beings; 2. 'Knowledge of the business is crucial ... Top-down thinking has historically led many organisations to seek to separate OT from IT;' 3. 'OT data is extremely valuable and needs to be protected;' 4. 'Segment and segregate OT from all other networks;' 5. 'The supply chain must be secure;' and 6. 'People are essential for OT cyber security.' Within days of this guidance, MITRE fully published EMB3D: a 'living framework' for linking device properties to threats and mitigations in OT as well as IoT, automotive, healthcare, and other applications. The framework is informed by major vulnerability enumerations, and the mitigations are "mapped to the security controls" from the International Society of Automation and International Electrotechnical Commission's ISA/IEC 62443 Series of Standards.

Editor's Note

Flat networks continue to be problematic everywhere but exposing OT to the public networks is reckless.

William Hugh Murray

2024-10-02

NVD Enrichment Backlog Update

The US National Institute of Standards and Technology's (NIST's) National Vulnerability Database (NVD) is still showing a significant enrichment backlog. What this means is that while new CVEs appear in the NVD, some currently offer only minimal information instead of an organized aggregation of publicly available data about the vulnerability. The backlog issue began in February 2024. In May, NIST hired a third-party consultant to help with the backlog.

Editor's Note

The trend is moving in the right direction: as of September 21, 72.4% of CVEs were not analyzed compared to 93.4% in May. NIST missed their self-imposed deadline of September 30th to clear the backlog; it's not clear what it'll take to clear it, as well as to thwart efforts to create alternates to the NIST vulnerability repositories.

Lee Neely

One can only love the characterization of "significant enrichment backlog." They have had a broken system for months.

William Hugh Murray

2024-10-03

Taking Down State-Sponsored Threat Actor Domains

The US Justice Department (DoJ) has unsealed a warrant that authorized the seizure of more than 100 domains associated with cyberthreat actors with ties to Russia's government. The domains have been used to conduct computer fraud and other abuses in the US. A civil lawsuit filed by Microsoft and the NGO Information Sharing and Analysis Center (NGO-ISAC) sought the seizure of 66 domains; the DoJ seized an additional 41 domains.

Editor's Note

While the work of government and the private sector is applauded, two areas need additional focus: 1) the speed in moving from detection of criminal domains to their seizure; and 2) detection of new criminal domains. For the first, it appears it took upwards of a year to seize the domains identified as supporting criminal activity. For the second, global collaboration and information sharing is needed. Let's celebrate the win and continue the fight against cyber criminals.

Curtis Dukes

Internet Storm Center Tech Corner

Hurricane Helene Aftermath - Cyber Security Awareness Month

https://isc.sans.edu/diary/Hurricane+Helene+Aftermath+Cyber+Security+Awareness+Month/31314

Security Related Docker Containers

https://isc.sans.edu/diary/Security%20related%20Docker%20containers/31318

Kickstart Your DShield Honeypot

https://isc.sans.edu/diary/Kickstart+Your+DShield+Honeypot+Guest+Diary/31320

SANS Munich (free Community Night Tuesday October 15th)

https://www.sans.org/cyber-security-training-events/munich-october-2024/

CeranaKeeper Use of Cloud Services

https://www.welivesecurity.com/en/eset-research/separating-bee-panda-ceranakeeper-making-beeline-thailand/

Optigo Spectra Vulnerabilities

https://claroty.com/team82/disclosure-dashboard/cve-2024-41925

https://claroty.com/team82/disclosure-dashboard/cve-2024-45367

Pixel Addressing Vulnerabilities in Cellular Modems

https://security.googleblog.com/2024/10/pixel-proactive-security-cellular-modems.html

CUPS DDoS Attack

https://www.akamai.com/blog/security-research/october-cups-ddos-threat

DrayTek Vulnerabilities

https://www.forescout.com/resources/draybreak-draytek-research/

Zimbra - Remote Command Execution (CVE-2024-45519)

https://blog.projectdiscovery.io/zimbra-remote-code-execution/

Enhancing the security of Microsoft Edge extensions with the new Publish API

https://blogs.windows.com/msedgedev/2024/09/30/enhanced-security-for-extensions-with-new-publish-api/

CVE-2024-36435 Deep-Dive: The Year's Most Critical BMC Security Flaw

https://www.binarly.io/blog/cve-2024-36435-deep-dive-the-years-most-critical-bmc-security-flaw