Cyber Exposure Alerts From Tenable
- Microsoft Patch Tuesday 2024 Year in Reviewby Scott Caveza, Satnam Narang on December 10, 2024 at 4:52 pm
Microsoft addressed over 1000 CVEs as part of Patch Tuesday releases in 2024, including 22 zero-day vulnerabilities.BackgroundMicrosoft’s Patch Tuesday, a monthly release of software patches for Microsoft products, has just celebrated its 21st anniversary. After a wrap-up covering the 20th anniversary in 2023, the Tenable Security Response Team (SRT) chose to keep the tradition and cover trends and significant vulnerabilities from the 2024 Patch Tuesday releases.AnalysisIn 2024, Microsoft patched 1,009 CVEs throughout the year across a multitude of products. In contrast, 2023 saw 909 CVE’s patched and in 2022, 917 CVE’s were patched. While Microsoft has yet to break its 2020 record with 1,245 CVE’s patched, 2024 was still significant, as it is only the second time since Patch Tuesday’s inception that Microsoft patched over 1,000 CVE’s in a year.Year over year, we see a steady increase in CVEs patched, with the exception of the outlier in 2020, a peak CVE count we have not yet seen matched.In 2024, the largest CVE count was observed in April, with Microsoft releasing patches for 147 CVEs. Only three months saw CVE counts over 100, with an average of 84 CVE’s patched per month.Patch Tuesday 2024 by severityEach month, Microsoft categorizes vulnerabilities into four main severity levels: low, moderate, important and critical.Just as in 2023, 2024 saw the majority of vulnerabilities rated as important, accounting for 93.6% of all CVEs patched, followed by critical at 5.4%. Moderate accounted for 1.1%, while there were no CVEs rated as low in 2024.Patch Tuesday 2024 by impactIn addition to severity levels, Microsoft also categorizes vulnerabilities by seven impact levels: remote code execution (RCE), elevation of privilege (EoP), denial of service (DoS), information disclosure, spoofing, security feature bypass and tampering.Once again in 2024, RCE vulnerabilities led the impact category, accounting for 39.7%, while EoP vulnerabilities accounted for 28.8%. DoS vulnerabilities ranked third, accounting for 10%, followed by information disclosure flaws at 8.3% and security feature bypass vulnerabilities at 8.0%. Last year, there were no vulnerabilities categorized as tampering, but this year, there were just four, which accounted for 0.4%.Patch Tuesday 2024 zero-day vulnerabilitiesAccording to Statista, Microsoft’s Windows operating system (OS) has a 72% market share as of February 2024, making it the most prominent OS. With the largest market share, Microsoft remains a top target for cybercriminals and advanced persistent threat (APT) groups. On occasion, these groups find and exploit vulnerabilities that remain unknown to Microsoft, known as zero-day vulnerabilities. Zero-day vulnerabilities are defined as vulnerabilities in software that have been exploited in the wild and/or have been publicly disclosed prior to patches becoming available. These zero-day vulnerabilities are often leveraged in limited, targeted attacks, however exploitation of these flaws can vary in depth and breadth.In 2024, Microsoft patched 22 CVEs that were identified as zero-day vulnerabilities. Of the 22 zero-day vulnerabilities patched in 2024, 36.4% were EoP flaws. EoP vulnerabilities are often leveraged by APT actors and by determined cybercriminals seeking to elevate privileges as part of post-compromise activity. Following EoP flaws, security feature bypass vulnerabilities accounted for 27.3% of zero-days in 2024. While RCEs were the most prominent vulnerabilities across Patch Tuesday, they only accounted for 18.2% of zero-day flaws.While these zero-days made up a small portion of the overall CVE’s addressed by Microsoft in 2024, we analyzed some of the most notable zero-day vulnerabilities of 2024. The table below includes these CVE’s with some details around their exploitation activity.CVEDescriptionExploitation ActivityCVE-2024-21338Windows Kernel Elevation of Privilege VulnerabilityExploited by the Lazarus APT Group to deploy the FudModule rootkitCVE-2024-21412Internet Shortcut Files Security Feature Bypass VulnerabilityWater Hydra (aka DarkCasino) exploited this in a campaign named DarkGate. This APT has also exploited this CVE to deploy the DarkMe remote access trojan (RAT)CVE-2024-30051Windows DWM Core Library Elevation of Privilege VulnerabilityUsed to deploy QakBot malwareCVE-2024-30088Windows Kernel Elevation of Privilege VulnerabilityExploited by APT34 (aka OilRig)CVE-2024-38112Windows MSHTML Platform Spoofing VulnerabilityExploited by APT group Void Banshee to deploy the malware known as Atlantida stealer.CVE-2024-38178Scripting Engine Memory Corruption VulnerabilityExploited by APT37 (aka RedEyes, Reaper, ScarCruft, Group123 and TA-RedAnt)CVE-2024-38193Windows Ancillary Function Driver for WinSock Elevation of Privilege VulnerabilityExploited by the Lazarus APT Group (aka Diamond Sleet) to deploy the FudModule rootkitCVE-2024-38213Windows Mark of the Web Security Feature Bypass VulnerabilityWater Hydra (aka DarkCasino) exploited this in a campaign named DarkGate. Vulnerability was named “Copy2Pwn” by Trend Micro’s Zero Day Initiative (ZDI)CVE-2024-43451NTLM Hash Disclosure Spoofing VulnerabilityExploited by APT known as UAC-0194 to deploy Spark RAT malware.CVE-2024-43461Windows MSHTML Platform Spoofing VulnerabilityExploited by APT group Void Banshee in an attack chain with CVE-2024-38112CVE-2024-49039Windows Task Scheduler Elevation of Privilege VulnerabilityExploited by the threat actor tracked as RomCom to deploy the RomCom RAT malware.ConclusionAs we reflect on Patch Tuesday vulnerabilities in 2024, despite the year over year CVE counts being steady, we observed a small increase this year. While there will always be outliers, it is likely that 2025 will continue to follow an upward trend. In June, Microsoft announced that CVE’s would be issued for vulnerabilities in cloud-based products, even when no end user action is required. This could lead to a sharp increase in the number of CVEs assigned next year.View the video below for a summary of key takeaways:The SRT will continue to blog about Patch Tuesday each month along with other significant vulnerabilities that represent risk across the threat landscape, ensuring our readers are equipped with the most up to date information about the exposures that require immediate action.Get more informationTenable Blog: Microsoft Patch Tuesday 2023 Year in ReviewJoin Tenable’s Security Response Team on the Tenable Community.Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.
- Microsoft’s December 2024 Patch Tuesday Addresses 70 CVEs (CVE-2024-49138)by Tenable Security Response Team on December 10, 2024 at 1:47 pm
16Critical54Important0Moderate0LowMicrosoft addresses 70 CVEs with 16 rated critical, including one zero-day that was exploited in the wild.Microsoft patched 70 CVEs in its December 2024 Patch Tuesday release, with 16 rated critical, and 54 rated as important.This month’s update includes patches for:GitHubMicrosoft Defender for EndpointMicrosoft OfficeMicrosoft Office AccessMicrosoft Office ExcelMicrosoft Office PublisherMicrosoft Office SharePointMicrosoft Office WordRemote Desktop ClientRole: DNS ServerRole: Windows Hyper-VSystem Center Operations ManagerWindows Cloud Files Mini Filter DriverWindows Common Log File System DriverWindows File ExplorerWindows IP Routing Management SnapinWindows KernelWindows Kernel-Mode DriversWindows LDAP – Lightweight Directory Access ProtocolWindows Local Security Authority Subsystem Service (LSASS)Windows Message QueuingWindows Mobile BroadbandWindows PrintWorkflowUserSvcWindows Remote DesktopWindows Remote Desktop ServicesWindows Resilient File System (ReFS)Windows Routing and Remote Access Service (RRAS)Windows Task SchedulerWindows Virtualization-Based Security (VBS) EnclaveWindows Wireless Wide Area Network ServiceWmsRepair ServiceRemote code execution (RCE) vulnerabilities accounted for 42.9% of the vulnerabilities patched this month, followed by elevation of privilege (EoP) vulnerabilities at 38.6%.ImportantCVE-2024-49138 | Windows Common Log File System Driver Elevation of Privilege VulnerabilityCVE-2024-49138 is an EoP vulnerability in the Windows Common Log File System (CLFS) Driver. It was assigned a CVSSv3 score of 7.8 and is rated as important. It was exploited in the wild as a zero-day, though no details about the in-the-wild exploitation were known at the time this blog post was published.In addition to CVE-2024-49138, Microsoft patched two other CLFS driver EoP vulnerabilities: CVE-2024-49090, CVE-2024-49088, both assigned a CVSSv3 score of 7.8, were rated as important and assessed as “Exploitation More Likely” according to Microsoft’s Exploitability Index.This is the ninth vulnerability in the Windows CLFS driver patched in 2024, and the first that was exploited in the wild as a zero-day this year. In 2023, there were 10 CLFS vulnerabilities patched, including two zero-day vulnerabilities in the CLFS driver that were exploited (CVE-2023-28252, CVE-2023-23376). CLFS driver vulnerabilities have been a popular attack vector and exploited in the wild by ransomware operators in the last few years according to researchers.ImportantCVE-2024-49070 | Microsoft SharePoint Remote Code Execution VulnerabilityCVE-2024-49070 is a RCE vulnerability in Microsoft SharePoint. It was assigned a CVSSv3 score of 7.4 and is rated as important. Microsoft’s advisory notes that complexity is high and successful exploitation requires the attacker to first prepare the target in order to improve reliability of an exploit. While no details have been provided, Microsoft assessed this vulnerability as “Exploitation More Likely.”In addition to CVE-2024-49070, Microsoft patched two information disclosure vulnerabilities (CVE-2024-49062, CVE-2024-49064) and an EoP vulnerability (CVE-2024-49068) in Microsoft SharePoint.CriticalCVE-2024-49118, CVE-2024-49122 | Microsoft Message Queuing (MSMQ) Remote Code Execution VulnerabilityCVE-2024-49118 and CVE-2024-49122 are RCE vulnerabilities in Microsoft Message Queuing (MSMQ). Both were assigned a CVSSv3 score of 8.1 and are rated as critical. According to both of the Microsoft advisories, successful exploitation requires an attacker winning a race condition. Despite this requirement, Microsoft assessed CVE-2024-49122 as “Exploitation More Likely” while CVE-2024-49118 was assessed as “Exploitation Less Likely” as the winning the race condition must occur “during the execution of a specific operation that recurs in a low frequency on the target system.”In order for a system to be vulnerable, the MSMQ service must be added and enabled. According to Microsoft, if the service is enabled on a Windows installation, a service named “Message Queueing” will be running on TCP port 1801. Tenable customers can use Plugin ID 174933 to identify systems that have this service running.CVE-2024-49118 and CVE-2024-49122 brings the total to six RCE’s affecting MSMQ that were patched in 2024. One was addressed in the June Patch Tuesday (CVE-2024-30080) release, two addressed in the April Patch Tuesday (CVE-2024-26232, CVE-2024-26208) release and one in February’s Patch Tuesday (CVE-2024-21363) release.CriticalCVE-2024-49106, CVE-2024-49108, CVE-2024-49115, CVE-2024-49116, CVE-2024-49119, CVE-2024-49120, CVE-2024-49123, CVE-2024-49128 and CVE-2024-49132 | Windows Remote Desktop Services Remote Code Execution VulnerabilityCVE-2024-49106, CVE-2024-49108, CVE-2024-49115, CVE-2024-49116, CVE-2024-49119, CVE-2024-49120, CVE-2024-49123, CVE-2024-49128 and CVE-2024-49132 are RCE vulnerabilities affecting Windows Remote Desktop Services. All nine of these vulnerabilities were rated as critical and received CVSSv3 scores of 8.1. Successful exploitation is complex and requires an attacker to trigger a race condition in order to “create a use-after-free scenario” which could lead to arbitrary code execution. With a high complexity for exploitation, Microsoft assessed these vulnerabilities as “Exploitation Less Likely.”In addition to these nine RCE’s, Microsoft addressed CVE-2024-49075, a DoS vulnerability affecting Remote Desktop Services.Tenable SolutionsA list of all the plugins released for Microsoft’s December 2024 Patch Tuesday update can be found here. As always, we recommend patching systems as soon as possible and regularly scanning your environment to identify those systems yet to be patched.For more specific guidance on best practices for vulnerability assessments, please refer to our blog post on How to Perform Efficient Vulnerability Assessments with Tenable.Get more informationMicrosoft’s December 2024 Security UpdatesTenable plugins for Microsoft December 2024 Patch Tuesday Security UpdatesJoin Tenable’s Security Response Team on the Tenable Community.Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.
- Volt Typhoon: U.S. Critical Infrastructure Targeted by State-Sponsored Actorsby Tenable Security Response Team on November 19, 2024 at 9:00 am
Volt Typhoon, a state-sponsored actor linked to the People’s Republic of China, has consistently targeted U.S. critical infrastructure with the intent to maintain persistent access. Tenable Research examines the tactics, techniques and procedures of this threat actor.BackgroundThe cyberthreat landscape is always evolving, with security teams continuously facing new threats and attacks from a myriad of malicious groups, including ransomware gangs and small collectives chasing financial gain or even clout in the hacking community. Meanwhile, advanced persistent threat (APT) actors continue to loom in the shadows, carefully planning and executing their next attack. One such APT group is Volt Typhoon, a People’s Republic of China (PRC) state-sponsored actor. Volt Typhoon has been the subject of multiple cybersecurity advisories (CSA) from the Cybersecurity and Infrastructure Security Agency (CISA) along with joint partners, including international cybersecurity agencies, with warnings of the threat group targeting critical infrastructure in the U.S. and beyond. According to multiple reports, Volt Typhoon operates by pre-positioning themselves, actively working to maintain persistence in anticipation of conducting future attacks targeting U.S critical infrastructure, showing a specific interest in operational technology (OT) environments. Targeted sectors include communications, energy, transportation systems and water and wastewater systems. Volt Typhoon, historically associated with BRONZE SILHOUETTE, has been categorized under various aliases by different threat intelligence teams. These include Voltzite and Insidious Taurus in certain intelligence circles, DEV-0391 by Microsoft and UNC3236 by Mandiant (FireEye) before its formal attribution as Volt Typhoon. Additionally, CrowdStrike tracks the group under the name Vanguard Panda. As we examine the tactics, techniques and procedures (TTPs) employed by Volt Typhoon, we will also discuss known vulnerabilities associated with this threat actor.AnalysisVolt Typhoon is a sophisticated threat group whose expertise lies in maintaining persistence for as long as possible. They achieve this by blending in with seemingly normal-looking traffic using living off the land (LOTL) techniques, meaning they’ll utilize an operating system’s (OS) built-in tools. Additionally, this group works using hands-on-keyboard attacks, rather than relying on automated malware scripts. This allows them to customize their attacks and conduct reconnaissance of a target in a stealthy manner. Volt Typhoon typically gains initial access to targets by exploiting unpatched vulnerabilities including zero-day flaws. In an effort to make traffic to their targets seem more benign, they utilize compromised small-office home-office (SOHO) routers and network devices as intermediary devices to proxy their traffic. This makes their network traffic seem legitimate and helps to avoid any geolocation firewall rules. For more information, read the blog Volt Typhoon: What State and Local Government Officials Should Know.Source: Microsoft Threat IntelligenceInitial accessVolt Typhoon typically gains initial access to targeted systems by exploiting vulnerabilities in publicly exposed systems, specifically firewalls, VPN appliances and web servers. The group takes advantage of weak credentials and unpatched vulnerabilities in perimeter devices. Once inside, Volt Typhoon leverages legitimate tools already present within the system to avoid detection.SOHO devices: unsecured, unpatched and misconfiguredThanks to unpatched, end-of-life (EOL) or misconfigured network devices that are internet accessible, Volt Typhoon capitalizes on compromising these devices in order to proxy their traffic and utilize the devices as launch points for their attacks. This includes devices from ASUS, Cisco RV, Draytek Vigor, FatPipe IPVPN/MPVPN/WARP, Fortinet Fortigate, Netgear Prosafe and Zyxel USG. These network devices are widely used and many EOL devices have known and exploitable vulnerabilities with readily available exploit code. Others may be misconfigured, leaving administrative portals internet accessible and utilizing default credentials. Once compromised, these devices are then implanted with the KV Botnet malware.Living-off-the-land tacticsRather than deploying custom malware or tools, Volt Typhoon uses native Windows tools like cmd.exe, netsh and PowerShell to execute commands and conduct lateral movement across compromised networks. By avoiding the use of external tools, the group minimizes their digital footprint, making detection through traditional signature-based antivirus systems more challenging. Many of these commands are not logged by the OS and, in cases where logging is enabled, the threat actors can rotate or delete the logs to hide evidence of the commands they executed.Credential harvesting and lateral movementVolt Typhoon utilizes credential dumping techniques to extract valuable login information from compromised systems. Tools like Mimikatz are deployed to extract credentials from memory, which are used to move laterally across the network. Remote desktop protocol (RDP) and other remote desktop tools are often used to facilitate further access to internal systems.Once inside, Volt Typhoon maintains persistence by modifying legitimate software and using the built-in Windows Task Scheduler to establish scheduled tasks for regular access, ensuring long-term surveillance capabilities. The threat actor focuses on exfiltrating sensitive data and monitoring critical infrastructure communications.Volt Typhoon has been observed creating a shadow copy of ntds.dit, the main Active Directory (AD) database. This file contains password hashes which the threat actor can attempt to crack offline and utilize any stolen passwords to continue exploitation of a network. Because they rely on using built-in OS commands, they are able to keep a low profile and evade endpoint detection and response (EDR) solutions in what seems like benign system activity.Known CVEs commonly exploited by Volt TyphoonWhile not an exhaustive list, the table below highlights some of the CVEs known to have been exploited by Volt Typhoon.CVEDescriptionCVSSv3 ScoreVPRCVE-2021-27860FatPipe WARP, IPVPN, MPVPN Unrestricted Upload of File with Dangerous Type8.87.4CVE-2021-40539Zoho ManageEngine ADSelfService Plus Authentication Bypass Vulnerability9.89CVE-2022-42475Fortinet FortiOS and FortiProxy Heap-Based Buffer Overflow Vulnerability9.88.9CVE-2023-27997Fortinet FortiOS and FortiProxy Heap-Based Buffer Overflow Vulnerability9.89CVE-2024-39717Versa Director File Upload Vulnerability7.28.4*Please note: Tenable’s Vulnerability Priority Rating (VPR) scores are calculated nightly. This blog post was published on November 19 and reflects VPR at that time.Unpatched VPNs targeted — a recurring trendVolt Typhoon’s exploitation of unpatched vulnerabilities in Virtual Private Network (VPN) solutions is part of a broader trend seen across many APT groups. Threat actors leverage these VPN flaws to bypass security controls and establish long-term access within networks. Their focus on exploiting unpatched VPNs mirrors tactics of other state-sponsored actors, such as the Iranian threat actors detailed in the AA24-241A Joint Cybersecurity Advisory, who similarly target and exploit known VPN vulnerabilities to gain initial access and carry out espionage or disruptive campaigns. This recurring pattern underscores the critical need for organizations, particularly those in critical infrastructure, to prioritize patch management and ensure robust security for VPN systems.Proof of conceptThe availability of proof-of-concept (PoC) exploits for the vulnerabilities exploited by Volt Typhoon varies across different CVEs. For CVE-2021-27860, there is no known public PoC currently available. In contrast, CVE-2021-40539, a vulnerability in Zoho ADSelfService Plus, has a partial PoC provided by Synacktiv, both in the form of a technical analysis and a working exploit shared on GitHub. This resource offers detailed guidance on how to achieve remote code execution by manipulating requests to the vulnerable service.For CVE-2022-42475 and CVE-2023-27997 impacting Fortinet’s FortiOS and FortiProxy SSL-VPN systems, public PoCs are readily available on platforms like GitHub (CVE-2023-27997 for example) and have been widely shared on X (formerly Twitter). These PoCs demonstrate how attackers can exploit heap-based buffer overflows to achieve remote code execution, highlighting the criticality of patching affected systems.Lastly, there is no publicly available PoC for CVE-2024-39717, a newly disclosed file upload vulnerability in Versa Director.The varying availability of these PoCs stresses the need for organizations to proactively patch and monitor for signs of exploitation.SolutionEach of the vulnerabilities flagged as targeted by Volt Typhoon have patches and mitigations released by the respective vendors. We recommend reviewing each of the vendors’ advisories shown below:FatPipe CVE-2021-27860 (FPSA006) AdvisoryZoho CVE-2021-40539 AdvisoryFortinet CVE-2022-42475 AdvisoryFortinet CVE-2023-27997 AdvisoryVersa CVE-2024-39717 AdvisoryIdentifying affected systemsTenable offers several solutions to help identify potential exposures and attack paths as well as identifying systems vulnerable to the CVEs mentioned in this blog. For a holistic approach, we recommend Tenable One. The Tenable One Exposure Management Platform extends beyond traditional vulnerability management, which concentrates on the discovery and remediation of publicly disclosed CVEs. A foundational part of any exposure management program, Tenable One includes data about configuration issues, vulnerabilities and attack paths across a spectrum of assets and technologies — including identity solutions (e.g., Active Directory); cloud configurations and deployments; and web applications.Tenable Plugin CoverageA list of Tenable plugins for these vulnerabilities can be found on the individual CVE pages for CVE-2021-40539, CVE-2021-27860, CVE-2022-42475, CVE-2023-27997 and CVE-2024-39717. These links will display all available plugins for these vulnerabilities, including upcoming plugins in our Plugins Pipeline.Tenable attach path techniquesMITRE ATT&CK IDDescriptionTenable attack path techniquesT1003.001OS Credential Dumping: LSASS MemoryT1003.001_WindowsT1003.003OS Credential Dumping: NTDST1003.003_WindowsT1012Query RegistryT1012_WindowsT1059.001Command and Scripting Interpreter: PowerShellT1059.001_WindowsT1059.003Command and Scripting Interpreter: Windows Command ShellT1059.003_WindowsT1069.001Permission Groups Discovery: Local GroupsT1069.001_WindowsT1069.002Permission Groups Discovery: Domain GroupsT1069.002_WindowsT1078.002Valid Accounts: Domain AccountsT1078.002_WindowsT1053Scheduled Task/Job: Scheduled TaskT1053.005_WindowsT1110.003Brute Force: Password SprayingT1110.003_WindowsT1518Software DiscoveryT1518.001_WindowsTenable Identity Exposure Indicators of Exposure and Indicators of AttackMITRE ATT&CK IDDescriptionIndicatorsT1003OS Credential DumpingC-ADM-ACC-USAGET1003.001OS Credential Dumping: LSASS MemoryC-PROTECTED-USERS-GROUP-UNUSEDI-ProcessInjectionLsassT1003.003OS Credential Dumping: NTDSI-NtdsExtractionT1069.001Permission Groups Discovery: Local GroupsI-ReconAdminsEnumT1110Brute ForceC-PASSWORD-HASHES-ANALYSISC-PASSWORD-POLICYMISSING-MFA-FOR-NON-PRIVILEGED-ACCOUNTMISSING-MFA-FOR-PRIVILEGED-ACCOUNTT1110.003Brute Force: Password SprayingI-PasswordSprayingTenable Web App ScanningMITRE ATT&CK IDDescriptionIndicatorsT1190Exploit Public-Facing ApplicationT1190_WASGet more informationCISA CSA: People’s Republic of China State-Sponsored Cyber Actor Living off the Land to Evade DetectionCISA CSA: PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical InfrastructureTenable Blog: Volt Typhoon: International Cybersecurity Authorities Detail Activity Linked to Chinese-State Sponsored Threat ActorTenable Blog: CVE-2022-42475: Fortinet Patches Zero Day in FortiOS SSL VPNsTenable Blog: AA23-250A: Multiple Nation-State Threat Actors Exploit CVE-2022-47966 and CVE-2022-42475Tenable Blog: CVE-2023-27997: Heap-Based Buffer Overflow in Fortinet FortiOS and FortiProxy SSL-VPN (XORtigate)Microsoft Blog: Volt Typhoon targets US critical infrastructure with living-off-the-land techniquesJoin Tenable’s Security Response Team on the Tenable Community.Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.
- CVE-2024-0012, CVE-2024-9474: Zero-Day Vulnerabilities in Palo Alto PAN-OS Exploited In The Wildby Satnam Narang on November 18, 2024 at 2:22 pm
Palo Alto Networks confirmed two zero-day vulnerabilities were exploited as part of attacks in the wild against PAN-OS devices, with one being attributed to Operation Lunar Peek.Update November 19: The blog has been updated with a link to new technical analysis that could aid in the creation of a proof-of-concept, as well as guidance for identifying PAN-OS devices using Tenable Attack Surface Management.View Change LogBackgroundOn November 18, Palo Alto Networks updated its advisory (PAN-SA-2024-0015) for a critical flaw in its PAN-OS software to include a CVE identifier:CVEDescriptionCVSSCVE-2024-0012PAN-OS Authentication Bypass Vulnerability9.3In addition to CVE-2024-0012, Palo Alto Networks assigned a second CVE for a privilege escalation vulnerability (CVE-2024-9474).CVEDescriptionCVSSCVE-2024-9474PAN-OS Privilege Escalation Vulnerability6.9AnalysisCVE-2024-0012 is an authentication bypass vulnerability in the management web interface of PAN-OS devices. An unauthenticated, remote attacker could exploit this vulnerability to obtain administrator privileges on the vulnerable PAN-OS device, enabling follow-on activity including modifying device configuration, accessing other administrative functions as well as exploiting other vulnerabilities, such as CVE-2024-9474.CVE-2024-9474 is a privilege escalation vulnerability in the web management interface of PAN-OS devices. An authenticated, remote attacker could exploit this vulnerability to gain root privileges on the firewall.While not explicitly referenced in its advisory, based on the description, it is believed that CVE-2024-0012 and CVE-2024-9474 may have been used as part of an exploit chain.Attributed to Operation Lunar PeekIn a threat brief about the vulnerabilities, Palo Alto Networks’ Unit 42 have attributed the exploitation of CVE-2024-0012 to a campaign they call Operation Lunar Peek. As of November 18, no specific details have yet to be shared about Operation Lunar Peek or attribution to a specific threat actor or country of origin.While Unit 42 did not explicitly connect CVE-2024-9474 to this operation, they reference this flaw as part of follow-on activity and have stated they’ve “observed threat activity that exploits this vulnerability against a limited number of management web interfaces.”Initial advisory published on November 8PAN-SA-2024-0015 was first published on November 8, following reports of a zero-day vulnerability affecting the management interfaces of PAN-OS devices. Reports indicate that someone was selling access to a zero-day in PAN-OS. It wasn’t until November 14 that Palo Alto Networks confirmed “threat activity” associated with this zero-day.Proof of conceptAt the time this blog post was published, there was no proof-of-concept (PoC) available for this vulnerability. However, on November 19, researchers at watchTowr published a blog post outlining their research into both CVE-2024-0012 and CVE-2024-9474, including technical details which may aid in the construction of a PoC. The researchers are withholding a public PoC for at least one week.SolutionThe following table contains a list of affected and fixed versions of PAN-OS:ProductCVE-2024-0012CVE-2024-9474Fixed VersionPAN-OS 10.1Not Affected10.1.14-h4 and below10.1.14-h6 and abovePAN-OS 10.210.2.12-h1 and below10.2.12-h1 and below10.2.12-h2 and abovePAN-OS 11.011.0.5-h2 and below11.0.5-h2 and below11.0.6-h1 and abovePAN-OS 11.111.1.4-h7 and below11.1.4-h7 and below11.1.5-h1 and abovePAN-OS 11.211.2.3-h3 and below11.2.3-h3 and below11.2.4-h1 and aboveCloud NGFWNot AffectedNot Affected-Prsima AccessNot AffectedNot Affected-Equally as important as applying patches, organizations that utilize PAN-OS devices should secure the management web interface to prevent external access, opting instead to limit access to trusted internal IP addresses. For more information, please refer to Palo Alto’s guide, Tips & Tricks: How to Secure the Management Access of Your Palo Alto Networks Device.Identifying affected systemsA list of Tenable plugins for this vulnerability can be found on the individual CVE pages for CVE-2024-0012 and CVE-2024-9474 as they’re released. These links will display all available plugins for these vulnerabilities, including upcoming plugins in our Plugins Pipeline.Additionally, customers can utilize Tenable Attack Surface Management to identify PAN-OS devices. Get more informationThreat Brief: Operation Lunar Peek, Activity Related to CVE-2024-0012PAN-SA-2024-0015: CVE-2024-0012 PAN-OS: Authentication Bypass in the Management Web InterfaceCVE-2024-9474 PAN-OS: Privilege Escalation (PE) Vulnerability in the Web Management InterfaceChange LogUpdate November 19: The blog has been updated with a link to new technical analysis that could aid in the creation of a proof-of-concept, as well as guidance for identifying PAN-OS devices using Tenable Attack Surface Management.Join Tenable’s Security Response Team on the Tenable Community.Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.
- Microsoft’s November 2024 Patch Tuesday Addresses 87 CVEs (CVE-2024-43451, CVE-2024-49039)by Tenable Security Response Team on November 12, 2024 at 2:02 pm
4Critical82Important1Moderate0LowMicrosoft addresses 87 CVEs and one advisory (ADV240001) in its November 2024 Patch Tuesday release, with four critical vulnerabilities and four zero-day vulnerabilities, including two that were exploited in the wild.Microsoft patched 87 CVEs in its November 2024 Patch Tuesday release, with four rated critical, 82 rated important and one rated moderate.This month’s update includes patches for:.NET and Visual StudioAirlift.microsoft.comAzure CycleCloudAzure Database for PostgreSQLLightGBMMicrosoft Exchange ServerMicrosoft Graphics ComponentMicrosoft Office ExcelMicrosoft Office WordMicrosoft PC ManagerMicrosoft Virtual Hard DriveMicrosoft Windows DNSRole: Windows Hyper-VSQL ServerTorchGeoVisual StudioVisual Studio CodeWindows Active Directory Certificate ServicesWindows CSC ServiceWindows DWM Core LibraryWindows Defender Application Control (WDAC)Windows KerberosWindows KernelWindows NT OS KernelWindows NTLMWindows Package Library ManagerWindows RegistryWindows SMBWindows SMBv3 Client/ServerWindows Secure Kernel ModeWindows Task SchedulerWindows Telephony ServiceWindows USB Video DriverWindows Update StackWindows VMSwitchWindows Win32 Kernel SubsystemRemote code execution (RCE) vulnerabilities accounted for 58.6% of the vulnerabilities patched this month, followed by elevation of privilege (EoP) vulnerabilities at 29.9%.ImportantCVE-2024-43451 | NTLM Hash Disclosure Spoofing VulnerabilityCVE-2024-43451 is a NTLM hash spoofing vulnerability in Microsoft Windows. It was assigned a CVSSv3 score of 6.5 and is rated as important. An attacker could exploit this flaw by convincing a user to open a specially crafted file. Successful exploitation would lead to the unauthorized disclosure of a user’s NTLMv2 hash, which an attacker could then use to authenticate to the system as the user. According to Microsoft, CVE-2024-43451 was exploited in the wild as a zero-day. No further details about this vulnerability were available at the time this blog post was published.This is the second NTLM spoofing vulnerability disclosed in 2024. Microsoft patched CVE-2024-30081 in its July Patch Tuesday release.ImportantCVE-2024-49039 | Windows Task Scheduler Elevation of Privilege VulnerabilityCVE-2024-49039 is an EoP vulnerability in the Microsoft Windows Task Scheduler. It was assigned a CVSSv3 score of 8.8 and is rated as important. An attacker with local access to a vulnerable system could exploit this vulnerability by running a specially crafted application. Successful exploitation would allow an attacker to access resources that would otherwise be unavailable to them as well as execute code, such as remote procedure call (RPC) functions.According to Microsoft, CVE-2024-49039 was exploited in the wild as a zero-day. It was disclosed to Microsoft by an anonymous researcher along with Vlad Stolyarov and Bahare Sabouri of Google’s Threat Analysis Group. At the time this blog post was published, no further details about in-the-wild exploitation were available.ImportantCVE-2024-49019 | Active Directory Certificate Services Elevation of Privilege VulnerabilityCVE-2024-49019 is an EoP vulnerability affecting Active Directory Certificate Services. It was assigned a CVSSv3 score of 7.8 and is rated as important. It was publicly disclosed prior to a patch being made available. According to Microsoft, successful exploitation would allow an attacker to gain administrator privileges. The advisory notes that “certificates created using a version 1 certificate template with Source of subject name set to ‘Supplied in the request’” are potentially impacted if the template has not been secured according to best practices. This vulnerability is assessed as “Exploitation More Likely” according to Microsoft’s Exploitability Index. Microsoft’s advisory also includes several mitigation steps for securing certificate templates which we highly recommend reviewing.ImportantCVE-2024-49040 | Microsoft Exchange Server Spoofing VulnerabilityCVE-2024-49040 is a spoofing vulnerability affecting Microsoft Exchange Server 2016 and 2019. It was assigned a CVSSv3 score of 7.5 and rated as important. According to Microsoft, this vulnerability was publicly disclosed prior to a patch being made available. After applying the update, administrators should review the support article Exchange Server non-RFC compliant P2 FROM header detection. The supplemental guide notes that as part of a “secure by default” approach, the Exchange Server update for November will flag suspicious emails which may contain “malicious patterns in the P2 FROM header.” While this feature can be disabled, Microsoft strongly recommends leaving it enabled to provide further protection from phishing attempts and malicious emails.CriticalCVE-2024-43639 | Windows Kerberos Remote Code Execution VulnerabilityCVE-2024-43639 is a critical RCE vulnerability affecting Windows Kerberos, an authentication protocol designed to verify user or host identities. It was assigned a CVSSv3 score of 9.8 and is rated as “Exploitation Less Likely.”To exploit this vulnerability, an unauthenticated attacker needs to leverage a cryptographic protocol vulnerability in order to achieve RCE. No further details were provided by Microsoft about this vulnerability at the time this blog was published.Important29 CVEs | SQL Server Native Client Remote Code Execution VulnerabilityThis month’s release included 29 CVEs for RCEs affecting SQL Server Native Client. All of these CVEs received CVSSv3 scores of 8.8 and were rated as “Exploitation Less Likely.” Successful exploitation of these vulnerabilities can be achieved by convincing an authenticated user into connecting to a malicious SQL server database using an affected driver. A full list of the CVEs are included in the table below.CVEDescriptionCVSSv3CVE-2024-38255SQL Server Native Client Remote Code Execution Vulnerability8.8CVE-2024-43459SQL Server Native Client Remote Code Execution Vulnerability8.8CVE-2024-43462SQL Server Native Client Remote Code Execution Vulnerability8.8CVE-2024-48993SQL Server Native Client Remote Code Execution Vulnerability8.8CVE-2024-48994SQL Server Native Client Remote Code Execution Vulnerability8.8CVE-2024-48995SQL Server Native Client Remote Code Execution Vulnerability8.8CVE-2024-48996SQL Server Native Client Remote Code Execution Vulnerability8.8CVE-2024-48997SQL Server Native Client Remote Code Execution Vulnerability8.8CVE-2024-48998SQL Server Native Client Remote Code Execution Vulnerability8.8CVE-2024-48999SQL Server Native Client Remote Code Execution Vulnerability8.8CVE-2024-49000SQL Server Native Client Remote Code Execution Vulnerability8.8CVE-2024-49001SQL Server Native Client Remote Code Execution Vulnerability8.8CVE-2024-49002SQL Server Native Client Remote Code Execution Vulnerability8.8CVE-2024-49003SQL Server Native Client Remote Code Execution Vulnerability8.8CVE-2024-49004SQL Server Native Client Remote Code Execution Vulnerability8.8CVE-2024-49005SQL Server Native Client Remote Code Execution Vulnerability8.8CVE-2024-49006SQL Server Native Client Remote Code Execution Vulnerability8.8CVE-2024-49007SQL Server Native Client Remote Code Execution Vulnerability8.8CVE-2024-49008SQL Server Native Client Remote Code Execution Vulnerability8.8CVE-2024-49009SQL Server Native Client Remote Code Execution Vulnerability8.8CVE-2024-49010SQL Server Native Client Remote Code Execution Vulnerability8.8CVE-2024-49011SQL Server Native Client Remote Code Execution Vulnerability8.8CVE-2024-49012SQL Server Native Client Remote Code Execution Vulnerability8.8CVE-2024-49013SQL Server Native Client Remote Code Execution Vulnerability8.8CVE-2024-49014SQL Server Native Client Remote Code Execution Vulnerability8.8CVE-2024-49015SQL Server Native Client Remote Code Execution Vulnerability8.8CVE-2024-49016SQL Server Native Client Remote Code Execution Vulnerability8.8CVE-2024-49017SQL Server Native Client Remote Code Execution Vulnerability8.8CVE-2024-49018SQL Server Native Client Remote Code Execution Vulnerability8.8ImportantCVE-2024-43602 | Azure CycleCloud Remote Code Execution VulnerabilityCVE-2024-43602 is a RCE vulnerability in Microsoft’s Azure CycleCloud, a tool that helps in managing and orchestrating High Performance Computing (HPC) environments in Azure. This flaw received the highest CVSSv3 score of the month, a 9.9 and was rated as important. A user with basic permissions could exploit CVE-2024-43602 by sending specially crafted requests to a vulnerable AzureCloud CycleCloud cluster to modify its configuration. Successful exploitation would result in the user gaining root permissions, which could then be used to execute commands on any cluster in the Azure CycleCloud as well as steal admin credentials.Tenable SolutionsA list of all the plugins released for Microsoft’s November 2024 Patch Tuesday update can be found here. As always, we recommend patching systems as soon as possible and regularly scanning your environment to identify those systems yet to be patched.For more specific guidance on best practices for vulnerability assessments, please refer to our blog post on How to Perform Efficient Vulnerability Assessments with Tenable.Get more informationMicrosoft’s November 2024 Security UpdatesTenable plugins for Microsoft November 2024 Patch Tuesday Security UpdatesJoin Tenable’s Security Response Team on the Tenable Community.Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.
- CVE-2024-47575: Frequently Asked Questions About FortiJump Zero-Day in FortiManager and FortiManager Cloudby Satnam Narang, Rody Quinlan, Scott Caveza on October 23, 2024 at 4:37 pm
Frequently asked questions about a zero-day vulnerability in Fortinet’s FortiManager that has reportedly been exploited in the wild.BackgroundThe Tenable Security Response Team (SRT) has compiled this blog to answer Frequently Asked Questions (FAQ) regarding a zero-day vulnerability in Fortinet’s FortiManager.Update October 23: The blog has been updated with new information about in-the-wild exploitation and threat actor activity associated with this vulnerability.View Change LogFAQWhat is FortiJump?FortiJump is a name given to a zero-day vulnerability in the FortiGate-FortiManager (FGFM) protocol in Fortinet’s FortiManager and FortiManager Cloud. It was named by security researcher Kevin Beaumont in a blog post on October 22. Beaumont also created a logo for FortiJump.What are the vulnerabilities associated with FortiJump?On October 23, Fortinet published an advisory (FG-IR-24-423) for FortiJump, assigning a CVE identifier for the flaw.CVEDescriptionCVSSv3CVE-2024-47575FortiManager Missing authentication in fgfmsd Vulnerability9.8What is CVE-2024-47575?CVE-2024-47575 is a missing authentication vulnerability in the FortiGate to FortiManager (FGFM) daemon (fgfmsd) in FortiManager and FortiManager Cloud.How severe is CVE-2024-47575?Exploitation of FortiJump could allow an unauthenticated, remote attacker using a valid FortiGate certificate to register unauthorized devices in FortiManager. Successful exploitation would grant the attacker the ability to view and modify files, such as configuration files, to obtain sensitive information, as well as the ability to manage other devices.Obtaining a certificate from a FortiGate device is relatively easy:Commentby from discussioninfortinet According to results from Shodan, there are nearly 60,000 FortiManager devices that are internet-facing, including over 13,000 in the United States, over 5,800 in China, nearly 3,000 in Brazil and 2,300 in India:When was FortiJump first disclosed?There were reports on Reddit that Fortinet proactively notified customers using FortiManager about the flaw ahead of the release of patches, though some customers say they never received any notifications. Beaumont posted a warning to Mastodon on October 13:Post by @GossiTheDog@cyberplace.socialView on Mastodon Was this exploited as a zero-day?Yes, according to both Beaumont and Fortinet, FortiJump has been exploited in the wild as a zero-day. Additionally, Google Mandiant published a blog post on October 23 highlighting its collaborative investigation with Fortinet into the “mass exploitation” of this zero-day vulnerability. According to Google Mandiant, they’ve discovered over 50 plus “potentially compromised FortiManager devices in various industries.”Which threat actors are exploiting FortiJump?Google Mandiant attributed exploitation activity to a new threat cluster called UNC5820, adding that the cluster has been observed exploiting the flaw since “as early as June 27, 2024.”Is there a proof-of-concept (PoC) available for this vulnerability/these vulnerabilities?As of October 23, there are no public proof-of-concept exploits available for FortiJump.Are patches or mitigations available for FortiJump?The following table contains a list of affected products, versions and fixed versions.Affected ProductAffected VersionsFixed VersionFortiManager 6.26.2.0 through 6.2.12Upgrade to 6.2.13 or aboveFortiManager 6.46.4.0 through 6.4.14Upgrade to 6.4.15 or aboveFortiManager 7.07.0.0 through 7.0.12Upgrade to 7.0.13 or aboveFortiManager 7.27.2.0 through 7.2.7Upgrade to 7.2.8 or aboveFortiManager 7.47.4.0 through 7.4.4Upgrade to 7.4.5 or aboveFortiManager 7.67.6.0Upgrade to 7.6.1 or aboveFortiManager Cloud 6.46.4 all versionsMigrate to a fixed releaseFortiManager Cloud 7.07.0.1 through 7.0.12Upgrade to 7.0.13 or aboveFortiManager Cloud 7.27.2.1 through 7.2.7Upgrade to 7.2.8 or aboveFortiManager Cloud 7.47.4.1 through 7.4.4Upgrade to 7.4.5 or aboveFortiManager Cloud 7.6Not affectedNot ApplicableFortinet’s advisory provides workarounds for specific impacted versions if patching is not feasible. These include blocking unknown devices from attempting to register to FortiManager, creating IP allow lists of approved FortiGate devices that can connect to FortiManager and the creation of custom certificates. Generally speaking, it is advised to ensure FGFM is not internet-facing.Has Tenable released any product coverage for these vulnerabilities?A list of Tenable plugins for this vulnerability can be found on the individual CVE page for CVE-2024-47575 as they’re released. This link will display all available plugins for this vulnerability, including upcoming plugins in our Plugins Pipeline.Get more informationBurning Zero Days: FortiJump FortiManager vulnerability used by nation state in espionage via MSPsFortiGuard Labs PSIRT FG-IR-24-423 AdvisoryChange LogUpdate October 23: The blog has been updated with new information about in-the-wild exploitation and threat actor activity associated with this vulnerability.Join Tenable’s Security Response Team on the Tenable Community.Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.
- From Bugs to Breaches: 25 Significant CVEs As MITRE CVE Turns 25by Tenable Security Response Team on October 22, 2024 at 11:11 am
Twenty five years after the launch of CVE, the Tenable Security Response Team has handpicked 25 vulnerabilities that stand out for their significance.BackgroundIn January 1999, David E. Mann and Steven M. Christey published the paper “Towards a Common Enumeration of Vulnerabilities” describing an effort to create interoperability between multiple vulnerability databases. To achieve a common taxonomy for vulnerabilities and exposures, they proposed Common Vulnerabilities and Exposures (CVE). In September 1999, the MITRE Corporation finalized the first CVE list, which included 321 records. CVE was revealed to the world the following month.As of October 2024, there are over 240,000 CVEs. including many that have significantly impacted consumers, businesses and governments. The Tenable Security Response Team has chosen to highlight the following 25 significant vulnerabilities, followed by links to product coverage for Tenable customers to utilize.25 Significant CVEsCVE-1999-0211: SunOS Arbitrary Read/Write VulnerabilityArbitrary ReadArbitrary WriteLocalCritical1999Why it’s significant: To our knowledge, there is no formally recognized “first CVE.” However, the GitHub repository for CVE.org shows that the first CVE submitted was CVE-1999-0211 on September 29, 1999 at 12:00AM. Because it was the first one, we’ve chosen to highlight it. The vulnerability was first identified in 1991 and a revised patch was issued in 1994.CVE-2010-2568: Windows Shell Remote Code Execution VulnerabilityRemote Code ExecutionExploitedZero-DayLocalStuxnetHigh2010Why it’s significant: Regarded as one of the most sophisticated cyberespionage tools ever created, Stuxnet was designed to target SCADA systems in industrial environments to reportedly sabotage Iran’s nuclear program. Stuxnet exploited CVE-2010-2568 as one of its initial infection vectors, spreading via removable drives. Once a compromised USB drive was inserted into a system, Stuxnet was executed automatically via the vulnerability, infecting the host machine, propagating to other systems through network shares and additional USB drives.CVE-2014-0160: OpenSSL Information Disclosure VulnerabilityHeartbleedInformation DisclosureExploitedZero-DayNetworkCybercriminalsHigh2014Why it’s significant: Dubbed “Heartbleed” because it was found in the Heartbeat extension of OpenSSL, this vulnerability allows an attacker, without prior authentication, to send a malicious heartbeat request with a false length field, claiming the packet contains more data than it does. The receiving system would then return data from its memory extending beyond the legitimate request, which may include sensitive private data, such as server keys and user credentials. OpenSSL is used by millions of websites, cloud services, and even VPN software, for encryption, making Heartbleed one of the most widespread vulnerabilities at the time.CVE-2014-6271: GNU Bash Shellshock Remote Code Execution VulnerabilityShellshock Bash Bug Remote Code ExecutionExploitedZero-DayNetworkCybercriminalsCritical2014Why it’s significant: An attacker could craft an environment variable that contained both a function definition and additional malicious code. When Bash, a command interpreter used by Unix-based systems including Linux and macOS, processed this variable, it would execute the function, but also run the arbitrary commands appended after the function definition. “Shellshock” quickly became one of the most severe vulnerabilities discovered, comparable to Heartbleed’s potential impact. Attackers could exploit Shellshock to gain full control of vulnerable systems, leading to data breaches, service interruptions and malware deployment. The impact extended far beyond local systems. Bash is used by numerous services, particularly web servers, via CGI scripts to handle HTTP requests.CVE-2015-5119: Adobe Flash Player Use After FreeRemote Code Execution Denial-of-ServiceExploitedZero-DayCybercriminalsAPT GroupsCritical2015Why it’s significant: Discovered during the Hacking Team data breach, it was quickly weaponized, appearing in multiple exploit kits. CVE-2015-5119 is a use-after-free flaw in Flash’s ActionScript ByteArray class, allowing attackers to execute arbitrary code by tricking users into visiting a compromised website. It was quickly integrated into attack frameworks used by Advanced Persistent Threat (APT) groups like APT3, APT18, and Fancy Bear (APT28). These groups, with ties to China and Russia, used the vulnerability to spy on and steal data from governments and corporations. Fancy Bear has been associated with nation-state cyber warfare, exploiting Flash vulnerabilities for political and military intelligence information gathering. This flaw, along with several other Flash vulnerabilities, highlighted Flash’s risks, accelerating its eventual phase-out.CVE-2017-11882: Microsoft Office Equation Editor Remote Code Execution VulnerabilityRemote Code ExecutionExploitedNetworkCybercriminalsAPT GroupsHigh2017Why it’s significant: The vulnerability existed for 17 years in Equation Editor (EQNEDT32.EXE), a Microsoft Office legacy component used to insert and edit complex mathematical equations within documents. Once CVE-2017-11882 became public, cybercriminals and APT groups included it in maliciously crafted Office files. It became one of 2018’s most exploited vulnerabilities and continues to be utilized by various threat actors including SideWinder.CVE-2017-0144: Windows SMB Remote Code Execution VulnerabilityEternalBlueRemote Code ExecutionExploitedNetworkWannaCry NotPetyaHigh2017Why it’s significant: CVE-2017-0144 was discovered by the National Security Agency (NSA) and leaked by a hacker group known as Shadow Brokers, making it widely accessible. Dubbed “EternalBlue,” its capacity to propagate laterally through networks, often infecting unpatched machines without human interaction, made it highly dangerous. It was weaponized in the WannaCry ransomware attack in May 2017 and spread globally. It was reused by NotPetya, a data-destroying wiper originally disguised as ransomware. NotPetya targeted companies in Ukraine before spreading worldwide. This made it one of history’s costliest cyberattacks.CVE-2017-5638: Apache Struts 2 Jakarta Multipart Parser Remote Code Execution VulnerabilityRemote Code ExecutionExploitedNetworkEquifax BreachCritical2017Why it’s significant: This vulnerability affects the Jakarta Multipart Parser in Apache Struts 2, a popular framework for building Java web applications. An attacker can exploit it by injecting malicious code into HTTP headers during file uploads, resulting in remote code execution (RCE), giving attackers control of the web server. CVE-2017-5638 was used in the Equifax breach, where personal and financial data of 147 million people was stolen, emphasizing the importance of patching widely-used frameworks, particularly in enterprise environments, to prevent catastrophic data breaches.CVE-2019-0708: Remote Desktop Services Remote Code Execution VulnerabilityBlueKeep DejaBlue Remote Code ExecutionExploitedNetworkRansomware GroupsCybercriminalsCritical2019Why it’s significant: Dubbed “BlueKeep,” this vulnerability in Windows Remote Desktop Services (RDS) was significant for its potential for widespread, self-propagating attacks, similar to the infamous WannaCry ransomware. An attacker could exploit this flaw to execute arbitrary code and take full control of a machine through Remote Desktop Protocol (RDP), a common method for remote administration. BlueKeep was featured in the Top Routinely Exploited Vulnerabilities list in 2022 and was exploited by affiliates of the LockBit ransomware group.CVE-2020-0796: Windows SMBv3 Client/Server Remote Code Execution VulnerabilitySMBGhost EternalDarknessRemote Code ExecutionExploited NetworkCybercriminalsRansomware GroupsCritical2020Why it’s significant: Its discovery evoked memories of EternalBlue because of the potential for it to be wormable, which is what led to it becoming a named vulnerability. Researchers found it trivial to identify the flaw and develop proof-of-concept (PoC) exploits for it. It was exploited in the wild by cybercriminals, including the Conti ransomware group and its affiliates.CVE-2019-19781: Citrix ADC and Gateway Remote Code Execution VulnerabilityPath TraversalExploitedNetworkAPT GroupsRansomware GroupsCybercriminalsCritical2019Why it’s significant: This vulnerability in Citrix Application Delivery Controller (ADC) and Citrix Gateway is significant due to its rapid exploitation by multiple threat actors, including state-sponsored groups and ransomware affiliates. By sending crafted HTTP requests, attackers could gain RCE and take full control of affected devices to install malware or steal data. The vulnerability remained unpatched for a month after its disclosure, leading to widespread exploitation. Unpatched systems are still being targeted today, highlighting the risk of ignoring known vulnerabilities.CVE-2019-10149: Exim Remote Command Execution VulnerabilityRemote Command ExecutionExploitedNetworkAPT GroupsCybercriminalsCritical2019Why it’s significant: This vulnerability in Exim, a popular Mail Transfer Agent, allows attackers to execute arbitrary commands with root privileges simply by sending a specially crafted email. The availability of public exploits led to widespread scanning and exploitation of vulnerable Exim servers, with attackers using compromised systems to install cryptocurrency miners (cryptominers), launch internal attacks or establish persistent backdoors. The NSA warned that state-sponsored actors were actively exploiting this flaw to compromise email servers and gather sensitive information.CVE-2020-1472: Netlogon Elevation of Privilege VulnerabilityZerologonElevation of PrivilegeExploitedLocalRansomware GroupsAPT GroupsCybercriminalsCritical2020Why it’s significant: This vulnerability in the Netlogon Remote Protocol (MS-NRPC) allows attackers with network access to a Windows domain controller to reset its password, enabling them to impersonate the domain controller and potentially take over the entire domain. Its severity was underscored when Microsoft reported active exploitation less than two months after disclosure and the Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive to patch the flaw. Despite available patches, it continues to be exploited by ransomware groups, APT groups, and others, highlighting its broad and ongoing impact on network security.CVE-2017-5753: CPU Speculative Execution Bounds Check Bypass VulnerabilitySpectreSpeculative Execution Bounds Check BypassLocalMedium2018Why it’s significant: In a speculative execution process, an idle microprocessor waiting to receive data speculates what the next instruction might be. Although meant to enhance performance, this process became a fundamental design flaw affecting the security of numerous modern processors. In Spectre’s case, an attacker-controlled process could read arbitrary memory belonging to another process. Since its discovery in January 2018, Spectre has affected nearly all modern processors from Intel, AMD and ARM. While it’s difficult to execute a successful Spectre attack, fully remediating the root cause is hard and requires microcode as well as operating system updates to mitigate the risk.CVE-2017-5754: CPU Speculative Execution Rogue Data Cache Load VulnerabilityMeltdownSpeculative Execution Rogue Data Cache LoadLocalHigh2018Why it’s significant: Meltdown, another speculative execution vulnerability released alongside Spectre, can allow a userspace program to read privileged kernel memory. It exploits a race condition between the memory access and privilege checking while speculatively executing instructions. Meltdown impacts desktop, laptop and cloud systems and, according to researchers, may affect nearly every Intel processor released since 1995. With a wide reaching impact, both Spectre and Meltdown sparked major interest in a largely unexplored security area. The result: a slew of research and vulnerability discoveries, many of which were also given names and logos. While there’s no evidence of a successful Meltdown exploit, the discovery showcased the risk of security boundaries enforced by hardware.CVE-2021-36942: Windows LSA Spoofing VulnerabilityPetitPotamSpoofingExploitedZero-DayNetworkRansomware GroupsHigh2021Why it’s significant: This vulnerability can force domain controllers to authenticate to an attacker-controlled destination. Shortly after a PoC was disclosed, it was adopted by ransomware groups like LockFile, which have chained Microsoft Exchange vulnerabilities with PetitPotam to take over domain controllers. Patched in the August 2021 Patch Tuesday release, the initial patch for CVE-2021-36942 only partially mitigated the issue, with Microsoft pushing general mitigation guidance for defending against NTLM Relay Attacks.CVE-2022-30190: Microsoft Windows Support Diagnostic Tool Remote Code ExecutionFollinaRemote Code ExecutionExploitedZero-DayLocalQakbot RemcosHigh2022Why it’s significant: Follina, a zero-day RCE vulnerability in MSDT impacting several versions of Microsoft Office, was later designated CVE-2022-30190. After public disclosure in May 2022, Microsoft patched Follina in the June 2022 Patch Tuesday. After disclosure, reports suggested that Microsoft dismissed the flaw’s initial disclosure as early as April 2022. Follina has been widely adopted by threat actors and was associated with some of 2021’s top malware strains in a joint cybersecurity advisory from CISA and the Australian Cyber Security Centre (ACSC), operating under the Australian Signals Directorate (ASD).CVE-2021-44228: Apache Log4j Remote Code Execution VulnerabilityLog4ShellRemote Code ExecutionExploitedNetworkCybercriminalsAPT GroupsCritical2021Why it’s significant: Log4j, a Java logging library widely used across many products and services, created a large attack surface. The discovery of CVE-2021-44228, dubbed “Log4Shell,” caused great concern, as exploitation simply requires sending a specially crafted request to a server running a vulnerable version of Log4j. After its disclosure, Log4Shell was exploited in attacks by cryptominers, DDoS botnets, ransomware groups and APT groups including those affiliated with the Iranian Islamic Revolutionary Guard Corps (IRGC).CVE-2021-26855: Microsoft Exchange Server Server-Side Request Forgery VulnerabilityProxyLogonServer-Side Request Forgery (SSRF)ExploitedZero-DayNetworkAPT Groups Ransomware GroupsCybercriminalsCritical2021Why it’s significant: CVE-2021-26855 was discovered as a zero-day along with four other vulnerabilities in Microsoft Exchange Server. It was exploited by a nation-state threat actor dubbed HAFNIUM. By sending a specially crafted HTTP request to a vulnerable Exchange Server, an attacker could steal the contents of user mailboxes using ProxyLogon. Outside of HAFNIUM, ProxyLogon has been used by ransomware groups and other cybercriminals. Its discovery created a domino effect, as other Exchange Server flaws, including ProxyShell and ProxyNotShell, were discovered, disclosed and subsequently exploited by attackers.CVE-2021-34527: Microsoft Windows Print Spooler Remote Code Execution VulnerabilityPrintNightmareRemote Code ExecutionExploitedLocalAPT GroupsRansomware GroupsCybercriminalsHigh2021Why it’s significant: This RCE in the ubiquitous Windows Print Spooler could grant authenticated attackers arbitrary code execution privileges as SYSTEM. There was confusion surrounding the disclosure of this flaw, identified as CVE-2021-34527 and dubbed “PrintNightmare.” Originally, CVE-2021-1675, disclosed in June 2021, was believed to be the real PrintNightmare. However, Microsoft noted CVE-2021-1675 is “similar but distinct” from PrintNightmare. Since its disclosure, several Print Spooler vulnerabilities were disclosed, while a variety of attackers, including the Magniber and Vice Society ransomware groups exploited PrintNightmare.CVE-2021-27101: Accellion File Transfer Appliance (FTA) SQL Injection VulnerabilitySQL InjectionExploitedZero-DayNetworkRansomware GroupCritical2021Why it’s significant: The file transfer appliance from Accellion (now known as Kiteworks) was exploited as a zero-day by the CLOP ransomware group between December 2020 and early 2021. Mandiant, hired by Kiteworks to investigate, determined that CLOP (aka UNC2546) exploited several flaws in FTA including CVE-2021-27101. This was CLOP’s first foray into targeting file transfer solutions, as they provide an easy avenue for the exfiltration of sensitive data that can be used to facilitate extortion.CVE-2023-34362: Progress Software MOVEit Transfer SQL Injection VulnerabilitySQL InjectionExploitedZero-DayNetworkRansomware GroupCritical2023Why it’s significant: CLOP’s targeting of file transfer solutions culminated in the discovery of CVE-2023-34362, a zero-day in Progress Software’s MOVEit Transfer, a secure managed file transfer software. CLOP targeted MOVEit in May 2023 and the ramifications are still felt today. According to research conducted by Emsisoft, 2,773 organizations have been impacted and information on over 95 million individuals has been exposed as of October 2024. This attack underscored the value in targeting file transfer solutions.CVE-2023-4966: Citrix NetScaler and ADC Gateway Sensitive Information Disclosure VulnerabilityCitrixBleedInformation DisclosureExploitedZero-DayNetworkRansomware GroupsAPT GroupsCritical2023Why it’s significant: CVE-2023-4966, also known as “CitrixBleed,” is very simple to exploit. An unauthenticated attacker could send a specially crafted request to a vulnerable NetScaler ADC or Gateway endpoint and obtain valid session tokens from the device’s memory. These session tokens could be replayed back to bypass authentication, and would persist even after the available patches had been applied. CitrixBleed saw mass exploitation after its disclosure, and ransomware groups like LockBit 3.0 and Medusa adopted it.CVE-2023-2868: Barracuda Email Security Gateway (ESG) Remote Command Injection VulnerabilityRemote Command InjectionExploitedZero-DayNetworkAPT GroupsCritical2023Why it’s significant: Researchers found evidence of zero-day exploitation of CVE-2023-2868 in October 2022 by the APT group UNC4841. While Barracuda released patches in May 2023, the FBI issued a flash alert in August 2023 declaring them “ineffective,” stating that “active intrusions” were being observed on patched systems. This led to Barracuda making an unprecedented recommendation for the “immediate replacement of compromised ESG appliances, regardless of patch level.”CVE-2024-3094: XZ Utils Embedded Malicious Code VulnerabilityEmbedded Malicious CodeZero-DayUnknown Threat Actor (Jia Tan)Critical2024Why it’s significant: CVE-2024-3094 is not a traditional vulnerability. It is a CVE assigned for a supply-chain backdoor discovered in XZ Utils, a compression library found in various Linux distributions. Developer Andres Freund discovered the backdoor while investigating SSH performance issues. CVE-2024-3094 highlighted a coordinated supply chain attack by an unknown individual that contributed to the XZ GitHub project for two and a half years, gaining the trust of the developer before introducing the backdoor. The outcome of this supply chain attack could have been worse were it not for Freund’s discovery.Identifying affected systemsA list of Tenable plugins for these vulnerabilities can be found on the individual CVE pages:CVE-1999-0211CVE-2010-2568CVE-2014-0160CVE-2014-6271CVE-2015-5119CVE-2017-11882CVE-2017-0144CVE-2017-5638CVE-2019-0708CVE-2020-0796CVE-2019-19781CVE-2019-10149CVE-2020-1472CVE-2017-5753CVE-2017-5754CVE-2021-36942CVE-2022-30190CVE-2021-44228CVE-2021-26855CVE-2021-34527CVE-2021-27101CVE-2023-34362CVE-2023-4966CVE-2023-2868CVE-2024-3094
- Oracle October 2024 Critical Patch Update Addresses 198 CVEsby Tenable Security Response Team on October 15, 2024 at 6:50 pm
Oracle addresses 198 CVEs in its fourth quarterly update of 2024 with 334 patches, including 35 critical updates.BackgroundOn October 15, Oracle released its Critical Patch Update (CPU) for October 2024, the fourth and final quarterly update of the year. This CPU contains fixes for 198 CVEs in 334 security updates across 28 Oracle product families. Out of the 334 security updates published this quarter, 10.5% of patches were assigned a critical severity. High severity patches accounted for the bulk of security patches at 44.6%, followed by medium severity patches at 39.5%.This quarter’s update includes 35 critical patches across 16 CVEs.SeverityIssues PatchedCVEsCritical3516High14986Medium13280Low1816Total334198AnalysisThis quarter, the Oracle Commerce product family contained the highest number of patches at 100, accounting for 29.9% of the total patches, followed by Oracle Hyperion at 45 patches, which accounted for 13.5% of the total patches.A full breakdown of the patches for this quarter can be seen in the following table, which also includes a count of vulnerabilities that can be exploited over a network without authentication.Oracle Product FamilyNumber of PatchesRemote Exploit without AuthenticationOracle Commerce10081Oracle Hyperion4512Oracle Financial Services Applications3225Oracle E-Business Suite2015Oracle Communications Applications181Oracle SQL Developer1310Oracle Food and Beverage Applications127Oracle Java SE122Oracle Secure Backup95Oracle Hospitality Applications88Oracle Autonomous Health Framework74Oracle Communications73Oracle Siebel CRM75Oracle Database Server62Oracle Systems50Oracle Essbase41Oracle MySQL44Oracle Application Express31Oracle Enterprise Manager33Oracle Fusion Middleware33Oracle Analytics31Oracle Retail Applications33Oracle Supply Chain33Oracle Graph Server and Client22Oracle PeopleSoft22Oracle Blockchain Platform11Oracle GoldenGate10Oracle NoSQL Database11SolutionCustomers are advised to apply all relevant patches in this quarter’s CPU. Please refer to the October 2024 advisory for full details.Identifying affected systemsA list of Tenable plugins to identify these vulnerabilities will appear here as they’re released. This link uses a search filter to ensure that all matching plugin coverage will appear as it is released.Get more informationOracle Critical Patch Update Advisory – October 2024Oracle October 2024 Critical Patch Update Risk MatricesOracle Advisory to CVE MapJoin Tenable’s Security Response Team on the Tenable Community.Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.
- Microsoft’s October 2024 Patch Tuesday Addresses 117 CVEs (CVE-2024-43572, CVE-2024-43573)by Tenable Security Response Team on October 8, 2024 at 2:01 pm
3Critical113Important1Moderate0LowMicrosoft addresses 117 CVEs with three rated as critical and four zero-day vulnerabilities, two of which were exploited in the wild.Microsoft patched 117 CVEs in October 2024 Patch Tuesday release, with three rated critical, 113 rated important and one rated moderate. Our counts omitted one vulnerability reported by Hackerone.This month’s update includes patches for:.NET and Visual Studio.NET,.NET Framework, Visual StudioAzure CLIAzure MonitorAzure StackBranchCacheCode Integrity GuardDeepSpeedInternet Small Computer Systems Interface (iSCSI)Microsoft ActiveXMicrosoft Configuration ManagerMicrosoft Defender for EndpointMicrosoft Graphics ComponentMicrosoft Management ConsoleMicrosoft OfficeMicrosoft Office ExcelMicrosoft Office SharePointMicrosoft Office VisioMicrosoft Simple Certificate Enrollment ProtocolMicrosoft WDAC OLE DB provider for SQLMicrosoft Windows SpeechOpenSSH for WindowsOutlook for AndroidPower BIRPC Endpoint Mapper ServiceRemote Desktop ClientRole: Windows Hyper-VService FabricSudo for WindowsVisual C++ Redistributable InstallerVisual StudioVisual Studio CodeWindows Ancillary Function Driver for WinSockWindows BitLockerWindows Common Log File System DriverWindows Cryptographic ServicesWindows EFI PartitionWindows Hyper-VWindows KerberosWindows KernelWindows Kernel-Mode DriversWindows Local Security Authority (LSA)Windows MSHTML PlatformWindows Mobile BroadbandWindows NT OS KernelWindows NTFSWindows NetlogonWindows Network Address Translation (NAT)Windows Online Certificate Status Protocol (OCSP)Windows Print Spooler ComponentsWindows Remote DesktopWindows Remote Desktop Licensing ServiceWindows Remote Desktop ServicesWindows Resilient File System (ReFS)Windows Routing and Remote Access Service (RRAS)Windows ScriptingWindows Secure ChannelWindows Secure Kernel ModeWindows ShellWindows Standards-Based Storage Management ServiceWindows StorageWindows Storage Port DriverWindows Telephony ServerWinlogonRemote code execution (RCE) vulnerabilities accounted for 35.9% of the vulnerabilities patched this month, followed by elevation of privilege (EOP) vulnerabilities at 23.9%.ImportantCVE-2024-43572 | Microsoft Management Console Remote Code Execution VulnerabilityCVE-2024-43572 is a RCE vulnerability in Microsoft Management Console (MMC). It was assigned a CVSSv3 score of 7.8 and is rated as important. An attacker could exploit this vulnerability by convincing a vulnerable target through the use of social engineering tactics to open a specially crafted file. Successful exploitation would allow the attacker to execute arbitrary code. According to Microsoft, CVE-2024-43572 was exploited in the wild as a zero-day. This is the second month in a row that Microsoft patched a RCE vulnerability in the MMC, as Microsoft addressed CVE-2024-38259 in its September 2024 Patch Tuesday release.As part of its patch for CVE-2024-43572, Microsoft has altered the behavior for Microsoft Saved Console (MSC) files, preventing untrusted MSC files from being opened on a system.ModerateCVE-2024-43573 | Windows MSHTML Platform Spoofing VulnerabilityCVE-2024-43573 is a spoofing vulnerability in the Windows MSHTML Platform. It was assigned a CVSSv3 score of 6.5 and is rated as moderate. An unauthenticated, remote attacker could exploit this vulnerability by convincing a potential target to open a malicious file. According to Microsoft, CVE-2024-43573 was exploited in the wild as a zero-day.This is the fourth zero-day vulnerability in the Windows MSHTML Platform that was exploited in the wild in 2024, which include CVE-2024-30040, a security feature bypass flaw that was patched in May 2024, CVE-2024-38112, a spoofing vulnerability that was patched in July 2024 and CVE-2024-43461, a spoofing vulnerability that was patched on September 10, 2024, though details about in-the-wild exploitation was not known until September 13, 2024. Both CVE-2024-38112 and CVE-2024-43461 were used as part of an exploit chain by an advanced persistent threat (APT) actor known as Void Banshee.ImportantCVE-2024-20659 | Windows Hyper-V Security Feature Bypass VulnerabilityCVE-2024-20659 is a security feature bypass vulnerability in Windows Hyper-V. It was assigned a CVSSv3 score of 7.1, is rated as important and assessed as “Exploitation Less Likely” according to Microsoft’s Exploitability Index. This is likely due to the fact that there are multiple conditions that need to be met in order for exploitation to be feasible, such as a user rebooting their machine and application specific behavior among other user-required actions. Successful exploitation would allow an attacker to bypass a Virtual Machine’s Unified Extensible Firmware Interface (UEFI) on the host machine, resulting in both the hypervisor and secure kernel being compromised. According to Microsoft, CVE-2024-20659 was publicly disclosed prior to a patch being made available.In addition to CVE-2024-20659, Microsoft also addressed three denial of service (DoS) vulnerabilities and one RCE in Windows Hyper-V:CVEVulnerability TypeSeverityCVSSv3CVE-2024-30092RCEImportant8CVE-2024-43521DoSImportant7.5CVE-2024-43567DoSImportant7.5CVE-2024-43575DoSImportant7.5ImportantCVE-2024-43583 | Winlogon Elevation of Privilege VulnerabilityCVE-2024-43583 is an EoP vulnerability in Winlogon. It was assigned a CVSSv3 score of 7.8 and is rated as important. A local, authenticated attacker could exploit this vulnerability to gain SYSTEM privileges. According to Microsoft, CVE-2024-43583 was publicly disclosed prior to a patch being made available.In addition to applying the available patch for CVE-2024-43583, Microsoft recommends enabling Microsoft first-party Input Method Editor (IME) in order to thwart vulnerabilities within third-party IMEs. For more information on enabling first-party IME, please refer to the knowledge base article KB5046254.ImportantCVE-2024-38212, CVE-2024-38261, CVE-2024-38265, CVE-2024-43453, CVE-2024-43549, CVE-2024-43564, CVE-2024-43589, CVE-2024-43592, CVE-2024-43593, CVE-2024-43607, CVE-2024-43608, CVE-2024-43611 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution VulnerabilityCVE-2024-38212, CVE-2024-38261, CVE-2024-38265, CVE-2024-43453, CVE-2024-43549, CVE-2024-43564, CVE-2024-43589, CVE-2024-43592, CVE-2024-43593, CVE-2024-43607, CVE-2024-43608 and CVE-2024-43611 are a series of RCE vulnerabilities in Windows Routing and Remote Access Service (RRAS) accounting for 10% of the vulnerabilities in the October Microsoft Patch Tuesday update. All 12 of these vulnerabilities share a common CVSSv3 score of 8.8 with the exception of CVE-2024-38261 which was assigned a score of 7.8. Each of these vulnerabilities are rated by Microsoft as “Exploitation Less Likely” and share similar attack paths based on Microsoft’s descriptions of the vulnerabilities. An attacker with no authentication could leverage this vulnerability by targeting a vulnerable server with a specially crafted protocol message or tricking a user to submit a request to a malicious server resulting in a malicious message being returned, which could lead to RCE on the vulnerable machine.ImportantCVE-2024-43533 and CVE-2024-43599 | Remote Desktop Client Remote Code Execution VulnerabilityCVE-2024-43533 and CVE-2024-43599 are a pair of RCE vulnerabilities in Microsoft Remote Desktop Client, both with a CVSSv3 score of 8.8 and flagged by Microsoft as “Exploitation Less Likely.” The attack vector noted by Microsoft lists a prerequisite of an attacker first compromising a Remote Desktop Server. Once compromised, the attacker can leverage RCE against vulnerable connecting devices. As a mitigating factor and part of security best practices, it is suggested that the Remote Desktop service should be disabled if not needed. Microsoft’s advisory further explains that disabling unused services can help reduce exposure.CriticalCVE-2024-43468 | Microsoft Configuration Manager Remote Code Execution VulnerabilityCVE-2024-43468 is a RCE in Microsoft Configuration Manager listed as “Exploitation Less Likely” by Micorosft despite having a critical CVSSv3 score of 9.8, the highest in October’s Patch Tuesday update. An attacker can leverage this vulnerability without prior authentication by sending a specially crafted request to a vulnerable machine resulting in RCE on the machine or its underlying database.Microsoft has advised impacted users to install an in-console update as the only mitigation path, but has listed a workaround for users who cannot immediately implement the updates. The workaround suggested by Microsoft is to use an alternate service account for the Management point connection account in place of the default “Computer” account.ImportantCVE-2024-38124 | Windows Netlogon Elevation of Privilege VulnerabilityCVE-2024-38124 is a EoP vulnerability in Windows Netlogon assessed as “Exploitation Less Likely” with a CVSSv3 score of 9, the second highest in the October Patch Tuesday update. An attacker would need authenticated access to the same network as a vulnerable device and rename their machine to match the domain controller in order to establish a secure channel. If these prerequisites are met, the attacker would then need to rename their machine back to its original name and “once the new domain controller is promoted, the attacker could use the secure channel to impersonate the domain controller and potentially compromise the entire domain.”There are no workarounds listed for this vulnerability, but if immediate patching is not an option, Microsoft has listed a handful of mitigating factors to consider:Avoid using predictable naming conventions on Domain ControllersEnsure Secure Channel validation requires more than just a matching computer name.Monitoring for the renaming of computers within the network.Consider enhanced authentication mechanisms.Tenable SolutionsA list of all the plugins released for Microsoft’s October 2024 Patch Tuesday update can be found here. As always, we recommend patching systems as soon as possible and regularly scanning your environment to identify those systems yet to be patched.For more specific guidance on best practices for vulnerability assessments, please refer to our blog post on How to Perform Efficient Vulnerability Assessments with Tenable.Get more informationMicrosoft’s October 2024 Security UpdatesTenable plugins for Microsoft October 2024 Patch Tuesday Security UpdatesJoin Tenable’s Security Response Team on the Tenable Community.Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.
- CVE-2024-47076, CVE-2024-47175, CVE-2024-47176, CVE-2024-47177: Frequently Asked Questions About Common UNIX Printing System (CUPS) Vulnerabilitiesby Tenable Security Response Team on September 26, 2024 at 7:02 pm
Frequently asked questions about multiple vulnerabilities in the Common UNIX Printing System (CUPS) that were disclosed as zero-days on September 26.Update September 27: The blog has been updated to include information about in-the-wild exploitation attempts, information on detecting external assets using Tenable Attack Surface Management and the upcoming availability of a remote direct check plugin. View Change LogBackgroundThe Tenable Security Response Team (SRT) has compiled this blog to answer Frequently Asked Questions (FAQ) regarding a series of vulnerabilities in the Common UNIX Printing System (CUPS). We will update this blog as more information becomes available.FAQWhat is CUPS?Common UNIX Printing System (CUPS) is an open-source printing system for Linux and other UNIX-like operating systems. CUPS uses the IPP (Internet Printing Protocol) to allow for printing with local and network printers.What are the vulnerabilities associated with the recent CUPS disclosure?As of September 26, the following four CVE identifiers were assigned for vulnerabilities related to CUPS:CVEDescriptionAffected ComponentCVSSv3*CVE-2024-47076libscupsfilters Improper Input Validation or Sanitization Vulnerabilitylibcupsfilters8.6CVE-2024-47175libppd Improper Input Validation or Sanitization Vulnerabilitylibppd8.6CVE-2024-47176cups-browsed Binding to an Unrestricted IP Address Vulnerabilitycups-browsed8.4CVE-2024-47177cups-filters Command Injection Vulnerabilitycups-filters9.1*These CVSSv3 scores are current as of September 26..What are CVE-2024-47076, CVE-2024-47175, CVE-2024-47176, and CVE-2024-47177?CVE-2024-47076 is a flaw in the libcupsfilters library in which IPP packets are not validated or sanitized. This provides the attacker the ability to send malicious data to the CUPS system.CVE-2024-47175 affects the libppd library and is an input validation issue. IPP data is not properly validated or sanitized before being written to a temporary PostScript Printer Description (PPD) file. This can result in an attacker injecting malicious data into the PPD file.CVE-2024-47176 was assigned to a bug affecting the cups-browsed library. According to the blog post from Simone Margaritelli, the package allows any packet from any source to be trusted on the IPP port (default 631). Because of this, an attacker could send a crafted packet that would trigger a Get-Printer-Attributes IPP request, which would then reach out to an attacker controller URL.CVE-2024-47177 impacts the cups-filters library and could allow an attacker to execute arbitrary commands using “via the FoomaticRIPCommandLine PPD parameter.”The combination of these vulnerabilities could result in an attacker crafting a fake printer, thereby allowing them to execute arbitrary code whenever a print job has been started by the impacted host.How severe are these vulnerabilities?While there has been a lot of attention given to these vulnerabilities prior to disclosure, based on what has been disclosed as of September 26, these flaws are not at the level of something like Log4Shell or Heartbleed. We encourage organizations not to panic about these flaws as most attackers continue to exploit known vulnerabilities in internet facing assets.When were these vulnerabilities first disclosed?On September 23, Simone Margaritelli posted on X (formerly Twitter) that he recently reported a critical severity, CVSSv3 9.9 unauthenticated remote code execution (RCE) vulnerability that affects “all GNU/Linux systems” to Canonical, Red Hat and others. According to Margaritelli, disclosure and coordination with multiple Linux vendors was not a smooth process. Over the next several days, Margaritelli provided additional details about the disclosure woes and several media outlets began publishing warnings over this critical vulnerability.* Unauthenticated RCE vs all GNU/Linux systems (plus others) disclosed 3 weeks ago.* Full disclosure happening in less than 2 weeks (as agreed with devs).* Still no CVE assigned (there should be at least 3, possibly 4, ideally 6).* Still no working fix.* Canonical, RedHat and… pic.twitter.com/N2d1rm2VeR— Simone Margaritelli (@evilsocket) September 23, 2024On September 26, Margaritelli posted on X that full disclosure would be happening at 20:00 UTC despite the early posts suggesting that full disclosure would be withheld until early October.Full disclosure happening at 20:00 UTC today, in a bit more than 2 hours.— Simone Margaritelli (@evilsocket) September 26, 2024Were these exploited as zero-days?No. There is currently no evidence that these vulnerabilities have been exploited in the wild as zero-days prior to disclosure on September 26.Were these exploited after the public disclosure?Yes. According to researchers at Datadog Security Labs, opportunistic scanning was detected for vulnerable systems in the “first hours following disclosure” which included exploitation attempts to install a malicious printer on a targeted system.Is there a proof-of-concept (PoC) available for these vulnerabilities?A proof-of-concept (PoC) developed by Margaritelli is included in the GitHub advisory for CVE-2024-47176. Additionally, a PoC has been published on GitHub based on a commit in the OpenPrinting CUPS repository.Are patches or mitigations available?Due to the early public disclosure, there are currently no patches available for the four vulnerabilities disclosed on September 26. However, to mitigate these flaws until the patches are available, it is advised to disable and remove cups-browsed from vulnerable systems. Additionally, CUPS is set to listen on UDP port 631, so it is advised to block all traffic to UDP port 631.A security bulletin published by Red Hat highlights mitigations for high availability and non-high availability scenarios, the latter essentially stopping and disabling the cups-browsed service. In high availability scenarios they advised changing the BrowseRemoteProtocols directive values from default “dnssd cups” to “none.”How many internet facing assets are potentially impacted by these vulnerabilities?CUPS is not installed by default with many *nix distributions. In many distributions, the default configuration should limit the ability to access the default port.As of September 26, a search on Shodan.io showed just over 75,000 internet-accessible hosts running CUPS. A search on the FOFA Search Engine returned over 270,000 unique IP addresses with nearly 70,000 linked specifically to IPP. Based on these findings, there are a significant number of hosts that do appear to be internet-accessible with a majority of the results using the default port, 631.Source: Shodan.ioSource: FOFAHow can I detect if any of my external assets have the CUPS service running?Tenable Attack Surface Management is able to detect various versions of the CUPS service running on internet connected assets. With robust filtering, this allows precise identification of these affected assets. Has Tenable released any product coverage for these vulnerabilities?A list of Tenable plugins for these vulnerabilities can be found on the individual CVE pages as they’re released:CVE-2024-47076CVE-2024-47175CVE-2024-47176CVE-2024-47177This link will display all available plugins for these vulnerabilities, including upcoming plugins in our Plugins Pipeline.Additionally, a remote direct check for CVE-2024-47176 has been developed and will be available soon.Get more informationBlog: Attacking UNIX Systems via CUPS, Part IGitHub Advisory for CVE-2024-47076 in libcupsfiltersGitHub Advisory for CVE-2024-47175 in libppdGitHub Advisory for CVE-2024-47176 in cups-browsedGitHub Advisory for CVE-2024-47177 in cups-filtersGitHub: Leaked CUPS disclosure prior to publicationChange LogUpdate September 27: The blog has been updated to include information about in-the-wild exploitation attempts, information on detecting external assets using Tenable Attack Surface Management and the upcoming availability of a remote direct check plugin.Join Tenable’s Security Response Team on the Tenable Community.Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.