It’s been a startling week in vulnerability news, mainly due to a few older vulnerabilities coming to light. While it doesn’t look like they’ve been exploited yet, threat actors may make a move now that the flaws have been publicized.
The other major news — which could affect both businesses and individuals — is a zero-day vulnerability found in most major web browsers on both Mac and Linux machines. You’ll want to update your computer as soon as you learn about this — I certainly did. Look at our rundown, and make sure your security teams are apprised of any relevant vulnerabilities from this past week’s news.
August 5, 2024
Another Apache OFBiz Vulnerability to Watch
Type of vulnerability: Remote code execution.
The problem: Last week, I mentioned a path traversal vulnerability in the open-source framework Apache OFBiz that had been patched earlier in the year but was more recently being exploited. This new OFBiz flaw is a separate one. It’s tracked as CVE-2024-38856 and allows a threat actor to use a specially crafted request to execute code on endpoints without authorization.
The vulnerability has a CVSS severity rating of 9.8 and affects all versions of Apache OFBiz up to 18.12.14.
The fix: Upgrade to version 18.12.15.
August 7, 2024
18-Year-Old Browser Flaw Requires Immediate Updates
Type of vulnerability: Zero-day code execution.
The problem: Researchers from application security vendor Oligo recently discovered a web browser vulnerability 18 years in the making. The flaw allows threat actors to fingerprint and identify browser users and to use an IP address of 0.0.0.0 to execute unauthorized code. The vulnerability applies to all major browsers running on macOS and Linux systems but not on Windows.
“Public websites (like domains ending in .com) are able to communicate with services running on the local network (localhost) and potentially execute arbitrary code on the visitor’s host by using the address 0.0.0.0 instead of localhost/127.0.0.1,” Oligo researcher Avi Lumelsky said.
According to Oligo, the vulnerability also allows threat actors to fingerprint users by port-scanning them. By the time it was recognized as a major threat, it already existed in most browsers and would be quite challenging to fix, Lumelsky explained.
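As an added example (not code from Oligo, any browser vendor, or this article), here is how a local service could refuse the requests described above, assuming it listens on 127.0.0.1 and inspects the HTTP Host and Origin headers; the header values are constructed:

```c
/* Added example (not Oligo's or any browser's code): a local HTTP service that
 * is assumed to listen on 127.0.0.1 decides from the Host and Origin headers
 * whether to serve a request. A browser reaching it via the 0.0.0.0 alias sends
 * "Host: 0.0.0.0:<port>", and a request started by a public page carries that
 * page's Origin; both are refused. Header values below are constructed. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
/* Names a legitimate local client uses to address the service. 0.0.0.0 is
 * deliberately absent: it is the alias the browser flaw lets public pages use. */
static const char *const ALLOWED_HOSTS[] = { "localhost", "127.0.0.1", "[::1]" };
/* True if the host part of an authority ("host" or "host:port") is allow-listed. */
static bool host_is_local(const char *authority)
{
    if (authority == NULL || *authority == '\0') return false;
    /* For a bracketed IPv6 literal the port follows ']'; otherwise the first ':'. */
    const char *end = (authority[0] == '[') ? strchr(authority, ']') : strchr(authority, ':');
    if (authority[0] == '[' && end != NULL) end++;        /* keep the ']' */
    size_t len = end ? (size_t)(end - authority) : strlen(authority);
    for (size_t i = 0; i < sizeof ALLOWED_HOSTS / sizeof ALLOWED_HOSTS[0]; i++)
        if (strlen(ALLOWED_HOSTS[i]) == len && strncmp(authority, ALLOWED_HOSTS[i], len) == 0)
            return true;
    return false;
}

/* Origin is "scheme://host[:port]"; judge its host the same way. */
static bool origin_is_local(const char *origin)
{
    const char *sep = strstr(origin, "://");
    return host_is_local(sep ? sep + 3 : origin);
}

/* Serve only if the request names a loopback host AND, when the browser sent an
 * Origin (cross-origin requests always do), that origin is local too.
 * NULL means the header is absent; an absent Origin (e.g. curl) is allowed. */
bool local_service_should_accept(const char *host_hdr, const char *origin_hdr)
{
    if (!host_is_local(host_hdr)) return false;              /* e.g. "0.0.0.0:8080" */
    if (origin_hdr != NULL && !origin_is_local(origin_hdr)) return false;
    return true;
}

int main(void)
{
    printf("127.0.0.1, no Origin     -> %d\n", local_service_should_accept("127.0.0.1:8080", NULL));
    printf("0.0.0.0 from public page -> %d\n", local_service_should_accept("0.0.0.0:8080", "https://public.example"));
    return 0;
}
```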
The fix: If you use Google Chrome, click the three vertical dots in the top right corner of the browser window. Select “Help” and then “About Google Chrome.” From there, select the option to update the browser. If you see “Relaunch,” click that, or Chrome may relaunch automatically after you close its windows.
If you use Safari, click the Apple icon to open the menu and choose “System Settings.” Select “General” and then “Software Update.” Select “Update Now” if there’s a new update available, and follow any further instructions.
Microsoft Edge users should open the browser and select the three dots in the upper right-hand corner. Then, choose “Help and feedback” and select “About Microsoft Edge.” If there are updates available, Edge should automatically perform them. Then, you’ll need to restart Edge as prompted to apply those software updates.
If you use Mozilla Firefox, open Firefox and select the three horizontal lines at the top right of the browser. Click “Help” and then “About Firefox,” where Firefox will install any available updates automatically. After the update process, select “Restart to Update Firefox.”
For further details on updating your browsers, Fox News provides instructions here.
If your security team has started to feel overwhelmed by tracking down vulnerability news, consider a scanning product that helps automate vulnerability tracking procedures. We’ve selected the best vulnerability scanners for businesses so you can pick a good option for your team.
Sinkclose Vulnerability Affects 18 Years of Processors
Type of vulnerability: Improper validation and potentially arbitrary code execution.
The problem: This week, we have not one but two 18-year-old vulnerabilities: researchers at IOActive discovered a flaw in AMD central processing units that has existed in processors made as early as 2006. It has only now come to light and is known as Sinkclose. If exploited, the vulnerability would allow a threat actor to execute their own code within the processor’s firmware using System Management Mode (SMM). This can happen even when SMM is locked.
To successfully complete the attack, the malicious program would need access to ring 0, the layer with the highest privileges and access to the system kernel. The threat actor must get there first before exploiting this flaw, which could be part of the reason it hasn’t been heavily exploited. The vulnerability is tracked as CVE-2023-31315 and has a CVSS score of 7.5.
The fix: AMD will patch some of its processors but not all; check out AMD’s security bulletin for a list of hardware that will receive a patch.
Windows Downgrade Attack Puts Operating System in Danger
Type of attack: OS version rollback.
The problem: A recently discovered flaw in Windows systems allows threat actors to roll operating systems back to older versions that have vulnerabilities in them. The researcher who discovered the flaw six months ago, Alon Leviev, presented his findings at the Black Hat conference last week. He was able to use the Windows Updates function to create OS downgrading updates and bypass the verification steps typically required for a system update.
“Armed with these capabilities, we managed to downgrade critical OS components, including DLLs, drivers, and even the NT kernel,” Leviev said. “Afterwards, the OS reported it’s fully updated, unable to install future updates, with recovery and scanning tools unable to detect issues.”
The vulnerability also applied to Microsoft Hyper-V, the vendor’s hypervisor for supporting virtual environments. Leviev was able to downgrade Hyper-V, as well as the Isolated User Mode process within Windows Credential Guard.
In this scenario, a computer that appears to be fully patched could actually be running an older operating system with multiple open vulnerabilities.
Microsoft hasn’t officially spoken on the vulnerability, but it published advisories for CVE-2024-38202 and CVE-2024-21302 around the same time that Leviev presented at Black Hat.
The fix: The vendor currently offers no solution. If your business uses Windows, restrict administrative privileges as much as you can and require password resets as soon as possible.
August 10, 2024
Google Quick Share Has 10 Flaws on Windows
Type of vulnerability: Multiple flaws chainable to remote code execution.
The problem: SafeBreach researchers discovered 10 different vulnerabilities in Google Quick Share, a wireless data transfer utility. When chained together, some of them could lead to remote code execution attacks against Quick Share on Windows machines. This potential attack chain is now known as QuickShell.
The vulnerabilities included remote unauthorized file writes, remote forced Wi-Fi connection, and remote denial-of-service. According to SafeBreach, Google has fixed all the vulnerabilities and issued two CVEs: CVE-2024-38271 and CVE-2024-38272.
According to the researchers, a significant portion of the application code resides in an open-source repository, which could make it a valuable target for threat actors.
The fix: Google has fixed the flaws, so update your Android, Windows, and Chrome systems to the most recent versions.
August 12, 2024
OpenSSH Flaw Opens the Door for RCE
Type of vulnerability: Remote code execution.
The problem: OpenSSH, a network utilities suite based on the Secure Shell protocol, has a signal safety flaw, according to researchers at FreeBSD. FreeBSD, an open-source operating system project, released a security bulletin about the vulnerability, which occurs in a signal handler in sshd(8). According to the researchers, the logging function that the handler calls isn’t async-signal-safe.
“The signal handler is invoked when a client does not authenticate within the LoginGraceTime seconds (120 by default),” FreeBSD said in its notice. “This signal handler executes in the context of the sshd(8)’s privileged code, which is not sandboxed and runs with full root privileges.”
If exploited, the vulnerability allows a threat actor to execute remote code as root in OpenSSH. This affects the safety of OpenSSH’s encryption and transport security features.
The vulnerability is tracked as CVE-2024-7589 and has a CVSS score of 7.4.
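As an added example of the bug class FreeBSD describes (not OpenSSH’s code; the function names are hypothetical), here is a grace-timeout handler that logs from signal context next to the async-signal-safe pattern that only sets a flag and defers the logging to the main loop:

```c
/* Added example (not OpenSSH code) of the bug class FreeBSD describes: a
 * LoginGraceTime alarm handler that logs from inside the signal handler, beside
 * the async-signal-safe pattern of only setting a flag and deferring the logging
 * to the main loop. Function names here are hypothetical. */
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <string.h>
/* UNSAFE (shown for contrast, never installed): stdio/syslog-style logging may
 * take locks or allocate; if the alarm interrupts code holding those same
 * resources, the handler re-enters them, here inside a root-privileged process. */
void grace_alarm_handler_unsafe(int sig)
{
    (void)sig;
    printf("Timeout before authentication\n");    /* not async-signal-safe */
}
/* SAFE: the handler touches only a volatile sig_atomic_t. */
static volatile sig_atomic_t grace_timeout_pending = 0;

static void grace_alarm_handler_safe(int sig)
{
    (void)sig;
    grace_timeout_pending = 1;
}

/* Install the safe handler on SIGALRM; returns 0 on success, -1 on error. */
int install_grace_alarm_handler(void)
{
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = grace_alarm_handler_safe;
    sigemptyset(&sa.sa_mask);
    return sigaction(SIGALRM, &sa, NULL);
}

/* Main-loop side: consume the flag and do the logging in normal context.
 * Returns 1 if a timeout was reported, 0 if none was pending. */
int handle_pending_grace_timeout(FILE *log)
{
    if (!grace_timeout_pending) return 0;
    grace_timeout_pending = 0;
    fprintf(log, "Timeout before authentication (LoginGraceTime expired)\n");
    return 1;
}
int main(void)
{
    install_grace_alarm_handler();
    raise(SIGALRM);                   /* stands in for alarm(LoginGraceTime) firing */
    return handle_pending_grace_timeout(stdout) ? 0 : 1;
}
```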
The fix: FreeBSD instructs users to upgrade their system to a supported FreeBSD stable or release/security branch (releng) dated after the fix. After you’ve upgraded, restart sshd. FreeBSD provides more specific upgrade details as well.