The past week and the long weekend have had plenty of vulnerabilities to keep your IT and security teams busy. Both SonicWall and Juniper Networks have seen vulnerabilities that allow remote code execution and denial-of-service attacks.
Keep an eye out for security announcements from your firewall vendors; it’s possible additional similar vulnerabilities will come to light. Continue to monitor all of your software for potential malicious behavior, but this week, monitor network appliances in particular.
January 10, 2024
Thousands of WordPress Sites Vulnerable to Malware Injection
Type of vulnerability: Cross-site scripting flaw in Popup Builder that allows a malware injection.
The problem: WordPress plugin Popup Builder is vulnerable to exploitation through a flaw that allows attackers to perform administrator-level actions like installing new rogue plugins or creating new admin accounts. Researcher Marc Montpas from WPScan discovered and reported this vulnerability to the creators of the plugin.
Security provider Sucuri has researched the Balada Injector malware, which takes advantage of this vulnerability, and found that it has compromised over 6,000 sites running an old version of Popup Builder.
The fix: Popup Builder released version 4.2.3 with a patch for the vulnerability, but older versions are still being exploited. Update your instance of Popup Builder to 4.2.3 if you haven’t already. An existing injection can also be removed in the Custom JS or CSS section of Popup Builder; Sucuri offers instructions for doing this.
Juniper Networks SRX & EX Series Compromised
Type of vulnerability: Remote code execution and denial-of-service attacks.
The problem: Juniper Networks released a bulletin about a remote code execution vulnerability in its SRX firewalls and EX switches. The issue is an out-of-bounds write vulnerability, according to Juniper. When exploited, it allows an unauthenticated attacker to execute code remotely or cause a denial of service. The attacker would also obtain root privileges on the compromised firewall appliance.
This vulnerability is tracked as CVE-2024-21591. Affected versions include:
- Junos OS versions earlier than 20.4R3-S9
- Junos OS 21.2 versions earlier than 21.2R3-S7
- Junos OS 21.3 versions earlier than 21.3R3-S5
- Junos OS 21.4 versions earlier than 21.4R3-S5
- Junos OS 22.1 versions earlier than 22.1R3-S4
- Junos OS 22.2 versions earlier than 22.2R3-S3
- Junos OS 22.3 versions earlier than 22.3R3-S2
- Junos OS 22.4 versions earlier than 22.4R2-S2, 22.4R3
The fix: Juniper Networks has released the following Junos OS versions, which fix the vulnerability:
- 20.4R3-S9
- 21.2R3-S7
- 21.3R3-S5
- 21.4R3-S5
- 22.1R3-S4
- 22.2R3-S3
- 22.3R3-S2
- 22.4R2-S2
- 22.4R3
- 23.2R1-S1
- 23.2R2
- 23.4R1
- All subsequent releases
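Checking a fleet of SRX and EX devices against the two lists above by hand is error-prone because Junos version strings carry a branch (22.4), a release (R2) and an optional service release (S2) that all take part in the comparison. The following Python is an added example written for this article, not Juniper tooling: it parses the MAJOR.MINOR R n [-S m] shape used in the advisory (other Junos suffixes are not handled, an assumption of the example), encodes the affected and fixed ranges exactly as quoted above, and turns an inventory into a patch work list. Hostnames and versions in the sample inventory are constructed.

```python
import re
from typing import Dict, List, Tuple

# Added example (not Juniper's tooling): classify Junos OS version strings
# against the CVE-2024-21591 affected and fixed ranges quoted in the text above.

# Fixed releases from the advisory. 22.4 lists two (22.4R2-S2 and 22.4R3);
# the lower one is the boundary for that branch.
FIXED_RELEASES: List[str] = [
    "20.4R3-S9", "21.2R3-S7", "21.3R3-S5", "21.4R3-S5", "22.1R3-S4",
    "22.2R3-S3", "22.3R3-S2", "22.4R2-S2", "22.4R3", "23.2R1-S1",
    "23.2R2", "23.4R1",
]

# Branches the advisory lists as affected below their first fixed release.
# Everything older than the 20.4 branch is also affected ("versions earlier
# than 20.4R3-S9").
AFFECTED_BRANCHES = {"20.4", "21.2", "21.3", "21.4", "22.1", "22.2", "22.3", "22.4"}

# Accepts only the MAJOR.MINOR R n [-S m] shape used in the advisory
# (assumption: other Junos suffixes such as build numbers are not handled).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:-S(\d+))?$")

Version = Tuple[int, int, int, int]  # (major, minor, R, S); S is 0 when absent


def parse_junos(version: str) -> Version:
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Junos version string: {version!r}")
    major, minor, release, service = m.groups()
    return int(major), int(minor), int(release), int(service or 0)


def _branch(v: Version) -> Tuple[int, int]:
    return v[0], v[1]


def assess_cve_2024_21591(version: str) -> str:
    """Return 'fixed', 'affected' or 'unlisted' for one version string."""
    v = parse_junos(version)
    fixed = [parse_junos(f) for f in FIXED_RELEASES]

    # At or above the lowest fixed release of the same branch means fixed.
    same_branch = [f for f in fixed if _branch(f) == _branch(v)]
    if same_branch and v >= min(same_branch):
        return "fixed"
    # Branches newer than anything in the fix list: "all subsequent releases".
    if _branch(v) > max(_branch(f) for f in fixed):
        return "fixed"
    # Older than the 20.4 branch, or below the boundary in a listed branch.
    if _branch(v) < (20, 4) or f"{v[0]}.{v[1]}" in AFFECTED_BRANCHES:
        return "affected"
    # Branches the advisory does not name as affected (e.g. 21.1, or 23.2
    # below its first fixed release): verify against Juniper directly.
    return "unlisted"


def triage_inventory(inventory: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (host, version, status) for every device that is not 'fixed',
    so the output is the patch work list."""
    work = []
    for host, version in sorted(inventory.items()):
        status = assess_cve_2024_21591(version)
        if status != "fixed":
            work.append((host, version, status))
    return work


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up.
    sample = {
        "srx-branch-01": "21.4R3-S4",
        "srx-branch-02": "21.4R3-S5",
        "ex-core-01": "22.4R2-S1",
        "ex-core-02": "22.4R3",
        "srx-legacy": "19.4R3",
        "ex-lab": "23.2R1",
    }
    for host, version, status in triage_inventory(sample):
        print(f"{host:14} {version:12} {status}")
```

The comparison is a plain tuple comparison, so 22.4R3 sorts above 22.4R2-S2 and a missing service release counts as S0. A status of "unlisted" is deliberate: the advisory text names 23.2R1-S1 as fixed without naming 23.2 as affected, and the example reports that gap rather than guessing.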
Ivanti Zero-Days Leave the Door Open for Command Injection
Type of attack: Zero-day vulnerability potentially leading to authentication bypass and command injection.
The problem: Ivanti announced two vulnerabilities that affect Ivanti Connect Secure VPN and Ivanti Policy Secure products. Potential results of the exploits include authentication bypass and command injection. Versions 9.x and 22.x of both products are affected.
Security researchers from Mandiant discovered the vulnerabilities and identified active exploitation of them by a threat actor that Mandiant tracks as UNC5221. This threat actor has deployed at least five malware families using the Ivanti products.
The fix: Ivanti is currently developing patches for the vulnerabilities. In the meantime, it has offered a mitigation: users can import the file mitigation.release.20240107.1.xml through the download portal. Follow Ivanti’s advisory page for updates on patches.
Privilege Escalation Vulnerability Affects Microsoft SharePoint
Type of attack: Privilege escalation attack.
The problem: The United States Cybersecurity and Infrastructure Security Agency (CISA) has announced a vulnerability in Microsoft SharePoint that allows a threat actor to escalate their privileges on the network. Microsoft provided patches for the vulnerability last year, but it’s still being exploited, according to CISA.
The vulnerability is tracked as CVE-2023-29357.
The fix: Look at Microsoft’s Patch Tuesday update from last June to find patch information for the SharePoint vulnerability.
January 11, 2024
Smart Thermostat from Bosch Puts Offices in Danger
Type of vulnerability: Malicious commands sent from an attacker to the thermostat, including potentially replacing firmware with rogue code.
The problem: Technology company Bosch has a thermostat, the BCC100, that’s vulnerable to firmware replacement from a threat actor. Bitdefender discovered this vulnerability and first reported it to Bosch in August 2023. The report didn’t become publicly available until January 11.
The microcontroller of the thermostat is unable to distinguish between legitimate messages from the cloud server and falsified messages from TCP port 8899 on the local area network. According to Bitdefender, the thermostat does not validate the authenticity of a new firmware update.
The danger of compromised IoT devices is that threat actors could move laterally from a compromised thermostat onto a business’s computer systems if the thermostat sits on the same network as those systems.
The fix: Bitdefender offers a smart home scanner app to locate vulnerable IoT devices. While it’s designed for home use, your business can use it to search for vulnerabilities in your office smart devices. If you have the BCC100 installed, either replace it or segment it on its own network.
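Until a BCC100 is replaced or segmented, the two risks described above are visible in network flow data: an office host talking to the thermostat on TCP port 8899, and the thermostat initiating connections to other office hosts. The Python below is an added example written for this article, not Bitdefender’s or Bosch’s code. It assumes the thermostat is the listener on port 8899 as the passage describes, uses made-up RFC 5737 addresses for the thermostat, the office segment and the vendor cloud, and reads a constructed three-field flow format (source, destination, destination port); adapt the parser to whatever your flow collector exports.

```python
from ipaddress import ip_address, ip_network
from typing import Dict, List

# Added example (not Bitdefender's or Bosch's code): a small flow-log check for
# the two risks described above, a LAN host talking to the thermostat's TCP
# port 8899 and the thermostat reaching into the office network. Addresses
# and flow records are constructed for the example.

THERMOSTAT_PORT = 8899
THERMOSTAT_IP = ip_address("192.0.2.50")   # assumed thermostat address
OFFICE_LAN = ip_network("192.0.2.0/24")    # assumed office segment
# The thermostat should only talk to its vendor cloud, never to LAN peers.


def parse_flow(line: str) -> Dict[str, object]:
    """Parse one 'src,dst,dst_port' record (constructed minimal flow format)."""
    src, dst, dport = (field.strip() for field in line.split(","))
    return {"src": ip_address(src), "dst": ip_address(dst), "dport": int(dport)}


def detect(lines: List[str]) -> List[Dict[str, object]]:
    findings = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        flow = parse_flow(line)
        src, dst, dport = flow["src"], flow["dst"], flow["dport"]
        # Rule 1: a LAN host sent traffic to the thermostat's command port.
        # Legitimate commands come from the cloud server, not the office LAN,
        # and the device cannot tell the two apart.
        if dst == THERMOSTAT_IP and dport == THERMOSTAT_PORT and src in OFFICE_LAN:
            findings.append({"rule": "lan-to-thermostat-8899", "line": line})
        # Rule 2: the thermostat initiated a connection to another LAN host,
        # the lateral movement path a compromised device would use.
        elif src == THERMOSTAT_IP and dst in OFFICE_LAN and dst != THERMOSTAT_IP:
            findings.append({"rule": "thermostat-to-lan", "line": line})
    return findings


# Constructed sample records: src,dst,dst_port
SAMPLE_FLOWS = [
    "# src,dst,dst_port",
    "192.0.2.50,203.0.113.10,443",   # thermostat to vendor cloud: expected
    "192.0.2.23,192.0.2.50,8899",    # office workstation to port 8899: flag
    "203.0.113.10,192.0.2.50,8899",  # cloud server to port 8899: treated as legitimate
    "192.0.2.50,192.0.2.7,445",      # thermostat to a file server: flag
    "192.0.2.7,192.0.2.8,445",       # ordinary LAN traffic
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_FLOWS):
        print(finding["rule"], "<-", finding["line"])
```

Run against the sample records it reports the workstation-to-port-8899 flow and the thermostat-to-file-server flow and nothing else. Once the thermostat is moved to its own segment, rule 2 becomes a segmentation test: any hit means the firewall between the IoT segment and the office network is not doing its job.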
January 15, 2024
Hundreds of Thousands of SonicWall Firewalls Could Be Exploited
Type of vulnerability: Possible denial-of-service attack and remote code execution by an unauthenticated attacker.
The problem: SonicWall’s series 6 and 7 next-gen firewalls are susceptible to vulnerabilities that can result in denial-of-service attacks and remote code execution. Researchers at Bishop Fox scanned firewalls whose management consoles are exposed to the internet and found that 76% of them were vulnerable to at least one of the flaws.
CVE-2022-22274 is a stack-based buffer overflow vulnerability in SonicOS, the firewall’s operating system. When exploited, it can allow a threat actor to launch a denial-of-service attack and potentially also execute remote code. CVE-2023-0656 is the same flaw at its root, but it was announced a year later. The vulnerable code occurs in a different place and was discovered at a different time, so it’s considered a separate vulnerability.
The fix: Bishop Fox provides a test script that engineers can use to determine if their firewall instance is vulnerable. In their analysis, the researchers also gave examples of vulnerable code versus safe code. If your device is vulnerable, Bishop Fox recommends disconnecting the management interface from the internet and updating the appliance’s firmware to the most recent version.