Today, we’re looking at this past week’s critical vulnerabilities in networking products, browsers, and DevOps platforms. Microsoft also published its monthly patch roundup; fortunately, only two vulnerabilities were critical. Recent news includes malware attacks and nation-state exploits. As attempted attacks continue, businesses in high-risk verticals, like government, healthcare, and finance, should be particularly vigilant.
October 1, 2024
CISA Releases Notice About Optigo Switch Vulnerability
Type of vulnerability: Improper filename control and weak authentication.
The problem: The Cybersecurity and Infrastructure Security Agency (CISA) is recommending mitigation actions for Optigo Networks customers regarding the ONS-S8 – Spectra Aggregation Switch. The switch’s vulnerabilities include improper filename control for include/require statements in the PHP program (or PHP Remote File Inclusion) and weak authentication.
The vulnerability has a critical CVSS score of 9.3. It affects versions 1.3.7 and earlier of the switch.
The fix: In the absence of a patch or dedicated fix, CISA lists Optigo Networks’ suggested mitigations for the vulnerabilities:
- “Use a dedicated NIC on the BMS computer and exclusively this computer for connecting to OneView to manage your OT network configuration.
- Set up a router firewall with a white list for the devices permitted to access OneView.
- Connect to OneView via secure VPN.”
Watch for any potential future notifications from Optigo Networks about a dedicated fix in case it develops one.
October 8, 2024
Patch Tuesday Clocks a Whopping 117 Vulnerabilities
Type of vulnerability: Multiple, including elevation of privilege and remote code execution.
The problem: For this month’s patch Tuesday, Microsoft announced 117 vulnerabilities. Only two had a CVSS score of 9.0 or above — a Windows Netlogon EoP flaw, CVE-2024-38124, and a Microsoft Configuration Manager RCE vulnerability, CVE-2024-43468. Other products addressed in October’s Patch Tuesday include Microsoft Hyper-V, Windows Kernel, Azure Monitor, Microsoft Office SharePoint, and Excel.
The fix: Check Microsoft’s Patch Tuesday rundown for any products your business uses and follow any mitigation or patch instructions.
If your security team is overwhelmed by manual vulnerability tracking, consider using one of the top vulnerability scanning tools, such as Tenable, Invicti, or Wiz.
October 9, 2024
GitLab Updates Vulnerable Community & Enterprise Versions
Type of vulnerability: Multiple, including running pipelines and template disclosure.
The problem: GitLab released updated versions of GitLab Community and Enterprise to fix eight vulnerabilities. The one critical flaw allows attackers to run pipelines on arbitrary project branches. It exists in versions starting from 12.5 before 17.2.9, from 17.3 before 17.3.5, and from 17.4 before 17.4.2.
There are four high-severity flaws, two medium, and one low. Check GitLab’s security notice for the specific versions where these vulnerabilities exist.
The fix: GitLab has released versions 17.4.2, 17.3.5, and 17.2.9 for GitLab Community Edition (CE) and Enterprise Edition (EE).
Time to Upgrade Mozilla Firefox
Type of vulnerability: Use-after-free.
The problem: Mozilla has fixed a critical vulnerability in Firefox; the fix ships in Firefox 131.0.2, Firefox ESR 128.3.1, and Firefox ESR 115.16.1. Damien Schaeffer of ESET reported the vulnerability to Mozilla.
“An attacker was able to achieve code execution in the content process by exploiting a use-after-free in Animation timelines,” Mozilla said in its security advisory. The vendor has received reports of active exploitation.
The fix: Upgrade Firefox to the most recent version available.
October 10, 2024
Ransomware is Actively Exploiting Critical Veeam Flaw
Type of attack: Ransomware exploit.
The problem: A critical vulnerability I mentioned in a recap a few weeks ago is now being exploited. CVE-2024-40711, a flaw in Veeam Backup & Replication, is being used in Akira and Fog ransomware attacks, according to Sophos. Sophos X-Ops, the vendor’s MDR and incident response service, has been tracking exploitation of the Veeam vulnerability over the past few weeks.
Sophos found that the attackers initially used compromised VPN gateways to access their targets in each studied case of a ransomware attack.
“Each time, the attackers exploited VEEAM on the URI /trigger on port 8000, triggering the Veeam.Backup.MountService.exe to spawn net.exe,” Sophos X-Ops said on Mastodon. “The exploit creates a local account, ‘point,’ adding it to the local Administrators and Remote Desktop Users groups.”
The fix: Upgrade Veeam Backup and Replication to version 12.2.0.334, which fixes the flaw.
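The chain Sophos describes (the Veeam mount service spawning net.exe to create a local account and add it to privileged groups) is a concrete thing a SOC can hunt for in process-creation telemetry. The following is an added detection example, not code from Sophos or Veeam; the event fields (ParentImage, Image, CommandLine), the install path, and the sample events are constructed assumptions modelled on Sysmon Event ID 1 / Security 4688 records.

```python
import ntpath
import re

# Constructed sample telemetry (not real logs): the three process-creation fields
# (Sysmon Event ID 1 / Security 4688) the detection needs. Paths are assumptions.
VEEAM_PARENT = r"C:\Program Files\Veeam\Backup and Replication\Backup\Veeam.Backup.MountService.exe"
NET = r"C:\Windows\System32\net.exe"
SAMPLE_EVENTS = [
    {"ParentImage": VEEAM_PARENT, "Image": NET, "CommandLine": "net user point Str0ngPass! /add"},
    {"ParentImage": VEEAM_PARENT, "Image": NET, "CommandLine": "net localgroup Administrators point /add"},
    {"ParentImage": VEEAM_PARENT, "Image": NET, "CommandLine": 'net localgroup "Remote Desktop Users" point /add'},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": NET, "CommandLine": r"net use Z: \\fileserver\share"},
]

SUSPICIOUS_PARENT = "veeam.backup.mountservice.exe"
NET_BINARIES = {"net.exe", "net1.exe"}          # net.exe hands most work to net1.exe
PRIVILEGED_GROUPS = {"administrators", "remote desktop users"}
USER_ADD = re.compile(r"\buser\s+(\S+)\s+\S*\s*/add\b", re.IGNORECASE)
GROUP_ADD = re.compile(r'\blocalgroup\s+("([^"]+)"|\S+)\s+(\S+)\s+/add\b', re.IGNORECASE)

def classify(event):
    """Return (severity, reason, account) for one event, or None if it is not of interest."""
    parent = ntpath.basename(event["ParentImage"]).lower()
    child = ntpath.basename(event["Image"]).lower()
    if parent != SUSPICIOUS_PARENT or child not in NET_BINARIES:
        return None
    cmd = event["CommandLine"]
    if m := USER_ADD.search(cmd):
        return ("high", "local account created by Veeam mount service", m.group(1))
    if m := GROUP_ADD.search(cmd):
        group = (m.group(2) or m.group(1)).lower()
        sev = "high" if group in PRIVILEGED_GROUPS else "medium"
        return (sev, f"account added to {group}", m.group(3))
    # Any net.exe child of the mount service is still worth a look.
    return ("medium", "Veeam mount service spawned net.exe", None)

def detect(events):
    """Return [(index, severity, reason, account)] for every event classify() flags."""
    return [(i, *hit) for i, e in enumerate(events) if (hit := classify(e))]

def backdoor_accounts(events):
    """Accounts that were both created and added to a privileged group by the mount service."""
    created, elevated = set(), set()
    for _, sev, reason, acct in detect(events):
        if reason.startswith("local account created"):
            created.add(acct.lower())
        elif sev == "high" and reason.startswith("account added"):
            elevated.add(acct.lower())
    return sorted(created & elevated)
```

Feeding real process-creation events into `detect()` and `backdoor_accounts()` correlates the account creation with the group additions, so a single alert names the account that needs to be disabled.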
October 11, 2024
Fortinet Updates Critical February Vulnerability
Type of vulnerability: Format string vulnerability.
The problem: A Fortinet bug from February was updated in October because of possible in-the-wild exploitation. The flaw is an externally controlled format string bug in fgfmd that could lead to remote code execution if an attacker sends specially crafted requests. It is tracked as CVE-2024-23113 and has a critical severity rating.
According to FortiGuard Labs’ Advisories list, the flaw affects the following software versions:
- FortiOS 7.4.2, 7.4.1, 7.4.0, 7.2.6, 7.2.5
- FortiPAM 1.2.0, 1.1.2, 1.1.1, 1.1.0, 1.0.3
- FortiProxy 7.4.2, 7.4.1, 7.4.0, 7.2.8, 7.2.7
- FortiWeb 7.4.2, 7.4.1, 7.4.0
The fix: Upgrade to the most recent version of the affected software.
Ivanti CSA Vulnerabilities Have Already Been Exploited
Type of vulnerability: Multiple, including path traversal and command injection.
The problem: Fortinet’s FortiGuard Labs has found that threat actors, suspected to be nation-state attackers, are exploiting a previously discovered vulnerability in Ivanti Cloud Services Appliance, an authenticated access flaw. The exploits affect versions 4.6 and prior of the software. FortiGuard Labs was called in to investigate when a customer’s network was communicating with a malicious IP address, and FortiGuard traced the issue to Ivanti CSA.
The vulnerability, CVE-2024-8190, came to light in September, and Fortinet has seen threat actors use it in conjunction with two other CSA flaws, a path traversal and a command injection vulnerability. Neither of the two additional flaws is publicly known. They affect the PHP front-end of CSA.
Fortinet says the exploits are an example of threat actors chaining zero-days together.
The fix: If you haven’t yet done so, upgrade Ivanti Cloud Services Appliance to version 5.0.