DrayTek routers and Linux servers are in particular danger this week, with fourteen vulnerabilities plaguing the routers and a malware strain threatening the servers. Additionally, keep an eye out for new iOS and iPadOS updates, and get ready to review system logs if you’ve had Okta Classic since July. Check your vendors’ security bulletins regularly, and make sure your team is prepared to fix vulnerabilities when they’re made known.
October 2, 2024
Zimbra Email Servers Could See RCE Attacks
Type of attack: Remote code execution.
The problem: In late September, researchers from Proofpoint uncovered attempted exploits of Zimbra email servers. Using Zimbra Collaboration’s post-journal service, an unauthenticated threat actor could execute commands remotely on the email server.
Affected versions include:
- Joule: version 8.8.15
- Kepler: version 9.0.0
- Daffodil: versions 10.0.x before 10.0.9
- Daffodil: version 10.1.0
The vulnerability is already being exploited, and download and exploit instructions are already available on GitHub, so you should immediately patch your Zimbra installation before threat actors can follow proofs of concept.
This flaw is tracked as CVE-2024-45519 and has a critical base score of 9.8.
The fix: Apply the most recent patch that’s available for your version of Zimbra as soon as you can.
If your security team needs a more consistent method of tracking vulnerabilities, check out our guide to the best vulnerability scanning tools next.
New LiteSpeed Cache Vulnerability Allows Privilege Escalation
Type of vulnerability: Cross-site scripting.
The problem: Months after a LiteSpeed Cache flaw that could be used to escalate privileges, researcher TaiYou found a new vulnerability in the popular WordPress plugin. The flaw is an unauthenticated stored cross-site scripting vulnerability. The researcher reported it to Patchstack’s bug bounty program and worked with Patchstack on an article covering the vulnerability.
“It could allow any unauthenticated user from stealing sensitive information to, in this case, privilege escalation on the WordPress site by performing a single HTTP request,” said Patchstack.
It occurs “because the code that handles the view of the queue doesn’t implement sanitization and output escaping,” according to Patchstack.
The fix: Update your version of the LiteSpeed Cache plugin to 6.5.1 or higher.
Thousands of DrayTek Routers Vulnerable to Attack
Type of vulnerability: Multiple, including OS command injection and stack-based buffer overflow.
The problem: DrayTek routers have several vulnerabilities that researchers just discovered, including two flaws with critical scores. The fourteen vulnerabilities together expose more than 704,000 DrayTek routers in 168 countries, say researchers from Vedere Labs, the research arm of cyber risk management provider Forescout Technologies.
The researchers released a report on the vulnerabilities named DRAY:BREAK. While most of the risk affects the United Kingdom and European Union, Asia, the Middle East, Australia, New Zealand, and North and Latin America are also at risk.
The two critical flaws include CVE-2024-41585, which could lead to OS command execution, and CVE-2024-41592, which is vulnerable to buffer overflow and could lead to RCE.
The fix: Each vulnerability has a patch available from DrayTek, so your security team should apply those immediately. Additionally, Forescout recommends disabling remote access on the routers and enabling access control lists to reduce potential exposure.
October 3, 2024
Apple Flaws Fixed in New iOS & iPadOS Versions
Type of vulnerability: Audio capture and password exposure.
The problem: Apple recently patched a vulnerability in its iOS and iPadOS software. If exploited, the iOS vulnerability could allow audio messages to capture seconds of audio input prior to activation of the microphone indicator. This vulnerability is tracked as CVE-2024-44207 and has a base CVSS score of 4.3.
In iPadOS, the flaw allowed VoiceOver to read a user’s saved passwords out loud. Apple addressed the flaw, which was reportedly a logic issue, by improving validation.
This issue is tracked as CVE-2024-44204 and has a base score of 5.5.
The fix: Apple has released version 18.0.1 for both operating systems, which fixes the issue.
Perfctl Malware Threatens Thousands of Linux Servers
Type of attack: Malware.
The problem: Aqua Security researchers posted on their blog about attempted Linux server exploits through a type of malware dubbed perfctl. The malware has been active for the last few years, and the researchers warn that it’s possible every Linux server could be at risk.
According to the report, perfctl malware uses rootkits to avoid discovery and remains dormant while a user is active on the server. Aqua Security’s researchers observed that attackers used the perfctl malware to run a cryptominer and, occasionally, proxy-jacking software. The malware’s name could look legitimate if found running on a system because it combines perf, a Linux monitoring tool, with ctl, a suffix commonly used by Linux control utilities.
“After exploiting a vulnerability (as in our case) or a misconfiguration, the main payload is downloaded from an HTTP server controlled by the attacker,” researchers Assaf Morag and Idan Revivo said.
The fix: While this malware has no patch, the researchers provide multiple indicators of compromise (IOCs) at the end of their report that you can use to identify a potential exploit.
Ivanti Vulnerability from This Spring Is Being Actively Exploited
Type of vulnerability: SQL injection.
The problem: In a June vulnerability recap, I addressed a critical vulnerability in Ivanti Endpoint Manager that would allow unauthenticated attackers to execute commands on the software. Now, the vulnerability is being actively exploited, and the Cybersecurity and Infrastructure Security Agency (CISA) has added it to its Known Exploited Vulnerabilities catalog.
The vulnerability is tracked as CVE-2024-29824 and has a critical base score of 9.8.
“The specific flaw exists within the implementation of the RecordGoodApp method,” said a May security notice from the Zero Day Initiative. “The issue results from the lack of proper validation of a user-supplied string before using it to construct SQL queries.”
The fix: If you haven’t yet patched your instance of Ivanti EPM, immediately upgrade it to the most recent product version.
October 4, 2024
Okta Urges Users to Review System Logs for Unexpected Authentication
Type of vulnerability: Configuration bypass.
The problem: Okta recently notified customers of a potential vulnerability affecting instances of Okta Classic as of July 17, 2024. Certain configurations of Okta could allow a threat actor with valid user credentials to bypass configurations for specific applications’ sign-on policies, Okta said.
The vendor resolved the issue on October 4 in its production environment.
The fix: Okta published the following recommendation:
“Customers who were on Okta Classic as of July 17, 2024, and who meet the above conditions are advised to review the Okta System Log for unexpected authentications from user-agents evaluated by Okta as ‘unknown’ between July 17, 2024 and October 4, 2024 using the following query: outcome.result eq "SUCCESS" and (client.device eq "Unknown" OR client.device eq "unknown") and eventType eq "user.authentication.sso".”
Okta also suggested that customers watch applications with default policy rules that can’t be configured and check for deviant user behavior like strange geolocation data or IP addresses.
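The Okta query above can also be run offline against an exported System Log. The script below is an added example, not Okta’s code: it applies the same three conditions plus the July 17 to October 4, 2024 window to a handful of constructed sample events and lists the user, source IP, and timestamp of each hit so an analyst can check for odd geolocation or IP addresses. The event field names follow the query in the advisory; the sample records themselves are invented.

```python
from datetime import datetime, timezone

# Constructed sample Okta System Log events (not real data). Field names follow
# the fields referenced in Okta's query: outcome.result, client.device, eventType.
SAMPLE_EVENTS = [
    {"published": "2024-08-02T10:15:00.000Z", "eventType": "user.authentication.sso",
     "outcome": {"result": "SUCCESS"}, "client": {"device": "Unknown", "ipAddress": "198.51.100.7"},
     "actor": {"alternateId": "alice@example.com"}},
    {"published": "2024-08-02T10:16:00.000Z", "eventType": "user.authentication.sso",
     "outcome": {"result": "SUCCESS"}, "client": {"device": "Computer", "ipAddress": "203.0.113.9"},
     "actor": {"alternateId": "bob@example.com"}},
    {"published": "2024-09-20T08:00:00.000Z", "eventType": "user.authentication.sso",
     "outcome": {"result": "FAILURE"}, "client": {"device": "unknown", "ipAddress": "198.51.100.8"},
     "actor": {"alternateId": "carol@example.com"}},
    {"published": "2024-06-30T08:00:00.000Z", "eventType": "user.authentication.sso",
     "outcome": {"result": "SUCCESS"}, "client": {"device": "unknown", "ipAddress": "198.51.100.9"},
     "actor": {"alternateId": "dave@example.com"}},
    {"published": "2024-10-01T12:00:00.000Z", "eventType": "user.session.start",
     "outcome": {"result": "SUCCESS"}, "client": {"device": "unknown", "ipAddress": "198.51.100.10"},
     "actor": {"alternateId": "erin@example.com"}},
]

# Window named in the advisory: Okta Classic tenants as of July 17, fix shipped October 4, 2024.
WINDOW_START = datetime(2024, 7, 17, tzinfo=timezone.utc)
WINDOW_END = datetime(2024, 10, 4, 23, 59, 59, tzinfo=timezone.utc)


def matches_okta_query(event):
    """Mirror of the advisory's filter: a successful SSO authentication whose client
    device Okta evaluated as Unknown/unknown, published inside the affected window."""
    published = datetime.fromisoformat(event["published"].replace("Z", "+00:00"))
    if not (WINDOW_START <= published <= WINDOW_END):
        return False
    return (
        event.get("outcome", {}).get("result") == "SUCCESS"
        and event.get("client", {}).get("device") in ("Unknown", "unknown")
        and event.get("eventType") == "user.authentication.sso"
    )


def find_unexpected_authentications(events):
    """Return (user, source IP, timestamp) for every matching event, sorted by user."""
    hits = [(e["actor"]["alternateId"], e["client"]["ipAddress"], e["published"])
            for e in events if matches_okta_query(e)]
    return sorted(hits)


if __name__ == "__main__":
    for user, ip, ts in find_unexpected_authentications(SAMPLE_EVENTS):
        print(f"{ts}  {user:<20} {ip}")
```

Only the first sample event survives the filter: the others fail on device type, outcome, event type, or the date window, which is the point of checking all four conditions rather than device alone.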