Recent vulnerability news disclosed significant endpoint vulnerabilities, including side-channel attacks, command injection, remote code execution (RCE), SQL injection, and keystroke interference. Notable events last week include the RAMBO attack, command injection problems in Progress Software’s LoadMaster, and several zero-day vulnerabilities in Microsoft products that may cause privilege escalation and RCE.
Ivanti and Zyxel also fixed their software vulnerabilities, while WhatsUp Gold users encountered vulnerabilities invulnerable to SQL injection attacks. Apple’s Vision Pro headset was also tested for gaze-based keystroke interference. To protect your devices, update and patch your software frequently, use strong passwords, install intrusion detection systems, and watch for any suspicious activity.
September 9, 2024
RAMBO Attack Exploits Radio Signals to Steal Sensitive Data
Type of vulnerability: Side-channel attack.
The problem: RAMBO, a unique side-channel attack, leverages electromagnetic emissions from a device’s RAM to exfiltrate sensitive data in air-gap networks. Attackers use malware to modify RAM, generating radio signals that can be intercepted remotely. The tool can transmit files, keystrokes, and encryption keys, providing a significant danger of data theft.
The fix: To protect against RAMBO attacks, use “red-black” zone limits for information transfer, intrusion detection systems to monitor memory access, radio jammers, and Faraday cages to isolate vital systems. These approaches disable hidden radio signals in RAM, avoiding data leakage from air-gapped situations.
Progress Software Fixes Flaws in LoadMaster & Multi-Tenant Hypervisor
Type of vulnerability: Command injection.
The problem: Progress Software has published fixes to solve CVE-2024-7591, a significant incorrect input validation flaw in LoadMaster and Multi-Tenant Hypervisor rated CVSS 10.0. The vulnerability enables remote, unauthenticated attackers to execute arbitrary operating system instructions by sending a crafted HTTP request to the administration interface. There’s no indication of exploitation in the wild.
The fix: Progress Software addressed the vulnerability by sanitizing user input to prevent OS command injection. Users should immediately update to the most recent versions by going to System Configuration > System Administration > Update Software. It’s strongly advised that you follow the company’s security hardening requirements to protect your systems further.
September 10, 2024
Microsoft Releases Patches for Actively Exploited Zero-Day Flaws
Type of vulnerability: Multiple, including privilege escalation, security feature bypass, remote code execution, and spoofing.
The problem: Microsoft’s September 2024 Patch Tuesday fixed 79 vulnerabilities, four of which were actively exploited zero days: CVE-2024-38014 (Windows Installer Privilege Escalation), CVE-2024-38217 (MotW Security Bypass), CVE-2024-38226 (Publisher Security Bypass), CVE-2024-43461, and more. Attackers use these weaknesses to run arbitrary instructions, circumvent security measures, and install malware like the Atlantida stealer.
The fix: To address these issues, users must apply the servicing stack update (KB5043936) and cumulative update for Windows 10 Version 1507 (KB5043083). Microsoft mitigated CVE-2024-43461 by interrupting the attack chain associated with CVE-2024-38112. Updates should be installed as soon as possible to avoid exploitation, and security hardening techniques should be followed.
Ivanti & Zyxel Address Critical Security Vulnerabilities
Type of vulnerability: Multiple, including remote code execution, SQL injection, and command injection.
The problem: Ivanti has issued patches for Endpoint Manager (EPM), which address ten serious vulnerabilities. CVE-2024-29847 enables remote unauthenticated code execution through the deserialization of untrusted data. Nine SQL injection vulnerabilities (CVE-2024-32840 to 32848, CVE-2024-34779, 34783, 34785) allow remote attackers with admin privileges to execute code. These affect EPM versions 2024, 2022 SU5, and prior.
Meanwhile, Zyxel fixed a command injection vulnerability (CVE-2024-6342) in NAS devices that might allow attackers to execute OS commands using crafted HTTP requests.
The fix: To mitigate the risks, users must upgrade to EPM 2024 SU1 or 2022 SU6. Ivanti has improved its vulnerability identification and disclosure methods. Additionally, Zyxel also patched CVE-2024-6342, a major command injection vulnerability in NAS devices, with new hotfix updates.
Compare the different endpoint protection solutions to know the most ideal tool to secure yourself and your devices against various cyber threats.
September 11, 2024
Hackers Exploit Flaws in WhatsUp Gold to Deploy Remote Access Tools
Type of vulnerability: Multiple, including RCE and SQL injection.
The problem: Attackers use two serious SQL injection flaws (CVE-2024-6670, CVE-2024-6671) in Progress Software’s WhatsUp Gold to retrieve encrypted credentials without authentication. Despite the release of patches on August 16, many organizations have yet to update. Hackers are deploying remote access tools (RATs) using PowerShell scripts, putting the system at risk of additional exploitation and persistent compromise.
The fix: Progress Software published a security update on August 16. To identify potential breaches and avoid continued exploitation, organizations should update WhatsUp Gold immediately and follow the detection measures outlined in the security alert.
September 12, 2024
GitLab Patches Critical Vulnerability Allowing Arbitrary Pipeline Job Execution
Type of vulnerability: Privilege escalation.
The problem: GitLab has disclosed a major vulnerability (CVE-2024-6678, CVSS score: 9.9) that affects versions 8.14 to 17.3. This issue allows attackers to launch pipeline jobs as arbitrary users, which poses serious security implications. The vulnerability and three high-severity and 13 medium- and low-severity problems required immediate upgrades to prevent exploitation.
The fix: GitLab fixed the problems in versions 17.3.2, 17.2.5, and 17.1.7 for Community and Enterprise Editions. Users should update to these versions right away to avoid potential exploitation.
September 13, 2024
Hadooken Malware Campaign Targets Linux & Oracle WebLogic Servers
Type of vulnerability: Botnet deployment.
The problem: A new malware campaign using Hadooken malware to target Linux environments, notably Oracle WebLogic servers, has emerged. This campaign spreads Tsunami malware for botnet operations and illegal bitcoin mining. Using known vulnerabilities and weak credentials, attackers use Python and shell script payloads to disseminate Hadooken and establish persistence.
The fix: To secure themselves against this malicious campaign, administrators should quickly safeguard the systems by updating and patching vulnerabilities, strengthening credentials, and monitoring for suspicious activity. Regularly examine and secure cron jobs and other scheduled operations to prevent malware persistence and to ensure your network defenses are strong against unauthorized lateral movements.
Apple Addresses GAZEploit Vulnerability in Vision Pro Headset
Type of vulnerability: Keystroke interference.
The problem: A recently disclosed issue in Apple’s Vision Pro headset, CVE-2024-40865, allows attackers to deduce text input on the virtual keyboard by studying the virtual avatar’s eye movements. This exploit, GAZEploit, violates user privacy by recreating keystrokes from gaze data.
The fix: Apple resolved the GAZEploit issue in visionOS 1.3 by suspending the Persona component when the virtual keyboard was engaged. This upgrade reduces the risk of gaze-based keyboard inference and improves privacy by avoiding unwanted data extraction using virtual avatars. Update to the most recent version of visionOS to protect your devices.
Read next:
- Vulnerability Recap 9/9/24: Exploited Vulnerabilities Persist
- What is Patch Management? Vulnerability Protection Done Right
