Vulnerability Recap 9/23/24 – Remote Code Execution Steals the Show

Our security overview for the week includes Veeam and ServiceNow flaws and a vulnerability within the web browser Arc. Also, we get some more information on related macOS vulnerabilities fixed in 2022 and 2023. And Ivanti’s issues unfortunately keep coming, this time in its Cloud Service Appliance product.

This week, RCE is in our (unwanted) starring role, with multiple opportunities for threat actors to execute malicious code. As always, keep up to date on all your vendors’ security updates and patches as soon as possible. The danger of security bulletins and proofs of concept is how quickly a threat actor can utilize them for an exploit.

September 12, 2024

Researcher Updates Info on Old macOS Vulnerability

Type of vulnerability: Arbitrary file write and potential remote code execution.

The problem: Security researcher Mikko Kenttala recently reported on a zero-click RCE flaw in macOS that didn’t receive much publicity when it was first discovered. According to Kenttala, an attacker could send malicious file attachments via calendar invites to victims, where the filename attachments aren’t sanitized.

“The attacker can exploit this to conduct a successful directory traversal attack by setting an arbitrary path to a file in the ATTACH section with: ‘FILENAME=../../../PoC.txt’,” Kenttala said. “This will cause the file to be added to ~/Library/Calendar/PoC.txt instead of ~/Library/Calendar/[CalendarID]/Attachments/[eventid]/.”

This is an arbitrary file write vulnerability. Kenttala also found that it could be chained to execute code remotely through macOS Calendar’s Open File functionality. An attacker who uses this exploit chain successfully could compromise other macOS applications, not just Calendar. Kenttala found he could steal users’ iCloud Photos by sending malicious calendar invites to them — no user interaction required.
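As an added, defender-side illustration (not code from Kenttala’s report or from Apple), the C routine below shows the check that was missing: the FILENAME parameter taken from an iCalendar ATTACH property must be a single plain file name before it is joined to the per-event attachments directory. The base directory, the function names and the sample ATTACH lines are assumptions constructed for the example.

```c
/* Added example, not Apple's or Kenttala's code: validate the FILENAME
 * parameter of an iCalendar ATTACH property before using it to build a
 * path under the attachments directory. Function names, the base
 * directory and the sample lines are hypothetical. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* A safe name is one plain path component: non-empty, at most 255 bytes,
 * no path separators, no control characters, and not "." or "..". Any
 * ".." anywhere is rejected as well, which is stricter than necessary but
 * removes every traversal shape at once. */
int is_safe_attachment_name(const char *name)
{
    size_t len, i;
    if (name == NULL) return 0;
    len = strlen(name);
    if (len == 0 || len > 255) return 0;
    if (strcmp(name, ".") == 0 || strstr(name, "..") != NULL) return 0;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (c == '/' || c == '\\' || c < 0x20 || c == 0x7f) return 0;
    }
    return 1;
}

/* Copy the value of the FILENAME parameter from one ATTACH property line
 * (e.g. "ATTACH;FILENAME=report.pdf;VALUE=BINARY;ENCODING=BASE64:...").
 * Handles both bare and double-quoted parameter values. Returns 0 on
 * success, -1 if the parameter is absent or does not fit in out. */
int extract_filename_param(const char *attach_line, char *out, size_t outlen)
{
    const char *p = attach_line, *v, *end;
    size_t n;
    for (;;) {                             /* match ";FILENAME=" only */
        p = strstr(p, "FILENAME=");
        if (p == NULL) return -1;
        if (p > attach_line && p[-1] == ';') break;
        p++;
    }
    v = p + strlen("FILENAME=");
    if (*v == '"') {                       /* quoted value: up to closing quote */
        v++;
        end = strchr(v, '"');
        if (end == NULL) return -1;
    } else {                               /* bare value: ends at ';' or ':' */
        end = v + strcspn(v, ";:");
    }
    n = (size_t)(end - v);
    if (n + 1 > outlen) return -1;
    memcpy(out, v, n);
    out[n] = '\0';
    return 0;
}

/* Build "<base_dir>/<name>" for the attachment, refusing any name that is
 * not a single safe component. Returns 0 and fills out on success, -1 on
 * a missing, unsafe or over-long name. */
int build_attachment_path(const char *base_dir, const char *attach_line,
                          char *out, size_t outlen)
{
    char name[256];
    int written;
    if (extract_filename_param(attach_line, name, sizeof name) != 0) return -1;
    if (!is_safe_attachment_name(name)) return -1;
    written = snprintf(out, outlen, "%s/%s", base_dir, name);
    if (written < 0 || (size_t)written >= outlen) return -1;
    return 0;
}

int main(void)
{
    /* Constructed sample lines: a traversal attempt and a benign attachment. */
    const char *base = "/Users/me/Library/Calendar/CALID/Attachments/EVTID";
    const char *lines[] = {
        "ATTACH;FILENAME=../../../PoC.txt;VALUE=BINARY;ENCODING=BASE64:QUJD",
        "ATTACH;FILENAME=\"report.pdf\";VALUE=BINARY;ENCODING=BASE64:QUJD",
    };
    char path[512];
    size_t i;
    for (i = 0; i < 2; i++) {
        if (build_attachment_path(base, lines[i], path, sizeof path) == 0)
            printf("accepted: %s\n", path);
        else
            printf("rejected: %s\n", lines[i]);
    }
    return 0;
}
```

The validator deliberately works on the name alone rather than resolving the joined path and comparing prefixes: a single-component rule is easier to reason about and does not depend on the filesystem state at the time of the check.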

Kenttala’s report from a couple of weeks ago updates the timeline of events for these issues, adding that there’s still no bounty issued for the original vulnerability.

The fix: Both vulnerabilities, CVE-2022-46723 and CVE-2023-40434, have been fixed by Apple in previous years. macOS Monterey 12.6.1 and Ventura 13 fix the original vulnerability. macOS Ventura 13.3 fixed the code execution issue.

If your business needs to automate tracking vulnerabilities, check out our picks for the best vulnerability scanning tools for organizations.

September 17, 2024

ServiceNow Misconfigurations Leave Over 1,000 KBs Vulnerable

Type of vulnerability: Misconfigured access controls.

The problem: Research conducted by Aaron Costello, chief of SaaS security research at AppOmni, revealed data exposure on over one thousand instances of knowledge bases hosted by ServiceNow. Costello was studying the platform to discover potential routes for data exfiltration, and his research led to some new security developments for ServiceNow’s solution. But it also unearthed a history of exposed data.

Costello found that often, businesses with multiple instances of ServiceNow had at least one with misconfigured access controls. ServiceNow developed a major security mechanism to protect hosted knowledge bases, but it isn’t enabled by default for all the older instances of the solution.

“The main guardrail, a security property that denies access by default to KBs without User Criteria, is enabled by default for instances created since the Orlando release,” Costello said. “Most enterprise instances have been around for far longer, causing them to still retain the previously insecure ‘allow public access by default’ value.” He cited several other reasons for continued exposure, including multiple criteria allowing access by unauthenticated users.

Costello also provided a proof of concept for the vulnerability. 

The fix: Check your access control configurations on each instance of ServiceNow and ensure they’re correctly set. Costello provides a chart for ServiceNow users to follow if they want to set further guardrails, as he puts it, for the solution.

September 19, 2024

Ivanti’s Cloud Service Appliance Runs Into Issues

Type of vulnerability: Unauthenticated access to the appliance.

The problem: According to the vendor, Ivanti’s Cloud Service Appliance version 4.6 has been exploited. The flaw would “allow remote unauthenticated attackers to access restricted functionality,” the security bulletin said, though it didn’t specify what restricted functions could be affected.

Ivanti didn’t realize it then, but the vulnerability was addressed in the vendor’s Patch 519 earlier in September. Shortly after, Ivanti discovered the flaw through researching another recently disclosed vulnerability. The flaw is tracked as CVE-2024-8963 and has a severity rating of 9.4 out of 10.

Ivanti also noted that if the vulnerability is used alongside CVE-2024-8190, a threat actor could bypass administrative authentication requirements and execute commands on Cloud Service Appliance.

Ivanti CSA 4.6 and any earlier versions are end-of-life products, so they won’t be patched; the only patched and supported software version is CSA 5.0.

The Cybersecurity and Infrastructure Security Agency (CISA) listed the vulnerability in its Known Exploited Vulnerabilities catalog and set a due date of October 10 for all federal agencies to fix it.

The fix: Upgrade any instances of Cloud Service Appliance to version 5.0.

Enterprise Veeam Solution Susceptible to RCE

Type of vulnerability: Unauthenticated remote code execution.

The problem: A critical RCE vulnerability affects instances of Veeam’s Backup and Replication product running version 12.1.2.172 or lower. Florian Hauser of Code White GmbH discovered and reported the vulnerability. The flaw allows threat actors to execute code remotely on the enterprise backup solution. It’s tracked as CVE-2024-40711, mentioned briefly in our vulnerability recap from September 9.

According to researchers at watchTowr Labs, the vulnerability is more complicated than it first appeared — and potentially more dangerous than Veeam initially revealed. Veeam’s latest release, which fixed the bug, also fixed multiple other CVEs, so it was hard for the researchers to determine which changes were associated with CVE-2024-40711.

They finally found that version 12.1.0.2131 initially contained the unauthenticated RCE issue, and that the version released to fix it, 12.1.2.172, only reduced the flaw to an authenticated-only vulnerability. Version 12.2.0.334 of the Veeam software implemented the true patch, so technically Veeam patched twice before the issue was solved.

The fix: Upgrade any Veeam Backup and Replication instances to version 12.2.0.334.

Microchip ASF Vulnerability Could Lead to RCE

Type of vulnerability: Stack-based overflow.

The problem: Microchip’s Advanced Software Framework (ASF) has a stack-based overflow vulnerability in its tinydhcp server implementation. The implementation does not properly validate its input, which results in the stack-based overflow. According to Carnegie Mellon Software Engineering Institute’s CERT Coordination Center, Microchip no longer supports the software. This means no official fixes or patches.

The flaw is tracked as CVE-2024-7490 and could lead to remote code execution if exploited. It could potentially affect IoT devices that run the affected Microchip software.
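The page does not say where in tinydhcp the missing validation sits, so the following added example (not Microchip’s ASF or tinydhcp source) illustrates the bug class instead: a DHCP option walker that trusts the on-wire length byte, placed beside a hardened version that bounds every read and copy. The option layout (1-byte code, 1-byte length, value; code 0 is PAD, 255 is END) is the standard DHCP options format from RFC 2132; the function names, the 32-byte hostname buffer and the sample packets are assumptions constructed for this example.

```c
/* Added example, not Microchip's ASF/tinydhcp source: a DHCP option walker
 * that trusts the wire length byte (the stack-overflow pattern) next to a
 * bounds-checked version. Names, buffer sizes and sample packets are
 * hypothetical; the TLV layout is the real DHCP options format. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DHCP_OPT_PAD      0
#define DHCP_OPT_HOSTNAME 12
#define DHCP_OPT_END      255
#define HOSTNAME_MAX      32

/* VULNERABLE pattern: the length byte comes from the network and is used
 * unchecked. A hostname option longer than 31 bytes writes past host[] on
 * the stack, and a length that runs past optlen reads beyond the packet.
 * Shown only to make the defect concrete; nothing below calls it. */
void parse_hostname_unsafe(const uint8_t *opts, size_t optlen)
{
    char host[HOSTNAME_MAX];
    size_t i = 0;
    while (i < optlen && opts[i] != DHCP_OPT_END) {
        uint8_t code = opts[i];
        uint8_t len  = opts[i + 1];            /* may already be past the end */
        if (code == DHCP_OPT_HOSTNAME) {
            memcpy(host, &opts[i + 2], len);   /* no check of len vs. HOSTNAME_MAX */
            host[len] = '\0';
            printf("hostname: %s\n", host);
        }
        i += 2 + len;
    }
}

/* Hardened: every index is checked against optlen before it is read and
 * every copy is checked against the destination size. Returns 1 if a
 * hostname was copied into host, 0 if the options held none, -1 if the
 * option block is malformed (truncated TLV or value that would not fit). */
int parse_hostname_safe(const uint8_t *opts, size_t optlen,
                        char *host, size_t hostlen)
{
    size_t i = 0;
    int found = 0;
    if (opts == NULL || host == NULL || hostlen == 0) return -1;
    host[0] = '\0';
    while (i < optlen) {
        uint8_t code = opts[i];
        size_t len;
        if (code == DHCP_OPT_END) break;
        if (code == DHCP_OPT_PAD) { i++; continue; }  /* PAD carries no length */
        if (i + 1 >= optlen) return -1;                /* length byte missing */
        len = opts[i + 1];
        if (len > optlen - (i + 2)) return -1;         /* value runs past packet */
        if (code == DHCP_OPT_HOSTNAME) {
            if (len >= hostlen) return -1;             /* no room for value + NUL */
            memcpy(host, &opts[i + 2], len);
            host[len] = '\0';
            found = 1;
        }
        i += 2 + len;
    }
    return found;
}

/* Constructed sample option blocks (not captured traffic). */
static const uint8_t benign_opts[] = {
    53, 1, 1,                              /* DHCP Message Type = DISCOVER */
    12, 5, 'h', 'o', 's', 't', '1',        /* Host Name = "host1" */
    DHCP_OPT_END
};
static const uint8_t truncated_opts[] = { 12, 200, 'x', 'y' };  /* claims 200 bytes, has 2 */

/* A 40-byte hostname option: fits the packet but not a 32-byte buffer,
 * which is exactly the case the unsafe walker turns into a stack overflow. */
int demo_oversized_hostname(void)
{
    uint8_t pkt[2 + 40 + 1];
    char host[HOSTNAME_MAX];
    pkt[0] = DHCP_OPT_HOSTNAME;
    pkt[1] = 40;
    memset(&pkt[2], 'A', 40);
    pkt[42] = DHCP_OPT_END;
    return parse_hostname_safe(pkt, sizeof pkt, host, sizeof host);
}

int main(void)
{
    char host[HOSTNAME_MAX];
    int rc = parse_hostname_safe(benign_opts, sizeof benign_opts, host, sizeof host);
    printf("benign: %d (%s)\n", rc, host);
    rc = parse_hostname_safe(truncated_opts, sizeof truncated_opts, host, sizeof host);
    printf("truncated: %d\n", rc);
    printf("oversized: %d\n", demo_oversized_hostname());
    return 0;
}
```

The hardened walker fails closed: a malformed option block is rejected as a whole rather than partially honoured, and the two checks that matter for this bug class, value length against remaining packet bytes and value length against the destination buffer, are made before any copy.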

The fix: The Institute doesn’t know of a solution to the vulnerability besides using a different service than tinydhcp.

September 20, 2024

Two Flaws Fixed in VMware Products

Type of vulnerability: Heap overflow and privilege escalation.

The problem: Two vulnerabilities affecting VMware vCenter Server were reported to the vendor, also impacting VMware Cloud Foundation. The first flaw, a heap overflow vulnerability, is tracked as CVE-2024-38812 and has a critical severity rating of 9.8.

“A malicious actor with network access to vCenter Server may trigger this vulnerability by sending a specially crafted network packet potentially leading to remote code execution,” the security bulletin said.

The second, a privilege escalation vulnerability, is tracked as CVE-2024-38813 and has a base score of 7.5. A threat actor that has network access to vCenter Server could send a specific network packet that allows them to escalate their privileges to root, according to VMware. 

The fix: Install the updates listed in the Fixed Version column in VMware’s notice, which solve both flaws. 

September 21, 2024

Arc Browser Vulnerability Was Fixed in August

Type of vulnerability: Malicious payloads added to customizable web pages.

The problem: Web browser Arc, which allows its users to customize website viewing based on their preferences, recently saw a security threat to this customization feature, called “Boosts.”

The Browser Company, which created Arc, uses Firebase’s database backend to support Boosts and allow users to sync their website customizations between their devices. To do this, the browser relies on the creator’s ID. According to Engadget, a threat actor could have created a new Boost with a legitimate ID, including Boosts with malicious payloads. Ultimately, the unsuspecting victim could have downloaded malware by simply going to that website.

A security researcher known as xyzeva notified the Browser Company of this vulnerability in late August, and the vendor reportedly fixed it on August 26 before anyone exploited the issue.

The fix: Update your instance of Arc to the latest version.
