Vulnerability Recap 9/9/24 – Exploited Vulnerabilities Persist

eSecurity Planet content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More.

Last week’s vulnerability news highlighted major security problems that affect a wide range of technologies. These vulnerabilities represent significant dangers for end users and organizations — from the remote code execution vulnerabilities in Veeam Backup & Replication and Apache OFBiz to the severe access control issues in SonicWall and Google Android.

Zyxel routers and Cisco’s Smart Licensing Utility also faced privilege escalation and command injection issues. RansomHub used multiple vulnerabilities to launch ransomware attacks, emphasizing the critical need for updates and strong security measures. Organizations and end users need prompt patching and thorough security policies to protect systems and data from high-risk vulnerabilities.

September 2, 2024

RansomHub Exploits Multiple Vulnerabilities to Attack Critical Sectors

Type of vulnerability: Multiple security flaws from major organizations.

The problem: RansomHub, a ransomware-as-a-service group, targeted security vulnerabilities in Apache ActiveMQ (CVE-2023-46604), Atlassian Confluence (CVE-2023-22515), Citrix ADC (CVE-2023-3519), and Fortinet devices (CVE-2023-27997). The attackers encrypted and stole data from 210 victims in major businesses, threatening data leaks if ransoms weren’t paid.

The fix: Prevent these attacks by rapidly upgrading and patching all impacted software. Companies should improve security by deploying endpoint detection and response (EDR), limiting remote access, and utilizing multi-factor authentication. To avoid further exploitation, impacted organizations should implement incident response policies and consult with cybersecurity specialists.

Manage your organization’s endpoint security through EDR solutions. Explore our review of the top products, their features, pros, and cons.

September 3, 2024

D-Link Vulnerability Enables Remote Code Execution

Type of vulnerability: Stack-based buffer overflow.

The problem: D-Link’s DAP-2310 Wireless Access Point vulnerability known as “BouncyPufferfish” allows for unauthenticated remote code execution. It has been identified as a stack-based buffer overflow (CVE pending) that exploits PHP HTTP queries to the Apache HTTP Server, allowing attackers to execute arbitrary instructions via a specially crafted HTTP GET request.

The fix: D-Link recommends its retirement and replacement due to the DAP-2310’s End-of-Life (EOL) status. Sevco’s CSO Brian Contos states, “6% of all IT assets have reached EOL, and known but unpatched vulnerabilities are a favorite target for attackers.” To reduce risks, replace unsupported equipment, apply available firmware updates, and keep an accurate IT asset inventory.

Zyxel Fixes Critical Vulnerability in Business Routers

Type of vulnerability: OS command injection.

The problem: CVE-2024-7261 affects Zyxel routers, including those from the NWA and WAC series. The bug enables remote attackers to execute arbitrary OS commands via forged cookies by leveraging an input validation issue in the CGI program’s “host” argument. The vulnerability affects all versions before 7.00, with a CVSS v3 score of 9.8 (critical).

The fix: Zyxel has published security upgrades, and end users must immediately upgrade impacted devices to the most recent firmware releases. All impacted models must be updated to version 7.00 or later to fix the vulnerability. Zyxel further suggests enabling automated updates to ensure protection against future threats.

September 4, 2024

Google Patches Actively Exploited Android Vulnerabilities

Type of vulnerability: Multiple, including elevation of privilege and more.

The problem: Google’s September 2024 Android security update fixes 34 vulnerabilities, including CVE-2024-32896, an elevation of privilege problem used in targeted attacks that allow attackers to bypass defenses via a logic error without requiring additional permissions.

The update also addresses CVE-2024-33042 and CVE-2024-33052 — memory corruption problems in Qualcomm’s WLAN subcomponent that might be exploited locally. These critical vulnerabilities affect Android versions 12, 12L, 13, and 14. Two new critical Pixel device vulnerabilities, CVE-2024-44092 and CVE-2024-44093, grant elevated privileges within the Local Control Subsystem and Low-level Device Firmware, increasing risk if left unpatched.

The fix: Google’s September 2024 updates address vulnerabilities in Android versions 12 to 14. All users should upgrade their systems to protect against this and other vulnerabilities. Pixel users should’ve received added safety fixes, which address significant elevation of privilege problems. Update through Settings > System > Software updates.

Cisco Addresses Critical Smart Licensing Utility Vulnerabilities

Type of vulnerability: Privilege escalation.

The problem: Cisco recently resolved two significant issues in its Smart Licensing Utility: CVE-2024-20439, which used undocumented, static admin credentials that allowed attackers to log in remotely, and CVE-2024-20440, which was caused by verbose debug logs that could be accessed via crafted HTTP requests. 

Both vulnerabilities have a CVSS score of 9.8, allowing attackers to gain elevated access or retrieve sensitive credentials. Cisco also patched a different command injection flaw, CVE-2024-20469, which affected the Cisco Identity Services Engine (ISE) and allowed local privilege escalation.

The fix: Cisco has released Smart Licensing Utility patches that address CVE-2024-20439 and CVE-2024-20440, advising customers to upgrade to version 2.3.0. Updates for ISE users are now available to address CVE-2024-20469, reducing the risk of privilege escalation attacks. Ensure systems are regularly updated via Cisco’s official website to avoid exploitation.

September 5, 2024

Apache Fixes RCE Vulnerability in OFBiz

Type of vulnerability: Remote code execution.

The problem: Apache resolved CVE-2024-45195 in OFBiz, a remote code execution vulnerability caused by a forced browsing issue that allowed unauthenticated attackers to exploit missing authorization checks and execute arbitrary code. Rapid7’s Ryan Emmons discovered the weakness, which exposes limited pathways to direct request attacks. 

This vulnerability circumvents prior updates for CVE-2024-32113, CVE-2024-36104, and CVE-2024-38856, affecting both Linux and Windows servers.

The fix: Apache fixed CVE-2024-45195 in OFBiz version 18.12.16 by implementing the necessary authorization checks. Users should upgrade to this or a later version to prevent potential attacks. This update resolves a vulnerability in previous security patches and helps prevent unauthorized code execution by increasing access constraints.

Veeam Releases Updates to Address Vulnerabilities Across Their Products

Type of vulnerability: Multiple, including remote code execution (RCE), sensitive data exposure, authentication bypass, and more.

The problem: Veeam’s September 2024 security bulletin addresses its products’ 18 high and critical severity vulnerabilities. Particular issues include CVE-2024-40711, a severe RCE vulnerability in Veeam Backup & Replication (VBR) versions 12.1.2.172 and earlier that allows unauthenticated attackers to compromise systems. 

Other significant problems include RCE, credential theft, and MFA bypass. Additionally, Veeam Service Provider Console and ONE contain severe vulnerabilities such as CVE-2024-38650 and CVE-2024-39714, which allow low-privileged attackers to read sensitive data and execute arbitrary files.

The fix: To address these issues, users should upgrade to Veeam Backup & Replication 12.2.0.334, Veeam ONE 12.2.0.4093, and Veeam Service Provider Console 8.1.0.21377. These updates address vulnerabilities and reduce the risk of exploitation.

LiteSpeed Publishes Upgrades vs Account Takeover Vulnerability

Type of vulnerability: Unauthenticated account takeover.

The problem: CVE-2024-44000 is a vulnerability in the LiteSpeed Cache plugin. Over 6 million WordPress sites utilize the plugin. The debug logging feature writes session cookies to a file. Attackers who gain access to ‘/wp-content/debug.log’ can steal these cookies and take control of admin accounts. The issue affects sites where debug logging was enabled, possibly revealing old session cookies.

The fix: LiteSpeed Technologies published version 6.5.0.1 to address the problem. The upgrade moves logs to a secure directory, randomizes filenames, disables cookie logging, and includes a dummy index file. To prevent unwanted access, users should remove old ‘debug.log’ files and set up .htaccess rules.

Learn more about cookie theft and explore our guide on preventing it.

September 6, 2024

SonicWall Urges Immediate Update vs Critical Access Control Flaw

Type of vulnerability: Multiple, including access control and denial-of-service.

The problem: CVE-2024-40766 is a serious access control vulnerability that affects SonicWall Firewall Gen 5, Gen 6, and Gen 7 devices (CVSS v3 score: 9.3). It permits unauthorized access to resources and can cause the firewall to crash, undermining network security. The vulnerability affects both SonicOS administration access and SSLVPN functionalities.

The fix: To address CVE-2024-40766, deploy the most recent patches immediately. Update SonicOS versions 5.9.2.14-13o or 6.5.4.15-116n for Gen 5 and Gen 6 devices, respectively. Limit firewall administration to trusted sources, disable unneeded services, and enable multi-factor authentication (MFA) for SSLVPN customers.

Read next:

Featured Partners: Vulnerability Management Software

eSecurity Planet may receive a commission from merchants for referrals from this website

Maine Basan Avatar

Subscribe to Cybersecurity Insider

Strengthen your organization’s IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices.

This field is required This field is required

Get the free Cybersecurity newsletter

Strengthen your organization’s IT security defenses with the latest news, solutions, and best practices. Delivered every Monday, Tuesday and Thursday

This field is required This field is required