Cyber Exposure Alerts

CVE-2024-20353, CVE-2024-20359: Frequently Asked Questions About ArcaneDoor

Satnam Narang — Thu, 25 Apr 2024 20:01:44

Frequently asked questions about CVE-2024-20353 and CVE-2024-20359, two vulnerabilities associated with “ArcaneDoor,” the espionage-related campaign targeting Cisco Adaptive Security Appliances.

Background

The Tenable Security Response Team has compiled this blog to answer Frequently Asked Questions (FAQ) regarding an espionage campaign called ArcaneDoor.

FAQ

What is ArcaneDoor?

ArcaneDoor is the name given to an espionage-focused campaign disclosed by researchers at Cisco Talos on April 24. The campaign involves a reported state-sponsored actor who has been targeting vulnerable network devices including Cisco’s Adaptive Security Appliances (ASA). The campaign included the exploitation of at least two zero-day vulnerabilities.

What are the vulnerabilities associated with ArcaneDoor?

As of April 25, the following vulnerabilities are attributed to the ArcaneDoor campaign:

CVE	Description	CVSSv3
CVE-2024-20353	Cisco ASA and Firepower Threat Defense (FTD) Software Web Services Denial of Service Vulnerability	8.6
CVE-2024-20359	Cisco ASA and FTD Software Persistent Local Code Execution Vulnerability	6.0

Who is the group behind ArcaneDoor?

The group has been labeled UAT4356 by Cisco and STORM-1849 by Microsoft. Cisco attributes this activity with “high confidence” to a state-sponsored actor, though it is unconfirmed which state the group is associated with.

What is the initial access vector for ArcaneDoor?

As of April 25, the initial access vector for the ArcaneDoor campaign is unknown. The investigation into ArcaneDoor is ongoing. We will update this blog post once additional information becomes available.

When did the ArcaneDoor campaign begin?

Cisco says UAT4356 began the development and testing phase for this campaign back in July 2023, setting up the infrastructure for the campaign in November 2023. However, malicious activity associated with ArcaneDoor occurred between December 2023 and early January 2024.

Is any malware associated with ArcaneDoor?

Yes, it appears that UAT4356 deployed two types of malware in the ArcaneDoor campaign:

Line Dancer: in-memory malware for executing commands and evading analysis
Line Runner: backdoor malware to maintain persistence

For analysis of Line Dancer and Line Runner, please refer to the Cisco Talos blog post.

Are there any other good sources of information about ArcaneDoor?

Yes, the Canadian Centre for Cyber Security (Cyber Centre) published an article providing additional insights into the malicious activity associated with ArcaneDoor. In it, the Cyber Centre says that Cisco ASA series ASA55xx running firmware versions 9.12 and 9.14 have been targeted by malicious actors that “established unauthorized access through WebVPN sessions,” which are “commonly associated with Clientless SSLVPN services.”

Are patches available for the vulnerabilities associated with ArcaneDoor?

Yes, Cisco released patches for affected versions of ASA and FTD. For more information, refer to the individual advisory pages for CVE-2024-20353 and CVE-2024-20359.

Cisco published an advisory CVE-2024-20358. Is this CVE associated with ArcaneDoor?

No. While this vulnerability affects the same products and was published alongside the advisories for CVE-2024-20353 and CVE-2024-20359, it was reportedly discovered by Cisco during internal security testing and is not associated with ArcaneDoor.

Are there indicators of compromise (IOCs) associated with ArcaneDoor?

Yes, Cisco published IOCs for ArcaneDoor in its blog post and on GitHub.

Has Tenable released any product coverage for these vulnerabilities?

A list of Tenable plugins for these vulnerabilities can be found on the individual CVE pages as they’re released:

This link will display all available plugins for these vulnerabilities, including upcoming plugins in our Plugins Pipeline.

Get more information

Join Tenable's Security Response Team on the Tenable Community.
Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.

CVE-2024-4040: CrushFTP Virtual File System (VFS) Sandbox Escape Vulnerability Exploited

Satnam Narang — Tue, 23 Apr 2024 12:56:43

A zero-day vulnerability in CrushFTP was exploited in the wild against multiple U.S. entities prior to fixed versions becoming available as the vendor recommends customers upgrade as soon as possible.

Background

On April 19, CrushFTP published an advisory for a zero-day vulnerability in its file transfer tool which bears the same name.

CVE	Description	CVSSv3	Severity
CVE-2024-4040	CrushFTP VFS Sandbox Escape Vulnerability	7.7	High

No CVE identifier was initially assigned for this vulnerability. However, on April 22, h4sh, a security engineer and founder of DirectCyber, an Australian Cyber Security Incident Response Team (CSIRT), assigned a CVE for this flaw.

Analysis

CVE-2024-4040 is an improper input validation vulnerability in CrushFTP. An authenticated attacker with low privileges could exploit this vulnerability on a vulnerable CrushFTP server to escape the virtual file system (VFS) sandbox. Successful exploitation would allow an attacker to download system files.

Zero-day exploitation of VFS sandbox escape flaw

According to researchers at CrowdStrike, CVE-2024-4040 has been exploited in the wild as a zero-day. Specifically, its report notes that these attacks are targeted in nature and that intrusions have been discovered at “multiple U.S. entities” with a focus on “intelligence-gathering” that is “possibly politically motivated.” No further details about attribution of these targeted attacks are available as of April 23.

Attackers are probing for vulnerable CrushFTP servers

In a statement to The Record, an official from CrushFTP says that they have seen “a customer who was already patched who was probed for the vulnerability” adding that if the patch had not been applied “important config info would have been stolen.” This official stressed that customers “need to update ASAP.”

Over 7,100 CrushFTP servers publicly accessible and potentially vulnerable

Based on a shodan query in a Nuclei template created by h4sh to identify potentially vulnerable CrushFTP servers, there are reportedly over 7,100 CrushFTP servers publicly accessible. It is unclear how many of these systems are potentially vulnerable.

Shodan query results as of April 22 for publicly accessible CrushFTP servers

Proof of concept

On April 23, a public proof-of-concept (PoC) for this vulnerability was posted to GitHub. It was created by Simon Garrelou of Airbus Community Emergency Response Team (CERT), who is credited with discovering and reporting CVE-2024-4040 to CrushFTP.

Additionally, it is important to highlight that it is common practice for attackers to seed fake PoCs on public source code repositories like GitHub in an effort to target both researchers and would-be attackers looking for exploit code. In the case of CVE-2024-4040, we’ve seen a repository published to GitHub directing users to a third-party site called SatoshiDisk that requests a payment of 0.00735 Bitcoin ($513.30 USD as of April 22).

Example repository on GitHub seeking Bitcoin payment for a fake exploit for CVE-2024-4040

It is unlikely that the exploit code will work and we do not expect it to be malicious in nature. Instead, it is more likely that the attackers are seeking to make money from the interest in the exploit code for this vulnerability.

Solution

On April 23, CrushFTP released fixes for version 10 and version 11 of CrushFTP:

Affected Versions	Fixed Version
11.0.1	11.1.0
10.0.0 through 10.6.1	10.7.1
Below 10.0.0	Upgrade to 11.1.0

Previously, reports suggested that if CrushFTP was behind a demilitarized zone (DMZ) then users would be protected against this flaw. However, as of April 22, CrushFTP disputed this claim, noting that a DMZ “does not fully protect you.” Customers using a vulnerable version of CrushFTP are advised to update to a fixed version as soon as possible.

Garrelou also developed a script to scan CrushFTP logs to search for potential indicators of compromise.

Identifying affected systems

A list of Tenable plugins for this vulnerability can be found on the individual CVE page for CVE-2024-4040 as they’re released. This link will display all available plugins for this vulnerability, including upcoming plugins in our Plugins Pipeline.

Get more information

Join Tenable's Security Response Team on the Tenable Community.
Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.

Oracle April 2024 Critical Patch Update Addresses 239 CVEs

Scott Caveza — Wed, 17 Apr 2024 09:03:48

Oracle addresses 239 CVEs in its second quarterly update of 2024 with 441 patches, including 38 critical updates.

Background

On April 16, Oracle released its Critical Patch Update (CPU) for April 2024, the second quarterly update of the year. This CPU contains fixes for 239 CVEs in 441 security updates across 30 Oracle product families. Out of the 441 security updates published this quarter, 8.6% of patches were assigned a critical severity. Medium severity patches accounted for the bulk of security patches at 44.4%, followed by high severity patches at 42.6%.

This quarter’s update includes 38 critical patches across 21 CVEs.

Severity	Issues Patched	CVEs
Critical	38	21
High	188	79
Medium	196	122
Low	19	17
Total	441	239

Analysis

This quarter, the Oracle Commerce product family contained the highest number of patches at 93, accounting for 21.1% of the total patches, followed by Oracle Financial Services Applications at 51 patches, which accounted for 11.6% of the total patches.

A full breakdown of the patches for this quarter can be seen in the following table, which also includes a count of vulnerabilities that can be exploited over a network without authentication.

Oracle Product Family	Number of Patches	Remote Exploit without Authentication
Oracle Commerce	93	71
Oracle Financial Services Applications	51	35
Oracle E-Business Suite	49	30
Oracle Communications	47	43
Oracle Insurance Applications	36	9
Oracle Supply Chain	22	16
Oracle TimesTen In-Memory Database	14	10
Oracle Hyperion	13	10
Oracle Systems	13	1
Oracle Food and Beverage Applications	12	5
Oracle Construction and Engineering	11	7
Oracle Java SE	10	5
Oracle MySQL	10	9
Oracle Database Server	8	3
Oracle GoldenGate	8	6
Oracle Communications Applications	7	4
Oracle Hospitality Applications	6	2
Oracle Retail Applications	6	3
Oracle Siebel CRM	6	6
Oracle Enterprise Manager	4	2
Oracle Analytics	3	1
Oracle Fusion Middleware	2	0
Oracle HealthCare Applications	2	0
Oracle Support Tools	2	2
Oracle Autonomous Health Framework	1	1
Oracle Big Data Spatial and Graph	1	1
Oracle Essbase	1	1
Oracle Global Lifecycle Management	1	1
Oracle Health Sciences Applications	1	1
Oracle PeopleSoft	1	0

Solution

Customers are advised to apply all relevant patches in this quarter’s CPU. Please refer to the April 2024 advisory for full details.

Identifying affected systems

A list of Tenable plugins to identify these vulnerabilities will appear here as they’re released. This link uses a search filter to ensure that all matching plugin coverage will appear as it is released.

Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.

CVE-2024-3400: Zero-Day Vulnerability in Palo Alto Networks PAN-OS GlobalProtect Gateway Exploited in the Wild

Scott Caveza — Fri, 12 Apr 2024 12:42:33

A critical severity command injection vulnerability in Palo Alto Networks PAN-OS has been exploited in limited targeted attacks. While a fix is not yet available, patches are expected to be released on April 14 and mitigation steps are available.

Update April 26: The Solution section has been updated to include a link to a Palo Alto Networks knowledge base article with remediation instructions.

View Change Log

Background

On April 12, Palo Alto Networks released a security advisory for a critical command injection vulnerability affecting PAN-OS, the custom operating system (OS) Palo Alto Networks (PAN) uses in their next-generation firewalls.

CVE	Description	CVSSv3	Severity
CVE-2024-3400	Command Injection Vulnerability in the GlobalProtect Gateway feature of PAN-OS	10.0	Critical

Analysis

CVE-2024-3400 is a critical command injection vulnerability affecting the GlobalProtect Gateway feature of PAN-OS. An unauthenticated, remote attacker could exploit this vulnerability to execute code on an affected firewall with root privileges. According to the advisory, this vulnerability impacts PAN-OS versions 10.2, 11 and 11.1 only when both GlobalProtect gateway and device telemetry are enabled. On April 16, Palo Alto updated the security advisory to reflect that firewalls with GlobalProtect gateway or GlobalProtect portal (or both) configured are impacted by this vulnerability. The advisory went further to note that device telemetry does not have to be enabled in order to be vulnerable to CVE-2024-3400.

Palo Alto Networks reports limited exploitation in the wild

According to the advisory, Palo Alto Networks confirmed that this vulnerability has been exploited in-the-wild in a “limited number of attacks.” While no specific details about these attacks were available at the time this blog was published, researchers at Volexity are credited with discovering the flaw. Steven Adair, President at Volexity, posted that exploitation was observed “at multiple customers” and that his team discovered in-the-wild exploitation “just two days ago.”

We have seen limited exploitation but impact at multiple customers. We first detected this just two days ago. Impressive response from the Palo Alto Networks team, as they quickly worked with us and have now pushed a Threat Protection signature with a fix to come April 14.
— Steven Adair (@stevenadair) April 12, 2024

On April 12, Volexity published a blog post detailing the observations they made from one of their customers who was impacted by CVE-2024-3400. According to Volexity, exploitation was observed on April 10 and attributed to a threat actor they track as UTA0218. The threat actor pivoted from the compromised device to move laterally on the victims network. As their investigation continued, they discovered other customers impacted as far back as March 26. For more information on the threat actor activity observed, we recommend reviewing Volexity's blog post.

Palo Alto Networks Unit 42 also published a blog on April 12, noting that they are actively tracking exploitation activity that they are calling Operation MidnightEclipse. According to Unit 42, the exploitation they've analyzed appears to be limited to a "single threat actor," however they do not rule out that other threat actors may attempt to exploit this flaw soon.

Historical exploitation of PAN-OS flaws

Network edge devices are frequently targeted by attackers. CVE-2020-2021, a critical authentication bypass vulnerability in PAN-OS, which also received a CVSSv3 score of 10.0, was highlighted as a frequently exploited vulnerability by advanced persistent threat (APT) actors in a joint Cyber Security Advisory from the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI).

CVE-2019-1579, a remote code execution vulnerability affecting PAN-OS devices, is another frequently exploited vulnerability by APT attackers as the National Security Agency (NSA) warned on October 7, 2019.

In addition to APT actors, both CVE-2020-2021 and CVE-2019-1579 have been exploited in the wild by ransomware groups, which was highlighted in our Ransomware Ecosystem report.

Proof of concept

At the time this blog post was published on April 12, no public proof-of-concept (PoC) exploit for CVE-2024-3400 was available. On April 16, watchTowr released a blog post detailing how they were able to reproduce the vulnerability, providing detailed steps on how to verify the command injection vulnerability. In addition, a post on X from Justin Elze, Chief Technology Officer at TrustedSec shows a payload observed in-the-wild:

Since it's out there now this is what I caught in wild CVE-2024-3400

GET /global-protect/login.esp HTTP/1.1 Host: X User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 Accept-Encoding: gzip, deflate, br…
— Justin Elze (@HackingLZ) April 16, 2024

With details around the exploitation of this flaw publicly released and multiple PoC exploits publicly available, it's likely we will see an uptick in attacks very soon.

Solution

As of when this blog was published on April 12, Palo Alto Networks had not released patches for this vulnerability. However hotfix releases of PAN-OS were released on April 14 and additional hotfix versions are expected to be released between April 14 and April 19.

Affected Version	Hotfix Release Version	Expected Release Date
PAN-OS 10.2	PAN-OS 10.2.9-h1	Released on April 14
	PAN-OS 10.2.8-h3	Released on April 15
	PAN-OS 10.2.7-h8	Released on April 15
	PAN-OS 10.2.6-h3	Released on April 16
	PAN-OS 10.2.5-h6	Released on April 16
	PAN-OS 10.2.3-h13	April 17
	PAN-OS 10.2.1-h2	April 17
	PAN-OS 10.2.2-h5	April 18
	PAN-OS 10.2.0-h3	April 18
	PAN-OS 10.2.4-h16	April 19
PAN-OS 11.0	PAN-OS 11.0.4-h1	Released on April 14
	PAN-OS 11.0.3-h10	Released on April 16
	PAN-OS 11.0.2-h4	Released on April 16
	PAN-OS 11.0.1-h4	April 17
	PAN-OS 11.0.0-h3	April 18
PAN-OS 11.1	PAN-OS 11.1.2-h3	Released on April 14
	PAN-OS 11.1.1-h1	Released on April 16
	PAN-OS 11.1.0-h3	Released on April 16

If immediate patching cannot be completed, Palo Alto Networks does provide the following mitigation options:

Threat ID 95187, 95189, and 95191 can block attacks for those customers who have a Threat Prevention subscription
Additionally, vulnerability protection must be applied to the GlobalProtect interface to prevent exploitation

If the Threat Protection mitigation cannot be applied, Palo Alto Networks recommends disabling device telemetry until the patch can be applied. However in an update to their security advisory on April 16, Palo Alto notes that "disabling device telemetry is no longer an effective mitigation." As these mitigations may be updated in the future, we recommend reviewing the advisory for the most up-to-date mitigation guidance.

On April 23, Palo Alto Networks published a knowledge base article titled "How to Remedy CVE-2024-3400" and it was updated on April 25 with additional remediation instructions. The article lists four scenarios and provides suggested remediation guidance, including if potential exfiltration has occurred. In this scenario, customers are instructed to update to one of the latest hotfix versions and perform a Private Data Reset.

Identifying affected systems

A list of Tenable plugins for this vulnerability can be found on the individual CVE page for CVE-2024-3400 as they’re released. This link will display all available plugins for this vulnerability, including upcoming plugins in our Plugins Pipeline.

Change Log

Update April 26: The Solution section has been updated to include a link to a Palo Alto Networks knowledge base article with remediation instructions.

Update April 17: The Analysis and Solution sections have been updated to reflect updates in Palo Alto's security advisory.

Update April 16: The Proof of Concept section has been updated to include newly released exploit details.

Update April 15: The Solution section has been updated to include the currently released hotfixes and additional upcoming hotfix releases.

Update April 12: The Analysis section has been updated to include an additional information about in-the-wild exploitation.

Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.

Microsoft’s April 2024 Patch Tuesday Addresses 147 CVEs (CVE-2024-29988)

Tenable Security Response Team — Tue, 09 Apr 2024 14:06:20

3Critical
142Important
2Moderate
0Low

Microsoft addresses 147 CVEs in its April 2024 Patch Tuesday release with three critical vulnerabilities and no zero-day or publicly disclosed vulnerabilities.

Update April 10: The blog has been updated to include reference to exploitation for CVE-2024-29988 and the addition of CVE-2024-26234.

View Change Log

Microsoft patched 147 CVEs in its April 2024 Patch Tuesday release, with three rated critical, 142 rated as important, and two rated as moderate.

This month’s update includes patches for:

.NET and Visual Studio
Azure
Azure AI Search
Azure Arc
Azure Compute Gallery
Azure Migrate
Azure Monitor
Azure Private 5G Core
Azure SDK
Intel
Internet Shortcut Files
Microsoft Azure Kubernetes Service
Microsoft Brokering File System
Microsoft Defender for IoT
Microsoft Edge (Chromium-based)
Microsoft Install Service
Microsoft Office Excel
Microsoft Office Outlook
Microsoft Office SharePoint
Microsoft WDAC ODBC Driver
Microsoft WDAC OLE DB provider for SQL
Role: DNS Server
Role: Windows Hyper-V
SQL Server
Windows Authentication Methods
Windows BitLocker
Windows Compressed Folder
Windows Cryptographic Services
Windows DHCP Server
Windows DWM Core Library
Windows Defender Credential Guard
Windows Distributed File System (DFS)
Windows File Server Resource Management Service
Windows HTTP.sys
Windows Internet Connection Sharing (ICS)
Windows Kerberos
Windows Kernel
Windows Local Security Authority Subsystem Service (LSASS)
Windows Message Queuing
Windows Mobile Hotspot
Windows Proxy Driver
Windows Remote Access Connection Manager
Windows Remote Procedure Call
Windows Routing and Remote Access Service (RRAS)
Windows Secure Boot
Windows Storage
Windows Telephony Server
Windows USB Print Driver
Windows Update Stack
Windows Virtual Machine Bus
Windows Win32K - ICOMP

Remote code execution (RCE) vulnerabilities accounted for 45.6% of the vulnerabilities patched this month, followed by elevation of privilege (EoP) vulnerabilities at 21.1%.

Important

CVE-2024-29988 | SmartScreen Prompt Security Feature Bypass Vulnerability

CVE-2024-29988 is a security feature bypass vulnerability in Microsoft Defender SmartScreen. It was assigned a CVSSv3 score of 8.8 and is rated as important. An attacker could exploit this vulnerability by convincing a target to open a specially crafted file using social engineering tactics such as an external link or malicious attachment sent over email, instant messages or social media. This flaw was reported to Microsoft by some of the same researchers that disclosed CVE-2024-21412, an Internet Shortcut Files security feature bypass that was associated with a DarkGate campaign using fake installer files impersonating Apple iTunes, Notion, NVIDIA and others.

The Zero Day Initiative (ZDI) says one of the researchers credited with reporting this flaw through ZDI discovered it being exploited in the wild as a zero-day. However, Microsoft has yet to update its advisory to reflect this finding. We will update this blog once Microsoft confirms exploitation.

Important

CVE-2024-26234 | Proxy Driver Spoofing Vulnerability

CVE-2024-26234 is a spoofing vulnerability in the Proxy Driver of Microsoft Windows. It was assigned a CVSSv3 score of 6.7 and is rated as important. Initially, Microsoft did not flag this as being exploited. However, researchers at Sophos published a blog post that confirmed exploitation, which is now reflected in the Microsoft advisory for this vulnerability. According to Sophos, this was bundled as part of a fake Android Screen Mirroring application, LaiXi, which was signed using the Microsoft Windows Hardware Compatibility Program (WHCP). It has now been added to the Windows Driver.STL revocation list.

Important

CVE-2024-29990 | Microsoft Azure Kubernetes Service Confidential Container Elevation of Privilege Vulnerability

CVE-2024-29990 is an EoP vulnerability in the Azure Kubernetes Service Confidential Containers (AKSCC). It was assigned a CVSSv3 score of 9 and is rated important. Exploitation of this flaw hinges on the preparation of a target environment by an attacker. Successful exploitation would enable an attacker to “steal credentials and affect resources beyond the security scope managed by AKSCC.” This includes taking over both “confidential guests and containers beyond the network stack it might be bound to.”

This is the third month in a row that a flaw in AKSCC was patched as part of Patch Tuesday:

CVE	Description	CVSSv3	Patch Tuesday
CVE-2024-21400	Microsoft Azure Kubernetes Service Confidential Container Elevation of Privilege Vulnerability	9	March 2024
CVE-2024-21376	Microsoft Azure Kubernetes Service Confidential Container Remote Code Execution Vulnerability	9	February 2024
CVE-2024-21403	Microsoft Azure Kubernetes Service Confidential Container Elevation of Privilege Vulnerability	9	February 2024

All four of these vulnerabilities were reported to Microsoft by Yuval Avrahami of Palo Alto Networks.

Important

41 CVEs | Microsoft ODBC Driver, WDAC OLE DB Driver and OLE DB Driver for SQL Server Remote Code Execution Vulnerability

This month's release included 41 CVEs affecting multiple drivers for SQL Server, the Open Database Connectivity (ODBC) driver, WDAC OLE DB Driver and OLE DB driver. All but one of these CVEs received CVSSv3 scores of 8.8, with the lone exception, CVE-2024-29045 receiving a 7.5. All were rated as “Exploitation Less Likely” according to the Microsoft Exploitability Index, with none being publicly disclosed or exploited in the wild. A full list of the CVEs is included in the table below.

CVE	Description	CVSSv3
CVE-2024-28929	Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability	8.8
CVE-2024-28930	Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability	8.8
CVE-2024-28931	Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability	8.8
CVE-2024-28932	Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability	8.8
CVE-2024-28933	Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability	8.8
CVE-2024-28934	Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability	8.8
CVE-2024-28935	Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability	8.8
CVE-2024-28936	Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability	8.8
CVE-2024-28937	Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability	8.8
CVE-2024-28938	Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability	8.8
CVE-2024-28941	Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability	8.8
CVE-2024-28943	Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability	8.8
CVE-2024-29043	Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability	8.8
CVE-2024-28906	Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability	8.8
CVE-2024-28908	Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability	8.8
CVE-2024-28909	Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability	8.8
CVE-2024-28910	Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability	8.8
CVE-2024-28911	Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability	8.8
CVE-2024-28912	Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability	8.8
CVE-2024-28913	Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability	8.8
CVE-2024-28914	Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability	8.8
CVE-2024-28915	Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability	8.8
CVE-2024-28926	Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability	8.8
CVE-2024-28927	Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability	8.8
CVE-2024-28939	Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability	8.8
CVE-2024-28940	Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability	8.8
CVE-2024-28942	Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability	8.8
CVE-2024-28944	Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability	8.8
CVE-2024-28945	Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability	8.8
CVE-2024-29044	Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability	8.8
CVE-2024-29045	Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability	7.5
CVE-2024-29047	Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability	8.8
CVE-2024-29048	Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability	8.8
CVE-2024-29982	Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability	8.8
CVE-2024-29983	Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability	8.8
CVE-2024-29984	Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability	8.8
CVE-2024-29985	Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability	8.8
CVE-2024-26210	Microsoft WDAC OLE DB Provider for SQL Server Remote Code Execution Vulnerability	8.8
CVE-2024-26214	Microsoft WDAC SQL Server ODBC Driver Remote Code Execution Vulnerability	8.8
CVE-2024-26244	Microsoft WDAC OLE DB Provider for SQL Server Remote Code Execution Vulnerability	8.8
CVE-2024-29046	Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability	8.8

Important

24 CVEs | Secure Boot Security Feature Bypass Vulnerability

Microsoft patched 24 CVEs in Windows Secure Boot in as part of the April 2024 Patch Tuesday release. All are rated as “Exploitation Less Likely” and vary in CVSSv3 scores from 4.1 to 8.0.

CVE	Description	CVSSv3
CVE-2024-26240	Secure Boot Security Feature Bypass Vulnerability	8
CVE-2024-26189	Secure Boot Security Feature Bypass Vulnerability	8
CVE-2024-28925	Secure Boot Security Feature Bypass Vulnerability	8
CVE-2024-26180	Secure Boot Security Feature Bypass Vulnerability	8
CVE-2024-29061	Secure Boot Security Feature Bypass Vulnerability	7.8
CVE-2024-28920	Secure Boot Security Feature Bypass Vulnerability	7.8
CVE-2024-26175	Secure Boot Security Feature Bypass Vulnerability	7.8
CVE-2024-28896	Secure Boot Security Feature Bypass Vulnerability	7.5
CVE-2024-26194	Secure Boot Security Feature Bypass Vulnerability	7.4
CVE-2024-20688	Secure Boot Security Feature Bypass Vulnerability	7.1
CVE-2024-29062	Secure Boot Security Feature Bypass Vulnerability	7.1
CVE-2024-20689	Secure Boot Security Feature Bypass Vulnerability	7.1
CVE-2024-28897	Secure Boot Security Feature Bypass Vulnerability	6.8
CVE-2024-26168	Secure Boot Security Feature Bypass Vulnerability	6.8
CVE-2024-28919	Secure Boot Security Feature Bypass Vulnerability	6.7
CVE-2024-26250	Secure Boot Security Feature Bypass Vulnerability	6.7
CVE-2024-20669	Secure Boot Security Feature Bypass Vulnerability	6.7
CVE-2024-28924	Secure Boot Security Feature Bypass Vulnerability	6.7
CVE-2024-26171	Secure Boot Security Feature Bypass Vulnerability	6.7
CVE-2024-28921	Secure Boot Security Feature Bypass Vulnerability	6.7
CVE-2024-28923	Secure Boot Security Feature Bypass Vulnerability	6.4
CVE-2024-28898	Secure Boot Security Feature Bypass Vulnerability	6.3
CVE-2024-28922	Secure Boot Security Feature Bypass Vulnerability	4.1

Four of the 24 CVEs were assigned a CVSSv3 score of 8.0. They include CVE-2024-26240, CVE-2024-26189, CVE-2024-28925 and CVE-2024-26180. Exploitation of all of these flaws do require an attacker to have either physical access or local administrator privileges on the vulnerable device.

These 24 CVEs are the first bundle of Secure Boot vulnerabilities we’ve seen since May 2023, when Microsoft patched CVE-2023-24932, another security feature bypass flaw in Secure Boot that was exploited in the wild as part of the BlackLotus UEFI bootkit.

Tenable Solutions

A list of all the plugins released for Tenable’s April 2024 Patch Tuesday update can be found here. As always, we recommend patching systems as soon as possible and regularly scanning your environment to identify those systems yet to be patched.

For more specific guidance on best practices for vulnerability assessments, please refer to our blog post on How to Perform Efficient Vulnerability Assessments with Tenable.

Change Log

Update April 10: The blog has been updated to include reference to exploitation for CVE-2024-29988 and the addition of CVE-2024-26234.

Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.

Frequently Asked Questions About CVE-2024-3094, A Backdoor in XZ Utils

Satnam Narang, Scott Caveza — Fri, 29 Mar 2024 17:17:27

Frequently asked questions about CVE-2024-3094, a supply-chain attack responsible for a backdoor in XZ Utils, a widely used library found in multiple Linux distributions.

Update April 1: The "What Linux distributions are affected?" section has been updated to include additional affected and not affected distributions. In addition, updates to the "Has Tenable released any product coverage for these vulnerabilities?" section have been made.

View Change Log

Background

The Tenable Security Response Team has put together this blog to answer Frequently Asked Questions (FAQ) regarding CVE-2024-3094, a backdoor in XZ Utils, a widely used compression library found in multiple Linux distributions.

FAQ

What is XZ Utils and what is the library used for?

XZ is a type of lossless data compression on Unix-like operating systems, which is often compared to other common data compression formats such as gzip and bzip2. XZ Utils is a command line tool that contains functionality for both compression and decompression of XZ files and liblzma, a zlib-like API used for data compression and also supports the legacy .lzma format.

How was this backdoor discovered?

On March 29, Andres Freund, a PostgreSQL developer at Microsoft, posted on the Open Source Security Mailing List that he had discovered a supply-chain compromise involving obfuscated malicious code in the XZ package while investigating SSH performance issues. According to both Freund and RedHat, the malicious code is not present in the Git distribution for XZ and only in the full download package.

Which versions of the library are affected?

According to Freund, XZ Utils versions 5.6.0 and 5.6.1 are impacted.

Has this backdoor code been exploited?

No information regarding exploitation has been observed for this backdoor code as of March 29. Because this situation is still developing, we anticipate more information will come to light in the coming days and weeks. We will update this portion of the FAQ once such information is available.

What is the impact of this backdoor?

According to Red Hat, the malicious code modifies functions within the liblzma code, which is part of the XZ Utils package. This modified code can then be used by any software linked to the XZ library and allow for the interception and modification of data used with the library. In the example observed by Freund, under certain conditions, this backdoor could allow a malicious actor to “break sshd authentication,” allowing the attacker to gain access to an affected system.

Is there a CVE assigned for this issue?

Yes, Red Hat assigned CVE-2024-3094 for this issue and it has been given a CVSSv3 score of 10.0.

How was this backdoor inserted into the code?

At the time this blog was published, it’s unclear how this backdoor code was placed into the affected builds of XZ utils. According to Freund, it's likely the individual who made the code commits is directly involved with the XZ project or had their system or developer account compromised.

What Linux distributions are affected?

As of the time this blog was published on March 29, the following distributions are known to be affected:

Distribution	Advisory	Notes
Fedora Rawhide	https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users	Fedora Rawhide is the development distribution of Fedora Linux
Fedora 40 Beta	https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users	Fedora Linux 40 beta does contain two affected versions of xz libraries, however does not appear to be affected. All Fedora 40 beta users are still encouraged to revert to 5.4.x versions of XZ.
Fedora 41	https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users
Debian testing, unstable and experimental distributions versions 5.5.1alpha-0.1 to 5.6.1-1.	https://lists.debian.org/debian-security-announce/2024/msg00057.html https://security-tracker.debian.org/tracker/CVE-2024-3094
openSUSE Tumbleweed and openSUSE MicroOS	https://news.opensuse.org/2024/03/29/xz-backdoor/	Backdoored version of xz was included in Tumbelweed and MicroOS between March 7 and March 28
Kali Linux	https://www.kali.org/blog/about-the-xz-backdoor/	Backdoored version of xz was included in Kali Linux (xz-utils 5.6.0-0.2) between March 26 and March 28
Arch Linux	https://archlinux.org/news/the-xz-package-has-been-backdoored//	The following release artifacts contain the compromised xz: installation medium 2024.03.01 virtual machine images 20240301.218094 and 20240315.221711 container images created between and including 2024-02-24 and 2024-03-28

The following Linux distributions are confirmed to not be affected:

Distribution	Advisory	Notes
Fedora Linux 40	https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users	RedHat recommends that users downgrade to a 5.4 build of XZ as a precaution
Red Hat Enterprise Linux (RHEL)	https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users	No versions of RHEL are affected.
Debian	https://lists.debian.org/debian-security-announce/2024/msg00057.html	No Debian stable versions are known to be affected.
Amazon Linux	https://aws.amazon.com/security/security-bulletins/AWS-2024-002/	Amazon Linux customers are not affected and AWS Infrastructure and services do not utilize xz.
SUSE Linux Enterprise and Leap	https://news.opensuse.org/2024/03/29/xz-backdoor/	Both Enterprise and Leap are isolated from OpenSUSE and are unaffected.
Alpine Linux	https://twitter.com/alpinelinux/status/1773781993844519408	No Alpine Linux xz binary is affected.
Gentoo Linux	https://security.gentoo.org/glsa/202403-04	Based on the current understanding of the backdoor, Gentoo is not affected.
Ubuntu	https://ubuntu.com/security/CVE-2024-3094	No released versions of Ubuntu are affected.

Additionally, the macOS Homebrew package manager reverted its version of xz from 5.6.x to 5.4.6. Bo Anderson, a member of the technical steering committee and a maintainer of Homebrew, confirmed that they do not believe Homebrew’s builds “were compromised” but because these versions of xz are not considered trustworthy, they have chosen to force downgrades “as a precaution.”

As this is a developing situation, we anticipate we will have further clarity for additional Linux distributions soon and will continue to update this blog as necessary.

Are patches or mitigations available?

Both developers and users of XZ Utils are advised to downgrade to known, unaffected versions of XZ Utils, such as 5.4.6 Stable. However, in addition to downgrading, it is strongly advised that developers and users conduct incident response to determine if they have been impacted as a result of this backdoor and to share “positive findings” with agencies like the Cybersecurity and Infrastructure Security Agency (CISA). You can check your installed version by running the command strings which xz` | egrep '$XZ Utils$ or to determine if you have an affected version installed, you can run strings `which xz` | grep '5\.6\.[01]'

In the above image, our second command does not return a result as the affected version is not installed on this host.

Has Tenable released any product coverage for these vulnerabilities?

Tenable Research released product coverage on March 29 and additional coverage is expected to be released as its available. A list of Tenable plugins for this vulnerability can be found on the individual CVE page for CVE-2024-3094 as they’re released. This link will display all available plugins for this vulnerability, including upcoming plugins in our Plugins Pipeline.

Change Log

Update March 29: The "What Linux distributions are affected?" section has been updated to include additional affected and not affected distributions and a note about the Homebrew package manager.

Get more information

Join Tenable's Security Response Team on the Tenable Community.
Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.

CVE-2023-48788: Critical Fortinet FortiClientEMS SQL Injection Vulnerability

Chris Boyd — Thu, 14 Mar 2024 13:19:45

Fortinet warns of a critical SQL Injection vulnerability that could allow an unauthenticated attacker to execute arbitrary code on vulnerable FortiClientEMS software.

Update March 21: The Analysis section has been updated to include confirmation by Fortinet that in-the-wild exploitation of this flaw has been observed.

View Change Log

Background

On March 12, Fortinet published an advisory (FG-IR-24-007) to address a critical flaw in its FortiClient Enterprise Management Server (FortiClientEMS), a solution which enables centralized management of multiple endpoints.

CVE	Description	CVSSv3	Severity
CVE-2023-48788	Critical SQL Injection Vulnerability (or Improper neutralization of special elements in an SQL command)	9.3	Critical

At the time this blog was published, Fortinet’s advisory assigned a CVSSv3 score of 9.3 to this flaw, while the entry on the National Vulnerability Database (NVD) lists the CVSSv3 score as 9.8 and also links to an advisory that is not currently available. This blog will be updated to reflect the correct CVSSv3 score if the advisory or NVD record are updated.

Analysis

CVE-2023-48788 is a critical SQL injection vulnerability that could allow an unauthenticated, remote attacker to execute commands or arbitrary code through specifically crafted requests. At the time this blog was published, Fortinet’s advisory did not include any messaging about known exploitation of this vulnerability. However, due to prior targeting of Fortinet devices and word of an upcoming proof-of-concept (PoC) exploit for the flaw, in-the-wild exploitation is likely to occur.

Researchers at GreyNoise have published a tag for CVE-2023-48788 on the GreyNoise platform that can be used to monitor for in-the-wild exploitation attempts.

On March 21, Fortinet updated its advisory with a note confirming this vulnerability "is exploited in the wild." However, no further details were shared outside of this update and we are not aware of any other confirmations of in-the-wild exploitation.

Historical exploitation of Fortinet devices

Fortinet devices have been frequently targeted by attackers with several noteworthy flaws observed since 2019.

Fortinet’s FortiOS and FortiProxy have been popular targets for threat actors, including CVE-2023-27997, a critical heap-based buffer overflow and CVE-2022-40684, a critical authentication bypass vulnerability. Other vulnerabilities in Fortinet devices have attracted the attention of multiple nation-state threat actors and ransomware groups like Conti. Fortinet vulnerabilities have been included as part of the top routinely exploited vulnerability lists in recent years.

Last month, Fortinet released an advisory and patch for CVE-2024-21762, an out-of-bound write vulnerability which had been exploited in the wild as a zero-day. Just days prior to that announcement, the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA) and Federal Bureau of Investigation (FBI) issued a cybersecurity advisory (CSA) warning of state-sponsored threat actors from the People’s Republic of China (PRC) pre-positioning themselves in United States networks across critical infrastructure using vulnerabilities in Fortinet devices as well as other SSL VPN devices from other vendors. In the CSA, CVE-2022-42475, a heap-based buffer overflow in FortiOS, was specifically mentioned based on observed exploitation of the flaw, highlighting the continued use of vulnerabilities affecting Fortinet devices by a variety of threat actors.

Proof of concept

At the time this blog was published, no public proof-of-concept had been identified for this vulnerability, however, the Horizon3 Attack Team has stated a PoC will be published next week along with indicators of compromise (IoCs). On March 21, the Horizon3 Attack Team released their PoC code along with a detailed write-up about how they reproduced the issue and developed a functional exploit that demonstrates the vulnerability without allowing for remote code execution.

As exploit code has been released and with past abuse of Fortinet flaws by threat actors, including advanced persistent threat (APT) actors and nation-state groups, we highly recommend remediating this vulnerability as soon as possible.

The recent #Fortinet #FortiClient Endpoint Management Server (EMS) SQL injection vulnerability, CVE-2023-48788, allows an unauth attacker to obtain RCE as SYSTEM on the server.

IOCs, POC, and deep-dive blog to be released next week. In the meantime, check DAS service logs for… pic.twitter.com/57ps2WiY8R
— Horizon3 Attack Team (@Horizon3Attack) March 13, 2024

Solution

Fortinet has released patches to address this SQL injection vulnerability as outlined in the table below:

Affected Product	Affected Version	Fixed Version
FortiClientEMS 7.2	7.2.0 through 7.2.2	7.2.3 or above
FortiClientEMS 7.0	7.0.1 through 7.0.10	7.0.11 or above

Identifying affected systems

A list of Tenable plugins for this vulnerability can be found on the individual CVE page for CVE-2023-48788 as they’re released. This link will display all available plugins for this vulnerability, including upcoming plugins in our Plugins Pipeline.

Change Log

Update March 21: The Analysis section has been updated to include confirmation by Fortinet that in-the-wild exploitation of this flaw has been observed.

Update March 21: The Proof of Concept section has been updated to reflect that exploit code has been released.

Get more information

Join Tenable's Security Response Team on the Tenable Community.
Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.

Microsoft’s March 2024 Patch Tuesday Addresses 59 CVEs (CVE-2024-21407)

Tenable Security Response Team — Tue, 12 Mar 2024 14:03:18

2Critical
57Important
0Moderate
0Low

Microsoft addresses 59 CVEs in its March 2024 Patch Tuesday release with no zero-day or publicly disclosed vulnerabilities.

Microsoft patched 59 CVEs in its March 2024 Patch Tuesday release, with 2 rated critical and 57 rated as important.

This month’s update includes patches for:

.NET
Azure Data Studio
Azure SDK
Microsoft Authenticator
Microsoft Azure Kubernetes Service
Microsoft Dynamics
Microsoft Edge for Android
Microsoft Exchange Server
Microsoft Graphics Component
Microsoft Intune
Microsoft Office
Microsoft Office SharePoint
Microsoft QUIC
Microsoft Teams for Android
Microsoft WDAC ODBC Driver
Microsoft WDAC OLE DB provider for SQL
Microsoft Windows SCSI Class System File
Open Management Infrastructure
Outlook for Android
Role: Windows Hyper-V
Skype for Consumer
Software for Open Networking in the Cloud (SONiC)
SQL Server
Visual Studio Code
Windows AllJoyn API
Windows Cloud Files Mini Filter Driver
Windows Composite Image File System
Windows Compressed Folder
Windows Defender
Windows Error Reporting
Windows Hypervisor-Protected Code Integrity
Windows Installer
Windows Kerberos
Windows Kernel
Windows NTFS
Windows ODBC Driver
Windows OLE
Windows Print Spooler Components
Windows Standards-Based Storage Management Service
Windows Telephony Server
Windows Update Stack
Windows USB Hub Driver
Windows USB Print Driver
Windows USB Serial Driver

Elevation of privilege (EoP) vulnerabilities accounted for 40.7% of the vulnerabilities patched this month, followed by Remote code execution (RCE) at 30.5%.

Important

CVE-2024-21334 | Open Management Infrastructure (OMI) Remote Code Execution Vulnerability

CVE-2024-21334 is a RCE affecting the open-source Open Management Infrastructure (OMI) management server. It was assigned a CVSSv3 score of 9.8 and is rated important. To exploit this vulnerability, a remote unauthenticated attacker could use a specially crafted request to trigger a use-after-free vulnerability. In addition, OMI received another patch this month, CVE-2024-21330 to address an EoP vulnerability.

In 2022, Microsoft patched two EoP flaws in OMI (CVE-2022-33640 and CVE-2022-29149), as well as an information disclosure vulnerability (CVE-2023-36043) in November 2023. This RCE is a first for OMI and despite the critical CVSS score, Microsoft rates this vulnerability as “Exploitation Less Likely” according to the Microsoft Exploitability Index.

Critical

CVE-2024-21407 | Windows Hyper-V Remote Code Execution Vulnerability

CVE-2024-21407 is a RCE vulnerability in Windows Hyper-V. This vulnerability was assigned a CVSSv3 score of 8.1 and is rated critical. Successful exploitation of this vulnerability requires that an attacker be authenticated and gather information about the target environment in order to craft their exploit. While the attack complexity is high, exploitation could result in code execution on the host server.

Including this month, nine RCE vulnerabilities affecting Windows Hyper-V have been disclosed since 2022, with seven of them rated as Critical. While these flaws generally are more difficult to exploit, successfully breaking out of a VM and executing code on the host is a significant risk and these flaws should be remediated quickly to avoid any potential misuse.

Important

CVE-2024-21433 | Windows Print Spooler Elevation of Privilege Vulnerability

CVE-2024-21433 is an EoP vulnerability in Windows Print Spooler. This vulnerability is rated as ”Exploitation More Likely,” and was assigned a CVSSv3 score of 7.0. Exploitation of this vulnerability would require an attacker to win a race condition which could grant the attacker SYSTEM privileges.

Over the last few years, we’ve seen a sharp decline in the number of Print Spooler related vulnerabilities patched as part of Patch Tuesday since the disclosure of CVE-2021-34527, the original PrintNightmare vulnerability and the torrent of Print Spooler vulnerabilities that followed. In 2023, there were only four Print Spooler related bugs patched, including CVE-2023-35325, an information disclosure vulnerability in Print Spooler disclosed in July 2023, as well as three Print Spooler EoP vulnerabilities disclosed in January 2023. In 2022, there were 35 Print Spooler related vulnerabilities patched as part of Patch Tuesday, with the biggest concentration of disclosures occurring in April 2022, with 15 Print Spooler vulnerabilities patched.

CVE	Description	Patch Tuesday Release
CVE-2023-35325	Windows Print Spooler Information Disclosure Vulnerability	Jul 2023
CVE-2023-21678	Windows Print Spooler Elevation of Privilege Vulnerability	Jan 2023
CVE-2023-21765	Windows Print Spooler Elevation of Privilege Vulnerability	Jan 2023
CVE-2023-21760	Windows Print Spooler Elevation of Privilege Vulnerability	Jan 2023
CVE-2022-44681	Windows Print Spooler Elevation of Privilege Vulnerability	Dec 2022
CVE-2022-44678	Windows Print Spooler Elevation of Privilege Vulnerability	Dec 2022
CVE-2022-41073	Windows Print Spooler Elevation of Privilege Vulnerability	Nov 2022
CVE-2022-38028	Windows Print Spooler Elevation of Privilege Vulnerability	Oct 2022
CVE-2022-38005	Windows Print Spooler Elevation of Privilege Vulnerability	Sep 2022
CVE-2022-35755	Windows Print Spooler Elevation of Privilege Vulnerability	Aug 2022
CVE-2022-35793	Windows Print Spooler Elevation of Privilege Vulnerability	Aug 2022
CVE-2022-22022	Windows Print Spooler Elevation of Privilege Vulnerability	Jul 2022
CVE-2022-22041	Windows Print Spooler Elevation of Privilege Vulnerability	Jul 2022
CVE-2022-30206	Windows Print Spooler Elevation of Privilege Vulnerability	Jul 2022
CVE-2022-30226	Windows Print Spooler Elevation of Privilege Vulnerability	Jul 2022
CVE-2022-29104	Windows Print Spooler Elevation of Privilege Vulnerability	May 2022
CVE-2022-29132	Windows Print Spooler Elevation of Privilege Vulnerability	May 2022
CVE-2022-29114	Windows Print Spooler Information Disclosure Vulnerability	May 2022
CVE-2022-29140	Windows Print Spooler Information Disclosure Vulnerability	May 2022
CVE-2022-26796	Windows Print Spooler Elevation of Privilege Vulnerability	Apr 2022
CVE-2022-26802	Windows Print Spooler Elevation of Privilege Vulnerability	Apr 2022
CVE-2022-26795	Windows Print Spooler Elevation of Privilege Vulnerability	Apr 2022
CVE-2022-26801	Windows Print Spooler Elevation of Privilege Vulnerability	Apr 2022
CVE-2022-26791	Windows Print Spooler Elevation of Privilege Vulnerability	Apr 2022
CVE-2022-26790	Windows Print Spooler Elevation of Privilege Vulnerability	Apr 2022
CVE-2022-26794	Windows Print Spooler Elevation of Privilege Vulnerability	Apr 2022
CVE-2022-26793	Windows Print Spooler Elevation of Privilege Vulnerability	Apr 2022
CVE-2022-26786	Windows Print Spooler Elevation of Privilege Vulnerability	Apr 2022
CVE-2022-26789	Windows Print Spooler Elevation of Privilege Vulnerability	Apr 2022
CVE-2022-26797	Windows Print Spooler Elevation of Privilege Vulnerability	Apr 2022
CVE-2022-26798	Windows Print Spooler Elevation of Privilege Vulnerability	Apr 2022
CVE-2022-26792	Windows Print Spooler Elevation of Privilege Vulnerability	Apr 2022
CVE-2022-26787	Windows Print Spooler Elevation of Privilege Vulnerability	Apr 2022
CVE-2022-26803	Windows Print Spooler Elevation of Privilege Vulnerability	Apr 2022
CVE-2022-23284	Windows Print Spooler Elevation of Privilege Vulnerability	Mar 2022
CVE-2022-22718	Windows Print Spooler Elevation of Privilege Vulnerability	Feb 2022
CVE-2022-21999	Windows Print Spooler Elevation of Privilege Vulnerability	Feb 2022
CVE-2022-21997	Windows Print Spooler Elevation of Privilege Vulnerability	Feb 2022
CVE-2022-22717	Windows Print Spooler Elevation of Privilege Vulnerability	Feb 2022

Important

CVE-2024-21443, CVE-2024-26173, CVE-2024-26176, CVE-2024-26178 and CVE-2024-26182 | Windows Kernel Elevation of Privilege Vulnerability

CVE-2024-21443, CVE-2024-26173, CVE-2024-26176, CVE-2024-26178 and CVE-2024-26182 are EoP vulnerabilities affecting the Windows Kernel. These vulnerabilities are all rated as important, and each was assigned a CVSSv3 score of 7.8 with the exception of CVE-2024-21443 which was scored as 7.3. CVE-2024-26182 was the only Windows Kernel EoP rated as “Exploitation More Likely.” Successful exploitation of these vulnerabilities could lead to an attacker gaining SYSTEM privileges.

Important

CVE-2024-21441, CVE-2024-21444, CVE-2024-21450, CVE-2024-26161 and CVE-2024-26166 | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability

CVE-2024-21441, CVE-2024-21444, CVE-2024-21450, CVE-2024-26161 and CVE-2024-26166 are RCE vulnerabilities affecting the Microsoft WDAC OLE DB provider for SQL Server. These vulnerabilities are rated as important, and were assigned CVSSV3 scores of 8.8. Successful exploitation requires an authenticated user to be enticed to connect to a malicious SQL database. Once a connection is made, specially crafted replies can be sent to the client in order to exploit the vulnerability and allow the execution of arbitrary code.

Tenable Solutions

A list of all the plugins released for Tenable’s March 2024 Patch Tuesday update can be found here. As always, we recommend patching systems as soon as possible and regularly scanning your environment to identify those systems yet to be patched.

For more specific guidance on best practices for vulnerability assessments, please refer to our blog post on How to Perform Efficient Vulnerability Assessments with Tenable.

Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about https://www.tenable.com/products/tenable-one">Tenable One, the Exposure Management Platform for the modern attack surface.

CVE-2024-27198, CVE-2024-27199: Two Authentication Bypass Vulnerabilities in JetBrains TeamCity

Chris Boyd — Wed, 06 Mar 2024 10:06:33

Two vulnerabilities with publicly available exploit code in JetBrains TeamCity on-premises software could result in attackers bypassing authentication and achieving code execution.

Update March 7: The blog has been updated to include information in-the-wild exploitation of CVE-2024-27198.

View Change Log

Background

On March 4, JetBrains published a blog post regarding two security issues affecting TeamCity On-Premises, a software solution for build management. The issues were disclosed to JetBrains in February by the researchers who discovered these vulnerabilities. In the March 4 release notes, no mention was made of what security issues were patched, however later in the day, a blog post regarding the release of TeamCity 2023.11.4 was published which included details about the two vulnerabilities.

CVE	Description	CVSSv3	Severity
CVE-2024-27198	Authentication bypass vulnerability	9.8	Critical
CVE-2024-27199	Path traversal vulnerability which allows for authentication bypass	7.3	High

Analysis

CVE-2024-27198 is an authentication bypass vulnerability with a critical CVSSv3 rating of 9.8. The vulnerability is within the web component of TeamCity and stems from an alternate path issue. Exploitation of this vulnerability could allow an attacker to bypass authentication in order to take administrative control of an affected TeamCity server. With this level of access, the attacker could execute arbitrary code and abuse this access for a supply chain attack.

CVE-2024-27199 is another authentication bypass vulnerability in the web component of TeamCity, made possible by a path traversal issue. The vulnerability received a CVSSv3 score of 7.3 and while this vulnerability is less severe, it can still be abused by an unauthenticated attacker.

These CVE alerts are primarily a concern for organizations running on-premises installations of TeamCity, and it is crucial that administrators of on-premises servers take steps to update their systems immediately. JetBrains has confirmed TeamCity Cloud customers have already had their servers patched, and have confirmed no evidence of exploitation has occurred for cloud customers.

Historical exploitation of TeamCity vulnerabilities

Unfortunately, this is not the first authentication bypass vulnerability to impact TeamCity servers. CVE-2023-42793, another authentication bypass vulnerability patched in September, saw a variety of exploitation attempts within days of exploit details being released. In October, it was claimed that state sponsored North Korean hackers were responsible for impersonating IT workers and attacking software developers via CVE-2023-42793.

Shortly after, in December, law enforcement from Poland, the United States, and the United Kingdom warned that CVE-2023-42793 was being used by Russian state sponsored groups to target unpatched instances of TeamCity servers. APT 29, also known as Cozy Bear, is a threat actor well known for supply chain and malware attacks across a variety of industries and sectors including energy companies and political organizations. Their abuse of CVE-2023-42793 and the exploitation from a wide range of threat actor groups are a reminder of the severe damage that can be inflicted in well organized attacks. We expect to see continued attacks on TeamCity instances and organizations running vulnerable versions of TeamCity should take the latest warnings seriously and remediate these vulnerabilities as soon as possible.

Exploitation has been observed

In a post on X (formerly Twitter), LeakIX revealed that they have observed over 1400 instances of compromised TeamCity servers with evidence of "clear signs of rogue user creation."

⚠️We added detection for compromised #TeamCity instances:

1711 vulnerable instances were found during our last scan, 1442 show clear signs of rogue user creation.

If you were/are still running a vulnerable system, assume compromise. pic.twitter.com/BIvscjRxZJ
— LeakIX (@leak_ix) March 6, 2024

With in-the-wild exploitation already underway, it's imperative to take action to remediate these vulnerabilities as well as begin incident response processes to identify if your server has been compromised.

Proof of concept

At the time this blog was published, public proof-of-concept (PoC) code is available. Additionally, active exploitation attempts of CVE-2024-27198 have been observed.

If running JetBrains TeamCity on-prem - make sure to patch for latest CVE-2024-27198 (remote auth bypass) & CVE-2024-27199 vulns NOW!

We started seeing exploitation activity for CVE-2024-27198 around Mar 4th 22:00 UTC. 16 IPs seen scanning so far.https://t.co/zZ0iU5MD8S
— Shadowserver (@Shadowserver) March 5, 2024

Solution

JetBrains has released TeamCity version 2023.11.4 to address both of these authentication bypass vulnerabilities.

JetBrains advises customers to update or patch as soon as possible. In situations where either of these options are not available and devices are internet facing, JetBrains recommends taking impacted devices offline until the patch can be applied.

In instances where upgrading to version 2023.11.4 is not possible, JetBrains offers a standalone security patch, with versions available for TeamCity 2018.2 and newer as well as TeamCity 2018.1 and older.

With public PoC code available and historical exploitation of TeamCity servers, we recommend patching or updating your installation as soon as possible.

Identifying affected systems

A list of Tenable plugins to identify affected systems can be found on the individual CVE pages for CVE-2024-27198 and CVE-2024-27199. This link will display all available plugins for these vulnerabilities, including upcoming plugins in our Plugins Pipeline.

Get more information

Change Log

Update March 7: The blog has been updated to include information in-the-wild exploitation of CVE-2024-27198.

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.

Frequently Asked Questions about ScreenConnect Vulnerabilities

Scott Caveza — Tue, 20 Feb 2024 18:08:46

Frequently asked questions about two vulnerabilities affecting ConnectWise ScreenConnect

Update February 23: The blog has been updated to include information about ransomware attacks involving vulnerable ScreenConnect servers.

View Change Log

Background

The Tenable Security Response Team has put together this blog to answer Frequently Asked Questions (FAQ) regarding two vulnerabilities impacting ScreenConnect, a Remote Monitoring and Management (RMM) solution from ConnectWise.

FAQ

What are the ScreenConnect vulnerabilities and when were they disclosed?

On February 19, ConnectWise released a security advisory for two vulnerabilities affecting their RMM product, ScreenConnect. At the time the advisory was released, no CVE identifiers had been released for the vulnerabilities. On February 21, three CVEs were assigned for these vulnerabilities. Two CVEs were reserved by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) (CVE-2024-1708 and CVE-2024-1709) and another was reserved by MITRE (CVE-2024-27215). CVE-2024-27215 was later updated and listed as REJECTED.

CVE	Description	CVSSv3
CVE-2024-1709	Authentication bypass that could allow an attacker to execute remote code or directly impact confidential data or critical systems.	10
CVE-2024-1708	A path traversal vulnerability that could allow an attacker to access confidential data	8.4

Which versions of ConnectWise are affected?

ScreenConnect versions 23.9.7 and prior are affected by these vulnerabilities. These vulnerabilities only impact self-hosted or on-premise installations. Cloud customers who have ScreenConnect servers hosted on the “screenconnect.com” or “hostedrmm.com” are not impacted as updates have been made to the cloud service to address these vulnerabilities.

The advisory also notes that updated versions of ScreenConnect 22.4 through 23.9.7 will be released, however they still strongly recommend upgrading to ScreenConnect version 23.9.8.

Have any of these vulnerabilities been exploited?

On February 20, ConnectWise updated its security advisory to share indicators of compromise (IOCs) relating to malicious activity. In this update, ConnectWise notes that they have "received updates of compromised accounts" that were investigated and confirmed by its incident response team, indicating in-the-wild exploitation of these flaws. The update includes IOCs of IP addresses reportedly associated with threat actor activity.

On February 20, Huntress posted a blog post with detection guidance to aid defenders into identifying impacted systems.

On February 23, Sophos reported that ransomware attacks have been observed exploiting vulnerable ScreenConnect servers. A variant of the LockBit ransomware known as buhtiRansom has been observed and according to Sophos, this variant appears to have been generated using the leaked LockBit builder. As ransomware groups and affiliates begin targeting vulnerable instances of ScreenConnect, it's imperative that immediate action is taken to remediate these vulnerabilities.

Has any Proof-of-Concept (PoC) code been released?

As of February 20, a blog by Huntress indicates that their researchers have reproduced these vulnerabilities and developed a working PoC, however they have chosen not to release the exploit code. Later that day, Huntress posted another blog post with their analysis of the vulnerabilities as well as how they discovered them. This blog included information on how to exploit these vulnerabilities citing that other vendors have released their own PoCs and that "the cat is out of the bag."

In addition to Huntress, researchers at Horizon3 Attack Team posted to X (formerly known as Twitter) about their own PoC for the authentication bypass vulnerability, adding that it is “extremely trivial to reverse and exploit” that they plan to publish it along with a blog post soon.

The recent #ConnectWise #ScreenConnect authentication bypass vulnerability is extremely trivial to reverse and exploit. Blog and exploit POC will drop soon. pic.twitter.com/mEIaRetKxQ
— Horizon3 Attack Team (@Horizon3Attack) February 20, 2024

On February 21, Horizon3 released their write up and PoC and researchers at watchTowr posted on X that they have created a PoC for the authentication bypass issue and posted a link to their PoC on GitHub.

Here's our PoC for the Connectwise ScreenConnect Auth Bypass:https://t.co/C17vJWygf6

The vuln is the definition of trivial and thus we won't release any analysis. Not sure what we would share - "Add a / and you too can pwn the world"? pic.twitter.com/oVh2LNCqb6
— watchTowr (@watchtowrcyber) February 21, 2024

Are patches or mitigations available?

As of February 19 when the security advisory was released, ScreenConnect version 23.9.8 has been released to address these vulnerabilities. No mitigation steps were provided by ConnectWise.

Has Tenable released any product coverage for these vulnerabilities?

Yes, product coverage for these vulnerabilities is now available in the following plugins:

Nessus Plugin ID 190883: ConnectWise ScreenConnect Installed (Windows)
Nessus Plugin ID 190894: ConnectWise ScreenConnect HTTP Detection
Nessus Plugin ID 190886: ConnectWise ScreenConnect < 23.9.8 Multiple Vulnerabilities
Nessus Plugin ID 190893: ConnectWise ScreenConnect < 23.9.8 Authentication Bypass (Direct Check)
Web App Scanning ID 114214: ConnectWise ScreenConnect < 23.9.8 Authentication Bypass

Additional coverage can be found on the individual CVE pages for CVE-2024-1708 and CVE-2024-1709 as they're released. This link will display all available plugins for this vulnerability, including upcoming plugins in our Plugins Pipeline.

Get more information

ConnectWise ScreenConnect 23.9.8 Security Advisory
Huntress Blog Post: Vulnerability Reproduced: Immediately Patch ScreenConnect 23.9.8
Huntress Blog Post: A Catastrophe For Control: Understanding the ScreenConnect Authentication Bypass
Horizon3 Attack Team Blog: ConnectWise ScreenConnect: Authentication Bypass Deep Dive

Change Log

Update February 23: The blog has been updated to include information about ransomware attacks involving vulnerable ScreenConnect servers.

Update February 22: The blog has been updated with Tenable product coverage.

Update February 21 (Second Update): The blog has been updated to announce that CVE identifiers have been reserved for these vulnerabilities.

Update February 21: The blog has been updated to announce that public proof-of-concept code is now available.

Update February 20: The blog has been updated with confirmation from ConnectWise of in-the-wild exploitation.

Join Tenable's Security Response Team on the Tenable Community.
Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.