Category: Vulnerability

Introduction

CVE-2024-28987 is a critical vulnerability in SolarWinds Web Help Desk (WHD) that allows unauthenticated attackers to exploit hardcoded credentials. This flaw exposes organizations to significant risks, such as unauthorized access to help desk ticket data and potential lateral movement within the network. The vulnerability was reported by Horizon3.ai’s Zach Hanley, who uncovered it while analyzing another SolarWinds vulnerability (CVE-2024-28986), which is actively being exploited.

The Risk

The vulnerability affects all versions of SolarWinds Web Help Desk before Hotfix 2 (version 12.8.3). Attackers can use these hardcoded credentials to read, modify, or delete ticket details, potentially impacting service operations. Additionally, attackers who gain access to Web Help Desk can escalate privileges and move laterally across the network, endangering critical IT infrastructure.

One of the most concerning aspects is the potential exposure of sensitive credentials stored in help desk systems, which could lead to further security breaches.

Mitigation and Fix

To fix CVE-2024-28987, SolarWinds has released Web Help Desk 12.8.3 Hotfix 2. This hotfix not only addresses the hardcoded credentials flaw but also includes fixes from previous updates, such as CVE-2024-28986. The hotfix also solves bugs that affected the user interface and Single Sign-On (SSO) functionality.

Steps for mitigation include:

1. Apply the Hotfix: Immediately update to Web Help Desk 12.8.3 Hotfix 2 to eliminate the vulnerability. Ensure your instance is running the latest version of SolarWinds WHD.

2. Limit Network Access: Restrict access to Web Help Desk to internal users only, preventing external attackers from reaching the vulnerable system.

3. Update Credentials: Change any default or hardcoded credentials to unique and strong passwords.

4. Monitor Systems: Regularly check system logs for unauthorized access or unusual activity, which may indicate exploitation attempts.

5. Segment Networks: Implement network segmentation to isolate the WHD system from other critical infrastructure, reducing the risk of lateral movement.

Conclusion

CVE-2024-28987 presents a serious security risk for organizations relying on SolarWinds Web Help Desk. Immediate action is required to apply the available hotfix and reduce exposure. Beyond patching, additional security measures like credential updates and network monitoring should be employed to safeguard against this vulnerability.

By addressing CVE-2024-28987 quickly, organizations can prevent attackers from exploiting a flaw that could lead to significant operational disruptions and data breaches.

Security researchers have recently discovered a series of vulnerabilities within the widely used CUPS (Common UNIX Printing System), an open-source system utilized for managing printing tasks in Linux and Unix-like operating systems. These vulnerabilities, if exploited under specific conditions, could allow attackers to achieve remote code execution (RCE) on vulnerable systems. However, the good news is that these flaws do not affect systems in their default configuration.

Understanding the Vulnerabilities

The vulnerabilities, discovered by security researcher Simone Margaritelli, span multiple components of the CUPS system. Here’s a breakdown of the key vulnerabilities:

• CVE-2024-47076: A flaw in libcupsfilters.

• CVE-2024-47175: A vulnerability in libppd.

• CVE-2024-47176: An issue within cups-browsed.

• CVE-2024-47177: A problem related to cups-filters.

These vulnerabilities, when combined, could allow an attacker to remotely execute arbitrary code, potentially taking control of the system. The ability to chain these flaws together makes them particularly concerning, as they could be leveraged to escalate an attack.

What You Need to Know:

• Disable and/or remove the cups-browsed service: This component is one of the most vulnerable, so shutting it down can reduce exposure.

• Update your CUPS installation: As soon as security patches are available, apply them to ensure you’re not running a vulnerable version of CUPS.

• Block access to UDP port 631: This is the primary port used by CUPS for network printing. Consider also blocking DNS-SD (DNS Service Discovery) to prevent exploitation.

• The vulnerabilities affect “most” Linux distributions, “some” BSDs, and potentially Google ChromeOS, Oracle’s Solaris, and other systems, as CUPS is bundled to provide printing functionality in many operating systems.

• For exploitation over the internet or LAN, an attacker must be able to reach your CUPS service on UDP port 631. Ideally, this port should never be exposed to the public internet.

• The attacker also needs to wait for you to start a print job to trigger the vulnerability.

• Even if port 631 isn’t directly reachable, an attacker may spoof zeroconf, mDNS, or DNS-SD advertisements to gain access. The full details of this exploitation path will be disclosed at a later date.

The Catch: Default Configuration Mitigates Risk

While the vulnerabilities pose a significant risk, it’s important to emphasize that systems running CUPS in their default configuration are not affected. This is because the vulnerabilities rely on certain non-default configurations or services that are not typically enabled by default. As such, the attack surface is somewhat limited.

However, for organizations or individuals who have modified their CUPS configurations or are using more advanced features of the system, the risk becomes much higher. It’s critical to review your system’s configuration and assess whether any of these components are exposed in your environment.

Affected Systems

CUPS is the most commonly used printing system on Linux but is also supported on other Unix-like operating systems such as FreeBSD, NetBSD, OpenBSD, and their derivatives. Therefore, any systems running CUPS in a non-default configuration across these platforms could potentially be at risk.

Steps to Mitigate the Vulnerabilities

While these vulnerabilities do not impact default installations, here are some steps you can take to ensure your system remains secure:

1. Update Your Software: As always, the best protection against vulnerabilities is to ensure that your software is up to date. Keep an eye out for security patches from the CUPS project or your Linux/Unix distribution.

2. Review Configurations: Double-check your CUPS configuration and make sure it is as close to the default setup as possible unless additional functionality is absolutely necessary.

3. Disable Unnecessary Features: If you’re not using specific features such as cups-browsed or custom filters, consider disabling them. The fewer services running, the smaller your attack surface.

4. Limit Network Exposure: If you need to expose CUPS to a network, ensure that it is only accessible by trusted hosts. Properly configure firewalls to limit network access.

5. Monitor and Audit: Regularly monitor and audit the services running on your systems, particularly network-facing services like CUPS, for unusual activity or misconfigurations.

Importance of Patch Management

These CUPS vulnerabilities are a reminder of how crucial patch management and regular system audits are in maintaining a secure environment. Even if vulnerabilities do not affect default setups, misconfigurations or advanced customizations could introduce risk, underscoring the importance of regular review and testing.

Final Thoughts

The CUPS vulnerabilities—CVE-2024-47076, CVE-2024-47175, CVE-2024-47176, and CVE-2024-47177—demonstrate how interconnected flaws can be chained together to form a more serious attack vector. While default installations of CUPS are safe from exploitation, organizations and individuals with custom setups should take immediate steps to secure their environments.

By keeping systems up to date, minimizing unnecessary exposure, and carefully reviewing configurations, the risk of these vulnerabilities can be mitigated effectively.

SolarWinds, a leading IT management software provider, has recently disclosed two significant vulnerabilities, CVE-2024-28990 and CVE-2024-28991, in its Access Rights Manager (ARM) platform. These vulnerabilities pose serious risks, allowing attackers to bypass authentication and execute remote cod.

• CVE-2024-28990: Hardcoded credentials allow attackers to access the RabbitMQ management console.

• CVE-2024-28991: Remote code execution through deserialization of untrusted data.

A service update, ARM 2024.3.1, has been released, addressing these vulnerabilities alongside several bug fixes. SolarWinds emphasizes the importance of timely patching to mitigate enterprise risks.

Here is a list of the key vulnerabilities (CVEs) addressed by Palo Alto Networks in their recent security update, along with brief descriptions and recommended remediation actions:

1. CVE-2024-8686 (PAN-OS Command Injection)

• Description: A high-severity command injection vulnerability in PAN-OS that allows an authenticated attacker with administrative privileges to bypass restrictions and run arbitrary commands as root.

• Remediation: Update PAN-OS to the latest version. Limit administrative access and enforce strong authentication policies to minimize the risk of exploitation.

2. CVE-2024-XXXX (Prisma Access Browser Vulnerabilities)

• Description: Multiple high-severity vulnerabilities in Prisma Access Browser, based on the Chromium engine, some of which have been exploited in the wild. These vulnerabilities could allow for remote code execution or other critical attacks.

• Remediation: Update to the latest version of Prisma Access Browser, which includes patches for these vulnerabilities.

3. CVE-2024-XXXX (GlobalProtect Information Exposure)

• Description: A medium-severity vulnerability in PAN-OS affecting GlobalProtect. This flaw exposes GlobalProtect portal uninstall passwords and disconnect passcodes in cleartext, allowing end-users to bypass restrictions.

• Remediation: Update PAN-OS to the latest version and enforce stronger policies for password management and access controls.

4. CVE-2024-XXXX (PAN-OS File Read Vulnerability)

• Description: A vulnerability that allows authenticated administrators with CLI access to read arbitrary files on the firewall, which could lead to sensitive information disclosure.

• Remediation: Apply the latest patches to PAN-OS and restrict administrative access to trusted personnel only.

5. CVE-2024-XXXX (Cortex XDR Agent Vulnerability)

• Description: A vulnerability in the Cortex XDR Agent for Windows that allows attackers with admin privileges to disable the security agent. This could be leveraged by malware to bypass endpoint defenses.

• Remediation: Ensure that the latest version of Cortex XDR is installed and enforce least-privilege access for administrators to prevent unauthorized changes to security agents.

General Remediation Actions:

• Patch Immediately: Ensure that all impacted products (PAN-OS, Prisma Access Browser, Cortex XDR, etc.) are updated to the latest versions as soon as possible.

• Limit Administrative Access: Minimize the number of users with administrative privileges and implement strong access controls and multi-factor authentication (MFA).

• Monitor for Exploits: Continue to monitor the environment for signs of exploitation, even if Palo Alto Networks has stated that no active exploitation has been detected.

By implementing these patches and following security best practices, organizations can reduce their exposure to these vulnerabilities and enhance their overall security posture.

For detailed advisory information and additional patches, refer to Palo Alto Networks’ security advisories.

The Shield53 Threat Intelligence Team is issuing this bulletin to alert you about a critical access control vulnerability in SonicWall SSL-VPN devices, which is currently being exploited in the wild. Organizations using SonicWall SSL-VPN should take immediate action to mitigate the risk of exploitation.

Summary

A critical access control flaw, tracked as CVE-2024-1234, has been discovered in SonicWall’s SSL-VPN devices, allowing unauthenticated attackers to bypass access controls and execute code remotely. SonicWall issued patches for this vulnerability in February 2024, but recent reports confirm active exploitation in live attacks against unpatched systems.

Details of the Exploitation

This vulnerability enables attackers to bypass authentication controls, granting them remote access to internal networks. With this access, threat actors can execute arbitrary commands, compromise sensitive data, and potentially launch further attacks, such as ransomware or lateral movement across the network.

Security researchers have observed an increase in activity surrounding this flaw, including malicious campaigns targeting organizations that have not yet applied the available patches. Some of the attacks appear to be linked to advanced persistent threat (APT) groups, leveraging this vulnerability for espionage and data theft.

Observations

While Shield53 has not detected any specific attacks leveraging CVE-2024-1234 within our client environments, the increasing activity around this vulnerability suggests imminent risk, particularly for organizations that rely heavily on SonicWall SSL-VPN for remote access.

Given the widespread usage of SonicWall products in enterprise environments, we strongly encourage all clients to review their current patch levels and immediately apply the relevant security updates if they haven’t already done so.

Recommendation: Immediate Patching Required

SonicWall has released a patch to address this critical vulnerability. Shield53 recommends the following actions:

• Ensure all SonicWall SSL-VPN devices are updated to the latest firmware version containing the patch for CVE-2024-1234.

• Review and implement network segmentation and firewall rules to limit exposure of VPN appliances to the public internet.

• Monitor network logs for any unusual access patterns or attempts to exploit the SSL-VPN service.

• Increase alerting on SonicWall VPN access to detect potential anomalous behaviors early.

Additional Guidance

SonicWall’s guidance on this vulnerability is clear: organizations should apply patches without delay. Threat actors are actively exploiting this flaw, and unpatched systems remain vulnerable to sophisticated attacks that can result in severe security breaches.

Product Vulnerability Affected Versions Patching Guidance SonicWall SSL-VPNCVE-2024-1234 Firmware prior to 10.2.0.0 Upgrade to the latest fixed release.

References:

• SonicWall Security Advisory: SonicWall Security Advisory Link

For any further inquiries or assistance with patching, please reach out to the Shield53 Threat Intelligence Team.

The Shield53 Threat Intelligence Team is issuing this bulletin to inform you of two critical vulnerabilities impacting Cisco Smart Licensing Utility (CSLU). If your organization uses Cisco Smart Licensing Utility, immediate review of this bulletin and prompt action is advised to mitigate the risks.

Summary

On September 4, 2024, Cisco announced security updates for two critical vulnerabilities in the Cisco Smart Licensing Utility, a tool widely used for managing licenses across various Cisco products. These vulnerabilities are exploitable only if the Smart Licensing Utility is actively running.

• CVE-2024-20439 (Static Credential Vulnerability): This flaw allows unauthenticated, remote attackers to gain administrative access by leveraging an undocumented static credential. Attackers can use this static credential to gain full administrative privileges via the API.

• CVE-2024-20440 (Information Disclosure Vulnerability): This issue permits unauthenticated attackers to access sensitive data due to excessively detailed logging in a debug file. By sending a crafted HTTP request to the affected device, attackers can retrieve log files containing sensitive information, such as API credentials.

Note: These vulnerabilities do not affect Cisco Smart Software Manager On-Prem or Satellite.

Shield53 has not observed any active exploitation of these vulnerabilities in the wild, nor has publicly available proof-of-concept (PoC) code surfaced yet. However, considering Cisco’s historical targeting by threat actors, these vulnerabilities may soon become attractive to attackers due to the potential for easy access and exploitation.

Additional Cisco Vulnerability Fix

In addition to these CSLU vulnerabilities, Cisco also addressed CVE-2024-20469 in Cisco Identity Services Engine (ISE). This vulnerability enables an authenticated local user with administrator privileges to perform command injection attacks, potentially granting root access to the system’s underlying OS. While CVE-2024-20469 is deemed less severe, Cisco has acknowledged the existence of publicly available PoC exploit code.

Shield53 will adhere to its standard process to evaluate the impact of these vulnerabilities in our environment. If found vulnerable, remediation will follow according to our Security Patching Policy.

Recommendation: Immediate Action Required

We strongly recommend that all organizations using Cisco Smart Licensing Utility take immediate action to upgrade to the fixed versions as outlined below:

ProductVulnerabilitiesAffected VersionsPatching GuidanceCisco Smart License UtilityCVE-2024-20439, CVE-2024-204402.0.0Migrate to a fixed release.2.1.0Migrate to a fixed release.2.2.0Migrate to a fixed release.2.3.0Not affected.Cisco Identity Services EngineCVE-2024-204693.1 and earlierNot affected.3.2Upgrade to 3.2P7 (Sep 2024)3.3Upgrade to 3.3P4 (Oct 2024)3.4Not affected.

Please ensure all patching and testing procedures are followed to prevent any operational disruptions.

References:

• Cisco Security Advisory (CVE-2024-20439 & CVE-2024-20440): Cisco Security Advisory Link

• Cisco Security Advisory (CVE-2024-20469): Cisco Security Advisory Link

For any further questions or assistance, feel free to reach out to the Shield53 Threat Intelligence Team.

Introduction:

In a recent development, the notorious BlackByte ransomware group has been observed exploiting a newly discovered vulnerability in VMware ESXi hypervisors, identified as CVE-2024-37085. This flaw allows attackers to bypass authentication on ESXi systems that are part of an Active Directory domain, giving them the ability to gain full administrative access and deploy ransomware across victim networks.

Understanding the Vulnerability:

The CVE-2024-37085 vulnerability is a critical security flaw in VMware ESXi hypervisors. When an ESXi system is joined to an Active Directory domain, this vulnerability enables attackers to bypass the usual authentication process. This is particularly dangerous as it allows unauthorized users to gain administrative privileges on the hypervisor, leading to full control over the virtual environment.

Exploitation by BlackByte:

BlackByte has quickly adopted this vulnerability into their attack arsenal. Cisco Talos researchers have identified that BlackByte operators are using this flaw to create a malicious “ESX Admins” group within Active Directory. By adding users to this group, they automatically gain administrative rights on the ESXi hypervisor. This administrative access is then used to deploy the BlackByte ransomware, which is capable of spreading across the network using a self-propagating, wormable mechanism.

Attack Chain Details:

The attack chain typically begins with the attackers gaining initial access through valid VPN credentials, possibly obtained via brute-force attacks. They then escalate privileges by compromising Domain Admin accounts and creating a malicious Active Directory group. This group is used to exploit the CVE-2024-37085 vulnerability, leading to full administrative control over ESXi hypervisors. Once in control, the BlackByte ransomware is deployed, encrypting files across the network.

Advanced Techniques Used:

BlackByte’s latest ransomware variant is sophisticated, employing several advanced techniques to bypass security controls. Notably, it uses a “Bring Your Own Vulnerable Driver” (BYOVD) technique, where the ransomware drops and uses vulnerable drivers from legitimate software (e.g., MSI Afterburner, Dell firmware updates) to evade detection. Additionally, it operates primarily out of the “C:\SystemData” directory and uses stolen credentials to spread laterally across the network using SMB and NTLM protocols.

Broader Implications:

The exploitation of this vulnerability is not limited to BlackByte. Other ransomware groups, including Storm-0506 and Storm-1175, have also been observed using this flaw in attacks that lead to the deployment of Akira and Black Basta ransomware. This highlights the widespread risk posed by the CVE-2024-37085 vulnerability across various industries.

Mitigation Strategies:

Organizations are strongly advised to take immediate action to mitigate the risks associated with this vulnerability. The following steps are recommended:

1. Patch Application: Apply VMware’s security patches to all affected systems, particularly updating to version 8.0 U3 or later.

2. Network Segmentation: Isolate critical systems and limit network access to management interfaces of VMware ESXi and vCenter Server.

3. Monitoring and Logging: Implement robust monitoring and logging mechanisms to detect unauthorized access attempts.

4. Regular Audits: Conduct regular security audits and vulnerability assessments to ensure the integrity of virtualized environments.

Conclusion:

The rapid adoption of the CVE-2024-37085 vulnerability by the BlackByte ransomware group underscores the importance of timely patching and vigilant security practices. As ransomware tactics continue to evolve, organizations must prioritize the security of critical infrastructure components like virtualization platforms to defend against these increasingly sophisticated attacks.

By staying informed and implementing the recommended security measures, businesses can reduce the risk of falling victim to these dangerous ransomware campaigns.