Category: Vulnerability

  • Critical PAN-OS CVE-2024-3400 used by Threat Actors

    Yesterday Palo Alto Networks issued a critical security alert about a flaw in PAN-OS, the operating system of its firewalls, in the GlobalProtect feature. Tracked as CVE-2024-3400, the vulnerability carries a CVSS score of 10.0, the maximum on the scale.

    Classified as a command injection flaw, the vulnerability can allow an unauthenticated attacker to execute arbitrary code with root privileges on an affected firewall. The impacted PAN-OS releases are:

    • PAN-OS 11.1: releases earlier than 11.1.2-h3
    • PAN-OS 11.0: releases earlier than 11.0.4-h1
    • PAN-OS 10.2: releases earlier than 10.2.9-h1

    Earlier feature releases (PAN-OS 10.1 and below), Cloud NGFW, Panorama appliances and Prisma Access are not affected.

    Palo Alto Networks' initial advisory stated that the issue affected only firewalls configured with both a GlobalProtect gateway and device telemetry enabled. The advisory was later revised: device telemetry does not need to be enabled for exploitation, and GlobalProtect portals are exposed as well as gateways, so any affected release with GlobalProtect configured should be treated as exploitable.

    Palo Alto Networks is working on fixes, which it expects to release on April 14, 2024. In the interim, if your organization has a Threat Prevention subscription, enable Threat ID 95187 to block attempts to exploit this vulnerability.

    Mitigation Strategies

    • Customers with a Threat Prevention subscription can block attacks for this vulnerability by enabling Threat ID 95187 (introduced in Applications and Threats content version 8833-8682). In addition, make sure a Vulnerability Protection profile containing that signature is applied to the security policy covering the GlobalProtect interface; the signature does nothing unless it is enforced on the traffic reaching the gateway or portal.

    • Those unable to apply the Threat Prevention mitigation were initially advised to disable device telemetry until the device is upgraded to a fixed PAN-OS version. Palo Alto Networks later withdrew this workaround, stating that device telemetry does not need to be enabled for the vulnerability to be exploited. Treat upgrading (or, until then, the Threat ID 95187 signature) as the only effective mitigations, and do not count a telemetry-disabled firewall as protected.

    Although detailed information about the attacks leveraging this vulnerability is limited, organizations should remain vigilant. This development fits a concerning trend in which threat actors, particularly those linked to China, have increasingly exploited zero-day flaws in networking edge devices to infiltrate targets and establish persistent, hard-to-detect access.
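    A version-triage helper for the fix table above, written for this page as an added example (it is not Palo Alto Networks tooling). It encodes the fixed releases listed here, orders the -hN hotfix suffix correctly (11.1.2 is vulnerable, 11.1.2-h3 and 11.1.3 are not), and maps one firewall's facts onto the advisory's guidance. The function and field names are this example's own; the content threshold is the 8833-8682 release named above.

```python
import re
from typing import Optional

# Fixed releases from the advisory reproduced above, keyed by feature branch.
# Branches absent from this table (10.1, 9.1, ...) are out of scope for CVE-2024-3400.
FIXED_BY_BRANCH = {
    (10, 2): "10.2.9-h1",
    (11, 0): "11.0.4-h1",
    (11, 1): "11.1.2-h3",
}

# Applications and Threats release that introduced Threat ID 95187 ("8833-8682").
THREAT_ID_95187_CONTENT = 8833

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_panos_version(version: str) -> tuple:
    """'11.1.2-h3' -> (11, 1, 2, 3). A release without a hotfix suffix gets
    hotfix 0, so plain tuple ordering puts 11.1.2 below 11.1.2-h3 and
    11.1.3 above it, which is the ordering the advisory relies on."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {version!r}")
    major, minor, patch, hotfix = m.groups()
    return (int(major), int(minor), int(patch), int(hotfix or 0))


def is_vulnerable(version: str) -> Optional[bool]:
    """True if the release predates the fixed hotfix on its branch, False if it
    is at or beyond the fix, None if the branch is not in the advisory."""
    ver = parse_panos_version(version)
    fixed = FIXED_BY_BRANCH.get(ver[:2])
    if fixed is None:
        return None
    return ver < parse_panos_version(fixed)


def content_version_number(content: str) -> int:
    """'8833-8682' -> 8833 (the Applications part of the content version)."""
    return int(content.split("-", 1)[0])


def triage(version: str, globalprotect: bool, threat_prevention: bool,
           content_version: str) -> str:
    """Map one firewall's facts onto the advisory's guidance. Device telemetry
    is deliberately not an input: it does not change exposure."""
    vuln = is_vulnerable(version)
    if vuln is None:
        return "NOT_AFFECTED: PAN-OS branch not in advisory"
    if not vuln:
        return "FIXED: release is at or above the hotfix for its branch"
    if not globalprotect:
        return "VULNERABLE_CODE_NOT_EXPOSED: upgrade at next window; exposed as soon as GlobalProtect is configured"
    if threat_prevention and content_version_number(content_version) >= THREAT_ID_95187_CONTENT:
        return "EXPOSED: enable Threat ID 95187 in the Vulnerability Protection profile on the GlobalProtect interface, then upgrade"
    return "EXPOSED: no signature cover available; upgrade immediately"
```

    This encodes the page's snapshot of the fix table. Palo Alto Networks subsequently published hotfixes for earlier maintenance releases on each branch, so a firewall on, say, 10.2.8 with a later hotfix should be checked against the current advisory rather than flagged solely by this table.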

  • Critical Exchange Vulnerability CVE-2024-21410

    • CVE: CVE-2024-21410
    • Severity: CRITICAL
    • Priority: CRITICAL

    Summary

    Today, Microsoft issued an updated security advisory warning that a critical Exchange Server vulnerability, patched in this month's Patch Tuesday release, had been exploited as a zero-day before the fix was available.

    Discovered internally and tracked as CVE-2024-21410, the vulnerability lets a remote, unauthenticated attacker escalate privileges through an NTLM relay attack against vulnerable versions of Microsoft Exchange Server.

    In such an attack the threat actor coerces a network device, which may be a server or even a domain controller, into authenticating to an NTLM relay server under the attacker's control, then forwards that authentication to the real target, acting as the coerced principal and elevating privileges.

    Microsoft elaborates, stating, “An attacker could exploit an NTLM client such as Outlook with a vulnerability that leaks NTLM credentials.”

    “The compromised credentials can then be relayed to the Exchange server to gain privileges as the compromised client and execute actions on the Exchange server on behalf of the victim.

    “An attacker who successfully exploits this vulnerability could relay a user’s leaked Net-NTLMv2 hash to a vulnerable Exchange Server and authenticate as the user.”

    Recommended Remediation

    Exchange Server 2019 Cumulative Update 14 (CU14), released with the February 2024 Patch Tuesday, addresses this vulnerability by turning on NTLM credential relay protection, also known as Extended Protection for Authentication (EPA).

    Installing CU14 (the 2024 H1 CU) or a later cumulative update enables Windows Extended Protection on the Exchange server by default. EP strengthens Windows Server authentication by binding the NTLM exchange to the TLS channel it arrives over, so a relayed or machine-in-the-middle (MitM) authentication that reaches Exchange through a different channel is rejected.

    Two caveats for practitioners: EP has prerequisites (a consistent TLS configuration across all Exchange servers, no SSL offloading on the affected virtual directories, NTLMv1 disabled), and unmet prerequisites surface as client connectivity failures after CU14 turns EP on, so review them before installing. And Exchange Server 2016 CU23, which still receives security updates, does not enable EP by itself; administrators must turn it on with Microsoft's ExchangeExtendedProtectionManagement.ps1 script.
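    The relay described above, and why Extended Protection breaks it, as an added worked example that is not from Microsoft or from the original post. It models the NTLMv2 response (MS-NLMP: NTProofStr is an HMAC-MD5 over the server challenge and a blob that carries the client's AV pairs) and EPA's tls-server-end-point channel binding (an MsvAvChannelBindings AV pair holding the MD5 of a gss_channel_bindings_struct built from the server certificate hash). The user key, the certificates (plain byte strings standing in for DER), the challenges, the timestamp and the host name are all constructed values; the server is modelled as already holding the user's NTLMv2 key, which a real Exchange server obtains by validating the response through a domain controller.

```python
import hashlib
import hmac
import struct
from typing import Optional

MSV_AV_EOL = 0x0000
MSV_AV_NB_COMPUTER_NAME = 0x0001
MSV_AV_CHANNEL_BINDINGS = 0x000A


def channel_binding_token(server_cert_der: bytes) -> bytes:
    """EPA 'tls-server-end-point' binding as NTLM carries it: MD5 over a
    gss_channel_bindings_struct whose application_data is the label plus the
    certificate hash. SHA-256 is hard-coded here (constructed certs); Windows
    picks the hash from the certificate's signature algorithm."""
    app_data = b"tls-server-end-point:" + hashlib.sha256(server_cert_der).digest()
    # four zero fields (initiator/acceptor addrtype and address length),
    # then application_data length and the data itself
    gss_struct = struct.pack("<IIIII", 0, 0, 0, 0, len(app_data)) + app_data
    return hashlib.md5(gss_struct).digest()


def av_pair(av_id: int, value: bytes) -> bytes:
    return struct.pack("<HH", av_id, len(value)) + value


def client_target_info(cbt: Optional[bytes]) -> bytes:
    """AV pairs the client folds into its response: the server's TargetInfo
    (abbreviated to one pair) plus MsvAvChannelBindings for the TLS channel
    the client believes it is talking over."""
    info = av_pair(MSV_AV_NB_COMPUTER_NAME, "EXCH01".encode("utf-16-le"))
    if cbt is not None:
        info += av_pair(MSV_AV_CHANNEL_BINDINGS, cbt)
    return info + av_pair(MSV_AV_EOL, b"")


def find_av(av_pairs: bytes, wanted: int) -> Optional[bytes]:
    offset = 0
    while offset + 4 <= len(av_pairs):
        av_id, av_len = struct.unpack_from("<HH", av_pairs, offset)
        offset += 4
        if av_id == MSV_AV_EOL:
            break
        if av_id == wanted:
            return av_pairs[offset:offset + av_len]
        offset += av_len
    return None


def ntlmv2_response(key: bytes, server_challenge: bytes, client_challenge: bytes,
                    timestamp: int, av_pairs: bytes) -> bytes:
    """NtChallengeResponse = NTProofStr || temp (MS-NLMP 3.3.2). The MAC covers
    temp, and temp carries the AV pairs, so nobody without the user's NTLMv2
    key can change the channel binding after the fact."""
    temp = (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp)
            + client_challenge + b"\x00" * 4 + av_pairs + b"\x00" * 4)
    return hmac.new(key, server_challenge + temp, hashlib.md5).digest() + temp


def exchange_verifies(key: bytes, server_challenge: bytes, response: bytes,
                      own_cert_der: bytes, extended_protection: bool) -> bool:
    """Server side. Without EP only the MAC is checked. With EP (modelled as
    'Required', which Microsoft's EP script sets on most Exchange virtual
    directories) the binding must match the server's own certificate."""
    nt_proof, temp = response[:16], response[16:]
    expected = hmac.new(key, server_challenge + temp, hashlib.md5).digest()
    if not hmac.compare_digest(nt_proof, expected):
        return False
    if not extended_protection:
        return True
    presented = find_av(temp[28:-4], MSV_AV_CHANNEL_BINDINGS)
    return presented is not None and hmac.compare_digest(
        presented, channel_binding_token(own_cert_der))


# Constructed stand-ins. The real key is HMAC-MD5(NT hash, UPPER(user) + domain)
# and the certificates are DER X.509; only their bytes matter to the binding.
USER_NTLMV2_KEY = hashlib.md5(b"constructed stand-in for the victim's NTLMv2 key").digest()
EXCHANGE_CERT = b"constructed stand-in for the Exchange server certificate (DER)"
ATTACKER_CERT = b"constructed stand-in for the relay host certificate (DER)"
SERVER_CHALLENGE = bytes.fromhex("0011223344556677")
CLIENT_CHALLENGE = bytes.fromhex("8899aabbccddeeff")
TIMESTAMP = 0x01DA5F3C00000000  # constructed FILETIME


def direct_logon(extended_protection: bool) -> bool:
    """Legitimate case: the client's TLS session terminates on Exchange."""
    response = ntlmv2_response(USER_NTLMV2_KEY, SERVER_CHALLENGE, CLIENT_CHALLENGE, TIMESTAMP,
                               client_target_info(channel_binding_token(EXCHANGE_CERT)))
    return exchange_verifies(USER_NTLMV2_KEY, SERVER_CHALLENGE, response,
                             EXCHANGE_CERT, extended_protection)


def relay_attempt(extended_protection: bool, tamper_with_cbt: bool = False) -> bool:
    """Relay: the attacker forwards Exchange's challenge to the victim, whose TLS
    session terminates on the attacker, so the victim binds to ATTACKER_CERT.
    The attacker then replays the response to Exchange, optionally splicing in
    Exchange's own binding (which invalidates NTProofStr)."""
    response = ntlmv2_response(USER_NTLMV2_KEY, SERVER_CHALLENGE, CLIENT_CHALLENGE, TIMESTAMP,
                               client_target_info(channel_binding_token(ATTACKER_CERT)))
    if tamper_with_cbt:
        forged = client_target_info(channel_binding_token(EXCHANGE_CERT))
        response = response[:16] + response[16:44] + forged + b"\x00" * 4
    return exchange_verifies(USER_NTLMV2_KEY, SERVER_CHALLENGE, response,
                             EXCHANGE_CERT, extended_protection)
```

    Without EP the relayed response is accepted because only the MAC is checked. With EP the binding inside the response names the attacker's certificate rather than Exchange's, and the attacker cannot swap it because the MAC covers the AV pairs. This is the property CU14 turns on, and it is also why EP requires the TLS channel to terminate on Exchange itself: an SSL-offloading load balancer in front of the affected virtual directories presents a different certificate and breaks legitimate logons in exactly the way the relay is broken.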

  • 2024-02-14 – Microsoft patches zero-days exploited by attackers

    • CVE: CVE-2024-21412 + CVE-2024-21351 + CVE-2024-21410
    • Severity: CRITICAL
    • Priority: CRITICAL

    CVE-2024-21351 is a security-feature bypass in Windows SmartScreen that lets an attacker who convinces a user to open a malicious file slip past SmartScreen's warning and deliver malware.

    Microsoft describes the flaw as allowing a malicious actor to inject code into SmartScreen and potentially gain code execution, which could lead to data exposure, loss of system availability, or both. Windows relies on the Mark-of-the-Web (MotW) to tag files from untrusted origins so that Microsoft Defender SmartScreen inspects them before they run; a SmartScreen bypass lets such a file execute without that scrutiny. CVE-2024-21412, patched in the same release, is a related security-feature bypass in how Windows handles Internet Shortcut (.url) files that likewise sidesteps the MotW and SmartScreen checks.

    Although Microsoft hasn’t disclosed the extent of these attacks, it’s prudent to anticipate a rise in exploits as threat actors incorporate this method into their arsenals.

    It’s crucial to promptly test and apply patches for both CVE-2024-21412 and CVE-2024-21351 to mitigate these risks effectively.

    Trend Micro has a detailed blog post on this attack.

    CVE-2024-21410, an elevation-of-privilege flaw in Microsoft Exchange Server, warrants immediate patching. Fully closing it may take more than installing the update, because on some Exchange versions enabling Extended Protection requires additional administrative steps.

    Exploiting CVE-2024-21410 can expose a targeted user's Net-NTLMv2 response, which the attacker relays to the Exchange server to authenticate as that user. Note that a Net-NTLMv2 response cannot be used in a pass-the-hash attack (that technique needs the NT hash itself); its value to an attacker lies in relaying it while it is fresh or cracking it offline. Satnam Narang, senior staff research engineer at Tenable, emphasizes the value of flaws like these to attackers, citing a similar vulnerability (CVE-2023-23397, in Outlook) exploited by a Russia-based threat actor.

    Additionally, CVE-2024-21413 is a remote code execution vulnerability in Microsoft Office. It lets an attacker bypass Office Protected View and open a file in editing mode, which can lead to code execution. Of particular concern is that the Preview Pane is an attack vector, so the victim need not explicitly open the file.

    Remediating CVE-2024-21413 on both the 32- and 64-bit versions of Office 2016 requires installing several updates; the vulnerability is not fully mitigated until all of them are applied.

  • Fortinet exploit used in the Wild | CVE-2024-21762

    Fortinet Firewall SSL VPN

    • CVE: CVE-2024-21762
    • Severity: CRITICAL
    • Priority: CRITICAL

    Summary

    • Fortinet is warning that a new critical remote code execution vulnerability in the FortiOS SSL VPN is potentially being exploited in attacks.
    • Exposure requires the SSL VPN service to be reachable by the attacker. An internet-facing SSL VPN portal is the critical case, but a listener bound only to internal interfaces is still reachable from inside the network.
    • The flaw (tracked as CVE-2024-21762 / FG-IR-24-015) carries a CVSS severity rating of 9.6 and is an out-of-bounds write in FortiOS that allows an unauthenticated attacker to gain remote code execution (RCE) via maliciously crafted requests.

    Out-of-bounds write in sslvpnd

    • An out-of-bounds write vulnerability [CWE-787] in FortiOS may allow a remote unauthenticated attacker to execute arbitrary code or command via specially crafted HTTP requests.
    • Note: This is potentially being exploited in the wild.

    Remediation

    • Upgrade to Unaffected Version
    • Disable SSL VPN entirely (disabling web mode alone is NOT a valid workaround)

    Version       Affected                 Solution
    FortiOS 7.6   Not affected             Not applicable
    FortiOS 7.4   7.4.0 through 7.4.2      Upgrade to 7.4.3 or above
    FortiOS 7.2   7.2.0 through 7.2.6      Upgrade to 7.2.7 or above
    FortiOS 7.0   7.0.0 through 7.0.13     Upgrade to 7.0.14 or above
    FortiOS 6.4   6.4.0 through 6.4.14     Upgrade to 6.4.15 or above
    FortiOS 6.2   6.2.0 through 6.2.15     Upgrade to 6.2.16 or above
    FortiOS 6.0   6.0 all versions         Migrate to a fixed release
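    A triage script for the table above, added here as a worked example (it is not Fortinet tooling). It reads a FortiGate configuration backup, takes the FortiOS release from the #config-version header, decides from the table whether that release is affected, and then checks the "only impacted if the SSL VPN portal is public" condition by looking at which interfaces SSL VPN listens on and whether they carry the wan role. The sample configuration is constructed for this example; the parser covers only the config/edit/set/unset/next/end grammar needed here. The status setting under vpn ssl settings is honoured where present because newer releases expose it, and an empty source-interface list (the older way of switching SSL VPN off) is treated as the service being off.

```python
import re
import shlex
from typing import Dict, Tuple

# Affected ranges from the table above; the fix is the first release past each range.
FIXED_BY_BRANCH: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (7, 4): (7, 4, 3),
    (7, 2): (7, 2, 7),
    (7, 0): (7, 0, 14),
    (6, 4): (6, 4, 15),
    (6, 2): (6, 2, 16),
}
NO_FIX_BRANCHES = {(6, 0)}          # "Migrate to a fixed release"
NOT_AFFECTED_BRANCHES = {(7, 6)}

# Constructed sample backup: a 7.2.5 unit listening for SSL VPN on its WAN interface.
SAMPLE_CONFIG = """\
#config-version=FGT60F-7.2.5-FW-build1517-230517:opmode=0:vdom=0:user=admin
config system interface
    edit "wan1"
        set role wan
        set ip 203.0.113.10 255.255.255.0
    next
    edit "internal"
        set role lan
    next
end
config vpn ssl settings
    set servercert "Fortinet_Factory"
    set port 10443
    set source-interface "wan1"
    set source-address "all"
    set default-portal "web-access"
end
"""


def parse_config_version(config: str) -> Tuple[int, int, int]:
    """The backup's first line names the release: '#config-version=FGT60F-7.2.5-FW-...'."""
    m = re.search(r"^#config-version=\S+?-(\d+)\.(\d+)\.(\d+)-", config, re.MULTILINE)
    if not m:
        raise ValueError("no #config-version header found")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def parse_fortios(config: str) -> dict:
    """Minimal FortiOS CLI parser: 'config'/'edit' open nested tables,
    'next'/'end' close them, 'set' stores a list of values, 'unset' drops a key."""
    root: dict = {}
    stack = [root]
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            stack.append(stack[-1].setdefault(line[len("config "):], {}))
        elif line.startswith("edit "):
            stack.append(stack[-1].setdefault(shlex.split(line)[1], {}))
        elif line in ("next", "end"):
            stack.pop()
        elif line.startswith("set "):
            parts = shlex.split(line)
            stack[-1][parts[1]] = parts[2:]
        elif line.startswith("unset "):
            stack[-1].pop(line[len("unset "):].strip(), None)
    return root


def sslvpn_exposure(cfg: dict) -> Dict[str, object]:
    """Where does sslvpnd listen, and is any of those interfaces WAN-facing?"""
    ssl = cfg.get("vpn ssl settings", {})
    interfaces = cfg.get("system interface", {})
    listeners = ssl.get("source-interface", [])
    enabled = ssl.get("status", ["enable"])[0] == "enable" and bool(listeners)
    wan_facing = [i for i in listeners if interfaces.get(i, {}).get("role", [""])[0] == "wan"]
    return {"enabled": enabled, "listeners": listeners, "wan_facing": wan_facing}


def assess(config: str) -> str:
    """Combine release and exposure into one actionable status string."""
    version = parse_config_version(config)
    branch = version[:2]
    if branch in NOT_AFFECTED_BRANCHES:
        return "NOT_AFFECTED"
    if branch in NO_FIX_BRANCHES:
        vulnerable, fix = True, "migrate to a fixed release"
    elif branch in FIXED_BY_BRANCH:
        fixed = FIXED_BY_BRANCH[branch]
        vulnerable, fix = version < fixed, "upgrade to %d.%d.%d or above" % fixed
    else:
        return "UNLISTED_BRANCH: not in the advisory table, check FG-IR-24-015"
    if not vulnerable:
        return "PATCHED"
    exposure = sslvpn_exposure(parse_fortios(config))
    if not exposure["enabled"]:
        return f"VULNERABLE_CODE_SSLVPN_OFF: {fix} before re-enabling SSL VPN"
    if exposure["wan_facing"]:
        return f"VULNERABLE_INTERNET_EXPOSED on {','.join(exposure['wan_facing'])}: {fix} now or disable SSL VPN"
    return f"VULNERABLE_INTERNAL_ONLY on {','.join(exposure['listeners'])}: {fix}"
```

    Interface role is a heuristic, not proof: an interface without the wan role can still be reachable from the internet (a lan-role interface behind an upstream NAT with a port forward, for instance), and an internal-only listener is still reachable by anyone already on the network. Treat "internal only" as "check the upstream path and the internal threat model", not as safe.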