Salt Typhoon: Greenbone Covers All Vulnerabilities

On August 27, more than 20 security agencies published a Cybersecurity Advisory with the title “Countering Chinese State-Sponsored Actors Compromise of Networks Worldwide to Feed Global Espionage System”

 

Publishing authorities included:

• United States National Security Agency (NSA)
• United States Cybersecurity and Infrastructure Security Agency (CISA)
• United States Federal Bureau of Investigation (FBI)
• Germany Federal Intelligence Service (BND) – Bundesnachrichtendienst
• Germany Federal Office for the Protection of the Constitution (BfV) – Bundesamt für Verfassungsschutz
• Germany Federal Office for Information Security (BSI) – Bundesamt für Sicherheit in der Informationstechnik

plus many more.

This is bad news. Good news is that Greenbone customers using the OPENVAS products are able to detect all vulnerabilities in this attack

1. CVE-2024-21887 – Ivanti Connect Secure and Ivanti Policy Secure web-component command injection vulnerability, commonly chained after CVE-2023-46805 (authentication bypass).
2. CVE-2024-3400 – Palo Alto Networks PAN-OS GlobalProtect arbitrary file creation leading to OS command injection. The CVE allows for unauthenticated remote code execution (RCE) on firewalls when GlobalProtect is enabled on specific versions/configurations.
3. CVE-2023-20273 – Cisco Internetworking Operating System (IOS) XE software web management user interface flaw enabling post-authentication command injection/privilege escalation [T1068], commonly chained with CVE-2023-20198 for initial access to achieve code execution as root.
4. CVE-2023-20198 – Cisco IOS XE web user interface authentication bypass vulnerability.
5. CVE-2018-0171 – Cisco IOS and IOS XE smart install remote code execution vulnerability.

We strongly advise our customers to scan their systems and follow the information for patches, if affected.