Springtime for Vulnerabilities

March 2024 was another eventful month for vulnerabilities and cybersecurity in general. It was the second consecutive month of lapsed Common Vulnerability Exposure (CVE) enrichment putting defenders in a precarious position with reduced risk visibility. The Linux kernel continued its elevated pace of vulnerability disclosures and was commissioned as a new CVE Numbering Authority (CNA). In addition, several critical vulnerabilities were added to CISA’s Known Exploited Vulnerabilities (KEV) list including Microsoft Windows, Fortinet FortiClientEMS, all the major browsers, and enterprise Continuous Integration And Delivery software vendor JetBrains.

Here’s a quick review of March 2024’s most impactful cybersecurity events.

The NIST NVD Disruption

NIST’s National Vulnerability Database (NVD) team largely abandoned CVE Enrichment in February 2024 with no warning. NIST NVD slowed to a CVE enrichment rate of just over 5% during March and it became obvious that the abrupt halt was not just a short-term outage. Disruption of CVE enrichment puts cybersecurity operations around the world at a big disadvantage because the NVD is the largest centralized repository of vulnerability severity information. Without severity enrichment, cybersecurity admins are left with very little information for vulnerability prioritization and risk management decision making.

Experts in the cybersecurity community traded public speculation until the VulnCon & Annual CNA Summit, where NIST’s Tanya Brewer announced that the non-regulatory US government agency would relinquish some aspects of the NVD management to an industry consortium. Brewer did not explain the exact cause for outage, but forecasted several additional goals for NIST NVD moving forward:

• Allowing more outside parties to submit enrichment data
• Improving the NVD’s software identification capabilities
• Adding new types of threat intelligence data such as EPSS and the NIST Bugs Framework
• Improving the NVD data’s usability and supporting new use cases
• Automating some aspects of CVE analysis

Plenty Going On “In The Linux Kernel”

A total of 259 CVEs were disclosed in March 2024 with a description that began with: “In the Linux kernel” marking the second most active month ever for Linux vulnerability disclosures. The all time record was set one month prior in February with a total of 279 CVEs issued. March also marked a new milestone for kernel.org, the maintainer of the Linux kernel, as it was inducted as a CVE Numbering Authority (CNA). Kernel.org will now assume the role of assigning and enriching CVEs that impact the Linux kernel. Going forward the kernel.org asserts that CVEs will only be issued for discovered vulnerabilities after a fix is available, and CVEs will only be issued for versions of the Linux kernel that are actively supported.

Multiple High Severity Vulnerabilities In Fortinet Products

Several High severity vulnerabilities in Fortinet FortiOS and FortiClientEMS were disclosed. Of these, CVE-2023-48788 has been added to CISA’s KEV database. The risk imposed by CVE-2023-48788 is further compounded by the existence of a publicly available proof-of-concept (PoC) exploit. While CVE-2023-48788 is notably an SQL Injection [CWE-89] vulnerability, it can be exploited in tandem with the xp_cmdshell function of Microsoft SQL Server for remote code execution (RCE). Even when xp_cmdshell is not enabled by default, researchers have shown that it can be enabled via the SQL Injection weakness.

Greenbone has a network vulnerability test (NVT) that can identify systems affected by CVE-2023-48788, local security checks (LSCs) [1][2] that can identify systems affected by CVE-2023-42790 and CVE-2023-42789, and another LSC to identify systems affected by CVE-2023-36554. A proof-of-concept exploit for CVE-2023-3655 has been posted to GitHub.

• CVE-2023-48788 (CVSS 9.8 Critical): A SQL Injection vulnerability allowing an attacker to execute unauthorized code or commands via specially crafted packets in Fortinet FortiClientEMS version 7.2.0 through 7.2.2.
• CVE-2023-42789 (CVSS 9.8 Critical): An out-of-bounds write in Fortinet FortiOS allows an attacker to execute unauthorized code or commands via specially crafted HTTP requests. Affected products include FortiOS 7.4.0 through 7.4.1, 7.2.0 through 7.2.5, 7.0.0 through 7.0.12, 6.4.0 through 6.4.14, 6.2.0 through 6.2.15, FortiProxy 7.4.0, 7.2.0 through 7.2.6, 7.0.0 through 7.0.12, 2.0.0 through 2.0.13.
• CVE-2023-42790 (CVSS 8.1 High): A stack-based buffer overflow in Fortinet FortiOS allows an attacker to execute unauthorized code or commands via specially crafted HTTP requests. Affected products include FortiOS 7.4.0 through 7.4.1, 7.2.0 through 7.2.5, 7.0.0 through 7.0.12, 6.4.0 through 6.4.14, 6.2.0 through 6.2.15, FortiProxy 7.4.0, 7.2.0 through 7.2.6, 7.0.0 through 7.0.12, 2.0.0 through 2.0.13.
• CVE-2023-36554 (CVSS 9.8 Critical): FortiManager is prone to an improper access control vulnerability in backup and restore features that can allow attackers to execute unauthorized code or commands via specially crafted HTTP requests. Affected products are FortiManager version 7.4.0, version 7.2.0 through 7.2.3, version 7.0.0 through 7.0.10, version 6.4.0 through 6.4.13 and 6.2, all versions.

Zero Days In All Major Browsers

Pwn2Own, an exciting hacking competition took place at CanSecWest security conference on March 20th – 22nd. At this year’s event, 29 distinct zero-days were discovered and over one million dollars in prize money was awarded to security researchers. Independent entrant Manfred Paul earned a total of $202,500 including $100,000 for two zero day sandbox escape vulnerabilities in Mozilla Firefox. Mozilla quickly issued updates to Firefox with version 124.0.1.

Manfred Paul also achieved remote code execution (RCE) in Apple’s Safari by combining Pointer Authentication Code (PAC) [D3-PAN] bypass and integer underflow [CWE-191] zero-days. PACs in Apple’s operating systems are cryptographic signatures for verifying the integrity of pointers to prevent the exploitation of memory corruption bugs. PAC has been bypassed before for RCE in Safari. Manfred defeated Google Chrome and Microsoft Edge via an Improper Validation of Specified Quantity in Input [CWE-1284] vulnerability to complete the browser exploit trifecta.

The fact all major browsers were breached underscores the high risk of visiting untrusted Internet sites and the overall lack of security provided by major browser vendors. Greenbone includes tests to identify vulnerable versions of Firefox and Chrome.

• CVE-2024-29943 (CVSS 10 Critical): An attacker was able to exploit Firefox via an out-of-bounds read or write on a JavaScript object by fooling range-based bounds check elimination. This vulnerability affects versions of Firefox before 124.0.1.
• CVE-2024-29944 (CVSS 10 Critical): Firefox incorrectly handled Message Manager listeners allowing an attacker to inject an event handler into a privileged object to execute arbitrary code.
• CVE-2024-2887 (High Severity): A type confusion [CWE-843] vulnerability in the Chromium browser’s implementation of WebAssembly (Wasm).

New Actively Exploited Microsoft Vulnerabilities

Microsoft’s March 2024 security advisory included a total of 61 vulnerabilities impacting many products. The Windows kernel had the most CVEs disclosed with a total of eight, five of which are rated high severity. Microsoft WDAC OLE DB provider for SQL, Windows ODBC Driver, SQL Server, and Microsoft WDAC ODBC Driver combined to account for ten high severity CVEs. There are no workarounds for any vulnerabilities in the group meaning that updates must be applied to all affected products. Greenbone includes vulnerability tests to detect the newly disclosed vulnerabilities from Microsoft’s March 2024 security advisory.

Microsoft has so far tagged six its new March 2024 vulnerabilities as “Exploitation More Likely”, while two new vulnerabilities affecting Microsoft products were added to the CISA KEV list; CVE-2023-29360 (CVSS 8.4 High) affecting Microsoft Streaming Service and CVE-2024-21338 (CVSS 7.8 High) published in 2023 were assigned actively exploited status in March.

CVE-2024-27198: Critical Severity CVE In JetBrains TeamCity

TeamCity is a popular continuous integration and continuous delivery (CI/CD) server developed by JetBrains, the same company behind other widely-used development tools like IntelliJ IDEA, the leading Kotlin Integrated Development Environment (IDE), and PyCharm, an IDE for Python. TeamCity is designed to help software development teams automate and streamline their build, test, and deployment processes and competes with other CI/CD platforms such as Jenkins, GitLab CI/CD, Travis CI, and Azure DevOps, among others. TeamCity is estimated to hold almost 6% of the total Continuous Integration And Delivery market share and ranks third overall, while according to JetBrains, over 15.9 million developers use their products, including 90 of the Fortune Global Top 100 companies.

Given JetBrains market position, a critical severity vulnerability in one of their products will quickly attract the attention of threat actors. Within three days of CVE-2024-27198 being published it was added to the CISA KEV catalog. Greenbone Enterprise vulnerability feed includes tests to identify affected products including a version check and an active check that sends a crafted HTTP GET request and analyzes the response.

When combined, CVE-2024-27198 (CVSS 9.8 Critical) and CVE-2024-27199 allow an attacker to bypass authentication using an alternative path or channel [CWE-288] to read protected files including those outside of the restricted directory [CWE-23] and perform limited admin actions.

Summary

March 2024 was another fever-pitched month for software vulnerabilities due to the NIST NVD outage and active exploitation of several vulnerabilities in enterprise and consumer software products. On the bright side, several zero-day vulnerabilities impacting all major browsers were identified and patched.

However, the fact that a single researcher was able to so quickly exploit all major browsers is serious wake-up call for all organizations since the browser plays such a fundamental role in modern enterprise operations. Vulnerability management remains a core element in cybersecurity strategy, and regularly scanning IT infrastructure for vulnerabilities ensures that the latest threats can be identified for remediation – closing the gaps that attackers seek to exploits for access to critical systems and data.