Tag Archive for: CISA

Just last month, CVE-2025-22457 (CVSS 9.8) affecting Ivanti Connect Secure, Policy Secure, and ZTA Gateways was recognized as a vector for ransomware. Now, two new CVEs have been added to the growing list of high-risk Ivanti vulnerabilities; CVE-2025-4427 and CVE-2025-4428 affecting Ivanti EPMM (Endpoint and Patch Management Mobile) are under active exploitation.

Greenbone includes active check and version detection tests addressing both new CVEs and many other flaws in Ivanti products, allowing users to identify vulnerable instances, proceed with the patch process and verify security compliance once patches have been applied. In this blog post we will review the technical details of both new CVEs and assess the role that Ivanti has played in the global cyber risk calculus.

Two New CVEs in Ivanti EPMM Combine for Unauthorized Access

At the time of disclosure, Ivanti admitted that on-premises EPMM customers had already been breached. However, cloud security firm Wiz claims that self-managed cloud instances have also been effectively exploited by attackers. A full technical description of the attack chain is publicly available, making exploit development easier for attackers and further increasing the risk.

Here is a brief summary of each CVE:

  • CVE-2025-4427 (CVSS 5.3): An authentication bypass in the API component of Ivanti EPMM 12.5.0.0 and prior allows attackers to access protected resources without proper credentials via the API.
  • CVE-2025-4428 (CVSS 7.2): Remote Code Execution (RCE) in the API component of Ivanti EPMM 12.5.0.0 and prior allows authenticated attackers to execute arbitrary code via crafted API requests.

Ivanti has released patches to remediate the flaws. Users should update EPMM to at least version 11.12.0.5, 12.3.0.2, 12.4.0.2 or 12.5.0.1. If immediate patching is not possible, Ivanti recommends restricting API access using either the built-in Portal ACLs (Access Control Lists with the “API Connection” type) or an external WAF (Web Application Firewall). Network-based ACLs are discouraged by the vendor, since they may block some EPMM functionality. While these mitigations reduce risk, they can impact functionality for certain EPMM integrations, such as Microsoft Autopilot and Graph API. Ivanti also offers an RPM file which can be used to patch EPMM via SSH command line access.

The Invanti EPMM Exploit Chain

The exploit chain in Ivanti EPMM begins with CVE-2025-4427. Due to an insecure configuration in the application’s security.xml file, certain endpoints (specifically /rs/api/v2/featureusage) partially process requests if the format parameter is provided. This pre-auth processing allowed unauthenticated requests to access functions that should be protected. This access control flaw caused by CVE-2025-4427 sets the stage for RCE via CVE-2025-4428.

CVE-2025-4428 allows RCE via an Expression Language (EL) injection via HTTP requests. If the format parameter supplied in a request is invalid as per the EPMM’s specification (neither “cve” or “json”), its value is appended to an error message without sanitization and logged via Spring Framework’s message templating engine. By supplying specially crafted values in the format parameter, attackers can execute arbitrary Java code because the logged message is evaluated as an EL formatted string.

Researchers have pointed out these risks associated with message templating engines are well documented and rebuked Ivanti’s claims that the vulnerability was due to a flaw in a third-party library, rather than their own oversight. Also, if the conditions leading to exploitation of CVE-2025-4428 sounds familiar, it is reminiscent of the infamous Log4Shell vulnerability. Like Log4Shell, CVE-2025-4428 results from passing unsanitized user input into an expression engine which will interpret special commands from a formatted string. In the case of Log4Shell, malicious string formatting in JNDI lookups (e.g., ${jndi:ldap://…}), could trigger RCE.

Risk Assessment: Attackers Advance on Ivanti Flaws

Ivanti has been in the hot seat for the past few years. Attackers have often exploited flaws in Ivanti’s products to gain initial access to their victim’s networks. Across all product lines, the vendor has been the subject of 61 Critical severity (CVSS >= 9.0) CVEs since the start of 2023. 30 of these have been added to CISA KEV (Known Exploited Vulnerabilities of the Cybersecurity and Infrastructure Security Agency), although the true tally of actively exploited flaws may be higher. Ivanti CVEs have a high conversion rate for use in ransomware attacks; CISA notes 8 CVEs in this category.

In early 2024, the European Commission, ENISA, CERT-EU and Europol issued a joint statement addressing active exploitation of Ivanti Connect Secure and Policy Secure Gateway products. In the US, CISA directed all federal civilian agencies to disconnect these products and assume they had been breached [1][2]. CISA, the FBI and cybersecurity agencies from the UK, Australia and Canada issued a joint advisory warning of ongoing exploitation. By late 2024, CISA had also alerted to active exploitation of Ivanti Cloud Service Appliances (CSA), warning that both state-sponsored and financially motivated threat actors were successfully targeting unpatched systems.

In 2025, on January 8th, CISA warned that newly disclosed CVE-2025-0282 and CVE-2025-0283 in Ivanti Connect Secure, Policy Secure and ZTA Gateways were also under active exploitation. Unfortunately, attackers continue to advance on new flaws in Ivanti’s products well into 2025 including CVE-2025-22457 [3][4] and now, two new CVEs in EPMM discussed above.

Dennis Kozak replaced Jeff Abbott as Ivanti’s CEO effective January 1, 2025 despite a mid-2024 pledge from Mr. Abbot for improved product security. No public statement was made linking the succession to the Utah company’s security challenges, however it happened with only a few weeks’ notice. Executives have not been called to testify before US congress as many other cybersecurity leaders have following high-risk incidents including Sudhakar Ramakrishna (CEO of SolarWinds), Brad Smith (President of Microsoft) and George Kurtz (CEO of CrowdStrike).

Echoes from EPMM’s Past: CVE-2023-35078 and CVE-2023-35082

In addition to the vortex of vulnerabilities discussed above, CVE-2023-35078 (CVSS 9.8) and CVE-2023-35082 (CVSS 9.8), disclosed in July and August 2023 respectively, also provided unauthenticated RCE for Ivanti EPMM. Public exploitation kicked off almost immediately after their disclosure in 2023.

CVE-2023-35078 was exploited to breach the Norwegian government, compromising data from twelve ministries [3][4]. CISA issued an urgent advisory (AA23-214A) citing confirmed exploitation by Advanced Persistent Threat (APT) actors and advising all federal agencies to take immediate mitigation steps. Even back in 2023, the speed and breadth of the attacks underscored Ivanti’s growing profile as a repeat offender, enabling espionage and financially motivated cybercrime.

Summary

Ivanti EPMM is susceptible to two new vulnerabilities; CVE-2025-4427 and CVE-2025-4428 can be combined for unauthorized remote code execution. Now under active exploitation, they underscore a troubling pattern of high-severity flaws in Ivanti products. Ivanti has released patches to remediate the flaws and users should update EPMM to at least version 11.12.0.5, 12.3.0.2, 12.4.0.2 or 12.5.0.1.

Greenbone’s vulnerability detection capabilities extend to include tests for CVE-2025-4427 and CVE-2025-4428 allowing Ivanti EPMM users to identify all vulnerable instances and verify security compliance once patches have been applied.

CVE-2025-34028 (CVSS 10) is a maximum severity flaw in Commvault Command Center, a popular admin console for managing IT security services such as data protection and backups across enterprise environments. As of April 28th, CVE-2025-34028 has been flagged as actively exploited. CVE-2025-34028 also presents heightened risk due to the existence of publicly available proof-of-concept (PoC) exploit code and the fact that Command Center manages the backups and other security configurations for many prominent organizations.

The flaw allows unauthenticated attackers to perform Remote Code Execution (RCE) and to take complete control of a Command Center environment. Given the sensitivity and criticality of IT tasks managed by Commvault, forfeiting complete control has a high potential for disastrous impacts. For example, if backups are disabled, an organization could lose their ability to recover from a ransomware attack. This makes CVE-2025-34028 an attractive target for ransomware operators and financially motivated attackers.

The vulnerability, discovered by Sonny Macdonald of watchTowr Labs, exploits a server-side request forgery (SSRF) [CWE-918] weakness in Command Center’s deployWebpackage.do endpoint. In a successful attack, an adversary uploads a poisoned ZIP archive to a publicly accessible path. The malicious ZIP file is automatically extracted allowing attackers to trigger execution via HTTP GET request to the extracted payload.

CVE-2025-34028 affects versions 11.38.0 to 11.38.19 on both Linux and Windows platforms. Greenbone is able to detect CVE-2025-34028 with an active check that sends a crafted HTTP POST request and checks if the target connects back to the scanner host indicating that it is vulnerable to exploitation. Users of affected versions are urged to apply patches immediately. Let’s further examine the risk posed by CVE-2025-34028.

What is Commvault Command Center?

Commvault Command Center is a web-based interface written in Java that enables organizations to manage data protection, backup, and recovery operations across enterprise environments. Commvault markets itself as a single platform with modular components such as Commvault Complete Backup & Recovery, Commvault HyperScale X and Commvault Disaster Recovery. Most of Commvault’s products rely on the Command Center as their primary management interface. As such, Command Center is used to configure backup jobs, monitor systems, restore data and administer user roles and access.

As of 2025, Commvault maintains roughly 6.2% of the Backup And Recovery market share category, serving over 10,000 organizations globally, across various industries such as banking, healthcare, government and technology. Most of its customers are large enterprises, with 42% having more than 1,000 employees. With Commvault’s adoption among critical sectors including healthcare, government and Fortune 500 companies, the potential impact of this vulnerability is widespread and significant.

A Technical Description of CVE-2025-34028

The discovery and disclosure of CVE-2025-34028 was accompanied by a full technical description and PoC code. Here is a brief summary of the root cause and attack vector for CVE-2025-34028:

The root cause of CVE-2025-34028 is classified as Server-Side Request Forgery (SSRF) [CWE-918]. SSRF vulnerabilities arise when an application is tricked into accessing a remote resource without properly validating it. By exploiting SSRF flaws, an attacker can potentially bypass access controls [CWE-284] such as firewalls that prevent the attackers from accessing the URLs directly. You can think of it as “bouncing” a request off the target in order to bypass security measures. In the case of CVE-2025-34028, the SSRF flaw allows an Unrestricted Upload of File with Dangerous Type [CWE-434].

Here is how the exploit process for CVE-2025-34028 works:

Mixed among the Command Center application endpoints, the researcher found 58 that do not require any form of authentication. Inspecting these unrestricted APIs, researchers discovered the deployWebpackage.do endpoint included a parameter named commcellName, which was used to define the hostname of a URL and which was not filtered for scope. Another parameter, servicePack, defines the local path where the HTTP response to that URL should be stored.

Using a simple directory traversal technique, i.e. prepending the servicePack parameter with “../../” the researcher was able to achieve arbitrary file upload to a custom destination. The Command Center application used a hardcoded filename dist-cc.zip, indicating that the program was expecting a ZIP archive.

When supplying a ZIP archived Java executable (.jsp file), and specifying an unauthenticated route via the servicePack param, a malicious .jsp payload was uploaded, automatically extracted, where it could be accessed directly via an HTTP GET request. This results in execution of the .jsp file by Command Center’s Apache Tomcat web server and unauthenticated, arbitrary RCE on behalf of the attacker.

Mitigating CVE-2025-34028

CVE-2025-34028 affects Commvault Command Center versions 11.38.0 through 11.38.19 on both Linux and Windows platforms and has been resolved in versions 11.38.20 and 11.38.25, with patches released on April 10, 2025. For those unable to update immediately, Commvault recommends isolating the Command Center installation from external network access as a temporary mitigation.

Commvault’s Innovation releases, which are frequent, feature-rich update tracks, are typically updated automatically by the system on a predefined schedule without requiring user action. This is in contrast to Long Term Support (LTS) versions which require manual updates.

Summary

CVE-2025-34028 is a critical severity unauthenticated RCE flaw in Commvault Command Center that doesn’t require user interaction. The vulnerability has been flagged as actively exploited by CISA as of April 2025. CVE-2025-34028 affects Command Center versions 11.38.0–11.38.19 and enables attackers to take full control of backup systems. Commvault is relied upon by many large companies globally for key backup and restoration capabilities making CVE-2025-34028 a hot target for ransomware threat actors. Greenbone is able to detect affected Command Center instances with an active test that uses an HTTP POST request to verify vulnerability.

Contact Test Now Buy Here Back to Overview

Two new CVEs in Apache Camel have been disclosed warranting immediate attention from users. On March 9, 2025, Apache disclosed CVE-2025-27636 (CVSS 5.6), a Remote Code Execution (RCE) flaw. Two days later, on March 11th, Akamai’s Security Intelligence Group (SIG) reported a bypass technique for the original patch, resulting in CVE-2025-29891 (CVSS 4.2) being published on March 12th.

Green graphic with stylised camel in a desert landscape. To the right is a button with the inscription ‘RCE in Apache Camel’.

Although the two vulnerabilities have only been assigned moderate CVSS severity scores by CISA-ADP (CISA’s Authorized Data Publisher), they could be severe impact vulnerabilities depending on the targeted Camel instance’s configuration. Both CVEs have the same root cause: improper filtering of HTTP headers or HTTP parameters when communicating to an Apache Camel instance. As the article’s title suggests, parameters were filtered using case-sensitive methods, while the arguments themselves were being applied in a non-case-sensitive manner.

Furthermore, publicly available proof-of-concept (PoC) code and a relatively complete technical description adds to the risk. Greenbone can detect both CVE-2025-27636 and CVE-2025-29891 with vulnerability tests that actively check for exploitable HTTP endpoints. Let’s review the details.

What Is Apache Camel?

Apache Camel is a popular open-source Java library for integrating different components of a distributed enterprise system architecture such as APIs or microservices. In a nutshell, Camel is a versatile platform for routing and mediation based on the Enterprise Integration Patterns (EIPs) concept of enterprise system architecture design. Apache Camel is heavily based on EIPs and provides an implementation of these patterns via its domain-specific languages (DSL) that include Java, XML, Groovy, YAML and others.

As of 2021, Apache Camel held approximately 3.03% of the Enterprise Application Integration market. The software is used by over 5,600 companies, roughly half being US-based. Camel’s market share is predominantly in the Information Technology and Services industry (33%), Computer Software industry (12%) and Financial Services industry (6%).

Two New CVEs in Apache Camel May Allow RCE

When any of Camel’s HTTP-based components handle requests, a default filter is supposed to prevent exposure of sensitive data or execution of internal commands. However, due to a flawed case-sensitive filtering rule, only exactly matched headers were filtered. However, downstream in the program logic, these headers were being applied in a non-case-sensitive manner, allowing filter bypass. Changing the case of the first character of the header name, an attacker could bypass the filter to inject arbitrary headers.

The good news is that either the camel-bean or camel-exec component must be enabled in combination with an http-based component such as such as camel-http, camel-http4, camel-rest, camel-servlet or others. Also, exploitation is limited to internal methods within the scope declared in the HTTP request URI. One final saving grace is that this flaw has not been implicated as an unauthenticated vulnerability. Therefore, unless the system designers have implemented any authentication and authorization for a Camel HTTP API, it is not exploitable.

At the high-end of the risk spectrum, if the Camel Exec component is enabled and targeted, an attacker can achieve arbitrary RCE as the user controlling the Camel process. RCE is achieved by sending the CamelExecCommandExecutable header to specify an arbitrary shell command, overriding the commands configured on the back-end. If exploitable Camel HTTP APIs are Internet accessible, the risk is especially high, however, this flaw could also be used for lateral movement within a network by an insider, or by attackers who have gained initial access to an organization’s internal network.

A technical description of the exploit chain and proof-of-concept (PoC) has been provided by Akamai.

What Is the Appropriate CVSS Score?

Although CVE-2025-27636 (CVSS 5.6) and CVE-2025-29891 (CVSS 4.2) have been assigned moderate severity scores, they could have a critical impact if either the camel-bean or camel-exec components are enabled in combination with http-based components. The situation highlights some limitations of the scoring by CVSS (Common Vulnerability Scoring System).

Akamai researchers report that the flaw is trivial to exploit and have published proof-of-concept (PoC) code, increasing the risk. This implies that the CVSS Attack Complexity (AC) metric should be set to Low (L). However, CISA-ADP has assessed attack complexity as high (AC:H) given these facts. Red Hat has accounted for these factors and increased the CVSS for CVE-2025-27636 to 6.3.

Also, the CISA-ADP assessed no impact to confidentiality for CVE-2025-29891, despite the potential for arbitrary RCE. However, if an Apache Camel instance has a vulnerable configuration, a high impact assessment for Confidentiality (C), Integrity (I) and Availability (A), is justified further increasing the criticality to CVSS 9.8.

On the other hand, the CISA-ADP assigned a Privileges Required (PR) value of None (N). However, although Akamai’s PoC does not use an HTTPS connection or authentication, it would be extremely negligent to operate an unencrypted and unauthenticated API. Apache Camel supports Java Secure Socket Extension (JSSE) API for Transport Layer Security (TLS) or using a KeyCloak Single Sign-On (SSO) authorization server. Camel instances with some form of client authentication enabled would be protected against exploitation. For most cases, the PR value should be adjusted to Low (L) or High (H) resulting in a diminished CVSS of 7.3 or 8.8.

Furthermore, the CVEs were assigned a Scope value Unchanged (UC). According to the CVSS v3.1 specification: “The Scope metric captures whether a vulnerability in one vulnerable component impacts resources in components beyond its security scope.” Execution of arbitrary shell commands on the compromised system is typically assigned the value of Changed (C). If the Camel process is owned by the Linux/Unix root or a Windows administrator user, an attacker would have virtually unlimited control of a compromised system. Accounting for the variety of possible CVSS assessments, CVE-2025-27636 and CVE-2025-29891 should be considered critical severity vulnerabilities if an instance meets the configuration requirements and does not apply authentication.

Mitigating the CVEs in Apache Camel

CVE-2025-27636 and CVE-2025-29891 affect Apache Camel version 4.10 before 4.10.2, version 4.8 before 4.8.5 and version 3 before 3.22.4. Users should upgrade to 4.10.2, 4.8.5 or 3.22.4 or implement custom header filtering using removeHeader or removeHeaders in Camel routes. It should be noted that Camel versions 4.10.0, 4.10.1, 4.8.0 to 4.8.4, and 3.10.0 to 3.22.3 are still vulnerable although they were considered security updates that addressed the flaw.

Also, it is strongly recommended that all HTTP endpoints in a distributed architecture employ strong authentication. For Apache Camel, options include: using Java Secure Socket Extension (JSSE) API for TLS with Camel components or using a KeyCloak OAuth 2.0 SSO authorization server. For legacy systems, a minimum of HTTP Basic Authentication should be configured.

Summary

Apache Camel users should immediately upgrade to versions 4.10.2, 4.8.5 or 3.22.4 to mitigate the newly published CVEs affecting Apache Camel. Alternatively, implement custom header filtering using removeHeader or removeHeaders in Camel routes. Strong authentication on all HTTP endpoints is also highly recommended for security best-practices. Apache Camel supports the JSSE API for TLS or KeyCloak SSO solutions. Greenbone is able to detect both CVE-2025-27636 and CVE-2025-29891 with vulnerability tests that actively check for exploitable HTTP endpoints.

Contact Test Now Buy Here Back to Overview

Trimble Cityworks, an enterprise asset management (EAM) and public works management software is actively under attack. The campaign began as an unknown (zero-day) vulnerability, but is now tracked as ​​CVE-2025-0994 with a CVSS of 8.6. The vulnerability is a deserialization flaw [CWE-502] that could allow an authenticated attacker to execute arbitrary code remotely (Remote Code Execution; RCE). Greenbone includes detection for CVE-2025-0994 in the Enterprise Feed.

Active exploitation of CVE-2025-0994 is a real and present danger. Trimble has released a statement acknowledging the attacks against their product. Thanks to the vendor’s transparency, CISA (Cybersecurity and Infrastructure Security Agency) has added CVE-2025-0994 to their catalog of Known Exploited Vulnerabilities (KEV), published an ICS advisory as well as a CSAF 2.0 document. CSAF 2.0 advisories are machine readable advisory documents for decentralized sharing of cybersecurity intelligence.

Although many media reports and some threat platforms indicate that a public proof-of-concept (PoC) exists, the only search result for GitHub is simply a version detection test. This means it is less likely that low-skilled hackers will easily participate in attacks. The misinformation is likely due to poorly designed algorithms combined with lack of human oversight before publishing threat intelligence.

Who Is at Risk due to CVE-2025-0994?

Trimble Cityworks is designed for and used primarily by local governments and critical infrastructure providers including water and wastewater systems, energy, transportation systems, government industrial facilities and communications agencies. Cityworks enhances Geographic Information Systems (GIS) by integrating asset management and public works solutions directly with Esri ArcGIS. The software is meant to help organizations manage infrastructure, schedule maintenance and improve operational efficiency. In addition to CISA, several other government agencies have issued alerts regarding this vulnerability including the US Environment Protection Agency (EPA), the Canadian Centre for Cyber Security and New York State.

Trimble Cityworks has reported serving over 700 customers across North America, Europe, Australia and the Middle East in 2019. While specific numbers for municipal governments in the U.S., Canada and the EU are not publicly disclosed, a Shodan search and Censys map both reveal only about 100 publicly exposed instances of Cityworks. However, the application is considered to have a high adoption rate by local governments and utilities. If publicly exposed, CVE-2025-0994 could offer an attacker initial access [T1190]. For attackers who already have a foothold, the flaw is an opportunity for lateral movement [TA0008] and presents an easy mark for insider attacks.

A Technical Description of CVE-2025-0994

CVE-2025-0994 is a deserialization vulnerability [CWE-502] found in versions of Trimble Cityworks prior to 15.8.9 and Cityworks with Office Companion versions prior to 23.10. The vulnerability arises from the improper deserialization of untrusted serialized data, allowing an authenticated attacker to execute arbitrary code remotely on a target’s Microsoft Internet Information Services (IIS) web server.

Serialization is a process whereby the software code or objects are encoded to be transferred between applications and then reconstructed into the original format used by a programming language. When Trimble Cityworks processes serialized objects, it does not properly validate or sanitize untrusted input. This flaw allows an attacker with authenticated access to send specially crafted serialized objects, which can trigger arbitrary code execution on the underlying IIS server. Deserializing data from unauthenticated sources seems like a significant design flaw in itself, but failing to properly sanitize serialized data is especially poor security.

Exploitation CVE-2025-0994 could lead to:

  • Unauthorized access to sensitive data
  • Service disruption of critical infrastructure systems
  • Potential full system compromise of the affected IIS web server

Mitigating CVE-2025-0994 in Trimble Cityworks

Trimble has released patched versions of Cityworks that address the deserialization vulnerability. These patches include Cityworks 15.8.9 and Cityworks 23.10. On-premise users must immediately upgrade to the patched version, while Cityworks Online (CWOL) customers will receive these updates automatically.

Trimble noted that some on-premise deployments are running IIS with overprivileged identity permissions, which increases the attack surface. IIS should not have local or domain-level administrative privileges. Follow Trimble’s guidance in the latest Cityworks release notes to adjust IIS identity configurations properly.

Users of on-premises Trimble Cityworks should:

  • Update Cityworks 15.x versions to 15.8.9 and 23.x versions to 23.10.
  • Audit IIS identity permissions to ensure that they align with the principle of least privilege.
  • Limit attachment directory root configuration to only folders which only contain attachments.
  • Use a firewall to restrict IIS server access to trusted internal systems only.
  • Use a VPN to allow remote access to Cityworks rather than publicly exposing the service.

Summary

CVE-2025-0994 represents a serious security risk to Trimble Cityworks users, which largely comprise government and critical infrastructure environments. With active exploitation already observed, organizations must prioritize immediate patching and implement security hardening measures to mitigate the risk. Greenbone has added detection for CVE-2025-0994 to the Enterprise Feed, allowing customers to gain visibility into their exposure.

Contact Test Now Buy Here Back to Overview

Web browsers are a primary gateway to business and consequently they are also a primary gateway for cyber attacks. Malware targeting browsers could gain direct unauthorized access to a target’s network and data or social engineer victims into providing sensitive information that gives the attacker unauthorized access, such as account credentials. In 2024, major browsers (Chrome, Firefox, and Safari) accounted for 59 Critical severity (CVSS3 ³ 9) and 256 High severity (CVSS3 between 7.0 and 8.9) vulnerabilities. 10 CVEs (Common Vulnerabilities and Exposures) in the trifecta were added to the KEV (Known Exploited Vulnerabilities) catalog of CISA (Cybersecurity & Infrastructure Security Agency). Browser security should therefore be top-of-mind for security teams.

In light of this, we are proud to announce the addition of CIS Google Chrome Benchmark v3.0.0 Level 1 auditing to our list of compliance capabilities. This latest feature allows our Enterprise feed subscribers to verify their Google Chrome configurations against the industry-leading CIS compliance framework of the CIS (Center for Internet Security). The new Google Chrome benchmark tests will sit among our other CIS controls in critical cybersecurity areas such as Apache, IIS, NGINX, MongoDB, Oracle, PostgreSQL, Windows and Linux [1] [2].

CIS Google Chrome Benchmark for Windows

The CIS Google Chrome Benchmark v3.0.0 Level 1 is now available in the Greenbone Enterprise Feed. It establishes a hardened configuration for the Chrome browser. For Windows, implementing the controls involves setting Windows registry keys to define Chrome’s security configuration. Continuous attestation is important because if modified at the user level Chrome becomes more vulnerable to data-leakage, social engineering attacks or other attack vectors.

Our Enterprise vulnerability feed uses compliance policies to run tests on target endpoints, verifying each requirement in the CIS benchmark through one or more dedicated vulnerability tests. These tests are grouped into scan configurations which can be used to create scan tasks that access groups of target systems to verify their security posture. When aligning with internal risk requirements or mandatory government policies, Greenbone has you covered.

The Importance of Browser Security

Much of the critical information flowing through the average organization is transmitted through the browser. The rise of a remote workforce and cloud-based web-applications means that web browsers are a primary interface for business activities. Not surprisingly, in the past few years, Internet browsers have been a hotbed for exploitation. National cybersecurity agencies such Germany’s BSI [3] [4], CISA [5] [6], and the Canadian Centre for Cyber Security [7] have all released advisories for addressing the risks posed by Internet browsers.

Browsers can be exploited via technical vulnerabilities and misconfigurations that could lead to remote code execution, theft of sensitive data and account takeover, but are also a conduit for social engineering attacks. Browser security must be addressed by implementing a hardened security profile and continuously attesting it and by regularly applying updates to combat any recently discovered vulnerabilities. Greenbone is able to detect known vulnerabilities for published CVEs in all major browsers and now with our latest CIS Google Chrome Benchmark certification, we can attest industry standard browser compliance.

How Does the CIS Google Chrome Benchmark Improve Browser Security?

Every CIS Benchmark is developed through a consensus review process that involves a global community of subject matter experts from diverse fields such as consulting, software development, auditing, compliance, security research, operations, government, and legal. This collaborative process is meant to ensure that the benchmarks are practical and data-driven and reflect real-world expertise. As such, CIS Benchmarks serve as a vital part of a robust cybersecurity program.

In general, CIS Benchmarks focus on secure technical configuration settings and should be used alongside essential cyber hygiene practices, such as monitoring and promptly patching vulnerabilities in operating systems, applications and libraries.

The CIS Google Chrome Benchmark defines security controls such as:

  • No domains can bypass scanning for dangerous resources such as phishing content and malware.
  • Strict verification of SSL/TLS certificates issued by websites.
  • Reducing Chrome’s overall attack surface by ensuring the latest updates are automatically applied periodically.
  • Chrome is configured to detect DNS interception which could potentially allow DNS hijacking.
  • Chrome and extensions cannot interact with other third party software.
  • Websites and browser extensions cannot abuse connections with media, the local file system or external devices such as Bluetooth, USB or media casting devices.
  • Only extensions from the Google Chrome Web Store can be installed.
  • All processes forked from the main Chrome process are stopped once the Chrome application has been closed.
  • SafeSites content filtering blocks links to adult content from search results.
  • Prevent importing insecure data such as auto-fill form data, default homepage or other configuration settings.
  • Ensuring that critical warnings cannot be suppressed.

Greenbone Is a CIS Consortium Member

As a member of the CIS consortium, Greenbone continues to enhance its CIS Benchmark scan configurations. All our CIS Benchmarks policies are aligned with CIS hardening guidelines and certified by CIS, ensuring maximum security for system audits. Also, Greenbone has added a new compliance view to the Greenbone Security Assistant (GSA) web-interface, streamlining the process for organizations seeking to remove security gaps from their infrastructure to prevent security breaches.

Summary

CIS Controls are critical for safeguarding systems and data by providing clear, actionable guidance on secure configurations. The CIS Google Chrome Benchmark is especially vital at the enterprise level, where browsers impact many forms of sensitive data. It’s exciting to announce that Greenbone is expanding the industry leading vulnerability detection capabilities with a new compliance scan: the CIS Google Chrome Benchmark v3.0.0 Level 1. With this certification, Greenbone continues to strengthen its position as a trusted ally in proactive cybersecurity. This latest feature reflects our dedication to advancing IT security and protecting against evolving cyber threats.

Contact Test Now Buy Here Back to Overview

The cybersecurity risk environment has been red hot through the first half of 2024. Critical vulnerabilities in even the most critical technologies are perpetually open to cyber attacks, and defenders face the continuous struggle to identify and remediate these relentlessly emerging security gaps. Large organizations are being targeted by sophisticated “big game hunting” campaigns by ransomware gangs seeking to hit the ransomware jackpot. The largest ransomware payout ever was reported in August – 75 million Dollar to the Dark Angels gang. Small and medium sized enterprises are targeted on a daily basis by automated “mass exploitation” attacks, also often seeking to deliver ransomware [1][2][3].

A quick look at CISA’s Top Routinely Exploited Vulnerabilities shows us that even though cyber criminals can turn new CVE (Common Vulnerabilities and Exposures) information into exploit code in a matter of days or even hours, older vulnerabilities from years past are still on their radar.

In this month’s Threat Tracking blog post, we will point out some of the top cybersecurity risks to enterprise cybersecurity, highlighting vulnerabilities recently reported as actively exploited and other critical vulnerabilities in enterprise IT products.

The BSI Improves LibreOffice’s Mitigation of Human Error

OpenSource Security on behalf of the German Federal Office for Information Security (BSI) recently identified a secure-by-design flaw in LibreOffice. Tracked as CVE-2024-6472 (CVSS 7.8 High), it was found that users could enable unsigned macros embedded in LibreOffice documents, overriding the “high security mode” setting. While exploitation requires human interaction, the weakness addresses a false sense of security, that unsigned macros could not be executed when “high security mode” enabled.

KeyTrap: DoS Attack Against DNSSEC

In February 2024, academics at the German National Research Center for Applied Cybersecurity (ATHENE) in Darmstadt disclosed “the worst attack on DNS ever discovered”. According to German researchers, a single packet can cause a “Denial of Service” (DoS) by exhausting a DNSSEC-validating DNS resolver. Dubbed “KeyTrap”, attackers can exploit the weakness to prevent clients using a compromised DNS server from accessing the internet or local network resources. The culprit is a design flaw in the current DNSSEC specification [RFC-9364] that dates back more than 20 years [RFC-3833].

Published in February 2024 and tracked as CVE-2023-50387 (CVSS 7.5 High), exploitation of the vulnerability is considered trivial and proof-of-concept code is available on GitHub. The availability of exploit code means that low skilled criminals can easily launch attacks. Greenbone can identify systems with vulnerable DNS applications impacted by CVE-2023-50387 with local security checks (LSC) for all operating systems.

CVE-2024-23897 in Jenkins Used to Breach Indian Bank

CVE-2024-23897 (CVSS 9.8 Critical) in Jenkins (versions 2.441 and LTS 2.426.2 and earlier) is being actively exploited and used in ransomware campaigns including one against the National Payments Corporation of India (NPCI). Jenkins is an open-source automation server used primarily for continuous integration (CI) and continuous delivery (CD) in software development operations (DevOps).

The Command Line Interface (CLI) in affected versions of Jenkins contains a path traversal vulnerability [CWE-35] caused by a feature that replaces the @-character followed by a file path with the file’s actual contents. This allows attackers to read the contents of sensitive files including those that provide unauthorized access and subsequent code execution. CVE-2024-23897 and its use in ransomware attacks follows a joint CISA and FBI alert for software vendors to address path traversal vulnerabilities [CWE-35] in their products. Greenbone includes an active check [1] and two version detection tests [2][3] for identifying vulnerable versions of Jenkins on Windows and Linux.

2 New Actively Exploited CVEs in String of Apache OFBiz Flaws

Apache OFBiz (Open For Business) is a popular open-source enterprise resource planning (ERP) and e-commerce software suite developed by the Apache Software Foundation. In August 2024, CISA alerted the cybersecurity community to active exploitation of Apache OFBiz via CVE-2024-38856 (CVSS 9.8 Critical) affecting versions before 18.12.13. CVE-2024-38856 is a path traversal vulnerability [CWE-35] that affects OFBiz’s “override view” functionality allowing unauthenticated attackers Remote Code Execution (RCE) on the affected system.

CVE-2024-38856 is a bypass of a previously patched vulnerability, CVE-2024-36104, just published in June 2024, indicating that the initial fix did not fully remediate the problem. This also builds upon another 2024 vulnerability in OFBiz, CVE-2024-32113 (CVSS 9.8 Critical), which was also being actively exploited to distribute Mirai botnet. Finally, in early September 2024, two new critical severity CVEs, CVE-2024-45507 and CVE-2024-45195 (CVSS 9.8 Critical) were added to the list of threats impacting current versions of OFBiz.

Due to the notice of active exploitation and Proof-of-Concept (PoC) exploits being readily available for CVE-2024-38856 [1][2] and CVE-2024-32113 [1][2] affected users need to patch urgently. Greenbone can detect all aforementioned CVEs in Apache OFBiz with both active and version checks.

CVE-2022-0185 in the Linux Kernel Actively Exploited

CVE-2022-0185 (CVSS 8.4 High), an heap-based buffer overflow vulnerability in the Linux kernel, was added to CISA KEV in August 2024. Publicly available PoC-exploit-code and detailed technical descriptions of the vulnerability have contributed to the increase in cyber attacks exploiting CVE-2022-0185.

In CVE-2022-0185 in Linux’s “legacy_parse_param()” function within the Filesystem Context functionality the length of supplied parameters is not being properly verified. This flaw allows an unprivileged local user to escalate their privileges to the root user.

Greenbone could detect CVE-2022-0185 since it was disclosed in early 2022 via vulnerability test modules covering a wide set of Linux distributions including Red Hat, Ubuntu, SuSE, Amazon Linux, Rocky Linux, Fedora, Oracle Linux and Enterprise products such as IBM Spectrum Protect Plus.

New VoIP and PBX Vulnerabilities

A handful of CVEs were published in August 2024 impacting enterprise voice communication systems. The vulnerabilities were disclosed in Cisco’s small business VOIP systems and Asterisk, a popular open-source PBX branch system. Let’s dig into the specifics:

Cisco Small Business IP Phones Offer RCE and DoS

Three high severity vulnerabilities were disclosed that impact the web-management console of Cisco Small Business SPA300 Series and SPA500 Series IP Phones. While underscoring the importance of not exposing management consoles to the internet, these vulnerabilities also represent a vector for an insider or dormant attacker who has already gained access to an organization’s network to pivot their attacks to higher value assets and disrupt business operations.

Greenbone includes detection for all newly disclosed CVEs in Cisco Small Business IP Phone. Here is a brief technical description of each:

  • CVE-2024-20454 and CVE-2024-20450 (CVSS 9.8 Critical): An unauthenticated, remote attacker could execute arbitrary commands on the underlying operating system with root privileges because incoming HTTP packets are not properly checked for size, which could result in a buffer overflow.
  • CVE-2024-20451 (CVSS 7.5 High): An unauthenticated, remote attacker could cause an affected device to reload unexpectedly causing a Denial of Service because HTTP packets are not properly checked for size.

CVE-2024-42365 in Asterisk PBX Telephony Toolkit

Asterisk is an open-source private branch exchange (PBX) and telephony toolkit. PBX is a system used to manage internal and external call routing and can use traditional phone lines (analog or digital) or VoIP (IP PBX). CVE-2024-42365, published in August 2024, impacts versions of asterisk before 18.24.2, 20.9.2 and 21.4.2 and certified-asterisk versions 18.9-cert11 and 20.7-cert2. An exploit module has also been published for the Metasploit attack framework adding to the risk, however, active exploitation in the wild has not yet been observed.

Greenbone can detect CVE-2024-42365 via network scans. Here is a brief technical description of the vulnerability:

  • CVE-2024-42365 (CVSS 8.8 High): An AMI user with “write=originate” may change all configuration files in the “/etc/asterisk/” directory. This occurs because they are able to curl remote files and write them to disk but are also able to append to existing files using the FILE function inside the SET application. This issue may result in privilege escalation, Remote Code Execution or blind server-side request forgery with arbitrary protocols.

Browsers: Perpetual Cybersecurity Threats

CVE-2024-7971 and CVE-2024-7965, two new CVSS 8.8 High severity vulnerabilities in the Chrome browser, are being actively exploited for RCE. Either CVE can be triggered when victims are tricked into simply visiting a malicious web page. Google acknowledges that exploit code is publicly available, giving even low skilled cyber criminals the ability to launch attacks. Google Chrome has seen a steady stream of new vulnerabilities and active exploitation in recent years. A quick inspection of Mozilla Firefox shows a similar continuous stream of critical and high severity CVEs; seven Critical and six High severity vulnerabilities were disclosed in Firefox during August 2024, although active exploitation of these has not been reported.

The continuous onslaught of vulnerabilities in major browsers underscores the need for diligence to ensure that updates are applied as soon as they become available. Due to Chrome’s high market share of over 65% (over 70% considering Chromium-based Microsoft Edge) its vulnerabilities receive increased attention from cyber criminals. Considering the high number of severe vulnerabilities impacting Chromium’s V8 engine (more than 40 so far in 2024), Google Workspace admins might consider disabling V8 for all users in their organization to increase security. Other options for hardening browser security in high-risk scenarios include using remote browser isolation, network segmentation and booting from secure baseline images to ensure endpoints are not compromised.

Greenbone includes active authenticated vulnerability tests to identify vulnerable versions of browsers for Linux, Windows and macOS.

Summary

New critical and remotely exploitable vulnerabilities are being disclosed at record shattering rates amidst a red hot cyber risk environment. Asking IT security teams to manually track newly exposed vulnerabilities in addition to applying patches imposes an impossible burden and risks leaving critical vulnerabilities undetected and exposed. Vulnerability management is considered a fundamental cybersecurity activity; defenders of large, medium and small organizations need to employ tools such as Greenbone to automatically seek and report vulnerabilities across an organization’s IT infrastructure. 

Conducting automated network vulnerability scans and authenticated scans of each system’s host attack surface can dramatically reduce the workload on defenders, automatically providing them with a list of remediation tasks that is sortable according to threat severity.

Contact Test Now Buy Here Back to Overview

From a bird’s eye view, the cumulative cost of cyber-crime is estimated to reach 9.2 Trillion USD globally in 2024. According to the 2023 IBM X-Force Cost of a Data Breach Report, a single breach imposes an average of 4.45M USD of financial damage on a victim and while US firms incur more than double the global average, German organizations fared on par with the global average.

The most staggering costs are incurred by post-breach remediation activities such as incident response, digital forensics, system recovery, and mandatory disclosure reporting, while regulatory fines can also significantly add to cyber breach costs. Change Healthcare has forecasted an expected loss of 1.6B USD this year due to a breach that occurred in March 2024 and as discussed below, regulatory fines may be pending.

These potential damages highlight the importance of proactive security measures for preventing successful cyber attacks but also mitigating the financial impact should one occur​. The Ponemon Institute found that missing security patches accounted for 57% of cyber attacks. Getting breached less often is an obvious benefit of implementing preventative cybersecurity measures, but according to IBM, organizations with proactive risk-based vulnerability management (RBVM), also experience lower than average expenses post-breach (3.98M USD) compared to organizations without such measures (4.45M USD), those suffering from a skills shortage (5.36M USD), or those deemed non-compliant with cybersecurity regulations (5.05M USD).

Cost Of The Change Healthcare Post Ransomware Attack

In March, 2024 Change Healthcare suffered a ransomware attack that has so far burdened the company with roughly 872M USD in damages, and delayed 6B USD in health insurance payments. Change Healthcare forecasts an annual expected loss of 1.6B USD due to the incident. Established in 2007, Change Healthcare is a leading healthcare technology company selling revenue cycle management, payment accuracy, and clinical data exchange services globally​. A 2022 acquisition saw the company valued at 8B USD​.

HIPAA Compliance Investigation Into Change Healthcare

On top of that steep damage, the US HHS Office for Civil Rights, the entity responsible for enforcing the Health Insurance Portability and Accountability Act (HIPAA), has opened an investigation into the attack seeking to determine whether Change Healthcare violated its compliance requirements. The HIPAA Security Rules require covered entities to implement “recognized security practices” to protect ePHI against reasonably anticipated security threats.

Continuous vulnerability management activities are a fundamental component of all modern cybersecurity frameworks. If it can be called a bright side, the most severe penalties for HIPPA non-compliance are capped at a mere 2M USD; short change in comparison to the overall cost of response and recovery for this particular incident.

The Greenbone Vulnerability Management platform is capable of implementing customized compliance tests to meet any framework including CIS, DISA STIG, HIPAA, and more, and Greenbone is certified for both its information security management systems ISMS (ISO 27001), quality management (ISO 9000), and most recently, environmental management (ISO-14001).

Contact Test Now Buy Here Back to Overview

April 2024 has compounded another record breaking month for CVE disclosure on top of the last. In this month’s threat tracking report we will investigate several new actively exploited vulnerabilities and quickly review the cyber breach of US R&D giant MITRE. The report will also uncover how end-of-life (EOL) products can have a detrimental impact on an organization’s cybersecurity posture and how to manage the associated risks.

MITRE Exploited Via Ivanti Secure Connect Vulnerabilities

The MITRE Corporation is a not-for-profit organization established in 1958, that operates multiple federally funded research and development centers (FFRDCs) to support the US national defense, cybersecurity, healthcare, aviation, and more. MITRE also maintains several core cybersecurity frameworks such as MITRE ATT&CK, D3FEND, and vulnerability resources including the Common Vulnerabilities and Exposures (CVE) database, the Common Weakness and Enumeration (CWE), and the Common Attack Path Enumeration (CAPEC).

A recent cyber breach of MITRE shows that even the most cyber savvy organizations are not immune to targeted attacks from Advanced Persistent Threats (APTs). Initial access to one of MITRE’s research networks was gained via two Ivanti Connect Secure VPN service vulnerabilities; CVE-2023-46805 (CVSS 8.2) and CVE-2024-21887 (CVSS 9.1). We previously published a full description of these vulnerabilities which can both be detected by Greenbone’s vulnerability tests. After initial access, attackers were able to pivot to adjacent VMware infrastructure [TA0109] using stolen session tokens [T1563] to bypass multi-factor authentication and access admin accounts.

If it can happen to MITRE it can happen to any organization, but patching known actively exploited vulnerabilities is a critical cybersecurity activity that all organizations need to place strong emphasis on.

Operation MidnightEclipse: Exploited PaloAlto Zero Day

On April 10 2024, exploitation of a yet-undiscovered zero-day vulnerability in the GlobalProtect feature of PaloAlto PAN-OS was detected and reported by researchers at cybersecurity firm Volexity. The vulnerability, now tracked as CVE-2024-3400 (CVSS 10), allows unauthenticated remote code execution (RCE) with root privileges, and has been added to the CISA KEV (Known Exploited Vulnerabilities) catalog. The Greenbone enterprise vulnerability feed includes tests to detect CVE-2024-3400 allowing organizations to identify affected assets and plan remediation.

PaloAlto’s Unit42 is tracking subsequent attacks under the name Operation MidnightEclipse and along with Shadowserver Foundation, and GreyNoise, have observed simple probes and full exploitation followed by data exfiltration and installation of remote command and control (C2) tools. Also, several proof of concept (PoC) exploits have been publicly disclosed [1][2] by third parties extending the threat by enabling attacks from low-skilled cyber criminals.

CVE-2024-3400 affects PAN-OS 10.2, PAN-OS 11.0 and PAN-OS 11.1 firewalls configured with GlobalProtect gateway or GlobalProtect portal. Hotfix patches PAN-OS 10.2.9-h1, PAN-OS 11.0.4-h1, PAN-OS 11.1.2-h3 are currently available to remediate affected devices without requiring a restart. A comprehensive guide for remediation is available in the Palo Alto Knowledge Base.

D-Link End-Of-Life Products Exploited Via Hardcoded Credentials

Two critical vulnerabilities have been discovered in NAS devices manufactured by D-Link, labeled as CVE-2024-3272 (CVSS 9.8) and CVE-2024-3273 (CVSS 9.8). The impacted devices include DNS-320L, DNS-325, DNS-327L, and DNS-340L, all of which have reached their end of support product lifecycle. According to D-Link patches will not be provided. Both CVEs are being actively exploited, and a proof of concept (PoC) exploit for CVE-2024-3273 is available online. Globally this affects an estimated 92,000 devices.

Vulnerable devices all contain a default administration account that does not require a password. Attackers can execute commands remotely by sending a specially crafted HTTP GET request to the /cgi-bin/nas_sharing.cgi URI on the NAS web-interface. Combined, the two vulnerabilities pose a severe risk, as they allow root remote code execution (RCE) without authentication on the target device [T1584]. This gives attackers access to potentially sensitive data [TA0010] stored on the compromised NAS device itself, but also a foothold on the victim’s network to attempt lateral penetration [TA0008] to other systems on the network, or launch attacks globally as part of a botnet [T1584.005].

Securing End-Of-Life (EOL) Digital Products

End-of-life (EOL) digital products demand special security considerations due to discontinued vendor support. Here are some defensive tactics for protecting EOL digital products:

  1. Risk Assessment: Conduct regular risk assessments to identify the potential impact of legacy devices on your organization, especially considering that newly disclosed vulnerabilities may not have vendor provided remediation issued.
  2. Vulnerability and Patch Management: Although EOL products may be officially unsupported by their vendors, in some emergency cases, patches are still issued. Vulnerability scanning and patch management help identify new vulnerabilities and allow defenders to seek guidance from the vendor on remediation options.
  3. Isolation and Segmentation: If possible, isolate EOL products from the rest of the network to limit their exposure to potential threats. Segmenting these devices can help contain security breaches and prevent them from affecting other systems.
  4. Harden Configuration and Policies: In some cases, additional policies or security measures such as removing Internet access altogether are appropriate to further mitigate risk.
  5. Update to Supported Products: Update IT infrastructure to replace EOL products with supported alternatives. Transitioning to newer technologies can enhance security posture and reduce the reliance on outdated systems.
  6. Monitoring and Detection: Implement additional monitoring and detection mechanisms to detect any suspicious activity exploitation attempts or attempts at unauthorized access to EOL products. Continuous monitoring can help identify malicious activity promptly and allow appropriate responses.

CVE-2024-4040 CrushFTP VFS Sandbox Escape Vulnerability

CISA has issued an order for all federal US government agencies to patch systems using CrushFTP service due to active exploitation by politically motivated hackers. Tracked as CVE-2024-4040 (CVSS 9.8), the vulnerability allows an unauthenticated attacker to access sensitive data outside of the CrushFTP’s Virtual File System (VFS) and achieve full system compromise. The vulnerability stems from a failure to correctly authorize commands issued via the CrushFTP API [CWE-1336].

CrushFTP is a proprietary file transfer software designed for secure file transfer and file sharing. It supports a wide range of protocols, including FTP, SFTP, FTPS, HTTP, HTTPS, WebDAV, and more. The vulnerability lies in CrushFTP’s Java web-interface API for administering and monitoring the CrushFTP server.

CrushFTP said there is no way to identify a compromised instance from inspecting the application logs. It turned out that CVE-2024-4040 is trivial to exploit and publically available exploits are available, greatly increasing the risk. Greenbone’s Enterprise feed includes a vulnerability test to identify the HTTP header sent by vulnerable versions of CrushFTP.

There are an estimated 6,000 publicly exposed instances of CrushFTP in the US alone and over 7,000 public instances globally. CVE-2024-4040 impacts all versions of the application before 10.7.1 and 11.1.0 on all platforms, and customers should upgrade to a patched version with urgency.

Summary

April 2024 was a record breaking month for CVE disclosure and new cybersecurity challenges, including several high-profile incidents. Ivanti’s Secure Connect VPN was used to gain unauthorized access to MITRE’s development infrastructure leading to internal network attacks.

Various politically motivated threat actors were observed exploiting a zero-day vulnerability in Palo Alto’s PAN-OS now tracked as CVE-2024-3400, and two new critical vulnerabilities in EOL D-Link NAS devices highlight the need for extra security when legacy products must remain in active service. Also, a critical vulnerability in the CrushFTP server was found and quickly added to CISA KEV forcing US government agencies to patch with urgency.

Contact Test Now Buy Here Back to Overview

March 2024 was another eventful month for vulnerabilities and cybersecurity in general. It was the second consecutive month of lapsed Common Vulnerability Exposure (CVE) enrichment putting defenders in a precarious position with reduced risk visibility. The Linux kernel continued its elevated pace of vulnerability disclosures and was commissioned as a new CVE Numbering Authority (CNA). In addition, several critical vulnerabilities were added to CISA’s Known Exploited Vulnerabilities (KEV) list including Microsoft Windows, Fortinet FortiClientEMS, all the major browsers, and enterprise Continuous Integration And Delivery software vendor JetBrains.

Here’s a quick review of March 2024’s most impactful cybersecurity events.

The NIST NVD Disruption

NIST’s National Vulnerability Database (NVD) team largely abandoned CVE Enrichment in February 2024 with no warning. NIST NVD slowed to a CVE enrichment rate of just over 5% during March and it became obvious that the abrupt halt was not just a short-term outage. Disruption of CVE enrichment puts cybersecurity operations around the world at a big disadvantage because the NVD is the largest centralized repository of vulnerability severity information. Without severity enrichment, cybersecurity admins are left with very little information for vulnerability prioritization and risk management decision making.

Experts in the cybersecurity community traded public speculation until the VulnCon & Annual CNA Summit, where NIST’s Tanya Brewer announced that the non-regulatory US government agency would relinquish some aspects of the NVD management to an industry consortium. Brewer did not explain the exact cause for outage, but forecasted several additional goals for NIST NVD moving forward:

  • Allowing more outside parties to submit enrichment data
  • Improving the NVD’s software identification capabilities
  • Adding new types of threat intelligence data such as EPSS and the NIST Bugs Framework
  • Improving the NVD data’s usability and supporting new use cases
  • Automating some aspects of CVE analysis

Plenty Going On “In The Linux Kernel”

A total of 259 CVEs were disclosed in March 2024 with a description that began with: “In the Linux kernel” marking the second most active month ever for Linux vulnerability disclosures. The all time record was set one month prior in February with a total of 279 CVEs issued. March also marked a new milestone for kernel.org, the maintainer of the Linux kernel, as it was inducted as a CVE Numbering Authority (CNA). Kernel.org will now assume the role of assigning and enriching CVEs that impact the Linux kernel. Going forward the kernel.org asserts that CVEs will only be issued for discovered vulnerabilities after a fix is available, and CVEs will only be issued for versions of the Linux kernel that are actively supported.

Multiple High Severity Vulnerabilities In Fortinet Products

Several High severity vulnerabilities in Fortinet FortiOS and FortiClientEMS were disclosed. Of these, CVE-2023-48788 has been added to CISA’s KEV database. The risk imposed by CVE-2023-48788 is further compounded by the existence of a publicly available proof-of-concept (PoC) exploit. While CVE-2023-48788 is notably an SQL Injection [CWE-89] vulnerability, it can be exploited in tandem with the xp_cmdshell function of Microsoft SQL Server for remote code execution (RCE). Even when xp_cmdshell is not enabled by default, researchers have shown that it can be enabled via the SQL Injection weakness.

Greenbone has a network vulnerability test (NVT) that can identify systems affected by CVE-2023-48788, local security checks (LSCs) [1][2] that can identify systems affected by CVE-2023-42790 and CVE-2023-42789, and another LSC to identify systems affected by CVE-2023-36554. A proof-of-concept exploit for CVE-2023-3655 has been posted to GitHub.

  • CVE-2023-48788 (CVSS 9.8 Critical): A SQL Injection vulnerability allowing an attacker to execute unauthorized code or commands via specially crafted packets in Fortinet FortiClientEMS version 7.2.0 through 7.2.2.
  • CVE-2023-42789 (CVSS 9.8 Critical): An out-of-bounds write in Fortinet FortiOS allows an attacker to execute unauthorized code or commands via specially crafted HTTP requests. Affected products include FortiOS 7.4.0 through 7.4.1, 7.2.0 through 7.2.5, 7.0.0 through 7.0.12, 6.4.0 through 6.4.14, 6.2.0 through 6.2.15, FortiProxy 7.4.0, 7.2.0 through 7.2.6, 7.0.0 through 7.0.12, 2.0.0 through 2.0.13.
  • CVE-2023-42790 (CVSS 8.1 High): A stack-based buffer overflow in Fortinet FortiOS allows an attacker to execute unauthorized code or commands via specially crafted HTTP requests. Affected products include FortiOS 7.4.0 through 7.4.1, 7.2.0 through 7.2.5, 7.0.0 through 7.0.12, 6.4.0 through 6.4.14, 6.2.0 through 6.2.15, FortiProxy 7.4.0, 7.2.0 through 7.2.6, 7.0.0 through 7.0.12, 2.0.0 through 2.0.13.
  • CVE-2023-36554 (CVSS 9.8 Critical): FortiManager is prone to an improper access control vulnerability in backup and restore features that can allow attackers to execute unauthorized code or commands via specially crafted HTTP requests. Affected products are FortiManager version 7.4.0, version 7.2.0 through 7.2.3, version 7.0.0 through 7.0.10, version 6.4.0 through 6.4.13 and 6.2, all versions.

Zero Days In All Major Browsers

Pwn2Own, an exciting hacking competition took place at CanSecWest security conference on March 20th – 22nd. At this year’s event, 29 distinct zero-days were discovered and over one million dollars in prize money was awarded to security researchers. Independent entrant Manfred Paul earned a total of $202,500 including $100,000 for two zero day sandbox escape vulnerabilities in Mozilla Firefox. Mozilla quickly issued updates to Firefox with version 124.0.1.

Manfred Paul also achieved remote code execution (RCE) in Apple’s Safari by combining Pointer Authentication Code (PAC) [D3-PAN] bypass and integer underflow [CWE-191] zero-days. PACs in Apple’s operating systems are cryptographic signatures for verifying the integrity of pointers to prevent the exploitation of memory corruption bugs. PAC has been bypassed before for RCE in Safari. Manfred defeated Google Chrome and Microsoft Edge via an Improper Validation of Specified Quantity in Input [CWE-1284] vulnerability to complete the browser exploit trifecta.

The fact all major browsers were breached underscores the high risk of visiting untrusted Internet sites and the overall lack of security provided by major browser vendors. Greenbone includes tests to identify vulnerable versions of Firefox and Chrome.

  • CVE-2024-29943 (CVSS 10 Critical): An attacker was able to exploit Firefox via an out-of-bounds read or write on a JavaScript object by fooling range-based bounds check elimination. This vulnerability affects versions of Firefox before 124.0.1.
  • CVE-2024-29944 (CVSS 10 Critical): Firefox incorrectly handled Message Manager listeners allowing an attacker to inject an event handler into a privileged object to execute arbitrary code.
  • CVE-2024-2887 (High Severity): A type confusion [CWE-843] vulnerability in the Chromium browser’s implementation of WebAssembly (Wasm).

New Actively Exploited Microsoft Vulnerabilities

Microsoft’s March 2024 security advisory included a total of 61 vulnerabilities impacting many products. The Windows kernel had the most CVEs disclosed with a total of eight, five of which are rated high severity. Microsoft WDAC OLE DB provider for SQL, Windows ODBC Driver, SQL Server, and Microsoft WDAC ODBC Driver combined to account for ten high severity CVEs. There are no workarounds for any vulnerabilities in the group meaning that updates must be applied to all affected products. Greenbone includes vulnerability tests to detect the newly disclosed vulnerabilities from Microsoft’s March 2024 security advisory.

Microsoft has so far tagged six its new March 2024 vulnerabilities as “Exploitation More Likely”, while two new vulnerabilities affecting Microsoft products were added to the CISA KEV list; CVE-2023-29360 (CVSS 8.4 High) affecting Microsoft Streaming Service and CVE-2024-21338 (CVSS 7.8 High) published in 2023 were assigned actively exploited status in March.

CVE-2024-27198: Critical Severity CVE In JetBrains TeamCity

TeamCity is a popular continuous integration and continuous delivery (CI/CD) server developed by JetBrains, the same company behind other widely-used development tools like IntelliJ IDEA, the leading Kotlin Integrated Development Environment (IDE), and PyCharm, an IDE for Python. TeamCity is designed to help software development teams automate and streamline their build, test, and deployment processes and competes with other CI/CD platforms such as Jenkins, GitLab CI/CD, Travis CI, and Azure DevOps, among others. TeamCity is estimated to hold almost 6% of the total Continuous Integration And Delivery market share and ranks third overall, while according to JetBrains, over 15.9 million developers use their products, including 90 of the Fortune Global Top 100 companies.

Given JetBrains market position, a critical severity vulnerability in one of their products will quickly attract the attention of threat actors. Within three days of CVE-2024-27198 being published it was added to the CISA KEV catalog. Greenbone Enterprise vulnerability feed includes tests to identify affected products including a version check and an active check that sends a crafted HTTP GET request and analyzes the response.

When combined, CVE-2024-27198 (CVSS 9.8 Critical) and CVE-2024-27199 allow an attacker to bypass authentication using an alternative path or channel [CWE-288] to read protected files including those outside of the restricted directory [CWE-23] and perform limited admin actions.

Summary

March 2024 was another fever-pitched month for software vulnerabilities due to the NIST NVD outage and active exploitation of several vulnerabilities in enterprise and consumer software products. On the bright side, several zero-day vulnerabilities impacting all major browsers were identified and patched.

However, the fact that a single researcher was able to so quickly exploit all major browsers is serious wake-up call for all organizations since the browser plays such a fundamental role in modern enterprise operations. Vulnerability management remains a core element in cybersecurity strategy, and regularly scanning IT infrastructure for vulnerabilities ensures that the latest threats can be identified for remediation – closing the gaps that attackers seek to exploits for access to critical systems and data.

Contact Test Now Buy Here Back to Overview