There is a buffer overflow vulnerability in the underlying Utility daemon that could lead to unauthenticated remote code execution by sending specially crafted packets destined to the PAPI (Aruba's access point management protocol) UDP port (8211). Successful exploitation of this vulnerability results in the ability to execute arbitrary code as a privileged user on the underlying operating system.
Note that it says "results in the ability," not "may result in the ability" to execute remote code.
Affected Products
=================
HPE Aruba Networking
- Mobility Conductor (formerly Mobility Master)
- Mobility Controllers
- WLAN Gateways and SD-WAN Gateways managed by Aruba Central
Affected Software Versions:
- ArubaOS 10.5.x.x: 10.5.1.0 and below
- ArubaOS 10.4.x.x: 10.4.1.0 and below
- ArubaOS 8.11.x.x: 8.11.2.1 and below
- ArubaOS 8.10.x.x: 8.10.0.10 and below
The following ArubaOS and SD-WAN software versions that are End
of Maintenance are affected by these vulnerabilities and are not
patched by this advisory:
- ArubaOS 10.3.x.x: all
- ArubaOS 8.9.x.x: all
- ArubaOS 8.8.x.x: all
- ArubaOS 8.7.x.x: all
- ArubaOS 8.6.x.x: all
- ArubaOS 6.5.4.x: all
- SD-WAN 8.7.0.0-2.3.0.x: all
- SD-WAN 8.6.0.4-2.2.x.x: all
Our research reveals that nearly 20% of these public repositories (almost three million repositories!) actually hosted malicious content. The content ranged from simple spam that promotes pirated content, to extremely malicious entities such as malware and phishing sites, uploaded by automatically generated accounts.
The vulnerability, cataloged under CVE-2024-2961 and rated 8.8 on the CVSS scale, resides in the ISO-2022-CN-EXT plugin of the glibc’s iconv library. This critical flaw occurs during the charset conversion process from UCS4, where specific escape characters are required to signify changes in the charset to the library. However, due to insufficient boundary checks on internal buffers, an out-of-bounds write can occur, allowing up to three bytes to be written outside the intended memory area.
This vulnerability poses a significant risk as it compromises the Integrity, Confidentiality, and Availability (ICA) triad by potentially allowing attackers to craft malicious character sequences that trigger the out-of-bounds write, leading to remote code execution. The exploitation of this flaw could result in application crashes, arbitrary memory corruption, data overwrites, and even system takeovers.
Delinea have published IoCs for a security incident in Delinea Secret Server Cloud aka Thycotic. It’s behind a paywall. It’s a vulnerability in their SOAP implementation. No CVE has been assigned, presumably because cloud service. #threatintel
Oh boy. Apparently things are not good at Delinea around Thycotic. I just checked and the cloud version appears to be patched for this - after security incident.
Change Healthcare didn’t use MFA on Citrix Netscaler. It was a bog standard ransomware incident.
One learning for the industry btw - I saw loads of threat intel channels circulating incorrect info about the incident. That’s fine, but some (eg the health info sharing authorities) reshared this wrong info.
The CEO of UnitedHealth is due to give testimony in Washington on their Change Healthcare ransomware incident tomorrow, where he will say “Our company alone repels an attempted intrusion every 70 seconds – thwarting more than 450,000 intrusions per year”
That sound impressive, but if you own a Windows PC at home, you’re doing the same thing - it’s called the built in firewall.
Not having MFA on Citrix Netscaler is also called negligence.