New Mitigations to Defend Against Exploitation of Ivanti Connect Secure and Policy Secure Gateways
"Threat actors are continuing to leverage vulnerabilities in Ivanti Connect Secure and Policy Secure Gateways to capture credentials and/or drop webshells that enable further compromise of enterprise networks."
Microsoft MSRC published an out-of-cycle security advisory for CVE-2024-21388 (6.5 medium), a Microsoft Edge (Chromium-based) elevation of privilege vulnerability. Not publicly disclosed, not exploited, exploitation less likely.
🔗 https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2024-21388
In its ICS advisory, CISA revealed that several Hitron Systems security camera DVR denial of service vulnerabilities are being actively exploited. These are zero-days reported by Akamai:
CVE-2024-22768 (7.4 high) improper input validation leading to denial of service
CVE-2024-22769 (7.4 high) improper input validation leading to denial of service
CVE-2024-22770 (7.4 high) improper input validation leading to denial of service
CVE-2024-22771 (7.4 high) improper input validation leading to denial of service
CVE-2024-22772 (7.4 high) improper input validation leading to denial of service
CVE-2024-23842 (7.4 high) improper input validation leading to denial of service
Ivanti Avalanche directory traversal vulnerability CVE-2023-41474 (unknown CVSSv3 score) was publicly disclosed on 08 January 2024 with a proof of concept: https://github.com/JBalanza/CVE-2023-41474
Hackers can remotely steal your Windows login 🔑 NTLM passwords through a #vulnerability in Outlook's calendar feature triggered via specially crafted invites.
Horizon3 discusses factors that could significantly increase the criticality of Jenkins RCE CVE-2024-23897 (9.8 critical): "There are two dangerous Jenkins configuration options that allow unauthenticated attackers to effectively act like authenticated attackers. The “Allow users to sign up” option allows anyone with access to the Jenkins instance to self-register an account. And the “Allow anonymous read access” option gives everyone the Overall/Read permission." The impact matrix alone was worth taking a look at.
🔗 https://www.horizon3.ai/cve-2024-23897-assessing-the-impact-of-the-jenkins-arbitrary-file-leak-vulnerability/
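Both of the Jenkins options Horizon3 calls out are persisted in the global config.xml, so they can be audited offline before an instance is exposed. The following is an added example written for this digest, not code from Horizon3 or the Jenkins project. It assumes the element names Jenkins writes to $JENKINS_HOME/config.xml for the built-in user database (HudsonPrivateSecurityRealm with a disableSignup flag) and the "Logged-in users can do anything" strategy (FullControlOnceLoggedInAuthorizationStrategy with a denyAnonymousReadAccess flag); the extra check for matrix-based strategies is a best-effort heuristic on the permission entries that plugin stores, and the sample configs are constructed.

```python
"""Audit a Jenkins config.xml for the two global-security settings that let an
unauthenticated user act as an authenticated one: self-registration
("Allow users to sign up") and "Allow anonymous read access".

Added example, not Horizon3's or the Jenkins project's code. Element names are
assumed from how Jenkins serialises its built-in realm and authorization
strategy; the matrix-permission check is a heuristic (see comment below).
"""
import sys
import xml.etree.ElementTree as ET
from typing import List

# Constructed sample: both dangerous options enabled.
WEAK_CONFIG = """<hudson>
  <useSecurity>true</useSecurity>
  <authorizationStrategy class="hudson.security.FullControlOnceLoggedInAuthorizationStrategy">
    <denyAnonymousReadAccess>false</denyAnonymousReadAccess>
  </authorizationStrategy>
  <securityRealm class="hudson.security.HudsonPrivateSecurityRealm">
    <disableSignup>false</disableSignup>
    <enableCaptcha>false</enableCaptcha>
  </securityRealm>
</hudson>
"""

# Constructed sample: the hardened equivalent (sign-up off, anonymous read denied).
HARDENED_CONFIG = """<hudson>
  <useSecurity>true</useSecurity>
  <authorizationStrategy class="hudson.security.FullControlOnceLoggedInAuthorizationStrategy">
    <denyAnonymousReadAccess>true</denyAnonymousReadAccess>
  </authorizationStrategy>
  <securityRealm class="hudson.security.HudsonPrivateSecurityRealm">
    <disableSignup>true</disableSignup>
    <enableCaptcha>false</enableCaptcha>
  </securityRealm>
</hudson>
"""

PRIVATE_REALM = "hudson.security.HudsonPrivateSecurityRealm"
LOGGED_IN_STRATEGY = "hudson.security.FullControlOnceLoggedInAuthorizationStrategy"
UNSECURED_STRATEGY = "hudson.security.AuthorizationStrategy$Unsecured"


def _flag_is_true(parent, tag: str) -> bool:
    # A missing element is treated as "not true", i.e. as the risky state.
    return (parent.findtext(tag) or "").strip().lower() == "true"


def audit_jenkins_config(xml_text: str) -> List[str]:
    """Return a list of findings; an empty list means neither option is on."""
    root = ET.fromstring(xml_text)
    findings = []

    if not _flag_is_true(root, "useSecurity"):
        # Nothing else matters: every visitor is already fully privileged.
        return ["useSecurity is not true: Jenkins security is disabled entirely"]

    realm = root.find("securityRealm")
    if realm is not None and realm.get("class") == PRIVATE_REALM:
        if not _flag_is_true(realm, "disableSignup"):
            findings.append("'Allow users to sign up' is enabled "
                            "(securityRealm/disableSignup is not true)")

    strategy = root.find("authorizationStrategy")
    if strategy is not None:
        cls = strategy.get("class", "")
        if cls == UNSECURED_STRATEGY:
            findings.append("authorizationStrategy is Unsecured: anyone has full control")
        elif cls == LOGGED_IN_STRATEGY:
            if not _flag_is_true(strategy, "denyAnonymousReadAccess"):
                findings.append("'Allow anonymous read access' is enabled "
                                "(authorizationStrategy/denyAnonymousReadAccess is not true)")
        else:
            # Matrix-based strategies store grants as "<Permission>:<sid>" (older) or
            # "<type>:<Permission>:<sid>" (newer). Assumption: Overall/Read granted to
            # the special 'anonymous' sid is what the anonymous-read option maps to.
            for perm in strategy.iter("permission"):
                text = (perm.text or "").strip()
                if text.endswith(":anonymous") and "hudson.model.Hudson.Read" in text:
                    findings.append("Overall/Read is granted to anonymous: %s" % text)
    return findings


if __name__ == "__main__":
    # Usage: python audit_jenkins.py /path/to/jenkins_home/config.xml (path is yours)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            results = audit_jenkins_config(fh.read())
    else:
        results = audit_jenkins_config(WEAK_CONFIG)
    for line in results or ["no dangerous options found"]:
        print(line)
```

Run against a real config.xml the script prints one line per risky setting and nothing else when both options are off; because CVE-2024-23897 is only a file leak for anonymous users when Overall/Read is granted, the denyAnonymousReadAccess finding is the one to clear first while the patch is pending.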
Just your periodic update from Ivanti regarding their CVE-2023-46805 (8.2 high) and CVE-2024-21887 (9.1 critical) zero-days (both disclosed 10 January 2024 as exploited in the wild; proofs of concept are public and mass exploitation is under way):
"Update 26 January: The targeted release of patches for supported versions is delayed; this delay impacts all subsequent planned patch releases. We are now targeting next week to release a patch for Ivanti Connect Secure (versions 9.1R17x, 9.1R18x, 22.4R2x and 22.5R1.1), Ivanti Policy Secure (versions 9.1R17x, 9.1R18x and 22.5R1x) and ZTA version 22.6R1x.
Patches for supported versions will still be released on a staggered schedule. Instructions on how to upgrade to a supported version will also be provided. The timing of patch release is subject to change as we prioritize the security and quality of each release. Please ensure you are following this article to receive updates as they become available."
🔗 https://forums.ivanti.com/s/article/KB-CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US
Jenkins RCE CVE-2024-23897 (9.8 critical, proofs of concept publicly available) allegedly being exploited in the wild, reported 3 days ago by a graduate student researcher* of Sky Computing Lab, UC Berkeley.
The Linux shim bootloader has a heap buffer overflow #vulnerability, CVE-2023-40547, that allows arbitrary code execution and full system compromise when an attacker is able to control the HTTP response.
A popular file transfer product from Fortra, GoAnywhere Managed File Transfer (MFT), has been found to have a serious security flaw. The flaw, a path traversal weakness, could give anyone administrator rights over the system. It was discovered in December 2023 by cybersecurity researchers Mohammed Eldeeb and Islam Elrfai of Spark Engineering Consultants and disclosed to GoAnywhere’s developer, Fortra. The flaw carries a severity score of 9.8 out of 10, making it critical. Users are urged to patch immediately to prevent misuse.
Citrix Hypervisor Security Bulletin for CVE-2023-46838: "An issue has been discovered that affects Citrix Hypervisor 8.2 CU1 LTSR and may allow malicious privileged code in a guest VM to cause the host to crash or become unresponsive." Citrix has released a hotfix (NOTE: NOT A PROPER PATCH) to address this issue.
🔗 https://support.citrix.com/article/CTX587605/citrix-hypervisor-security-bulletin-for-cve202346838
Hot off the press: Apple zero-day CVE-2024-23222 affects WebKit: processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been exploited.
Johannes Ullrich @jullrich of SANS ISC warns of scanning and exploitation attempts against the Atlassian Confluence RCE vulnerability CVE-2023-22527 (10.0 critical, disclosed 16 January 2024 by Atlassian).
🔗 https://isc.sans.edu/diary/rss/30576
Ron Bowes @iagox86 of @greynoise blogs about the confusing history of F5 BIG-IP RCE vulnerabilities, starting from an unidentified shell-injection attack against the filePath parameter of the F5 BIG-IP login page. It turned out to be CVE-2021-23015, but the path to figuring that out is an interesting read.
🔗 https://www.labs.greynoise.io/grimoire/2024-01-14-f5-rce-explained/