Monthly Advisory

October 2024 Threat Advisory – Top 5

by Eleanor Barlow • Oct 2024

SecurityHQ’s Monthly Threat Report, drawn from recent advisories of October 2024.

Ivanti Patches Multiple Vulnerabilities in Cloud Service Applications (CSA) Exploited in the Wild

Threat Reference: Global

Risks: Remote Code Execution, Privilege Escalation, and SQL Injection

Advisory Type: Updates/Patches

Priority: Standard

SecurityHQ has observed that Ivanti has released patches for multiple vulnerabilities classified as critical, high, and medium severity, affecting Ivanti CSA (Cloud Services Application). Successful exploitation of these vulnerabilities could allow an authenticated attacker to perform Remote Code Execution, Privilege Escalation, and SQL injection. Affected versions include Cloud Services Application (CSA) versions before 4.6.

Notable CVEs:

  • [Critical] – CVE-2024-8963 – Successful exploitation could allow a remote unauthenticated attacker to access restricted functionality.
  • [High] – CVE-2024-9380 – An OS command injection vulnerability in the admin web console of Ivanti CSA allows a remote authenticated attacker with admin privileges to obtain remote code execution.
  • [High] – CVE-2024-9381 – A path traversal vulnerability that allows an attacker with admin privileges to manipulate file paths in a way that can bypass access controls or restrictions.
  • [Medium] – CVE-2024-9379 – SQL injection in the admin web console of Ivanti CSA allows a remote authenticated attacker with admin privileges to run arbitrary SQL statements.

If CVE-2024-8963 is used in conjunction with CVE-2024-8190, an attacker can bypass admin authentication and execute arbitrary commands on the appliance.

Recommendation

Update the Ivanti Cloud Services Appliance (CSA) to 5.0.

Palo Alto has Released a Security Update to Fix Critical & High Severity Vulnerabilities

Threat Reference: Global

Risks: Command Injection, SQL Injection, Unauthenticated XSS, Sensitive Information Disclosure.

Advisory Type: Threats

Priority: Standard

Palo Alto has released security updates to fix multiple critical and high-severity vulnerabilities in the Expedition tool. These vulnerabilities allow attackers to read Expedition database contents and arbitrary files, as well as write arbitrary files to temporary storage locations on the system. The exposed information includes usernames, cleartext passwords, device configurations, and API keys for PAN-OS firewalls.

Affected products include the Palo Alto Networks Expedition tool.

Notable CVEs:

  • [Critical] – CVE-2024-9463 – An OS command injection vulnerability in Palo Alto Networks Expedition allows an unauthenticated attacker to run arbitrary OS commands as root in Expedition, resulting in disclosure of usernames, cleartext passwords, device configurations, and device API keys of PAN-OS firewalls.
  • [Critical] – CVE-2024-9464 – An OS command injection vulnerability in Palo Alto Networks Expedition allows an authenticated attacker to run arbitrary OS commands as root in Expedition, resulting in disclosure of usernames, cleartext passwords, device configurations, and device API keys of PAN-OS firewalls.
  • [Critical] – CVE-2024-9465 – An SQL injection vulnerability in Palo Alto Networks Expedition allows an unauthenticated attacker to reveal Expedition database contents, such as password hashes, usernames, device configurations, and device API keys. With this, attackers can also create and read arbitrary files on the Expedition system.
  • [High] – CVE-2024-9466 – A cleartext storage of sensitive information vulnerability in Palo Alto Networks Expedition allows an authenticated attacker to reveal firewall usernames, passwords, and API keys generated using those credentials.
  • [High] – CVE-2024-9467 – A reflected XSS vulnerability in Palo Alto Networks Expedition enables execution of malicious JavaScript in the context of an authenticated Expedition user’s browser if that user clicks on a malicious link, allowing phishing attacks that could lead to Expedition browser session theft.

SecurityHQ has identified proof-of-concept exploits published on 10th October 2024 for CVE-2024-9464, which has a CVSS score of 9.3, indicating critical severity. However, no active exploitation or association with threat actors or malware variants has been observed.

Recommendation

Update to Expedition version 1.2.96 or later. After upgrading to the fixed version of Expedition, all Expedition usernames, passwords, and API keys should be rotated. Additionally, all firewall usernames, passwords, and API keys processed by Expedition should be rotated. The cleartext file affected by CVE-2024-9466 will be automatically removed during the upgrade.
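One way to triage an asset inventory against the fixed versions named in this advisory (Expedition 1.2.96) and the Ivanti CSA advisory above (5.0), as an added example that is not SecurityHQ's or either vendor's tooling; the product keys and the inventory lines are constructed, and the point is that version strings must be compared numerically, since a plain string comparison ranks 1.2.100 below 1.2.96:

```python
import re

# Fixed versions taken from the recommendations on this page (Expedition
# 1.2.96, Ivanti CSA 5.0). The product keys are constructed labels.
FIXED_VERSIONS = {
    "palo-alto-expedition": "1.2.96",
    "ivanti-csa": "5.0",
}

def parse_version(text):
    """Turn '1.2.96' into (1, 2, 96) so that 1.2.100 sorts after 1.2.96.
    A plain string comparison gets this wrong ('1.2.100' < '1.2.96')."""
    parts = re.findall(r"\d+", text)
    if not parts:
        raise ValueError(f"no numeric version in {text!r}")
    return tuple(int(p) for p in parts)

def is_patched(product, version):
    """True when version is at or above the fixed version for product."""
    fixed = parse_version(FIXED_VERSIONS[product])
    have = parse_version(version)
    # Pad the shorter tuple with zeros so '5' compares equal to '5.0'.
    n = max(len(fixed), len(have))
    fixed += (0,) * (n - len(fixed))
    have += (0,) * (n - len(have))
    return have >= fixed

# Constructed sample inventory: "hostname,product,version" lines.
SAMPLE_INVENTORY = """\
expedition-01,palo-alto-expedition,1.2.95
expedition-02,palo-alto-expedition,1.2.100
csa-edge-01,ivanti-csa,4.6
csa-edge-02,ivanti-csa,5.0
"""

def triage(inventory_csv):
    """Return hostnames still below the fixed version; for Expedition these
    also need the credential rotation described in the recommendation."""
    needs_patch = []
    for line in inventory_csv.strip().splitlines():
        host, product, version = line.split(",")
        if product in FIXED_VERSIONS and not is_patched(product, version):
            needs_patch.append(host)
    return needs_patch

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: below fixed version, patch and rotate credentials")
```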

Cisco Releases Security Updates to Patch Critical and High-Severity Vulnerabilities

Threat Reference: Global

Risks: Remote Code Execution, Privilege Escalation, Arbitrary Code Execution, Exposure of sensitive information.

Advisory Type: Threats

Priority: Standard

SecurityHQ has observed that Cisco has released security updates to address critical and high-severity vulnerabilities across several of its products. Successful exploitation of these vulnerabilities could result in remote code execution, privilege escalation, arbitrary code execution, and exposure of sensitive information.

Affected Products include Cisco NDFC, Cisco RV340 Dual WAN Gigabit VPN Routers, Cisco RV340W Dual WAN Gigabit Wireless-AC VPN Routers, Cisco RV345 Dual WAN Gigabit VPN Routers, and Cisco RV345P Dual WAN Gigabit PoE VPN Routers.

Notable CVEs:

  • [Critical] – CVE-2024-20432 – A vulnerability in Cisco Nexus Dashboard Fabric Controller (NDFC) allows low-privileged, authenticated attackers to perform command injection via the REST API or web UI. This is due to improper authorization and command validation, enabling arbitrary command execution with network admin privileges.
  • [High] – CVE-2024-20449 – A vulnerability in Cisco Nexus Dashboard Fabric Controller (NDFC) allows authenticated, low-privileged remote attackers to execute arbitrary code due to improper path validation. Attackers can exploit this by using path traversal techniques to upload malicious code via Secure Copy Protocol (SCP), enabling code execution in a specific container with root privileges.
  • [High] – CVE-2024-20393 – A vulnerability in the web management interface of Cisco Small Business RV340, RV340W, RV345, and RV345P routers could allow an authenticated, remote attacker to elevate privileges. This vulnerability exists due to sensitive information disclosure. A successful exploit could allow an attacker to elevate privileges from guest to admin.
  • [High] – CVE-2024-20470 – A vulnerability in the web management interface of Cisco Small Business RV340, RV340W, RV345, and RV345P routers allows an authenticated, remote attacker with admin credentials to execute arbitrary code. This occurs due to insufficient input validation. A successful exploit could enable arbitrary code execution as the root user on the underlying system.

SecurityHQ was not able to observe any evidence of these vulnerabilities being exploited in the wild, nor any association with malware variants or threat actors.

Recommendation

Update all the affected products to the latest available patch version.

Oracle Released a Critical Patch Update for October 2024

Threat Reference: Global

Risks: Remote Code Execution (RCE), Privilege Escalation, Denial of Service (DoS), Unauthorized Access, Information Disclosure, Cross-Site Scripting (XSS).

Advisory Type: Threats

Priority: Standard

Oracle has released its quarterly Critical Patch Update, addressing a total of 334 new security patches across multiple Oracle product families. These updates aim to mitigate vulnerabilities that could allow attackers to remotely execute code, escalate privileges, cause denial of service, disclose information, perform cross-site scripting, or gain unauthorized access to systems.

Out of all security patches, 29 vulnerabilities were identified for Oracle Access Manager, 27 vulnerabilities for Oracle E-Business Suite, followed by Oracle Database Server and Oracle Fusion Middleware with 23 and 24 vulnerabilities, respectively.

Affected Products include Oracle Fusion Middleware, Oracle Communications, Oracle MySQL, Oracle Financial Services, Oracle Database Server, Oracle E-Business Suite, Oracle Java SE, Oracle PeopleSoft, Oracle Enterprise Manager, Oracle GoldenGate, Oracle Health Sciences, Oracle JD Edwards, Oracle Utilities Applications, Oracle Retail Applications, Oracle Virtualization, Oracle Secure Backup, Oracle Construction and Engineering, Oracle Hospitality, Oracle Policy Automation, Oracle NoSQL Database, and Oracle Systems.

Recommendation

Update all the affected products to the latest available patch version.

Microsoft Released its October 2024 Patch Tuesday for 118 flaws with 43 Remote Code Execution Vulnerabilities

Threat Reference: Global

Risks: Remote Code Execution, Privilege Escalation, Security Feature Bypass, Information Disclosure, Denial of Service and Spoofing.

Advisory Type: Threats

Priority: Standard

Microsoft has released its Patch Tuesday for October 2024 with security updates for 118 flaws with 43 Remote Code Execution Vulnerabilities. Successful exploitation of these vulnerabilities could result in Remote Code Execution, Privilege Escalation, Security Feature Bypass, Information Disclosure, Denial of Service, and Spoofing.

Notable CVEs:

  • [Critical] – CVE-2024-43468 – Microsoft Configuration Manager Remote Code Execution Vulnerability
  • [Critical] – CVE-2024-43488 – Visual Studio Code extension for Arduino Remote Code Execution Vulnerability
  • [Critical] – CVE-2024-43582 – Remote Desktop Protocol Server Remote Code Execution Vulnerability

For the full list of important and moderate CVEs, take a look here.

Affected Products include Windows, Windows Server, Windows Kernel, Microsoft Office, Microsoft Outlook, Microsoft Dynamics, Microsoft SharePoint, SQL Server, Windows Kerberos, Azure, and PowerBI.

Recommendation

Update all the affected products to the latest available patch version.

Threat Intelligence for the Future

SecurityHQ’s Threat Intelligence team is a cohesive global unit dedicated to Cyber Threat Intelligence. Our team is focused on researching emerging threats and tracking activities of threat actors, ransomware groups, and campaigns, to ensure that they stay ahead of potential risks. Beyond their investigative work, the Intelligence team provides actionable threat intelligence and research, enriching the understanding of SecurityHQ’s customers worldwide. United by a common commitment, the SecurityHQ Threat Intelligence team delivers the insights needed to confidently navigate the intricacies of the cyber security threat landscape.

For more information on these threats, speak to an expert here. Or if you suspect a security incident, you can report an incident here.