Exposures, Exposed! Weekly Round-up March 2 – March 9

Hear ye, O seekers of wisdom, and enter the realm of 'Exposures, Exposed!'. Behold, for here is your trusted guide to the ever-shifting realm of digital peril. Our devoted seers delve deep into the webs of cyberspace, unraveling its mysteries to unveil the most pertinent exposure incidents that transpire each passing week.

Here's what we’ve got for you this week:

Security Updates Address 38 Android Vulnerabilities

In a bid to enhance digital security, Google released security updates for Android, addressing 38 vulnerabilities. Two critical-severity flaws were identified in the System component, impacting Android 12, 12L, 13, and 14. Tracked as CVE-2024-0039 and CVE-2024-23717, these flaws could result in remote code execution and elevation of privilege.

The March 2024 security update, delivered in two parts, also tackled 11 'high'-severity vulnerabilities in the Framework and System components. The second part, included in the 2024-03-05 security patch, addressed 25 vulnerabilities in AMLogic, Arm, MediaTek, and Qualcomm components.

Devices with the 2024-03-05 security patch level are now protected against all 38 security defects. Google also patched over 50 vulnerabilities in Pixel devices, including 16 critical-severity flaws.

No active exploits were reported, but users are advised to update devices promptly.

The Takeaway: Ensure device security by promptly updating to the latest patches available.

JetBrains Urges Swift Action: Patch Critical TeamCity Vulnerabilities Now

Software developer JetBrains has issued a warning to users of its widely used TeamCity CI/CD tool, emphasizing the urgent need to patch two newly discovered vulnerabilities to avoid potential compromise.

Unearthed by Rapid7 last month, the vulnerabilities, identified as CVE-2024-27198 and CVE-2024-27199, now come with released exploit details, heightening the urgency for users to apply the necessary patches.

CVE-2024-27198 is an authentication bypass vulnerability in TeamCity's web component, with a CVSS base score of 9.8, posing a severe risk of complete compromise by remote unauthenticated attackers. The second, CVE-2024-27199, also an authentication bypass flaw, carries a CVSS base score of 7.3, allowing limited information disclosure and system modification.

JetBrains has promptly responded, releasing version 2023.11.4 and a security patch plugin for users unable to upgrade. Rapid7 warns that exploiting these vulnerabilities could grant attackers full control over TeamCity servers, enabling potential supply chain attacks.

The Takeaway: Act swiftly by patching TeamCity to thwart potential compromise.

Apple Unveils Fixes for iOS Zero-Day Vulnerabilities

In a recent disclosure, Apple revealed two zero-day vulnerabilities, CVE-2024-23225 and CVE-2024-23296, that pose potential exploitation risks to iOS devices. These flaws, bypassing kernel memory protections, mark Apple's second and third zero-days addressed this year.

Part of the iOS 17.4 and iPadOS 17.4 security update, the patches aim to mitigate the impact of these vulnerabilities. CVE-2024-23225, identified as a "memory corruption issue" that affects the kernel, permits attackers with arbitrary kernel read and write capabilities to bypass memory protections. Similarly, CVE-2024-23296, specific to RTKit in Apple chips, poses a similar threat.

Impacted devices include iPhone XS and later, various iPad Pro models, iPad Air, iPad, and iPad mini generations.

Despite the lack of specific researcher credits, Apple noted the vulnerabilities "may have been exploited." The update, focusing on "improved validation," urges all iOS users to promptly update their devices.

The Takeaway: Act swiftly to update iOS devices and safeguard against potential exploits.

CISA Issues Warnings on Microsoft and Cisco Vulnerabilities

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued alerts cautioning about vulnerabilities in Microsoft Streaming and Cisco's NX-OS data center network operating system. CISA's operational directive mandates federal civilian executive branch agencies to address the Microsoft Streaming vulnerability (CVE-2023-29360) to mitigate active threats. While the directive is agency-specific, CISA strongly advises all organizations to prioritize timely remediation of cataloged vulnerabilities.

Microsoft initially flagged the vulnerability in June 2023, emphasizing its potential to grant system privileges, affecting select Windows Server, Windows 10, and Windows 11 products.

For Cisco, CISA's alert focuses on NX-OS software vulnerabilities (CVE-2024-20321 and CVE-2024-20267), posing risks of denial-of-service attacks. Cisco recommends software updates to address these vulnerabilities, impacting certain Cisco Nexus series switches and platform switches.

The Takeaway: Organizations, especially federal agencies, must promptly address Microsoft and Cisco vulnerabilities to fortify network security.

CISA Alerts on Zeek Plugin Vulnerabilities Impacting Industrial Systems

This week, CISA also disclosed vulnerabilities in the Zeek network security monitoring tool's Ethercat plugin, which pose potential threats to industrial control system (ICS) environments. CISA's Industrial Control System advisory highlights two critical- and one high-severity vulnerabilities, tracked as CVE-2023-7244, CVE-2023-7243, and CVE-2023-7242.

The Ethercat plugin, which is crucial for ICS protocol parsing, is part of Zeek, a widely deployed network security monitoring framework. Exploitation involves specially crafted packets sent over the network that potentially lead to Zeek crashes or, in complex scenarios, allow attackers to execute arbitrary code with elevated privileges.

The Takeaway: Security teams managing Zeek installations, especially in ICS environments, must promptly update the Ethercat plugin to mitigate potential vulnerabilities.

Cisco Patches Critical Vulnerabilities in Secure Client

Cisco has released patches for two critical vulnerabilities in Secure Client, its enterprise VPN application. Both flaws could allow attackers to execute code on vulnerable systems.

The first issue, impacting Linux, macOS, and Windows versions, could be exploited remotely in CRLF injection attacks. An attacker could trick a user into clicking a malicious link, potentially stealing sensitive information or establishing unauthorized VPN sessions.?

The second vulnerability affects only Secure Client for Linux and requires administrator privileges for exploitation. An attacker could potentially gain full control of an affected device.?

Cisco has released patches for both vulnerabilities. Users are urged to update their Secure Client installations as soon as possible.

The Takeaway: Update your Cisco Secure Client installation to the latest version to address critical vulnerabilities.

VMware Issues Patches for Critical Vulnerabilities in Core Products

VMware released urgent security patches to address critical flaws in its ESXi, Workstation, Fusion, and Cloud Foundation products.

These vulnerabilities could grant attackers unauthorized code execution on virtual machines and potentially the underlying host system. Two vulnerabilities received a maximum severity score, prompting VMware to issue fixes even for unsupported products.

The flaws involve memory corruption issues in the XHCI USB controller that could allow attackers to bypass security measures. While the impact is contained within the virtual machine on ESXi, it could lead to code execution on the physical machine for Workstation and Fusion users.

VMware also addressed an out-of-bounds write vulnerability in ESXi and an information disclosure vulnerability in the UHCI USB controller.?

The Takeaway: Update your VMware ESXi, Workstation, Fusion, and Cloud Foundation installations immediately to mitigate these critical vulnerabilities.

That’s all for this week – have any exposures to add to our list? Let us know!