Exposures, Exposed! Weekly Round-up March 24 – March 30
Feeling adrift in the sea of cyber threats? Navigate the ever-shifting currents with confidence! "Exposures Exposed!" is your weekly compass, guiding you through the complex landscape of vulnerabilities.
Our expert team meticulously charts the most relevant exposure incidents, ensuring you have the knowledge to stay safe online. Don't get caught in a digital storm. Grab your copy of "Exposures Exposed!" today!
Here's what we’ve got for you this week:
Patch Now: Actively Exploited Flaw Found in SharePoint Server
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) identified a critical vulnerability (CVE-2023-24955) in Microsoft SharePoint Server that is being actively exploited.
This remote code execution flaw allows attackers with legitimate site owner privileges to execute malicious code on the server. Microsoft addressed the issue in its May 2023 Patch Tuesday updates.
This comes on the heels of CISA adding another SharePoint Server vulnerability (CVE-2023-29357) to its Known Exploited Vulnerabilities (KEV) catalog in February 2024. Researchers successfully chained these two vulnerabilities at a hacking contest last year.
While details about the current attacks are unknown, federal agencies are mandated to patch their systems by April 16, 2024.
The Takeaway: All SharePoint Server users should apply the May 2023 security updates immediately to address this actively exploited vulnerability.
Patched AWS Flaw Exposed Cloud Domain Misconfiguration
Researchers identified a now-patched vulnerability in AWS Managed Workflows for Apache Airflow (MWAA) that could have led to account hijacking and remote code execution.
The "FlowFixation" flaw exploited a combination of session fixation and a domain misconfiguration that impacted other cloud providers like Azure. This misconfiguration could have enabled same-site attacks, potentially granting attackers unauthorized access and code execution.
While AWS and Azure patched the issue, Google Cloud deemed it not critical. Researchers warn this misconfiguration elevates the risk of same-site attacks in cloud environments.
The Takeaway: Cloud providers and users should be aware of potential domain misconfiguration risks and implement best practices to mitigate same-site attack vulnerabilities.
Google Chrome Update Patches Several Vulnerabilities, Including Zero-Days
Google released a security update for Chrome on Tuesday, addressing seven vulnerabilities, four of which were identified by external researchers.
The most serious external flaw involved a memory management issue (CVE-2024-2883) within ANGLE, a graphics engine used by Chrome and other browsers. The researcher who discovered this vulnerability received a $10,000 bug bounty reward from Google.
Three other high-severity vulnerabilities (CVE-2024-2885) were also reported by external researchers. Additionally, the update addressed two zero-day vulnerabilities (CVE-2024-2886, CVE-2024-2887) that were exploited and reported at a recent hacking competition (Pwn2Own Vancouver 2024).
The Takeaway: While Google hasn't confirmed any real-world exploitation of these zero-day vulnerabilities, users are strongly encouraged to update their Chrome browsers to version 123.0.6312.86/.87 (Windows/macOS) or 123.0.6312.86 (Linux) as soon as possible.
Firefox Patches Zero-Day Exploited at Hacking Contest
Mozilla released updates to address two critical vulnerabilities in Firefox that were exploited at a recent hacking competition (Pwn2Own Vancouver 2024).
Security researcher Manfred Paul discovered these zero-day vulnerabilities (CVE-2024-29943 & CVE-2024-29944) and chained them together to bypass security measures and execute code on a system. The first flaw allowed out-of-bounds access to JavaScript objects, while the second enabled attackers to inject malicious code that could escape the browser's sandbox.
Both vulnerabilities received a "critical severity" rating from Mozilla, who released patches within a day of their discovery and exploitation. Firefox 124.0.1 addresses both issues, while Firefox ESR 115.9.1 fixes CVE-2024-29944. Thankfully, CVE-2024-29944 only affects desktop versions of Firefox.
The Takeaway: Update your Firefox browser to version 124.0.1 (or later) to address critical zero-day vulnerabilities.
Unauthenticated Attacks Patched in Cisco IOS and IOS XE Software
Cisco released security updates on Wednesday to address multiple vulnerabilities in its IOS and IOS XE software that could be exploited for denial-of-service (DoS) attacks without any authentication required.
The most critical flaws (CVSS score 8.6) affect various features including Locator ID Separation Protocol (LISP), IPv4 Software-Defined Access (SD-Access), and Internet Key Exchange (IKEv1). These issues arise from improper handling of specific network packets, leading to potential crashes on vulnerable devices.
Four additional high-severity vulnerabilities were identified in multicast DNS, OSPF, and IS-IS protocols, all exploitable by remote attackers through crafted packets.
Another patch addresses a secure boot bypass vulnerability in access point (AP) software, potentially allowing attackers with physical access to install unauthorized firmware.
Cisco also announced updates for seven medium-severity vulnerabilities leading to various security risks. While Cisco isn't aware of active exploitation, attackers are known to target unpatched Cisco products.
The Takeaway: Patch your Cisco IOS and IOS XE software as soon as possible to address critical DoS vulnerabilities and other security risks.
Dangerous XZ Utils Backdoor Is Discovered
On Friday, March 29th, a researcher from Microsoft disclosed that he had found malicious code embedded in XZ Utils versions 5.6.0 and 5.6.1. This vulnerability is being tracked as CVE-2024-3094 and currently carries a CVSS severity score of 10 out of 10. There is no evidence yet that the code has been exploited in the wild, but this is a rapidly developing situation, and more time and information are needed to understand the potential impact.
This vulnerability can allow remote backdoor access and may be present on instances of Fedora Linux 40 and Fedora Rawhide, as some users have already received system updates containing the malicious code. It may also be present on Debian unstable, Alpine Edge, Arch Linux, and openSUSE. Thankfully, there’s a good chance that the infected version is not yet on many users' deployments. According to developer Andres Freund, who discovered the vulnerability, “Luckily xz 5.6.0 and 5.6.1 have not yet widely been integrated by Linux distributions, and where they have, mostly in pre-release versions.”
The Takeaway: As the CVSS score implies, CVE-2024-3094 can have very serious implications if left unaddressed, potentially enabling unauthorized access that could affect the integrity and security of the system. Moreover, this attack can bypass typical security measures, leading to system compromise and data breaches. In the rare case that users have already updated to the impacted versions, they should revert to previous, unaffected versions as soon as possible.
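A quick way to check a host against the two versions named above, as an added example that is not part of the original round-up. The function name `xz_status` is hypothetical; it classifies the text printed by `xz --version`, looking at both the `xz` and `liblzma` lines because the tool and the library can differ.

```shell
#!/bin/sh
# Added example: classify `xz --version` output against the XZ Utils
# versions the article names as carrying the malicious code.
AFFECTED_VERSIONS="5.6.0 5.6.1"

# xz_status TEXT -> prints "affected", "not-affected" or "unknown".
# TEXT is the output of `xz --version`, which normally looks like:
#   xz (XZ Utils) 5.6.1
#   liblzma 5.6.1
xz_status() {
    # Extract the x.y.z version from the xz line and the liblzma line.
    xzs_found=$(printf '%s\n' "$1" |
        sed -n -E 's/^(xz \(XZ Utils\)|liblzma) ([0-9]+\.[0-9]+\.[0-9]+).*/\2/p')
    if [ -z "$xzs_found" ]; then
        echo unknown            # no recognisable version line
        return 0
    fi
    for xzs_v in $xzs_found; do
        for xzs_bad in $AFFECTED_VERSIONS; do
            if [ "$xzs_v" = "$xzs_bad" ]; then
                echo affected   # either the tool or the library matches
                return 0
            fi
        done
    done
    echo not-affected
}

# Check the local host when xz is installed.
if command -v xz >/dev/null 2>&1; then
    echo "local xz: $(xz_status "$(xz --version 2>/dev/null)")"
else
    echo "local xz: not installed"
fi
```

An "affected" result means the host should be moved back to an earlier, unaffected release, as the takeaway above advises.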
Popular WordPress Theme Patches XSS Vulnerability Quietly
Astra, a free WordPress theme used by over one million websites, recently addressed a security issue without providing detailed information, leaving users unsure about the update's urgency. The changelog simply states "Enhanced Security," offering no specifics about the vulnerability or its severity. This makes it difficult for theme users to decide between updating immediately and testing compatibility with other plugins first.
Security researchers at Patchstack identified the issue as a potential stored Cross-Site Scripting (XSS) vulnerability. Stored XSS vulnerabilities allow attackers to inject malicious scripts that execute whenever a visitor views the affected page.
The Takeaway: Update your Astra theme to version 4.6.9 or later to address a stored XSS vulnerability, but consider testing the update first to avoid compatibility issues.
That’s all for this week – have any exposures to add to our list? Let us know!