Exposures, Exposed! Weekly Round-up November 4 – November 10

Welcome to XM Cyber’s “Exposures, Exposed!” post-election special! This week, we’re campaigning against the latest cyber breaches, vulnerabilities, and alarming exposures. Our researchers hit the campaign trail, uncovering the most terrifying digital threats that threaten to undermine our security. Join us for a gripping look at this week’s most critical issues in the cyber world, as we cast our vote for stronger defense against lurking threats.?

Google’s AI Framework Detects Vulnerability in SQLite Database

Google Project Zero and DeepMind researchers have identified a stack buffer underflow vulnerability in SQLite, marking a milestone as the first real-world vulnerability detected using an AI-driven large language model (LLM). In a blog post, the Big Sleep team—a collaboration between Project Zero and DeepMind—described how they detected this flaw in October, shortly before its scheduled release, allowing SQLite’s developers to fix it immediately. This proactive identification prevented any user impact.

The discovery builds on Project Zero’s Naptime framework, which applies LLM-based tools to assist in vulnerability research. While fuzz testing remains the primary method for detecting such vulnerabilities, the Big Sleep project aims to improve defensive capabilities by reducing undetected issues like the one in SQLite.

The Takeaway: Consider integrating AI-based tools to enhance security testing alongside traditional fuzzing techniques. Learn more here.

Android Update Patches Critical Zero-Day Flaws

Google has released the November 2024 Android security update, addressing 40 security vulnerabilities, including two actively exploited zero-day flaws, CVE-2024-43093 and CVE-2024-43047. These vulnerabilities affect core Android components and Qualcomm chipsets, posing significant risks if left unpatched.

CVE-2024-43093 is a privilege escalation flaw that allows unauthorized access to sensitive directories within the Android Framework. It impacts Android versions 12 through 15, with confirmed instances of targeted exploitation. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added this vulnerability to its Known Exploited Vulnerabilities Catalog, requiring federal agencies to apply the fix by November 28, 2024.

Additionally, CVE-2024-43047, a Use-After-Free vulnerability in Qualcomm’s DSP service, risks memory corruption, which could lead to unauthorized access on affected devices. This update follows Qualcomm’s initial patch from October.

The Takeaway: Update Android devices with the November security patch to reduce exposure to critical vulnerabilities. Learn more here.

Microsoft SharePoint Vulnerability Exploited for Corporate Network Access

A remote code execution vulnerability in Microsoft SharePoint, identified as CVE-2024-38094, is being actively exploited by attackers to access corporate networks. Although Microsoft addressed this flaw in its July 2024 Patch Tuesday update, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently added it to its catalog of known exploited vulnerabilities.

Attackers use this vulnerability to gain unauthorized access to SharePoint servers, deploying a web shell to escalate their control. From there, they compromise additional accounts, disable antivirus services, and install tools such as Impacket and Huorong Antivirus to evade detection. Advanced techniques, including disabling Windows Defender and altering logs, allow attackers to conceal their presence on targeted systems.

The Takeaway: Organizations are urged to ensure that Microsoft 365 environments are fully updated to minimize exposure to such vulnerabilities. Apply all recent security patches to secure SharePoint against remote code execution risks. Learn more here.

Researcher Reveals Severe Vulnerabilities in IBM Verify Access

A security researcher has identified over 36 vulnerabilities in IBM Security Verify Access (ISVA) that could enable attackers to compromise authentication infrastructure. These vulnerabilities include seven remote code execution flaws, privilege escalation bugs, and authentication bypasses, with some allowing full system control through man-in-the-middle (MiTM) attacks or internal network access.

A key risk involves attackers exploiting an authentication bypass flaw to gain unauthorized control over ISVA’s runtime Docker instance, where they could manipulate user access, add malicious multi-factor authenticators, and lock legitimate admins out of the system. The researcher highlights that IBM has yet to release patches for some issues, suggesting instead that clients implement network restrictions and best practices.

He further revealed outdated OpenSSL packages and hardcoded keys in IBM’s Docker images, posing additional security threats. IBM has addressed most vulnerabilities in versions 10.0.7 and 10.0.8, though Barre noted difficulties with IBM’s response time and support.

The Takeaway: Regularly update ISVA and implement network segmentation to reduce exposure to security risks. Learn more here.

Six Vulnerabilities Exposed in Ollama AI Framework Security

Cybersecurity researchers have uncovered six vulnerabilities in the open-source Ollama artificial intelligence framework that could enable attackers to launch denial-of-service (DoS) attacks, steal models, or perform model poisoning. Researchers claim that these flaws could be exploited with a single HTTP request, threatening systems running the framework on Windows, Linux, and macOS.

The vulnerabilities, some of which are patched in recent updates, include CVE-2024-39719 (file detection vulnerability), CVE-2024-39720 (out-of-bounds read), and CVE-2024-39721 (resource exhaustion). Two unpatched vulnerabilities may allow model theft and poisoning via specific endpoints, prompting Ollama’s maintainers to advise users to restrict internet access to these endpoints using proxies or firewalls.

The Takeaway: Update Ollama to the latest version and secure internet-facing endpoints. Learn more here.

Major Security Flaws Found in AI Platforms

Significant security vulnerabilities have been identified in popular machine learning platforms, raising concerns across the tech industry. JFrog’s security team found issues in Weights and Biases' Weave toolkit, tracked as CVE-2024-7340, which could allow unauthorized file access and privilege escalation. Additionally, ZenML Cloud faced an access control flaw enabling unintended admin privileges.

Other platforms, including Deep Lake, Vanna AI, and Mage AI, were affected by vulnerabilities allowing remote code execution. According to researchers, these flaws could enable attackers to gain control over essential servers, including ML model registries, databases, and pipelines. The post-exploitation risks include potential backdooring of models, which could be redistributed to clients and impact operations.

The Takeaway: Companies using these AI platforms should assess their systems for vulnerabilities and apply patches as soon as available. Learn more here.

That’s all for this week – have any exposures to add to our list? Let us know!

Read our latest eBook - "The First 90 Days as CISO" here: