Exposures, Exposed! Weekly Round-up October 7 – October 13

Welcome to "Exposures, Exposed!" – your guide to safeguarding your digital world. As the leaves turn and the crisp air signals change, our dedicated experts are here to help you navigate the hidden vulnerabilities that lie beneath the surface. Join us as we uncover the lurking threats that, like the unexpected twists of autumn, require your attention and readiness.

Here’s what we’ve got for you this week:

Critical Vulnerabilities Found in Palo Alto Expedition Tool

Multiple critical vulnerabilities have been identified in Palo Alto Networks’ Expedition tool, including OS command injection, SQL injection, and cross-site scripting (CVE-2024-9463, CVE-2024-9464, CVE-2024-9465, CVE-2024-9466, CVE-2024-9467). These issues carry CVSS scores as high as 9.9 and expose systems to unauthorized access, credential theft, and administrative takeover. Attackers can exploit these vulnerabilities with minimal effort and no user interaction. Expedition is a migration tool used to convert configurations from vendors like Cisco and Checkpoint to Palo Alto systems. Versions of Expedition below 1.2.96 are affected.?

The Takeaway: Palo Alto Networks recommends upgrading to Expedition version 1.2.96 or later, limiting network access to the tool, rotating credentials, and reviewing logs for signs of unauthorized activity. Learn more here .

Ivanti Warns of Active Exploitation in CSA Vulnerabilities

Ivanti has disclosed that three new security vulnerabilities affecting its Cloud Service Appliance (CSA) are being actively exploited in combination with a previously patched flaw. The vulnerabilities—CVE-2024-9379, CVE-2024-9380, and CVE-2024-9381—could allow authenticated attackers with administrative privileges to bypass restrictions, execute arbitrary SQL commands, or obtain remote code execution. These flaws are being exploited alongside CVE-2024-8963, a critical path traversal vulnerability.

The vulnerabilities affect Ivanti CSA versions before 5.0.2. Ivanti urges users to update to version 5.0.2 and review their systems for signs of compromise. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2024-9379 and CVE-2024-9380 to its Known Exploited Vulnerabilities (KEV) catalog.

The Takeaway: Users should update Ivanti CSA to version 5.0.2 and monitor for any signs of exploitation. Learn more here .

CISA Adds Zimbra Vulnerability to Exploited Vulnerabilities Catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the Zimbra Collaboration vulnerability CVE-2024-45519 to its Known Exploited Vulnerabilities (KEV) catalog. This vulnerability, which has a CVSS score of 10, allows unauthenticated attackers to execute remote code on vulnerable Zimbra instances. Researchers from Proofpoint have observed threat actors attempting to exploit this flaw since September 28, 2024, following the release of a proof-of-concept by Project Discovery.

The flaw affects Zimbra mail server versions 8.8.15 Patch 46, 9.0.0 Patch 41, 10.0.9, and 10.1.1. CISA has mandated that federal agencies patch their systems by October 24, 2024, to mitigate potential attacks. Private organizations are also encouraged to review their systems for vulnerability.

The Takeaway: Organizations should update to the latest Zimbra versions and monitor for signs of exploitation. Learn more here .

Researchers Uncover Five Vulnerabilities in MMS Protocol

Claroty’s Team82 has reported five vulnerabilities affecting the Manufacturing Messaging Specification (MMS) protocol used in industrial systems. These flaws, identified in MZ Automation’s libIEC61850 library and Triangle Microworks’ TMW IEC 61850 library, could enable attackers to crash devices or execute remote code. The vulnerabilities, reported to the vendors, were found during research into MMS protocol implementations in the power sector.

To assist in identifying vulnerable systems, Claroty has made available its "MMS Stack Detector" tool, which was crucial during their investigation. The MMS protocol, developed in the 1990s, facilitates communication between intelligent electronic devices (IEDs) and SCADA systems, commonly used in industries like energy and automotive.

CISA has issued advisories for the affected products, urging updates to mitigate the risk of exploitation.

The Takeaway: Organizations using affected MMS implementations should update to patched versions and monitor for vulnerabilities. Learn more here .

Microsoft Patches 118 Vulnerabilities, Including Two Zero-Days

Microsoft has rolled out security updates addressing 118 vulnerabilities in its October 2024 Patch Tuesday release. The update includes two actively exploited zero-days: CVE-2024-43572, affecting Microsoft Management Console, and CVE-2024-43573, targeting the Windows MSHTML platform. Of the vulnerabilities, three are rated Critical, while the rest are classified as Important or Moderate.

Microsoft Configuration Manager, Visual Studio Code, and Remote Desktop Protocol Server are among the products with Critical vulnerabilities that could allow remote code execution. These flaws highlight the need for urgent updates to prevent unauthorized access and potential system crashes.

The Takeaway: Administrators should update all affected systems promptly to prevent exploitation of these vulnerabilities. Learn more he re.

Fourteen Critical Vulnerabilities Found in DrayTek Vigor Routers

Censys researchers have uncovered 14 vulnerabilities in DrayTek Vigor routers, with British Telecom, Vietnam, The Netherlands, and Taiwan among the most affected. These vulnerabilities, disclosed on October 2, 2024, pose a significant risk to both businesses and home users, allowing attackers to gain control of network devices and launch further attacks.?

Key issues include CVE-2024-41592, a critical buffer overflow vulnerability with a CVSS score of 10.0, and CVE-2024-41585, an OC command injection flaw, both affecting Vigor router models 3910 and 3912. DrayTek has released patches, urging users to update their router firmware immediately to prevent network compromise.

The Takeaway: Users should update their router firmware and follow best practices like disabling remote access and enabling two-factor authentication. Learn more here .

Mozilla Patches Zero-Day Vulnerability in Firefox Browser

Mozilla has released an update for Firefox to address a security vulnerability exploited as a zero-day. Tracked as CVE-2024-9680, the high-severity issue is a use-after-free flaw in the browser’s Animation timeline feature, which could allow an attacker to achieve remote code execution.?

The flaw occurs when memory is incorrectly reused after being freed, potentially allowing an attacker to input malicious code. Mozilla confirmed reports of this vulnerability being exploited in the wild but has not shared further details. Security firm ESET is credited with discovering the flaw.

Mozilla has released patches in Firefox 131.0.2 and extended support releases Firefox ESR 128.3.1 and 115.16.1. These updates follow a previous patch for 13 bugs released earlier this month.

The Takeaway: Users should update to the latest Firefox versions immediately to protect against this vulnerability. Learn more here .

That’s all for this week – have any exposures to add to our list? Let us know!

Read our blog - 3 Ways to Bridge the Cybersecurity Skills Gap: