FOCUS FRIDAY: MANAGING THIRD-PARTY RISKS FROM DAHUA IP CAMERA, SONICWALL FIREWALL, AND WPML, FILECATALYST WORKFLOW VULNERABILITIES WITH BLACK KITE’S F

Written By: Ferdi Gül Contributor: Ferhat Dikbiyik

Welcome to this week’s Focus Friday, where we dive into the latest high-profile cybersecurity incidents impacting third-party risk management (TPRM). In today’s blog, we explore critical vulnerabilities in Dahua IP Cameras, SonicWall Firewalls, WPML plugin for WordPress, and Fortra’s FileCatalyst Workflow. These vulnerabilities present significant risks to organizations relying on these technologies, necessitating immediate attention from TPRM professionals. Utilizing Black Kite’s FocusTags?, we provide targeted insights on managing these threats effectively and ensuring a robust defense posture against evolving cyber risks.

What is the Dahua IP Camera Authentication Bypass Vulnerability?

CVE-2021-33045 and CVE-2021-33044 are critical authentication bypass vulnerabilities affecting Dahua IP Cameras. These vulnerabilities allow attackers to bypass device authentication during the login process by crafting malicious data packets. This type of vulnerability is classified as an authentication bypass, which is highly severe due to its potential to grant unauthorized access to secure systems. The CVSS score for both vulnerabilities is 9.8, indicating a critical level of severity, while the Exploit Prediction Scoring System (EPSS) scores are 95.23% and 93.32%, respectively, highlighting a high probability of exploitation.

The vulnerabilities were first detailed in a disclosure on October 2021 via the full disclosure mailing list, where researchers outlined how attackers could exploit these vulnerabilities to gain unauthorized access to Dahua IP Camera systems. Proof-of-concept (PoC) code was also made available on GitHub, demonstrating the feasibility of the exploit. The vulnerabilities were published in CISA’s Known Exploited Vulnerabilities (KEV) catalog on August 21, 2024. The existence of PoC code and active exploitation in the wild make these vulnerabilities particularly concerning. According to Packet Storm Security, these flaws could allow attackers to intercept live footage, manipulate security settings, or disrupt surveillance operations—critical threats, especially in environments that rely on the confidentiality and integrity of surveillance footage.

Why Should TPRM Professionals Care About These Vulnerabilities?

From a TPRM perspective, these vulnerabilities present a significant risk because Dahua IP Cameras are widely deployed across various industries, including those handling sensitive or critical information. If a vendor’s infrastructure is compromised due to these vulnerabilities, it could lead to unauthorized access to surveillance footage, exposure of sensitive areas to malicious actors, or even manipulation of security systems. These risks could result in severe consequences, including data breaches, reputational damage, and financial losses for both the vendor and its clients. TPRM professionals need to prioritize these vulnerabilities when assessing their vendor’s cybersecurity posture, especially if their vendors operate in sectors requiring stringent security measures.

What Questions Should TPRM Professionals Ask Vendors About These Vulnerabilities?

To effectively assess the risk associated with these vulnerabilities, TPRM professionals should consider asking vendors the following questions:

1. Have you applied the latest firmware updates provided by Dahua to mitigate the risks associated with CVE-2021-33045 and CVE-2021-33044?
2. Have you configured network access controls to ensure that Dahua IP Cameras are only accessible to authorized personnel and devices?
3. What steps have you taken to enhance the authentication mechanisms for Dahua IP Cameras, particularly in implementing multi-factor authentication (MFA) to prevent unauthorized access??
4. How do you monitor and respond to any suspicious activity or unauthorized access attempts involving your Dahua IP Camera systems?

Remediation Recommendations for Vendors Subject to This Risk

Vendors should consider the following remediation actions to mitigate the risks associated with these vulnerabilities:

• Update Firmware: Immediately apply the latest firmware updates provided by Dahua to address CVE-2021-33045 and CVE-2021-33044.
• Limit Network Access: Ensure that Dahua IP Cameras are only accessible to authorized personnel and devices.
• Implement Strong Authentication: Enable strong, multi-factor authentication (MFA) to add an extra layer of security.
• Review Security Settings: Conduct a thorough review of the security configurations on all Dahua IP Cameras to ensure they are optimized for maximum security.
• Continuous Monitoring: Monitor network traffic continuously for any signs of suspicious activity or unauthorized access attempts targeting the camera systems.

How Can TPRM Professionals Leverage Black Kite for This Vulnerability?

Black Kite’s FocusTag? for Dahua IP Cameras was published with a VERY HIGH confidence level, providing detailed information on vendors potentially exposed to these vulnerabilities. TPRM professionals can use this FocusTag to quickly identify which of their vendors are at risk and obtain actionable intelligence, such as IP addresses and subdomains associated with the vulnerabilities. By leveraging these insights, organizations can reduce the scope of their risk assessments and focus on the most critical exposures. Additionally, if the tag has been updated with new information, Black Kite customers will be promptly notified, ensuring they have the most current data to inform their TPRM strategies.

CVE-2024-40766: SonicWall Firewalls

What is the SonicWall Improper Access Control Vulnerability?

CVE-2024-40766 is a critical improper access control vulnerability identified in SonicWall SonicOS management access. This flaw affects SonicWall Firewall devices running various versions of SonicOS, including Gen 5, Gen 6, and Gen 7 devices. The vulnerability, which has a CVSS score of 9.3, allows remote attackers to gain unauthorized access to system resources by exploiting insufficient access control restrictions on the devices. Under certain conditions, this could lead to a complete crash of the firewall, significantly compromising the network’s security.

The EPSS score for this vulnerability is relatively low at 0.04%, indicating a lower likelihood of exploitation compared to other high-severity vulnerabilities. The issue was first publicly disclosed on August 26, 2024, according to SonicWall’s Product Security Incident Response Team (PSIRT). Although there is no PoC available and the vulnerability is not currently listed in CISA’s KEV catalog, past advisories from CISA have noted active exploitation of similar vulnerabilities in SonicWall appliances since 2022. Given this history, organizations are advised to treat this vulnerability with caution, even though there is no evidence of active exploitation of CVE-2024-40766 at this time.

Why Should TPRM Professionals Care About This Vulnerability?

Third-party risk management (TPRM) professionals should be particularly concerned about CVE-2024-40766 due to the widespread use of SonicWall firewalls in many organizations. These devices are integral to securing network perimeters and managing internet traffic. A successful exploit of this vulnerability could allow attackers to access sensitive data, modify firewall settings, or disrupt network operations, potentially causing significant downtime and security breaches. The impact of such an exploit could be devastating, particularly for organizations that rely heavily on SonicWall firewalls for critical infrastructure protection. TPRM professionals need to ensure that their vendors using SonicWall devices are aware of this vulnerability and have taken appropriate measures to mitigate the associated risks.

What Questions Should TPRM Professionals Ask Vendors About This Vulnerability?

To evaluate the potential risk exposure associated with CVE-2024-40766, TPRM professionals should ask vendors the following questions:

1. Have you deployed the SonicWall firmware updates specifically recommended for addressing CVE-2024-40766 (e.g., version 5.9.2.14-13o for Gen 5, 6.5.4.15.116n for Gen 6, and the latest stable release for Gen 7)?
2. Have you implemented and verified IP-based access control lists (ACLs) to restrict management access to SonicWall firewalls?
3. What specific multi-factor authentication (MFA) protocols have been integrated into the SonicWall management interface to comply with the security recommendations for CVE-2024-40766?
4. Are you leveraging advanced logging and monitoring tools to continuously analyze SonicWall firewall logs and network traffic for indicators of compromise related to CVE-2024-40766?

Remediation Recommendations for Vendors Subject to This Risk

Vendors should take the following steps to mitigate the risks associated with CVE-2024-40766:

• Firmware Update: Immediately upgrade to the latest firmware versions provided by SonicWall for all affected devices, including updates to 5.9.2.14-13o for Gen 5, 6.5.4.15.116n for Gen 6, and higher versions for Gen 7 devices.
• Restrict Management Access: Limit management access to SonicWall firewalls to trusted IP addresses only or disable WAN management access from the internet.
• Implement MFA: Ensure that multi-factor authentication (MFA) is enabled for all users accessing the SonicWall management interface.
• Continuous Monitoring: Continuously monitor network traffic and firewall logs for any signs of unusual activity or unauthorized access attempts.
• Security Review: Conduct a thorough review of the security settings on all affected SonicWall devices to ensure compliance with industry best practices.

How Can TPRM Professionals Leverage Black Kite for This Vulnerability?

Black Kite provides a FocusTag? for the SonicWall SonicOS vulnerability with a VERY HIGH confidence level, allowing TPRM professionals to quickly identify which of their vendors are potentially exposed to CVE-2024-40766. This FocusTag, published in August 2024, contains detailed information about affected vendors, including the specific SonicWall devices at risk and their associated IP addresses and subdomains. By using this FocusTag, TPRM professionals can narrow their focus to the most vulnerable vendors and ensure that they receive timely and relevant updates regarding mitigation strategies. This targeted approach allows organizations to streamline their third-party risk management processes and prioritize remediation efforts where they are most needed.

CVE-2024-6386: WPML Plugin

What is the WPML Remote Code Execution Vulnerability?

CVE-2024-6386 is a critical remote code execution (RCE) vulnerability found in the WPML (WordPress Multilingual Plugin), a popular plugin used by over one million WordPress sites to manage multilingual content. This vulnerability, which has a CVSS score of 9.9, is caused by improper input sanitization in the plugin’s use of Twig templates for rendering shortcode content. The EPSS score is 0.06%, reflecting a relatively low likelihood of exploitation, but the critical nature of the flaw demands immediate attention.

The vulnerability, disclosed on August 28, 2024, allows an attacker with contributor-level permissions or higher to inject malicious payloads into the plugin’s shortcode templates, which are then executed server-side. This improper handling of inputs facilitates a server-side template injection (SSTI) attack, leading to arbitrary code execution on the server. The vulnerability has not yet been added to CISA’s KEV catalog, but a PoC has been released, demonstrating its potential for severe exploitation. The researcher “stealthcopter” highlighted the significant risks associated with this vulnerability, including the ability to deploy web shells or escalate privileges within the WordPress environment.

Why Should TPRM Professionals Care About This Vulnerability?

TPRM professionals should be highly concerned about CVE-2024-6386 due to its potential impact on WordPress sites using the WPML plugin. WordPress is a widely adopted content management system, and any vulnerability that allows for remote code execution poses a substantial risk. An attacker exploiting this vulnerability could gain unauthorized control over a website, execute malicious code, manipulate content, steal sensitive data, or even deface the site. In environments where WordPress sites are used for critical business functions, such a compromise could lead to significant data breaches, reputational damage, and operational disruptions. It is crucial for TPRM professionals to ensure that their vendors using WordPress and the WPML plugin are aware of this vulnerability and have implemented appropriate measures to mitigate the risk.

What Questions Should TPRM Professionals Ask Vendors About This Vulnerability?

To effectively assess the risk associated with CVE-2024-6386, TPRM professionals should consider asking vendors the following questions:

1. Have you updated the WPML plugin to the latest version that addresses CVE-2024-6386?
2. How have you reviewed and adjusted the access control settings for WordPress users with contributor-level permissions or higher?
3. Have you configured a Web Application Firewall (WAF) to detect and block malicious input attempts targeting the WPML plugin’s shortcode templates?
4. Are you monitoring access logs and server activities for indicators of compromise related to CVE-2024-6386?

Remediation Recommendations for Vendors Subject to This Risk

Vendors should take the following remediation steps to mitigate the risks associated with CVE-2024-6386:

• Update Plugin: Immediately update the WPML plugin to the latest version that fixes the vulnerability.
• Restrict Access: Limit contributor-level and higher permissions to trusted users only, minimizing the potential for exploitation.
• Implement a WAF: Deploy a WAF to block malicious input attempts and protect against SSTI and other injection attacks.
• Regular Audits: Conduct regular audits of WordPress installations and plugins to identify and mitigate security vulnerabilities.
• Monitor Logs: Regularly check access logs and server activities for signs of exploitation attempts related to this vulnerability.
• Backup and Recovery: Ensure that regular backups are in place to facilitate a quick recovery in the event of a security breach.

How Can TPRM Professionals Leverage Black Kite for This Vulnerability?

Black Kite has published a FocusTag? for the WPML vulnerability with a VERY HIGH confidence level. This tag provides detailed information on vendors potentially exposed to CVE-2024-6386, including specifics about the affected WordPress sites and plugin versions. TPRM professionals can use this FocusTag to identify which of their vendors are at risk and obtain actionable intelligence, such as the precise assets (IP addresses and subdomains) associated with the vulnerability. This targeted intelligence allows organizations to prioritize their risk management efforts effectively, focusing on the vendors most likely to be impacted by this vulnerability.

CVE-2024-6633, CVE-2024-6632: FileCatalyst Workflow

What are the FileCatalyst Workflow Insecure Configuration and SQL Injection Vulnerabilities?

CVE-2024-6633 is a critical vulnerability due to insecure default configurations in FileCatalyst Workflow, specifically involving the HSQL database (HSQLDB) used during installation. This database setup employs default credentials that are publicly available in vendor documentation. If these credentials are not changed or if the database is not reconfigured for production use, an attacker can gain unauthorized access to the database. The vulnerability is compounded by the fact that HSQLDB is remotely accessible by default on TCP port 4406, allowing potential attackers to connect using the default password. This can result in unauthorized actions such as adding administrative users, compromising the confidentiality, integrity, and availability of the software. The CVSS score for this vulnerability is 9.8, indicating its critical severity, while the EPSS score is low at 0.04%, reflecting a lower probability of exploitation based on current data.

CVE-2024-6632, on the other hand, is a high-severity SQL injection vulnerability affecting the MySQL database used during FileCatalyst Workflow’s setup process. This flaw is due to improper handling of user input during form submission, where user-supplied data is directly incorporated into a database query without adequate input validation. An attacker with authenticated access during setup could exploit this vulnerability to manipulate database queries, leading to unauthorized modifications or even access to other databases hosted on the same server. The CVSS score of 7.2 indicates high severity, but similar to CVE-2024-6633, the EPSS score remains low at 0.04%.

Although there is no publicly available PoC for these vulnerabilities and they have not yet been published in CISA’s Known Exploited Vulnerabilities (KEV) catalog, their potential for exploitation remains a concern. Organizations relying on FileCatalyst Workflow are strongly urged to apply the latest security patches and updates to mitigate these risks.

Why Should TPRM Professionals Care About These Vulnerabilities?

For TPRM professionals, these vulnerabilities represent significant risks, particularly for organizations that use FileCatalyst Workflow in environments where secure data handling and system integrity are paramount. The exploitation of CVE-2024-6633 could lead to unauthorized access and control over the database, potentially exposing sensitive data and allowing attackers to perform malicious operations within the affected network. CVE-2024-6632 presents a high risk of database manipulation, which could compromise data integrity or lead to unauthorized data exposure. Given the potential for data breaches and operational disruptions, TPRM professionals need to ensure that their vendors using FileCatalyst Workflow are aware of these vulnerabilities and have implemented robust security measures.

What Questions Should TPRM Professionals Ask Vendors About These Vulnerabilities?

To properly assess the risk associated with these vulnerabilities, TPRM professionals should ask the following specific questions:

1. Have you upgraded to FileCatalyst Workflow version 5.1.7 or later to mitigate CVE-2024-6633 and CVE-2024-6632?
2. Have you reconfigured the FileCatalyst Workflow database settings to replace the default HSQLDB with a more secure, production-ready database??
3. What firewall rules or network segmentation strategies have you implemented to block external access to TCP port 4406?
4. Have you enhanced input validation within FileCatalyst Workflow to prevent SQL injection attacks as outlined in CVE-2024-6632?

Remediation Recommendations for Vendors Subject to This Risk

Vendors using FileCatalyst Workflow should implement the following remediation steps to mitigate the risks associated with CVE-2024-6633 and CVE-2024-6632:

• Upgrade Software: Immediately update to FileCatalyst Workflow version 5.1.7 or later, which addresses both vulnerabilities.
• Reconfigure Database Settings: Ensure that FileCatalyst Workflow is configured to use a secure, alternative database rather than the default HSQLDB, following the vendor’s security guidelines.
• Restrict Remote Access: Use firewalls to block external access to TCP port 4406, particularly from untrusted networks, and limit access to the database server.
• Enhance Input Validation: Implement robust input validation checks to prevent SQL injection attacks, ensuring all user inputs are sanitized before processing.
• Employee Training: Educate staff on recognizing potential exploitation attempts and the importance of adhering to security protocols.
• Monitor and Audit: Regularly monitor and audit database access logs for any indications of unauthorized access or suspicious activities, and employ continuous monitoring systems to detect potential threats promptly.

How Can TPRM Professionals Leverage Black Kite for These Vulnerabilities?

Black Kite provides a FocusTag? specifically for the FileCatalyst Workflow vulnerabilities with a VERY HIGH confidence level. This tag helps TPRM professionals quickly identify vendors potentially exposed to CVE-2024-6633 and CVE-2024-6632. The FocusTag, updated in August 2024, includes critical information about affected vendors, along with asset data such as IP addresses and subdomains at risk. By utilizing this FocusTag, TPRM professionals can prioritize their risk assessments and remediation efforts, focusing on the vendors most susceptible to these vulnerabilities.

Black Kite’s FocusTags? enable efficient resource allocation and enhance third-party risk management by concentrating on high-impact areas. These tags are regularly updated to keep TPRM professionals informed of emerging threats, allowing for prompt risk mitigation.

Enhancing TPRM With Black Kite’s FocusTags?

In a rapidly changing cybersecurity landscape, staying ahead of potential threats is essential for effective Third-Party Risk Management (TPRM). Black Kite’s FocusTags? offer invaluable tools for organizations to manage these challenges efficiently. With the emergence of critical vulnerabilities such as those found in Dahua IP Cameras, SonicWall Firewalls, and the Fortra’s FileCatalyst Workflow, the need for real-time, actionable intelligence has never been greater. Here’s how Black Kite’s FocusTags? enhance TPRM strategies:

• Immediate Risk Identification: Instantly highlight vendors exposed to new vulnerabilities, enabling TPRM professionals to respond swiftly to potential threats.
• Prioritized Risk Management: Help prioritize risks by assessing both the criticality of vendors and the severity of identified vulnerabilities, ensuring focused and efficient allocation of resources.
• Targeted Vendor Communication: Support in conducting detailed discussions with vendors about their specific risk exposures, fostering more informed decision-making and enhanced collaboration.
• Comprehensive Cybersecurity Insights: Provide a holistic view of the threat landscape, aiding in the development of more robust and proactive cybersecurity defenses.

By leveraging Black Kite’s FocusTags?, organizations can transform complex threat data into strategic actions, effectively managing risks and safeguarding their digital ecosystems in a world where cyber threats continue to evolve.

FocusTags? in the Last 30 Days:

• FileCatalyst Workflow: CVE-2024-6633, CVE-2024-6632, Insecure Default Configuration and SQL Injection Vulnerability in Fortra FileCatalyst Workflow.
• WPML: CVE-2024-6386, Critical Remote Code Execution Vulnerability via Twig Server-Side Template Injection in WPML Plugin
• SonicWall Firewalls: CVE-2024-40766, Critical Improper Access Control Vulnerability in SonicWall Firewalls
• Dahua IP Camera: CVE-2021-33045, CVE-2021-33044, Critical Authentication Bypass Vulnerabilities in Dahua IP Camera Systems
• Microsoft Privilege Escalation Vulnerability: CVE-2024-38193, CVE-2024-38106, CVE-2024-38107, Critical Privilege Escalation Vulnerabilities in Microsoft Windows
• SolarWinds WHD: CVE-2024-28986, Critical Remote Code Execution Vulnerability in SolarWinds Web Help Desk
• Zimbra LFI: CVE-2024-33535, Local File Inclusion Vulnerability in Zimbra Collaboration Suite
• Exchange Server RCE: CVE-2021-31196, CVE-2021-34473, Remote Code Execution Vulnerabilities in Microsoft Exchange Server
• Zabbix: CVE-2024-22116, Critical Remote Code Execution Vulnerability in Zabbix Monitoring Solution
• Jenkins ClassLoaderProxy: CVE-2024-43044, Arbitrary File Read and Remote Code Execution Vulnerability in Jenkins ClassLoaderProxy
• Dahua NVR4: CVE-2024-39944, CVE-2024-39948, and CVE-2024-39949, Remote Code Execution, Authentication Bypass, and Improper Access Control Vulnerabilities in Dahua NVR4 devices
• VMware ESXi: CVE-2024-37085, Authentication Bypass Vulnerability in VMware ESXi, VMware Cloud Foundation
• Gogs: CVE-2024-39930, CVE-2024-39931, CVE-2024-39932, and CVE-2024-39933, Argument Injection Vulnerability in Gogs
• Internet Explorer: CVE-2012-4792, Use-After-Free Vulnerability in Internet Explorer
• Docker AuthZ: CVE-2024-41110, AuthZ Bypass and Privilege Escalation Vulnerability in Docker

References

https://nvd.nist.gov/vuln/detail/CVE-2024-6633

https://nvd.nist.gov/vuln/detail/CVE-2024-6632

https://www.fortra.com/security/advisories/product-security/fi-2024-011

https://www.helpnetsecurity.com/2024/08/28/cve-2024-6633

https://nvd.nist.gov/vuln/detail/CVE-2024-6386

https://sec.stealthcopter.com/wpml-rce-via-twig-ssti

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/sitepress-multilingual-cms/wpml-multilingual-cms-4612-authenticatedcontributor-remote-code-execution-via-twig-server-side-template-injection

https://thehackernews.com/2024/08/critical-wpml-plugin-flaw-exposes.html

https://nvd.nist.gov/vuln/detail/CVE-2024-40766

https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0015

https://www.helpnetsecurity.com/2024/08/26/cve-2024-40766

https://nvd.nist.gov/vuln/detail/CVE-2021-33044#range-12398810

https://nvd.nist.gov/vuln/detail/cve-2021-33045

Dahua Authentication Bypass Details – GitHub

Dahua Vulnerabilities Disclosure – Full Disclosure

Dahua Authentication Bypass – Packet Storm Security