What Happened Over the Week? | CVEs Special
Hello, hello cyber-securiters. This is a special edition for CVEs. You need lots of updates this week, and a LinkedIn post is not enough for these CVEs.
Here is a catch-up for you. Let's start.
CVE-2024-6376: Critical Vulnerability in MongoDB Compass
A critical vulnerability has been discovered in MongoDB Compass, a graphical user interface (GUI) widely used to query, aggregate and analyze MongoDB data.
Versions of MongoDB Compass prior to 1.42.2 are affected by this vulnerability, putting a large number of users at risk. The National Vulnerability Database (NVD) has assigned this vulnerability a CVSS score of 9.8, indicating that it is critical.
Systems running vulnerable versions of MongoDB Compass are susceptible to breaches that can lead to data loss, corruption, and unauthorized access. MongoDB immediately addressed the CVE-2024-6376 vulnerability by releasing Compass 1.42.2.
CVE-2024-39884: Apache HTTP Server Critical Source Code Disclosure Flaw
Recently, the Apache Software Foundation released Apache HTTP Server version 2.4.61, addressing a severe source code disclosure vulnerability (CVE-2024-39884). Rated as “Important” by the Apache team, this flaw could expose sensitive server-side information to malicious actors.
While source code disclosure might seem like a technical concern, the implications can be far-reaching.
CVE-2024-23692: Hackers Target HFS for System Takeovers and Crypto Mining
Hackers have been detected exploiting a critical vulnerability in older versions of Rejetto's HTTP File Server (HFS) to deploy malware and cryptocurrency mining software. Attackers are exploiting the CVE-2024-23692 vulnerability, which allows arbitrary commands to be executed without authentication.
Several attacks, including one by the LemonDuck threat group, have been found to involve the installation of the XMRig Monero mining tool. Other payloads include XenoRAT for remote control, Gh0stRAT for data exfiltration, PlugX for persistent access, and GoThief for data theft via Amazon AWS.
Learn more about XenoRAT: https://brandefense.io/blog/xeno-rat-analysis/
CVE-2024-21007: Oracle WebLogic Server Vulnerability
CVE-2024-21007 has been identified as a critical vulnerability in Oracle WebLogic Server, a product of Oracle Fusion Middleware, published in April 2024. The severity of this vulnerability is high, with a CVSS 3.1 base score of 7.5, indicating significant confidentiality impacts.
Successful exploitation can lead to unauthorized access to critical data or complete access to all data on the Oracle WebLogic Server.
CVE-2023-2071 & CVE-2023-29464: Microsoft Reveals Critical Flaws in Rockwell Automation's PanelView Plus
Microsoft has revealed two security flaws in Rockwell Automation's PanelView Plus, which can be exploited remotely by unauthenticated attackers to execute arbitrary code or trigger a denial-of-service (DoS) condition.
Rockwell Automation released advisories on September 12, 2023, and October 12, 2023, respectively, with CISA issuing alerts on September 21 and October 17.
CVE-2024-38513: Fiber Web Framework Critical Vulnerability
A high-severity vulnerability (CVE-2024-38513) has been discovered in Fiber, a widely used web framework for the Go programming language. This vulnerability is due to improper validation of user-supplied session identifiers, allowing attackers to bypass security mechanisms and insert their own session identifiers.
The CVSS score of 9.8 highlights the critical nature of this problem and the urgent need to upgrade.
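To show the bug class described above (a server that trusts a session identifier the client supplies instead of only honouring identifiers it issued itself), here is an added illustration in plain Go. It is not Fiber's code and does not reproduce the Fiber middleware; the store, the `ResolveVulnerable` and `ResolveSafe` functions and the "attacker-chosen-id" value are assumptions constructed for this example.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// Store is a minimal in-memory session store (constructed for this example);
// it only knows identifiers it minted itself.
type Store struct {
	sessions map[string]bool
}

func NewStore() *Store { return &Store{sessions: map[string]bool{}} }

// newID mints a server-generated, unpredictable session identifier.
func (s *Store) newID() string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	id := hex.EncodeToString(b)
	s.sessions[id] = true
	return id
}

// ResolveVulnerable mirrors the weakness: an unknown client-supplied ID is
// trusted and registered as-is, so the client effectively picks its own key.
func (s *Store) ResolveVulnerable(clientID string) string {
	if clientID == "" {
		return s.newID()
	}
	s.sessions[clientID] = true // adopts whatever the cookie said
	return clientID
}

// ResolveSafe only honours IDs the store itself issued; anything else is
// discarded and replaced with a fresh server-generated ID.
func (s *Store) ResolveSafe(clientID string) string {
	if clientID != "" && s.sessions[clientID] {
		return clientID
	}
	return s.newID()
}

func main() {
	s := NewStore()
	fmt.Println("vulnerable adopts:", s.ResolveVulnerable("attacker-chosen-id"))
	fmt.Println("safe replaces:    ", s.ResolveSafe("attacker-chosen-id"))
}
```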
CVE-2024-5716 & CVE-2024-5717: Logsign Unified SecOps Platform: Urgent Update Fixes Critical RCE Vulnerabilities
Identified as CVE-2024-5716 and CVE-2024-5717, these vulnerabilities allow for remote, unauthenticated code execution via HTTP requests, potentially enabling attackers to gain unauthorized access and take control of the system.
CVE-2024-5716 (Authentication Bypass):
CVE-2024-5717 (Post-Authentication Command Injection):
SnailLoad (CVE-2024-39920): New Side-Channel Attack Exposes Your Web Activity
Security researchers have identified a new cybersecurity threat called “SnailLoad” (CVE-2024-39920), which exploits a vulnerability in the Transmission Control Protocol (TCP).
This side-channel attack can allow attackers to remotely monitor a user's web activity, including visited websites and streamed videos, by leveraging a timing side channel within TCP.
CVE-2024-32498: Critical OpenStack Vulnerability
The OpenStack Foundation has issued an urgent security advisory regarding a critical vulnerability (CVE-2024-32498, CVSS 8.8) affecting key components of its cloud infrastructure platform.
This flaw could allow malicious actors unauthorized access to sensitive data within Cinder (block storage), Glance (image management), and Nova (compute) services.
CVE-2024-0769: China-linked Velvet Ant Exploits Zero-Day Vulnerability in Cisco NX-OS Software to Deploy Malware
A China-linked cyber espionage group known as Velvet Ant has been discovered exploiting a zero-day vulnerability in Cisco NX-OS software to deploy malware. The vulnerability, identified as CVE-2024-20399 with a CVSS rating of 6.0, allows authenticated local attackers to execute arbitrary commands as root on affected devices.
Cisco attributes this issue to insufficient validation of CLI command arguments, which Velvet Ant exploits to install custom malware that allows remote access and control of compromised Cisco Nexus devices.
Linux Flaw: Exploiting CVE-2024-1085 PoC Reveals Privilege Escalation Risk
A security researcher has published a proof-of-concept (PoC) exploit code focusing on the critical CVE-2024-1085 security vulnerability in the Linux kernel. This vulnerability resides in the nftables component within the Netfilter subsystem and could allow an authenticated local attacker to escalate privileges on affected systems.
With a CVSS score of 7.8, the vulnerability is highlighted as having a high severity level. While local authentication is required for exploitation, a successful exploit could grant significant control over the system to the attacker.
CVE-2024-21586: Juniper Networks High CVSS Score Vulnerability
The CVE-2024-21586 vulnerability impacts Junos OS versions running on SRX Series firewalls. The vulnerability stems from an improper check for unusual or exceptional conditions in the PFE (Packet Forwarding Engine), a crucial component responsible for processing network traffic.
Juniper Networks strongly urges all affected users to upgrade to the latest patched versions of Junos OS immediately.
CVE-2024-36985 & CVE-2024-36984: Splunk Critical Vulnerabilities in Enterprise and Cloud Platforms
Splunk announced the release of patches for 16 vulnerabilities in its Splunk Enterprise and Cloud Platform, including six high-severity bugs.
Remote Code Execution (RCE) Vulnerabilities:
CVE-2024-36387 - CVE-2024-39573: Critical Vulnerabilities in Apache HTTP Server
The Apache Software Foundation has issued an urgent security advisory, disclosing multiple vulnerabilities in its widely used Apache HTTP Server. These flaws range from denial-of-service (DoS) attacks to remote code execution and unauthorized access, potentially exposing millions of websites to cyberattacks.
The vulnerabilities are tracked as CVE-2024-36387 through CVE-2024-39573.
CVE-2024-1724: Snap Sandbox Escape Vulnerability Threatens Linux Systems
In a recent security disclosure, security researcher McPhail has identified a critical vulnerability in Snap, a popular package manager for Ubuntu and other Linux distributions.
The vulnerability, tracked as CVE-2024-1724, could allow malicious actors to bypass the Snap sandbox environment and execute arbitrary code on a user’s system.
CVE-2024-20399: Cisco NX-OS Zero-Day Exploit Used to Deploy Custom Malware
Cisco has patched a zero-day vulnerability (tracked as CVE-2024-20399) in NX-OS that was exploited in April attacks to install previously unknown malware as root on vulnerable switches.
The security flaw allows attackers to execute commands without triggering system syslog messages, enabling them to conceal signs of compromise on hacked NX-OS devices. Cisco advises customers to regularly monitor and change the credentials of network-admin and vdc-admin administrative users.
CVE-2024-5261: Critical Vulnerability in LibreOfficeKit
The Document Foundation, the organization behind the popular open-source office suite LibreOffice, has issued an urgent security advisory regarding a critical vulnerability (CVE-2024-5261) in its LibreOfficeKit component.
This flaw could allow attackers to intercept or manipulate data transmitted between LibreOffice and remote servers, potentially exposing sensitive information.