Known Actively Exploited Vulnerabilities Round-up (05.07.24-11.07.24)

This article covers recent vulnerabilities found to be actively exploited. Each is categorised not only by the type of weakness exploited, but also by its impact and the versions affected. This article also sets out any official fix and remediation guidance for the listed vulnerabilities.

 

CVE-2024-38080

Category: Numeric & Calculation Errors

 

Versions Affected:

  • Microsoft Windows 11 Version 23H2 for x64-based Systems prior to release 10.0.22631.3880
  • Microsoft Windows 11 Version 23H2 for ARM64-based Systems prior to release 10.0.22631.3880
  • Microsoft Windows 11 Version 22H2 for x64-based Systems prior to release 10.0.22621.3880
  • Microsoft Windows 11 Version 22H2 for ARM64-based Systems prior to release 10.0.22621.3880
  • Microsoft Windows 11 version 21H2 for ARM64-based Systems prior to release 10.0.22000.3079
  • Microsoft Windows 11 version 21H2 for x64-based Systems prior to release 10.0.22000.3079
  • Microsoft Windows Server 2022 (Server Core installation) prior to release 10.0.20348.2582
  • Microsoft Windows Server 2022 prior to release 10.0.20348.2582
  • Microsoft Windows Server 2022 23H2 Edition (Server Core installation) prior to release 10.0.25398.1009

 

 

Vulnerability Summary:

A vulnerability in Microsoft’s Hyper-V hypervisor allows for the unauthorised elevation of privileges from low-security to high-security context. Microsoft provided little additional information on the flaw in its release notes at the time of writing (2024-07-10).

The product performs a calculation that can produce an integer overflow or wraparound, when the logic assumes that the resulting value will always be larger than the original value. An integer overflow or wraparound occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may wrap to become a very small or negative number. While this may be intended behavior in circumstances that rely on wrapping, it can have security consequences if the wrap is unexpected. This is especially the case if the integer overflow can be triggered using user-supplied inputs. This becomes security-critical when the result is used to control looping, make a security decision, or determine the offset or size in behaviours such as memory allocation, copying, concatenation, etc.
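The arithmetic behind the Hyper-V flaw is not public, so the following is an added illustration (not code from the advisory or from Microsoft) of the generic pattern the summary describes: a size calculation done in 32-bit unsigned arithmetic, a sanity check that assumes the product cannot be smaller than one element, and the checked form that rejects the overflow instead. Python integers do not wrap, so the 32-bit truncation is simulated explicitly with `u32`; the element counts are constructed inputs.

```python
# Added illustration, not the advisory's or Microsoft's code: models CWE-190
# with 32-bit unsigned arithmetic simulated explicitly.

U32_MAX = 0xFFFFFFFF


def u32(x: int) -> int:
    """Truncate to 32 bits, as unsigned C arithmetic does silently."""
    return x & U32_MAX


def alloc_size_unchecked(count: int, elem_size: int) -> int:
    """Buggy pattern: the product is computed in 32 bits and then 'validated'
    by a check that assumes the result is never smaller than one element.
    A wrapped product can still satisfy that check."""
    total = u32(count * elem_size)
    if total < elem_size:
        raise ValueError("size check failed")
    return total


def alloc_size_checked(count: int, elem_size: int) -> int:
    """Hardened form: reject the overflow before it happens, the Python
    equivalent of checked multiplication (__builtin_mul_overflow in C)."""
    if count == 0 or elem_size == 0:
        raise ValueError("zero-sized allocation")
    if count > U32_MAX // elem_size:
        raise OverflowError("count * elem_size exceeds 32 bits")
    return count * elem_size


def copy_plan(count: int, elem_size: int, size_fn) -> tuple:
    """Return (bytes allocated, bytes a copy loop driven by `count` would
    write). A mismatch is the out-of-bounds write the overflow enables."""
    allocated = size_fn(count, elem_size)
    return allocated, count * elem_size


if __name__ == "__main__":
    # Constructed input: 0x10000001 elements of 16 bytes wraps to exactly 16,
    # so the naive check passes while the copy would write 4 GiB + 16 bytes.
    print(copy_plan(0x10000001, 16, alloc_size_unchecked))
    try:
        copy_plan(0x10000001, 16, alloc_size_checked)
    except OverflowError as exc:
        print("rejected:", exc)
```

The lesson for reviewers is the one the summary makes: validate the operands (or use checked arithmetic) before the truncating operation, not the truncated result afterwards.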

 

Official Fix & Remediation Guidance:

Customers are advised to upgrade to the latest version of Microsoft Windows via one of the following methods:

  • This update is available from Microsoft Update. When you turn on automatic updating, this update will be downloaded and installed automatically. For more information about how to get security updates automatically, see Windows Update: FAQ.
  • To get the standalone package for this update, go to the Microsoft Update Catalog website.
  • You can get the standalone update package through the Microsoft Download Center. Follow the installation instructions on the download page to install the update.

 

NOTE: Remediation of this vulnerability by patching to a specific version indicated may not be sufficient to secure the product against further vulnerabilities discovered in later versions, subsequent to the publication of this guidance. Unless contra-indicated, customers are therefore advised to always upgrade to the latest version of the product available.

 

 

CVE-2024-38112

Category: User Interface (UI) Security Issues

 

Versions Affected:

  • Microsoft Windows 10 for 32-bit Systems prior to release 10.0.10240.20710
  • Microsoft Windows 10 for x64-based Systems prior to release 10.0.10240.20710
  • Microsoft Windows 10 Version 1607 for 32-bit Systems prior to release 10.0.14393.7159
  • Microsoft Windows 10 Version 1607 for x64-based Systems prior to release 10.0.14393.7159
  • Microsoft Windows 10 Version 1809 for 32-bit Systems prior to release 10.0.17763.6054
  • Microsoft Windows 10 Version 1809 for ARM64-based Systems prior to release 10.0.17763.6054
  • Microsoft Windows 10 Version 1809 for x64-based Systems prior to release 10.0.17763.6054
  • Microsoft Windows 10 Version 21H2 for 32-bit Systems prior to release 10.0.19044.4651
  • Microsoft Windows 10 Version 21H2 for ARM64-based Systems prior to release 10.0.19044.4651
  • Microsoft Windows 10 Version 21H2 for x64-based Systems prior to release 10.0.19044.4651
  • Microsoft Windows 10 Version 22H2 for 32-bit Systems prior to release 10.0.19045.4651
  • Microsoft Windows 10 Version 22H2 for ARM64-based Systems prior to release 10.0.19045.4651
  • Microsoft Windows 10 Version 22H2 for x64-based Systems prior to release 10.0.19045.4651
  • Microsoft Windows 11 version 21H2 for ARM64-based Systems prior to release 10.0.22000.3079
  • Microsoft Windows 11 version 21H2 for x64-based Systems prior to release 10.0.22000.3079
  • Microsoft Windows 11 Version 22H2 for ARM64-based Systems prior to release 10.0.22621.3880
  • Microsoft Windows 11 Version 22H2 for x64-based Systems prior to release 10.0.22621.3880
  • Microsoft Windows 11 Version 23H2 for ARM64-based Systems prior to release 10.0.22631.3880
  • Microsoft Windows 11 Version 23H2 for x64-based Systems prior to release 10.0.22631.3880
  • Microsoft Windows Server 2008 for 32-bit Systems Service Pack 2 prior to release 6.0.6003.22769
  • Microsoft Windows Server 2008 for 32-bit Systems Service Pack 2 prior to release 6.0.6003.22769
  • Microsoft Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) prior to release 6.0.6003.22769
  • Microsoft Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) prior to release 6.0.6003.22769
  • Microsoft Windows Server 2008 for x64-based Systems Service Pack 2 prior to release 6.0.6003.22769
  • Microsoft Windows Server 2008 for x64-based Systems Service Pack 2 prior to release 6.0.6003.22769
  • Microsoft Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) prior to release 6.0.6003.22769
  • Microsoft Windows Server 2012 R2 prior to release 6.3.9600.22074
  • Microsoft Windows Server 2012 R2 (Server Core installation) prior to release 6.3.9600.22074
  • Microsoft Windows Server 2016 prior to release 10.0.14393.7159
  • Microsoft Windows Server 2016 (Server Core installation) prior to release 10.0.14393.7159
  • Microsoft Windows Server 2019 prior to release 10.0.17763.6054
  • Microsoft Windows Server 2019 (Server Core installation) prior to release 10.0.17763.6054
  • Microsoft Windows Server 2022 prior to release 10.0.20348.2582
  • Microsoft Windows Server 2022 (Server Core installation) prior to release 10.0.20348.2582
  • Microsoft Windows Server 2022, 23H2 Edition (Server Core installation) prior to release 10.0.25398.1009

 

 

Vulnerability Summary:

A vulnerability exists in the MSHTML (Trident) rendering engine, which renders web content in Internet Explorer and, via embedded web browser controls, in other applications. The primary flaw stems from inadequate sanitisation within the MSHTML library of URL links to malicious content that appear to originate from a trusted source.

By using the special mhtml: and !x-usc: URI schemes within the URL directive of a .url file, attackers are able both (a) to obfuscate the true origin of a URL and (b) to make the vulnerability easier to exploit by causing the link to open in the legacy “Internet Explorer” browser, which offers less protection against such spoofing than the user’s default browser. Even though IE has been proclaimed “retired and out-of-support,” technically speaking it is still part of the Windows OS.

Similar techniques have previously been used in exploits of vulnerability CVE-2021-40444.
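For triage of suspicious shortcut files, the following added example (not AppCheck's or Microsoft's code) parses a Windows Internet Shortcut (.url) file and flags the two prefixes the summary names, mhtml: and !x-usc:, reporting the address that would actually be fetched. The .url contents and the example.invalid hostnames are constructed.

```python
# Added example, not from the advisory: a small .url triage helper.
# Both sample files below are constructed.

SAMPLE_URL_FILE = """[InternetShortcut]
URL=mhtml:http://example.invalid/report!x-usc:http://example.invalid/report
IconFile=C:\\Windows\\System32\\SHELL32.dll
IconIndex=1
"""

BENIGN_URL_FILE = """[InternetShortcut]
URL=https://example.invalid/report
"""


def parse_url_file(text: str) -> dict:
    """Minimal INI-style parser returning the [InternetShortcut] keys."""
    section = None
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "internetshortcut" and "=" in line:
            key, value = line.split("=", 1)
            values[key.strip().lower()] = value.strip()
    return values


def url_findings(text: str) -> list:
    """Return a list of reasons this shortcut deserves a closer look."""
    url = parse_url_file(text).get("url", "")
    lowered = url.lower()
    findings = []
    if lowered.startswith("mhtml:"):
        findings.append("mhtml: prefix routes the link to the MSHTML/IE engine")
    if "!x-usc:" in lowered:
        findings.append("!x-usc: segment hides the final target behind the visible URL")
    return findings


def final_target(text: str) -> str:
    """Strip the mhtml: prefix and return the last !x-usc: segment, i.e. the
    address that would actually be fetched."""
    url = parse_url_file(text).get("url", "")
    if url.lower().startswith("mhtml:"):
        url = url[len("mhtml:"):]
    return url.split("!x-usc:")[-1]


if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_URL_FILE), ("benign", BENIGN_URL_FILE)):
        print(name, final_target(text), url_findings(text))
```

Run over a mailbox export or a quarantine folder, a non-empty `url_findings` result is a reasonable trigger for blocking the file and checking whether the affected hosts have the July update installed.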

 

Official Fix & Remediation Guidance:

Customers are advised to upgrade to the latest version of Microsoft Windows via one of the following methods:

  • This update is available from Microsoft Update. When you turn on automatic updating, this update will be downloaded and installed automatically. For more information about how to get security updates automatically, see Windows Update: FAQ.
  • To get the standalone package for this update, go to the Microsoft Update Catalog website.
  • You can get the standalone update package through the Microsoft Download Center. Follow the installation instructions on the download page to install the update.

 

NOTE: Remediation of this vulnerability by patching to a specific version indicated may not be sufficient to secure the product against further vulnerabilities discovered in later versions, subsequent to the publication of this guidance. Unless contra-indicated, customers are therefore advised to always upgrade to the latest version of the product available.

 

 

CVE-2024-23692

Category: Template Injection

 

Versions Affected:

  • Rejetto HTTP File Server version 2.x up to and including version 2.3m

 

 

Vulnerability Summary:

The server is vulnerable to an unauthenticated server-side template injection (SSTI) vulnerability. The product uses a template engine to insert or process externally-influenced input, but it does not neutralise, or incorrectly neutralises, special elements or syntax that can be interpreted as template expressions or other code directives when processed by the engine. The template engine has its own custom expression language. Since an attacker can influence the input to a template before it is processed, they can invoke arbitrary expressions, i.e. perform injection attacks.

The server accepts raw user input via the search parameter and then passes it, unsanitised, as part of the concatenated string for an {.exec|"+cmd+".} statement. Although by default the content provided is sanitised, the sanitisation fails to account for percent-encoded percent symbols. This allows an attacker to embed any symbol in the content being processed via a sequence such as %25x%25symbol-name%25.
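The failure mode described here, a sanitiser that inspects singly-decoded input while a later stage decodes again, is easy to reproduce in isolation. The following added example (not Rejetto's code; the `{.` `.}` macro delimiters and `%name%` symbol syntax are HFS's, the inputs are constructed) contrasts that naive path with a check that decodes to a fixed point before looking for template syntax.

```python
# Added example, not from the advisory or from HFS: why single-pass
# sanitisation misses %25-encoded template syntax, and the hardened check.
import re
from urllib.parse import unquote

MACRO_OPEN, MACRO_CLOSE = "{.", ".}"
SYMBOL_RE = re.compile(r"%[A-Za-z][\w-]*%")   # HFS-style %symbol-name% reference


def contains_template_syntax(text: str) -> bool:
    return MACRO_OPEN in text or MACRO_CLOSE in text or bool(SYMBOL_RE.search(text))


def naive_sanitise(raw: str) -> str:
    """Weak pattern: decode once, strip macro delimiters, forward the rest.
    Anything still percent-encoded after one decode survives untouched."""
    once = unquote(raw)
    return once.replace(MACRO_OPEN, "").replace(MACRO_CLOSE, "")


def decode_to_fixpoint(raw: str, max_rounds: int = 5) -> str:
    """Decode repeatedly until the string stops changing or a round limit hits."""
    current = raw
    for _ in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current


def hardened_check(raw: str) -> bool:
    """True when the fully decoded value contains template syntax and should
    be rejected before it reaches the template engine."""
    return contains_template_syntax(decode_to_fixpoint(raw))


def assess(raw: str) -> dict:
    """Compare what the naive path forwards with what a later decoding stage
    (modelled as one more unquote) would turn it into."""
    forwarded = naive_sanitise(raw)
    return {
        "naive_forwarded": forwarded,
        "naive_missed": contains_template_syntax(unquote(forwarded)),
        "hardened_rejects": hardened_check(raw),
    }


if __name__ == "__main__":
    # Constructed search terms: benign, single-encoded, double-encoded,
    # and the %25x%25symbol-name%25 shape from the summary.
    for term in ("annual report", "%7B.name.%7D", "%257B.name.%257D",
                 "%25x%25symbol-name%25"):
        print(repr(term), assess(term))
```

The symbol regex is a heuristic (a search for `100%off%` would also trip it); the point is that the decision has to be made on the value in its final decoded form, which means decoding to a fixed point first or, better, never concatenating user input into template source at all.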

 

Official Fix & Remediation Guidance:

As of the CVE assignment date, Rejetto HFS 2.3m is no longer supported. The vendor advises that “Version 2.3-2.4 is dangerous and should not be used anymore. A security vulnerability was found allowing an attacker to control your computer. There is currently no known official fix for version 2”.

It is recommended that all users update to HFS 3 or migrate to an alternative platform.

 

 

CVE-2024-3596 (a.k.a Blast-RADIUS)*

Category: Cryptographic Failure

 

Versions Affected:

Blast-RADIUS is the result of a fundamental design flaw and is said to impact all standards-compliant RADIUS clients and servers. Anyone using MAC address authentication, or RADIUS for administrator logins to switches, is vulnerable.

 

Vulnerability Summary:

The RADIUS protocol is commonly used over the insecure UDP transport protocol. Additionally, the security of RADIUS is reliant on a hash that’s derived using the MD5 algorithm, which has been deemed cryptographically broken as of December 2008 owing to the risk of collision attacks. The RADIUS protocol also allows certain Access-Request messages to have no integrity or authentication checks.

In combination, this means that Access-Request packets can be subjected to what is called a “chosen-prefix” request forgery attack against the MD5 Response Authenticator, which makes it possible to modify the response packet such that it passes all of the integrity checks for the original response.
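To make the two points above concrete, the following added example (not code from the Blast-RADIUS researchers or any RADIUS vendor) builds RADIUS packets and implements the two integrity mechanisms involved: the RFC 2865 Response Authenticator, which is the MD5 digest the summary describes, and the RFC 2869 Message-Authenticator (attribute type 80, an HMAC-MD5 keyed with the shared secret), which is what the vendor mitigations require on Access-Request packets. It also shows that an Access-Request without a Message-Authenticator carries nothing that binds its attributes. The shared secret and attribute values are constructed.

```python
# Added example, not from the advisory or from any RADIUS implementation.
import hashlib
import hmac
import struct

HEADER_LEN = 20              # code(1) id(1) length(2) authenticator(16)
MESSAGE_AUTHENTICATOR = 80   # RFC 2869 attribute: 16-byte HMAC-MD5


def encode_attrs(attrs):
    """attrs: list of (type, value_bytes) -> RADIUS TLV bytes."""
    return b"".join(struct.pack("BB", t, len(v) + 2) + v for t, v in attrs)


def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack(">BBH", code, ident, HEADER_LEN + len(body)) + authenticator + body


def response_authenticator(code, ident, request_auth, attrs, secret):
    """RFC 2865 s3: MD5(Code | ID | Length | RequestAuth | Attributes | Secret).
    This is the only integrity check a classic response carries."""
    body = encode_attrs(attrs)
    header = struct.pack(">BBH", code, ident, HEADER_LEN + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()


def build_response(code, ident, request_auth, attrs, secret):
    auth = response_authenticator(code, ident, request_auth, attrs, secret)
    return build_packet(code, ident, auth, attrs)


def verify_response(packet, request_auth, secret):
    length = struct.unpack(">H", packet[2:4])[0]
    expected = hashlib.md5(packet[:4] + request_auth + packet[HEADER_LEN:length] + secret).digest()
    return hmac.compare_digest(expected, packet[4:HEADER_LEN])


def iter_attrs(packet):
    """Yield (type, offset_of_attribute, length) for each TLV in the packet."""
    length = struct.unpack(">H", packet[2:4])[0]
    off = HEADER_LEN
    while off + 2 <= length:
        t, l = packet[off], packet[off + 1]
        if l < 2:
            break
        yield t, off, l
        off += l


def find_message_authenticator(packet):
    """Offset of the 16-byte Message-Authenticator value, or None if absent."""
    for t, off, l in iter_attrs(packet):
        if t == MESSAGE_AUTHENTICATOR and l == 18:
            return off + 2
    return None


def add_message_authenticator(packet, secret):
    """Append Message-Authenticator to an Access-Request: HMAC-MD5 over the
    whole packet with the attribute value zeroed, keyed with the secret.
    (For responses the Authenticator field used in the HMAC must be the
    Request Authenticator; this helper handles requests only.)"""
    body = packet[HEADER_LEN:] + struct.pack("BB", MESSAGE_AUTHENTICATOR, 18) + bytes(16)
    pkt = packet[:2] + struct.pack(">H", HEADER_LEN + len(body)) + packet[4:HEADER_LEN] + body
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:-16] + mac


def verify_message_authenticator(packet, secret):
    pos = find_message_authenticator(packet)
    if pos is None:
        return False   # nothing binds the attributes: the weakness the summary describes
    zeroed = packet[:pos] + bytes(16) + packet[pos + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, packet[pos:pos + 16])


if __name__ == "__main__":
    secret = b"constructed-shared-secret"       # constructed, not a real secret
    req_auth = bytes(range(16))                 # constructed Request Authenticator
    bare = build_packet(1, 7, req_auth, [(1, b"alice")])          # Access-Request
    print("bare request has Message-Authenticator:", find_message_authenticator(bare) is not None)
    signed = add_message_authenticator(bare, secret)
    print("signed request verifies:", verify_message_authenticator(signed, secret))
    accept = build_response(2, 7, req_auth, [(18, b"ok")], secret)   # Access-Accept
    print("response authenticator verifies:", verify_response(accept, req_auth, secret))
```

Operationally, the useful checks are `find_message_authenticator` on captured Access-Request traffic (a server configured to require the attribute should never see it missing) and confirming that RADIUS over UDP is not carried across untrusted segments, since the Response Authenticator alone rests on MD5.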

 

Official Fix & Remediation Guidance:

System administrators of networks using RADIUS should check with their vendors for a patch against this vulnerability (patches implementing mitigations have been released by all RADIUS implementations that we are aware of), and follow best practices for RADIUS configuration.

NOTE: Remediation of this vulnerability by patching to a specific version indicated may not be sufficient to secure the product against further vulnerabilities discovered in later versions, subsequent to the publication of this guidance. Unless contra-indicated, customers are therefore advised to always upgrade to the latest version of the product available.

 

*Although not yet highlighted by CISA this week, this critical vulnerability in the RADIUS protocol also attracted significant attention after being widely exploited by attackers.

 


 

The two Microsoft vulnerabilities at the top of this article were featured in this month’s ‘Patch Tuesday’. To keep up to date with future high-profile patches for critical exploits from vendors including Microsoft and Google, add the next Patch Tuesday to your calendar now: 13th August 2024.

 

About AppCheck

AppCheck is a software security vendor based in the UK, offering a leading security scanning platform that automates the discovery of security flaws within organisations’ websites, applications, networks, and cloud infrastructure. AppCheck are authorised by the Common Vulnerabilities and Exposures (CVE) Program as a CVE Numbering Authority (CNA).
