Known Actively Exploited Vulnerabilities Round-up (07.06.24-13.06.24)

This article covers vulnerabilities recently confirmed to be under active exploitation. Each entry is categorised by exploitation type, impact and affected versions, and records the official fix and remediation guidance for the vulnerability.

 

CVE-2024-4577

Category: Command Injection

 

Versions Affected:

  • PHP 8.1.x branch prior to release 8.1.29
  • PHP 8.2.x branch prior to release 8.2.20
  • PHP 8.3.x branch prior to release 8.3.8

 

 

Vulnerability Summary:

When PHP runs under Apache as a CGI binary (php-cgi) on Windows, and the system locale uses certain code pages, Windows applies "Best-Fit" character mapping when it converts the process command line for Win32 API calls: characters that the code page cannot represent are replaced with look-alikes, and a soft hyphen (Unicode U+00AD) becomes an ordinary hyphen (0x2D). The protection php-cgi gained against CVE-2012-1823 inspects the URL-decoded query string for a leading hyphen before it allows query-string arguments to be parsed as command-line options. A percent-encoded soft hyphen (%AD) passes that check, because 0xAD is not 0x2D, and is only folded into a real hyphen afterwards, when the command line is built. The attacker can therefore pass php-cgi options such as -d through the query string, for example to set allow_url_include and point auto_prepend_file at php://input, and execute PHP code supplied in the request body.

In CWE terms (CWE-78), the product constructs part of an OS command line from externally-influenced input received from an upstream component, and does not correctly neutralise the special elements that change the meaning of that command when it is handed to a downstream component.

NOTE: This vulnerability is a bypass of the fix for CVE-2012-1823. Exploitation has been confirmed in the default installation of XAMPP for Windows when the system locale is Traditional Chinese, Simplified Chinese or Japanese; other locales and configurations should not be assumed safe.
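To make the interaction concrete, the following Python model was written for this round-up; it is not code from the article or from the PHP project. It models the CGI argv construction from an '='-free query string, the CVE-2012-1823 leading-hyphen check, the Windows best-fit transcoding, an illustrative hardened check that transcodes before testing for the hyphen (the upstream patch differs in detail), and a detector for the soft-hyphen pattern in request logs. The best-fit table is reduced to the single mapping that matters here, and the exploit-shaped query string is constructed for the example.

```python
"""Added example for CVE-2024-4577 (not from the article or the PHP project).

Models, in order: the CGI argv construction from an '='-free query string,
php-cgi's CVE-2012-1823 check (skip option parsing when the decoded query
starts with '-'), the Windows best-fit transcoding that folds U+00AD onto
'-', an illustrative hardened check, and a request-log detector.
"""
import re
from urllib.parse import unquote_to_bytes

# Constructed, single-entry best-fit table. On the affected Windows code pages
# (932/936/950) the soft hyphen U+00AD has no exact mapping and Windows
# substitutes the ASCII hyphen 0x2D. Real best-fit tables are much larger.
BEST_FIT = {0xAD: 0x2D}


def cgi_argv_from_query(query):
    """RFC 3875 'indexed' query: when QUERY_STRING has no literal '=', the
    web server splits it on '+' and URL-decodes each piece into an argv
    element for the CGI program."""
    if "=" in query:
        return []
    return [unquote_to_bytes(piece) for piece in query.split("+") if piece]


def php_cgi_2012_skips_getopt(query):
    """Model of the CVE-2012-1823 fix: URL-decode QUERY_STRING and refuse to
    parse argv as options when its first byte is '-' (0x2D). A percent-
    encoded soft hyphen decodes to 0xAD, which is not 0x2D, so it passes."""
    return unquote_to_bytes(query)[:1] == b"-"


def best_fit(arg):
    """Lossy ANSI conversion applied to the command line before php-cgi's
    narrow main() receives argv."""
    return bytes(BEST_FIT.get(b, b) for b in arg)


def hardened_skips_getopt(query):
    """Illustrative hardening (not the exact upstream patch): apply the same
    transcoding the host will apply, then look for the hyphen."""
    return best_fit(unquote_to_bytes(query))[:1] == b"-"


def php_cgi_ini_overrides(query, hardened=False):
    """Return the '-d key=value' INI overrides php-cgi would accept from the
    query string; an empty dict means the request could not inject options."""
    skipped = hardened_skips_getopt(query) if hardened else php_cgi_2012_skips_getopt(query)
    if skipped:
        return {}
    argv = [best_fit(a) for a in cgi_argv_from_query(query)]
    overrides = {}
    i = 0
    while i < len(argv):
        if argv[i] == b"-d" and i + 1 < len(argv) and b"=" in argv[i + 1]:
            key, value = argv[i + 1].split(b"=", 1)
            overrides[key.decode()] = value.decode()
            i += 2
        else:
            i += 1
    return overrides


# Constructed detector for access logs or a WAF: a percent-encoded soft hyphen
# at the start of the query or directly after a '+' argument separator. The
# published mod_rewrite mitigation checks only the start of the query string.
_SOFT_HYPHEN_ARG = re.compile(r"(?:^|\+)%ad", re.IGNORECASE)


def looks_like_cve_2024_4577_probe(query):
    return bool(_SOFT_HYPHEN_ARG.search(query))


if __name__ == "__main__":
    # Constructed query in the shape of the public exploit: two '-d' options.
    q = "%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input"
    print("2012 check skips getopt:", php_cgi_2012_skips_getopt(q))
    print("overrides accepted:", php_cgi_ini_overrides(q))
    print("overrides with hardened check:", php_cgi_ini_overrides(q, hardened=True))
    print("detector:", looks_like_cve_2024_4577_probe(q))
```

The model shows why the 2012 check is necessary but not sufficient on Windows: the check runs on bytes as decoded by PHP, while the option parser runs on bytes as transcoded by the host, and the two disagree on 0xAD. The hardened variant closes that gap by checking the representation the parser will actually see.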

 

Official Fix & Remediation Guidance:

The fix is included in PHP 8.3.8, 8.2.20 and 8.1.29; affected users are advised to upgrade to one of these releases, or later, as soon as possible. Official download link: https://www.php.net/downloads.php. Upgrade:

  • PHP 8.1.x branch to release 8.1.29
  • PHP 8.2.x branch to release 8.2.20
  • PHP 8.3.x branch to release 8.3.8

 

NOTE: The 8.0, 7.x and 5.x branches are also vulnerable but are no longer supported, so no patches are available for them and administrators must rely on mitigation instead. The interim mitigation published with the advisory is an Apache mod_rewrite rule that rejects (HTTP 403) any request whose query string begins with a percent-encoded soft hyphen, %AD, matched case-insensitively. It covers only the known exploit pattern and is a stop-gap, not a substitute for upgrading or for moving off the CGI SAPI.

NOTE: Customers should strongly consider moving off the PHP CGI SAPI altogether, to mod_php, FastCGI or PHP-FPM, since it is the CGI path of turning query strings into command-line arguments that makes this class of argument injection possible.

NOTE: Remediation of this vulnerability by patching to a specific version indicated may not be sufficient to secure the product against further vulnerabilities discovered in later versions, subsequent to the publication of this guidance. Unless contra-indicated, customers are therefore advised to always upgrade to the latest version of the product available.

 

 

CVE-2024-4358

Category: Authentication Bypass (configuration error)

 

Versions Affected:

  • Progress Telerik Report Server, version 2024 Q1 (10.0.24.305) or earlier.

 

 

Vulnerability Summary:

Progress Telerik Report Server, when running on Microsoft IIS, contains an authentication bypass vulnerability caused by a configuration issue. The action Telerik.ReportServer.Web.dll!Telerik.ReportServer.Web.Controllers.StartupController.Register, which performs first-run setup of the server, remains reachable without authentication after the administrator has completed setup. The action takes the supplied parameters, creates a user and assigns that user the "System Administrator" role, so a remote, unauthenticated attacker can create an administrative account and log in with it.
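Because exploitation leaves an ordinary web request behind, the fastest triage is to search the IIS logs for hits on the registration action after setup was completed. The following Python is an added example written for this round-up, not code from the article or from Progress Telerik. It assumes the action is served at /Startup/Register (the default ASP.NET MVC route for StartupController.Register) and that the site logs the standard W3C fields shown; the log lines are constructed.

```python
"""Added example for CVE-2024-4358 (not from the article or Progress Telerik).

Scans IIS W3C extended logs for requests to the Report Server first-run
registration action that the vulnerability leaves reachable after setup.
Assumed route: /Startup/Register (default ASP.NET MVC routing).
"""
from dataclasses import dataclass

REGISTER_PATH = "/startup/register"  # assumed route for StartupController.Register


@dataclass
class Hit:
    date: str
    time: str
    client_ip: str
    method: str
    status: int
    verdict: str


def parse_iis_w3c(text):
    """Parse IIS W3C log text into dicts keyed by the names in the #Fields line."""
    fields, rows = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue
        values = line.split()
        if fields and len(values) == len(fields):
            rows.append(dict(zip(fields, values)))
    return rows


def register_hits(text, suspicious_from):
    """Return requests to the registration action on or after the given ISO
    date (the day setup was finished). A POST answered 200 or 302 is the
    exploit shape: the server accepted the parameters and created the user."""
    hits = []
    for row in parse_iis_w3c(text):
        if row.get("cs-uri-stem", "").lower() != REGISTER_PATH:
            continue
        if row.get("date", "") < suspicious_from:  # ISO dates compare lexically
            continue
        status = int(row.get("sc-status", "0"))
        method = row.get("cs-method", "").upper()
        if method == "POST" and status in (200, 302):
            verdict = "admin account likely created"
        elif method == "GET" and status == 200:
            verdict = "registration form still reachable"
        else:
            verdict = "probe"
        hits.append(Hit(row["date"], row["time"], row.get("c-ip", ""), method, status, verdict))
    return hits


# Constructed sample log: legitimate setup on 2024-05-20, then a GET/POST pair
# from an external address on 2024-06-01 followed by a login.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2024-05-20 09:02:11 10.0.0.5 POST /Startup/Register - 443 - 10.0.0.20 Mozilla/5.0 302 0 0 118
2024-06-01 03:14:07 10.0.0.5 GET /Startup/Register - 443 - 203.0.113.77 python-requests/2.31 200 0 0 15
2024-06-01 03:14:09 10.0.0.5 POST /Startup/Register - 443 - 203.0.113.77 python-requests/2.31 302 0 0 96
2024-06-01 03:14:12 10.0.0.5 POST /Login - 443 - 203.0.113.77 python-requests/2.31 302 0 0 40
2024-06-02 11:00:00 10.0.0.5 GET /Report - 443 alice 10.0.0.21 Mozilla/5.0 200 0 0 30
"""

if __name__ == "__main__":
    for hit in register_hits(SAMPLE_LOG, suspicious_from="2024-05-21"):
        print(hit)
```

Any hit after the setup date is worth following up: a GET confirms the endpoint is still exposed, and a successful POST means an account was created and the user list needs to be reviewed, whether or not the server has since been upgraded.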

 

Official Fix & Remediation Guidance:

Updating to Report Server 2024 Q2 (10.1.24.514) or later is the only way to remediate this vulnerability. The Progress Telerik team strongly recommends upgrading to the latest version. Update instructions can be found at https://docs.telerik.com/report-server/implementer-guide/setup/upgrade. Because successful exploitation creates a persistent administrator account, upgrading does not undo an earlier compromise: review the Report Server user list for unexpected accounts holding the System Administrator role, and check IIS logs for requests to the registration action after initial setup.

NOTE: Remediation of this vulnerability by patching to a specific version indicated may not be sufficient to secure the product against further vulnerabilities discovered in later versions, subsequent to the publication of this guidance. Unless contra-indicated, customers are therefore advised to always upgrade to the latest version of the product available.

 

 

CVE-2024-26169

Category: Privilege Escalation

 

Versions Affected:

Desktop Operating Systems:

  • Microsoft Windows 10 Version 1809 for ARM64-based Systems prior to release 10.0.17763.5576
  • Microsoft Windows 10 Version 1809 for x64-based Systems prior to release 10.0.17763.5576
  • Microsoft Windows 10 Version 1809 for 32-bit Systems prior to release 10.0.17763.5576
  • Microsoft Windows 10 Version 1607 for x64-based Systems prior to release 10.0.14393.6796
  • Microsoft Windows 10 Version 1607 for 32-bit Systems prior to release 10.0.14393.6796
  • Microsoft Windows 10 for x64-based Systems prior to release 10.0.10240.20526
  • Microsoft Windows 10 for 32-bit Systems prior to release 10.0.10240.20526
  • Microsoft Windows 10 Version 22H2 for 32-bit Systems prior to release 10.0.19045.4170
  • Microsoft Windows 10 Version 22H2 for ARM64-based Systems prior to release 10.0.19045.4170
  • Microsoft Windows 10 Version 22H2 for x64-based Systems prior to release 10.0.19045.4170
  • Microsoft Windows 10 Version 21H2 for ARM64-based Systems prior to release 10.0.19044.4170
  • Microsoft Windows 10 Version 21H2 for 32-bit Systems prior to release 10.0.19044.4170
  • Microsoft Windows 10 Version 21H2 for x64-based Systems prior to release 10.0.19044.4170
  • Microsoft Windows 11 Version 22H2 for x64-based Systems prior to release 10.0.22621.3296
  • Microsoft Windows 11 Version 22H2 for ARM64-based Systems prior to release 10.0.22621.3296
  • Microsoft Windows 11 version 21H2 for ARM64-based Systems prior to release 10.0.22000.2836
  • Microsoft Windows 11 version 21H2 for x64-based Systems prior to release 10.0.22000.2836
  • Microsoft Windows 11 Version 23H2 for x64-based Systems prior to release 10.0.22631.3296
  • Microsoft Windows 11 Version 23H2 for ARM64-based Systems prior to release 10.0.22631.3296

 

Server operating systems:

  • Microsoft Windows Server 2012 R2 (Server Core installation) prior to release 6.3.9600.21871
  • Microsoft Windows Server 2012 R2 prior to release 6.3.9600.21871
  • Microsoft Windows Server 2016 prior to release 10.0.14393.6796
  • Microsoft Windows Server 2016 (Server Core installation) prior to release 10.0.14393.6796
  • Microsoft Windows Server 2019 (Server Core installation) prior to release 10.0.17763.5576
  • Microsoft Windows Server 2019 prior to release 10.0.17763.5576
  • Microsoft Windows Server 2022, 23H2 Edition (Server Core installation) prior to release 10.0.25398.763
  • Microsoft Windows Server 2022 (Server Core installation) prior to release 10.0.20348.2340
  • Microsoft Windows Server 2022 prior to release 10.0.20348.2340

 

 

Vulnerability Summary:

Windows Error Reporting Service Elevation of Privilege Vulnerability. The kernel component werkernel.sys creates registry keys with a NULL security descriptor, so the keys it creates lack the access restrictions they should carry. An unprivileged user can therefore create the key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WerFault.exe and set its Debugger value to the path of an attacker-controlled executable. When Windows next launches WerFault.exe with elevated privileges, the registered "debugger" is started instead, giving the attacker a shell with those privileges.
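Setting an Image File Execution Options Debugger value is visible to endpoint telemetry, so the exploit's final step can be detected even where the underlying permission flaw cannot. The following Python is an added example written for this round-up, not code from the article or from Microsoft. It consumes Sysmon Event ID 13 (RegistryEvent: value set) records in the flat JSON shape common log forwarders emit, flags any IFEO Debugger write, and rates a WerFault.exe target as critical; this generalises the page's specific case to the whole IFEO Debugger technique (ATT&CK T1546.012). It assumes the Sysmon configuration captures writes under Image File Execution Options, and the sample events are constructed.

```python
"""Added example for CVE-2024-26169 (not from the article or from Microsoft).

Flags Sysmon Event ID 13 (RegistryEvent: value set) records that install an
Image File Execution Options (IFEO) Debugger. The in-the-wild exploit set the
Debugger value for WerFault.exe; the same rule catches the broader technique
(ATT&CK T1546.012) for any target binary. Records are in the flat JSON shape
common log forwarders emit; the sample events below are constructed.
"""
import re

IFEO_DEBUGGER = re.compile(
    r"\\Image File Execution Options\\(?P<target>[^\\]+)\\Debugger$", re.IGNORECASE
)
# Binaries Windows launches with elevated privileges on its own; a debugger
# registered for these is an elevation primitive, not only persistence.
ELEVATED_TARGETS = {"werfault.exe"}


def ifeo_debugger_findings(events):
    """Return one finding per IFEO Debugger write, critical findings first."""
    findings = []
    for ev in events:
        if str(ev.get("EventID")) != "13":
            continue
        match = IFEO_DEBUGGER.search(ev.get("TargetObject", ""))
        if not match:
            continue
        target = match.group("target").lower()
        debugger = ev.get("Details", "")
        # Assumption: a debugger living outside the Windows directory is the
        # usual attacker shape; legitimate IFEO debuggers are rare in any case.
        in_windows_dir = debugger.lower().startswith("c:\\windows\\")
        findings.append({
            "time": ev.get("UtcTime", ""),
            "target": target,
            "debugger": debugger,
            "set_by_image": ev.get("Image", ""),
            "user": ev.get("User", ""),
            "severity": "critical" if target in ELEVATED_TARGETS else "high",
            "debugger_in_windows_dir": in_windows_dir,
        })
    findings.sort(key=lambda f: f["severity"] != "critical")
    return findings


# Constructed sample events: a low-privileged user's staging binary creates the
# WerFault.exe IFEO key and sets Debugger; the other records are noise.
SAMPLE_EVENTS = [
    {"EventID": 13, "UtcTime": "2024-06-10 14:02:31.114", "EventType": "SetValue",
     "Image": r"C:\Users\bob\AppData\Local\Temp\stage.exe", "User": r"CORP\bob",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WerFault.exe\Debugger",
     "Details": r"C:\Users\bob\AppData\Local\Temp\upd.exe"},
    {"EventID": 13, "UtcTime": "2024-06-10 14:02:30.990", "EventType": "SetValue",
     "Image": r"C:\Users\bob\AppData\Local\Temp\stage.exe", "User": r"CORP\bob",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WerFault.exe\GlobalFlag",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 12, "UtcTime": "2024-06-10 14:02:30.900", "EventType": "CreateKey",
     "Image": r"C:\Users\bob\AppData\Local\Temp\stage.exe", "User": r"CORP\bob",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WerFault.exe"},
    {"EventID": 13, "UtcTime": "2024-06-10 09:15:02.001", "EventType": "SetValue",
     "Image": r"C:\Windows\regedit.exe", "User": r"CORP\admin",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\Debugger",
     "Details": r"C:\Windows\System32\ntsd.exe"},
    {"EventID": 13, "UtcTime": "2024-06-10 09:20:00.000", "EventType": "SetValue",
     "Image": r"C:\Windows\System32\svchost.exe", "User": "NT AUTHORITY\\SYSTEM",
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Services\BITS\Start",
     "Details": "DWORD (0x00000003)"},
]

if __name__ == "__main__":
    for f in ifeo_debugger_findings(SAMPLE_EVENTS):
        print(f["severity"].upper(), f["target"], "->", f["debugger"], "set by", f["set_by_image"])
```

The key creation (Event ID 12) on its own is not flagged; it is the Debugger value that changes what runs. In an investigation, the Image field of the matching event names the process that wrote the value, which is the exploit binary to collect.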

 

Official Fix & Remediation Guidance:

Customers are advised to install the March 2024 security update. KB5035845 is the cumulative and servicing stack update for Windows 10 21H2 and 22H2 (OS builds 19044.4170 and 19045.4170); the other branches listed above receive the same fix in their own March 2024 cumulative updates, identified by the build numbers given. For full details and available download channels, see https://support.microsoft.com/en-gb/topic/march-12-2024-kb5035845-os-builds-19044-4170-and-19045-4170-24e9864f-0756-457e-bce9-3f681020d591. The update closes the permission flaw but does not remove a Debugger value an attacker has already set, so after patching also inspect the Image File Execution Options\WerFault.exe key and remove any Debugger value found there.

NOTE: Remediation of this vulnerability by patching to a specific version indicated may not be sufficient to secure the product against further vulnerabilities discovered in later versions, subsequent to the publication of this guidance. Unless contra-indicated, customers are therefore advised to always upgrade to the latest version of the product available.

 

 

CVE-2024-32896

Category: Privilege Escalation

 

Versions Affected:

  • Google Pixel Firmware < v2024-06-05
  • Other devices running Google Android OS.

 

 

Vulnerability Summary:

There is an elevation of privilege vulnerability in devices running the Android OS. Google had not shared further details of the zero-day at the time of writing (2024-06-13). Third-party reports (from the GrapheneOS project) describe it as the remaining part of the fix for the earlier CVE-2024-29748, a firmware issue that allows an attacker to interrupt a factory reset triggered through the device admin API, so that data the reset should have wiped remains recoverable.

Despite early indications from the vendor that this vulnerability was specific to Google Pixel devices, later reports indicate that other Android devices are also likely to be affected.

 

Official Fix & Remediation Guidance:

Google has released patches for supported Pixel devices, such as Pixel 5a with 5G, Pixel 6a, Pixel 6, Pixel 6 Pro, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel 8, Pixel 8 Pro, Pixel 8a, and Pixel Fold as part of the June 2024 update. For Google devices, security patch levels of 2024-06-05 or later address all issues.

Customers are advised to upgrade to the latest version of the impacted product. To apply the security update manually, Pixel users must go to Settings > Security & privacy > System & updates > Security update, tap Install, and restart the device to complete the update process. For further update instructions, see https://support.google.com/pixelphone/answer/4457705. On a device reachable over adb, the installed patch level can be read with "adb shell getprop ro.build.version.security_patch"; a value earlier than 2024-06-05 means the fix is not present.

It is also recommended to enable automatic updates, if available, to receive further security fixes promptly. Additionally, users should exercise caution when opening emails, messages, or links from untrusted sources, as these could be vectors for delivering malicious payloads that exploit vulnerabilities like CVE-2024-32896.

If you suspect your device may have been compromised, consider performing a factory reset and restoring from a secure backup. Users can also consult Google’s support resources or seek professional assistance for further guidance.

NOTE: Remediation of this vulnerability by patching to a specific version indicated may not be sufficient to secure the product against further vulnerabilities discovered in later versions, subsequent to the publication of this guidance. Unless contra-indicated, customers are therefore advised to always upgrade to the latest version of the product available.

 

 

About AppCheck

AppCheck is a software security vendor based in the UK, offering a leading security scanning platform that automates the discovery of security flaws within organisations' websites, applications, networks and cloud infrastructure. AppCheck is authorised by the Common Vulnerabilities and Exposures (CVE) Program as a CVE Numbering Authority (CNA).
