Known Actively Exploited Vulnerabilities Round-up (07.06.24-13.06.24)

This article covers recent vulnerabilities found to be actively exploited. They are categorised based not only on the category of exploitation, but their impact, and versions affected. This article also informs on any official fix and remediation guidance for the listed vulnerabilities.

This article covers recent vulnerabilities found to be actively exploited. They are categorised based not only on the category of exploitation, but their impact, and versions affected. This article also informs on any official fix and remediation guidance for the listed vulnerabilities.

 

CVE-2024-4577

Category: Command Injection

 

Versions Affected:

  • PHP 8.x prior to release 8.1.29
  • PHP 8.2.x branch prior to release 8.2.20
  • PHP 8.3.x branch prior to release 8.3.8

 

 

Vulnerability Summary:

When using Apache and PHP-CGI on Windows, if the system is set up to use certain code pages, Windows may use “Best-Fit” behavior to replace characters in command line given to Win32 API functions. PHP CGI module may misinterpret those characters as PHP options. The root cause is an inconsistency in the way that PHP and BestFit interact when converting Unicode characters into ASCII. Best Fit fails to escape characters such as a soft hyphen (with Unicode value 0xAD) and instead converts it to an unescaped regular hyphen (0x2D), a character that’s instrumental in many code syntaxes.

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

NOTE: This vulnerability is a patch bypass for CVE-2012-1823.

 

Official Fix & Remediation Guidance:

Customers are advised to upgrade to PHP versions 8.3.8, 8.2.20, 8.1.29, or later to address the vulnerability. This vulnerability has already been fixed in the latest version officially, and users affected are advised to upgrade their version as soon as possible for protection. Official download link: https://www.php.net/downloads.php. Upgrade to:

  • PHP 8.1.x branch to release 8.1.29
  • PHP 8.2.x branch to release 8.2.20
  • PHP 8.3.x branch to release 8.3.8

 

NOTE: The 8.0, 7.x, and 5.x version branches are also vulnerable, but since they’re no longer supported, admins will have to follow mitigation advice since patches aren’t available.

NOTE: Customers should strongly consider switching from the outdated PHP CGI to a more secure solution such as FastCGI or PHP-FPM to minimize the risks of vulnerability exploitation.

NOTE: Remediation of this vulnerability by patching to a specific version indicated may not be sufficient to secure the product against further vulnerabilities discovered in later versions, subsequent to the publication of this guidance. Unless contra-indicated, customers are therefore advised to always upgrade to the latest version of the product available.

 

 

CVE-2024-4358

Category: Configuration Errors

 

Versions Affected:

  • Progress Telerik Report Server, version 2024 Q1 (10.0.24.305) or earlier.

 

 

Vulnerability Summary:

Progress Telerik Report Server, when running on Microsoft IIS, contains an authentication bypass vulnerability due to a configuration issue. The endpoint Telerik.ReportServer.Web.dll!Telerik.ReportServer.Web.Controllers.Startup Controller.Register – which is responsible for setting up the server for the first time – remains accessible (unauthenticated) to unauthorised users even after the admin has finished the setup process. This method is available unauthenticated and will use received parameters to create a user, and assign the “System Administrator” role to the user: this allows a remote unauthorised remote attacker to create an administrative user account and login.

 

Official Fix & Remediation Guidance:

Updating to Report Server 2024 Q2 (10.1.24.514) or later is the only way to remediate this vulnerability. The Progress Telerik team strongly recommends performing an upgrade to the latest version. Update instructions can be found at https://docs.telerik.com/report-server/implementer-guide/setup/upgrade.

NOTE: Remediation of this vulnerability by patching to a specific version indicated may not be sufficient to secure the product against further vulnerabilities discovered in later versions, subsequent to the publication of this guidance. Unless contra-indicated, customers are therefore advised to always upgrade to the latest version of the product available.

 

 

CVE-2024-26169

Category: Privilege Escalation

 

Versions Affected:

Desktop Operating Systems:

  • Microsoft Windows 10 Version 1809 for ARM64-based Systems prior to release 10.0.17763.5576
  • Microsoft Windows 10 Version 1809 for x64-based Systems prior to release 10.0.17763.5576
  • Microsoft Windows 10 Version 1809 for 32-bit Systems prior to release 10.0.17763.5576
  • Microsoft Windows 10 Version 1607 for x64-based Systems prior to release 10.0.14393.6796
  • Microsoft Windows 10 Version 1607 for 32-bit Systems prior to release 10.0.14393.6796
  • Microsoft Windows 10 for x64-based Systems prior to release 10.0.10240.20526
  • Microsoft Windows 10 for 32-bit Systems prior to release 10.0.10240.20526
  • Microsoft Windows 10 Version 22H2 for 32-bit Systems prior to release 10.0.19045.4170
  • Microsoft Windows 10 Version 22H2 for ARM64-based Systems prior to release 10.0.19045.4170
  • Microsoft Windows 10 Version 22H2 for x64-based Systems prior to release 10.0.19045.4170
  • Microsoft Windows 10 Version 21H2 for ARM64-based Systems prior to release 10.0.19044.4170
  • Microsoft Windows 10 Version 21H2 for 32-bit Systems prior to release 10.0.19044.4170
  • Microsoft Windows 10 Version 21H2 for x64-based Systems prior to release 10.0.19044.4170
  • Microsoft Windows 11 Version 22H2 for x64-based Systems prior to release 10.0.22621.3296
  • Microsoft Windows 11 Version 22H2 for ARM64-based Systems prior to release 10.0.22621.3296
  • Microsoft Windows 11 version 21H2 for ARM64-based Systems prior to release 10.0.22000.2836
  • Microsoft Windows 11 version 21H2 for x64-based Systems prior to release 10.0.22000.2836
  • Microsoft Windows 11 Version 23H2 for x64-based Systems prior to release 10.0.22631.3296
  • Microsoft Windows 11 Version 23H2 for ARM64-based Systems prior to release 10.0.22631.3296

 

Server operating systems:

  • Microsoft Windows Server 2012 R2 (Server Core installation) prior to release 6.3.9600.21871
  • Microsoft Windows Server 2012 R2 prior to release 6.3.9600.21871
  • Microsoft Windows Server 2016 prior to release 10.0.14393.6796
  • Microsoft Windows Server 2016 (Server Core installation) prior to release 10.0.14393.6796
  • Microsoft Windows Server 2019 (Server Core installation) prior to release 10.0.17763.5576
  • Microsoft Windows Server 2019 prior to release 10.0.17763.5576
  • Microsoft Windows Server 2022, 23H2 Edition (Server Core installation) prior to release 10.0.25398.763
  • Microsoft Windows Server 2022 (Server Core installation) prior to release 10.0.20348.2340
  • Microsoft Windows Server 2022 prior to release 10.0.20348.2340

 

 

Vulnerability Summary:

Windows Error Reporting Service Elevation of Privilege Vulnerability. The Windows file werkernel.sys uses an unsafe (NULL) security descriptor when creating registry keys. As a result, it is possible to create a HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WerFault.exe registry key where the ‘Debugger’ value is set to the pathname to a (malicious) executable file. This allows an exploit to start a shell with administrative privileges.

 

Official Fix & Remediation Guidance:

Customers are advised to install the March 2024 cumulative and servicing stack update (KB5035845). For full details and available download channels, see https://support.microsoft.com/en-gb/topic/march-12-2024-kb5035845-os-builds-19044-4170-and-19045-4170-24e9864f-0756-457e-bce9-3f681020d591.

NOTE: Remediation of this vulnerability by patching to a specific version indicated may not be sufficient to secure the product against further vulnerabilities discovered in later versions, subsequent to the publication of this guidance. Unless contra-indicated, customers are therefore advised to always upgrade to the latest version of the product available.

 

 

CVE-2024-32896

Category: Privilege Escalation

 

Versions Affected:

  • Google Pixel Firmware < v2024-06-05
  • Other devices running Google Android OS.

 

 

Vulnerability Summary:

There is an elevation of privilege vulnerability in devices running the Android OS. Google did not share further details of the zero-day as of the time of writing (2024-06-13). However, it is being reported by third parties that the vulnerability relates to further unaddressed issues remaining from the earlier vulnerability CVE-2024-29748, which allows attackers to interrupt reboot sequence for wipes via the device admin API.

Despite early indications from the vendor that this vulnerability was specific to Google Pixel devices, later reports indicate that many other Android OS devices will also be vulnerable.

 

Official Fix & Remediation Guidance:

Google has released patches for supported Pixel devices, such as Pixel 5a with 5G, Pixel 6a, Pixel 6, Pixel 6 Pro, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel 8, Pixel 8 Pro, Pixel 8a, and Pixel Fold as part of the June 2024 update. For Google devices, security patch levels of 2024-06-05 or later address all issues.

Customers are advised to upgrade to the latest version of the impacted product. To apply the security update manually, Pixel users must go to Settings > Security & privacy > System & updates > Security update, tap Install, and restart the device to complete the update process. For further update instructions, see https://support.google.com/pixelphone/answer/4457705.

It is also recommended to enable automatic updates, if available, to receive further security fixes promptly. Additionally, users should exercise caution when opening emails, messages, or links from untrusted sources, as these could be vectors for delivering malicious payloads that exploit vulnerabilities like CVE-2024-32896.

If you suspect your device may have been compromised, consider performing a factory reset and restoring from a secure backup. Users can also consult Google’s support resources or seek professional assistance for further guidance.

NOTE: Remediation of this vulnerability by patching to a specific version indicated may not be sufficient to secure the product against further vulnerabilities discovered in later versions, subsequent to the publication of this guidance. Unless contra-indicated, customers are therefore advised to always upgrade to the latest version of the product available.

 

 

About AppCheck

AppCheck is a software security vendor based in the UK, offering a leading security scanning platform that automates the discovery of security flaws within organisations websites, applications, network, and cloud infrastructure. AppCheck are authorized by the Common Vulnerabilities and Exposures (CVE) Program as a CVE Numbering Authority (CNA).

Get started with Appcheck

No software to download or install.

Contact us or call us 0113 887 8380

About Appcheck

AppCheck is a software security vendor based in the UK, offering a leading security scanning platform that automates the discovery of security flaws within organisations websites, applications, network and cloud infrastructure. AppCheck are authorized by te Common Vulnerabilities and Exposures (CVE) Program aas a CVE Numbering Authority (CNA)

No software to download or install.
Contact us or call us 0113 887 8380

Start your free trial

Your details
IP Addresses
URLs

Get in touch