AppCheck presents our weekly round up of critical vulnerabilities being actively exploited ‘in the wild’ by organised threat actors, during the week ending 6th September 2024. Organisations in both the public and private sectors can use the list each week as an input to their vulnerability management prioritisation framework: known exploitations are vulnerabilities that are confirmed as being actively used to target and exploit organisations around the globe. As such, they present perhaps the greatest ongoing cybersecurity risk to businesses, and a very real threat. The vulnerabilities are often being exploited by attackers in order to achieve direct financial gain via techniques such as malware and ransomware installation. We summarise each known ongoing exploitation below, but full details – including their impact, versions affected, and any official fix and remediation guidance – for each of the listed vulnerabilities are all available, for free, via the AppCheck Detections Service at https://detections.appcheck-ng.com/ – simply click on the title of any of the exploitations below to see more information from this service.
This week: With September’s ‘Patch Tuesday’ landing this week, it’s been a frenetic week for many teams, scheduling and deploying patches for many systems. Matters certainly weren’t helped by the announcement from Microsoft that a critical flaw in their Windows 10 operating system (CVE-2024-43491, one of four critical alerts from the vendor this month) had inadvertently led to the rollback and uninstallation of critical security patches from previously-patched systems – a flaw that was almost immediately seized on by attackers for exploitation. In a similar pattern, attackers were observed to be exploiting a critical authentication flaw in Progress WhatsUp Gold (CVE-2024-6670) to infiltrate corporate networks, within just hours of the publication of exploit code.
Elsewhere, threat groups were captured exploiting vulnerabilities both new (CVE-2024-40766, CVE-2024-38014) and old (CVE-2016-3714, CVE-2017-1000253) in software and systems including SonicWall, ImageMagick, and both the Linux and Windows operating systems.
The speed of reaction by attackers to weaponize published vulnerabilities into active attacks appears to be a growing reality and a threat to organisations that only serves to highlight the importance of rapid-reaction security response efforts devoted to vulnerability detection and patching.
CISA (America’s Cyber Defense Agency) maintains a catalogue of KEVs (Known Exploited Vulnerabilities) and publishes alerts of known exploitations on an often daily basis. Although intended primarily as advisories for US governmental and federal agencies, the list is openly published for the benefit of the wider cybersecurity community and network defenders – and to help every organisation better manage vulnerabilities and keep pace with threat activity.
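The round-up suggests using the KEV list as an input to a vulnerability management prioritisation framework. The script below is an added example (not AppCheck’s or CISA’s code) of what that looks like in practice: it indexes a feed in the shape of CISA’s `known_exploited_vulnerabilities.json`, cross-references it with scanner findings, and ranks them into tiers (KEV with known ransomware use, KEV, high EPSS, everything else), breaking ties by the CISA due date and then EPSS. The feed entries, the asset inventory, the EPSS values other than the 96.65% quoted for CVE-2016-3714, the due dates and the “today” date are all constructed for illustration; the CVE identifiers are the ones named in this round-up, but the field values attached to them are not the catalogue’s real entries.

```python
"""Prioritise scanner findings against a CISA-KEV-shaped feed (added example)."""
import json
from datetime import date

# Constructed sample in the shape of the CISA KEV feed
# (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).
# Only the cveID values come from the round-up; every other field value is constructed.
KEV_FEED_JSON = """
{
  "title": "CISA Catalog of Known Exploited Vulnerabilities (constructed sample)",
  "vulnerabilities": [
    {"cveID": "CVE-2024-40766", "vendorProject": "SonicWall", "product": "SonicOS",
     "dateAdded": "2024-09-09", "dueDate": "2024-09-30", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2017-1000253", "vendorProject": "Linux", "product": "Kernel",
     "dateAdded": "2024-09-09", "dueDate": "2024-09-30", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2016-3714", "vendorProject": "ImageMagick", "product": "ImageMagick",
     "dateAdded": "2024-09-09", "dueDate": "2024-09-30", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2024-43491", "vendorProject": "Microsoft", "product": "Windows",
     "dateAdded": "2024-09-10", "dueDate": "2024-10-01", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2024-38014", "vendorProject": "Microsoft", "product": "Windows",
     "dateAdded": "2024-09-10", "dueDate": "2024-10-01", "knownRansomwareCampaignUse": "Unknown"}
  ]
}
"""

# Constructed scanner output: one row per (host, CVE). EPSS values are constructed
# except CVE-2016-3714, whose 0.9665 is the figure quoted in the round-up.
SAMPLE_FINDINGS = [
    {"host": "web-fw-01",  "cve": "CVE-2024-40766",   "epss": 0.12},
    {"host": "build-01",   "cve": "CVE-2017-1000253", "epss": 0.40},
    {"host": "img-svc-02", "cve": "CVE-2016-3714",    "epss": 0.9665},
    {"host": "dev-box-07", "cve": "CVE-2024-43491",   "epss": 0.08},
    {"host": "monitor-01", "cve": "CVE-2024-6670",    "epss": 0.55},  # exploited per vendor/press, not in this feed
    {"host": "lb-01",      "cve": "CVE-2024-6096",    "epss": 0.02},
]

HIGH_EPSS = 0.5  # threshold is a local policy choice, not a CISA figure


def load_kev(feed_json):
    """Index a KEV-shaped feed by CVE id for O(1) lookup."""
    feed = json.loads(feed_json)
    return {entry["cveID"]: entry for entry in feed["vulnerabilities"]}


def tier_for(finding, kev):
    """1 = KEV + known ransomware use, 2 = KEV, 3 = high EPSS, 4 = the rest."""
    entry = kev.get(finding["cve"])
    if entry is not None:
        return 1 if entry.get("knownRansomwareCampaignUse") == "Known" else 2
    return 3 if finding.get("epss", 0.0) >= HIGH_EPSS else 4


def prioritise(findings, kev, today_iso):
    """Return findings as dicts sorted by tier, then CISA due date, then EPSS (desc)."""
    today = date.fromisoformat(today_iso)
    rows = []
    for f in findings:
        entry = kev.get(f["cve"])
        due = entry["dueDate"] if entry else None
        rows.append({
            "host": f["host"],
            "cve": f["cve"],
            "tier": tier_for(f, kev),
            "in_kev": entry is not None,
            "due": due,
            "days_left": (date.fromisoformat(due) - today).days if due else None,
            "epss": f.get("epss", 0.0),
        })
    # Non-KEV rows have no due date; push them after dated rows within the same tier.
    rows.sort(key=lambda r: (r["tier"], r["due"] or "9999-12-31", -r["epss"]))
    return rows


def run_example(today_iso="2024-09-13"):
    """Run the constructed inventory against the constructed feed."""
    return prioritise(SAMPLE_FINDINGS, load_kev(KEV_FEED_JSON), today_iso)


if __name__ == "__main__":
    for r in run_example():
        due = f"{r['due']} ({r['days_left']:+d}d)" if r["due"] else "n/a"
        print(f"P{r['tier']}  {r['host']:<11} {r['cve']:<17} KEV={str(r['in_kev']):<5} "
              f"due={due:<20} EPSS={r['epss']:.4f}")
```

In real use the feed would be fetched from the CISA URL above and the findings would come from the scanner export; the point of the tiering is that a KEV entry outranks any EPSS figure, because exploitation is confirmed rather than predicted, while EPSS still orders the long tail that CISA has not (or not yet) listed, such as CVE-2024-6670 here.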
A vulnerability exists within the SonicWall SonicOS used on the firm’s web application firewalls. CISA has warned previously about active exploitations in SonicWall appliances since 2022, including a targeted attack by a suspected China-nexus threat actor. Upon successful exploitation of CVE-2024-40766, attackers can compromise the security of the product by gaining privileges, reading sensitive information and executing commands. The vendor reports that this could lead to the firewall crashing under specific conditions.
A flaw was found within the Linux kernel that – when successfully exploited – allows an unprivileged local user to escalate their privileges on the system. Whilst this vulnerability has been known about since at least April 2017, it wasn’t initially recognised as a potential security threat. However, CISA now warns that it is under active exploitation as of the 9th September 2024. It has also been reported to have been used in ransomware campaigns, with exploit code readily available to would-be attackers on GitHub.
The free and open-source cross-platform software suite ImageMagick is now under active exploitation due to a vulnerability known about since at least April 2016. Successful exploits allow attackers to remotely execute arbitrary (malicious) code. This exploit is now informally known as ‘ImageTragick’. With an EPSS score of 96.65%, there is an extremely high probability of attempted exploitation of this critical vulnerability within the next 30 days.
This vulnerability is part of a class of MoTW, SmartScreen and SAC mechanism bypasses that have collectively been exploited by threat actors since as early as 2018. This particular CVE (and its associated patch) was generated by Microsoft in September 2024. CISA has previously published warnings of active exploitation of other similar MoTW bypass vulnerabilities in Windows, including one exploited by the Russian ‘RomCom’ ransomware distribution group. Successful exploitation of this vulnerability could lead to total system compromise, following an attacker achieving remote code execution.
A critical privilege escalation vulnerability has been found to be under active exploitation according to a report by CISA. This vulnerability relates to the Windows Installer, and allows a successful attacker with local access to escalate their privileges and gain SYSTEM (superuser) privileges, allowing them to execute arbitrary commands. With many product versions affected and the potentially critical impact of successful exploitation, we recommend prioritising the remediation of any impacted environments.
Microsoft is aware of a vulnerability in the Servicing Stack that has rolled back the fixes for several critical vulnerabilities affecting Windows 10. Currently known to be under exploitation, attackers are exploiting multiple critical, previously-mitigated vulnerabilities on Windows 10 systems – even on systems thought to be patched and secure. With an equally critical probability and impact from exploitation, priority should be given immediately to remediating any impacted environments.
Microsoft Publisher, a desktop publishing application, contains a critical security vulnerability allowing the bypass of Office security protection mechanisms. An authenticated attacker can exploit this vulnerability by convincing a victim to download and open a specially crafted file, which would allow a local attack on the victim’s computer. Through this, an attacker is able to execute arbitrary macro code on the machine. CISA has previously published warnings of active exploitation of macro security vulnerabilities in Microsoft Office products by threat actors.
Although CISA provides generally broad coverage of the highest-profile exploitations, it can sometimes lag behind the curve in first reporting emerging exploitations. It can also, due to its operational remit, deliberately not publish some exploitations if it feels that there is limited threat to US government and federal agencies. AppCheck therefore uses numerous alternative threat intelligence sources to enrich its coverage of high-profile exploitations and 0-days reported elsewhere. AppCheck processes known-exploited vulnerabilities highlighted in non-CISA sources, and aims to prioritise the addition of detections for them, in exactly the same way as for CISA-published ones.
Progress features twice this week, first with an active exploitation causing chaos within their network availability and performance monitoring solution ‘WhatsUp Gold’. Exploits for this vulnerability were observed in the wild only hours after the proof of concept was posted. An attacker can gain full administrative access to the host through SQL injection, and then achieve remote code execution.
Note: This is not the first time that Progress has been in the spotlight for the active exploit of critical vulnerabilities in their products recently. In early August 2024, threat monitoring organization Shadowserver Foundation reported that its honeypots had recorded attempts to exploit CVE-2024-4885, another critical remote code execution (RCE) flaw also in WhatsUp Gold. Prior to that, CISA had also warned of active exploitation of vulnerabilities in other Progress products including CVE-2023-34362, CVE-2023-35708, and CVE-2024-4358.
Another vulnerability in the Linux kernel this week, not yet reported by CISA, exists within the ‘Netfilter’ module. When successfully exploited, a local attacker can leak sensitive information, escalate privileges and/or execute arbitrary (malicious) code. Proof-of-concept (PoC) exploit code has been released into the wild by Google’s security research team, and is readily available to attackers and threat groups. Considering the near-universal deployment of the Linux kernel across IT estates, this is definitely a target-rich exploit, and exploitation should be considered very likely.
Pagefind, an open-source project supported by NZ-based tech company CloudCannon, is reported to be undergoing active exploitation of a ‘DOM Clobbering’ vulnerability, which allows attackers to remotely inject arbitrary client-side code and escalate their privileges. This exploitation was reported by ‘inthewild.io’, which is a site dedicated to collating and confirming third-party reports of vulnerability exploitation. Due to the accuracy of previous reports from this source, exploitation should be considered highly likely.
For Progress’ second appearance in our round-up this week, a vulnerability exists within LoadMaster, an application delivery controller acquired by Progress Software. This vulnerability, when exploited, allows for remote code execution (RCE) to be achieved via an OS command injection, furthering the ability of an unauthenticated remote attacker to effectively compromise the security of an entire system. Progress products have recently seen a string of high profile active exploitations, including a remote code execution vulnerability in WhatsUp (CVE-2024-4885) and multiple vulnerabilities in Telerik (CVE-2024-4358 and CVE-2024-6096). The Exploit Prediction Scoring System (EPSS) puts this vulnerability in the top 10th percentile of ‘likely to be exploited within the next 30 days’.
HAProxy is free and open-source software used by organisations as a load balancer and proxy, known for its traffic distribution and high availability. This vulnerability can cause HAProxy to enter an endless loop in a specific function, which a remote attacker can exploit to trigger a Denial of Service (DoS) attack, rendering any HAProxy-fronted services unavailable to legitimate customers. Even a temporary crash during high-traffic periods could result in significant financial and operational losses.
IT software company Ivanti faces a deserialisation vulnerability within its Endpoint Manager (EPM). Successful exploitation could allow an unauthenticated, remote attacker to inject (and hence execute) arbitrary (malicious) code on the target system. This allows an attacker to fully compromise and effectively take over a target system. There has been extensive in-the-wild exploitation of several previous zero-days in Ivanti appliances, including by China-nexus cyber espionage groups to breach networks of interest.
A stack-based buffer overflow vulnerability present within the Linksys WRT54G series of Wi-Fi capable residential gateways has been reported to be under active exploitation, with exploit code available on GitHub. Network Edge devices such as the Linksys continue to play a significant role in the operational infrastructures of numerous threat actors, including recent heightened activity from the ‘Quad7’ and ‘Mirai’ botnet operators. These devices are often targeted due to their accessibility, vulnerabilities, and their use in providing exit nodes that facilitate anonymous and distributed attacks.
Source code management platform GitLab has issued a critical security advisory and an out-of-band patch in response to a privilege elevation vulnerability in both the GitLab Community (CE) and Enterprise (EE) editions of the product. Successful exploitation could lead to full system compromise via the unauthorised execution of pipelines with elevated privileges. Because it can be leveraged for onward ‘pivot’ attacks within enterprise networks, the vulnerability is likely to be highly attractive to organised threat actors.
To keep up to date with future high-profile patches for critical exploits from vendors including Microsoft and Google, tune in next Friday for next week’s ‘KEV’ (known exploitation) roundup – and don’t forget to add the next ‘Patch Tuesday’ to your calendar now too – 8th October 2024.
AppCheck is a software security vendor based in the UK, offering a leading security scanning platform that automates the discovery of security flaws within organisations’ websites, applications, network, and cloud infrastructure. AppCheck is authorised by the Common Vulnerabilities and Exposures (CVE) Program as a CVE Numbering Authority (CNA).