This article covers recent vulnerabilities found to be actively exploited. They are categorised based not only on the category of exploitation, but their impact, and versions affected. This article also informs on any official fix and remediation guidance for the listed vulnerabilities. For all our entries below, you can find the full overview and guidance at https://detections.appcheck-ng.com/vulnerabilities/list.
Category: Path Traversal
Apache OFBiz contains a command injection vulnerability. The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
In this instance, the separator “;” (semi-colon) can be used to append the path of a restricted URL (one that the requester should not be able to access) onto the end of a lower-privilege URL (one that they can access). The access control system evaluates the request on the leading part of the URL (the part they can access), but then executes the command that is passed in the latter half of the URL.
For example, in the below URL path:
/webtools/control/forgotPassword;/ProgramExport
the “forgotPassword” function does not require any authentication and is public so the user has their request approved, but the “ProgramExport” function that is appended is intended to be restricted since it allows arbitrary code execution.
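The defensive pattern the entry points at is to make the authorisation decision on one canonical form of the request path rather than on whatever text precedes the first “;”. The following is an added example, not OFBiz code or part of the official fix: it shows a weak check of the kind described beside a hardened one that canonicalises the path first (percent-decoding, stripping “;”-delimited path parameters from every segment and collapsing dot-segments), and a small detector that runs over constructed access-log lines and flags any request whose routed path differs from what was literally sent. The PUBLIC_PATHS allowlist, the log lines and the function names are assumptions made for the example.

```python
import posixpath
import re
from urllib.parse import unquote, urlsplit

# Constructed allowlist of controller paths reachable without authentication.
# This is an assumption for the example, not OFBiz's real configuration.
PUBLIC_PATHS = {
    "/webtools/control/forgotPassword",
    "/webtools/control/login",
}


def weak_is_public(raw_target: str) -> bool:
    """Authorisation check of the kind the advisory describes: it looks only at
    the part of the path before the first ';' and ignores whatever follows."""
    leading = raw_target.split("?", 1)[0].split(";", 1)[0]
    return leading in PUBLIC_PATHS


def canonical_path(raw_target: str) -> str:
    """Reduce a request target to one canonical path before any policy decision.
    Drops the query string, percent-decodes, strips ';'-delimited path
    parameters from every segment and collapses '.' and '..' segments, so the
    policy sees the path the application would actually route."""
    path = unquote(urlsplit(raw_target).path)
    segments = [segment.split(";", 1)[0] for segment in path.split("/")]
    path = "/".join(segments)
    return posixpath.normpath(path) if path else "/"


def hardened_is_public(raw_target: str) -> bool:
    """Fail-closed check: only an exact match on the canonical path is public."""
    return canonical_path(raw_target) in PUBLIC_PATHS


LOG_LINE = re.compile(r'"(?:GET|POST|PUT|DELETE) (\S+) HTTP/[\d.]+"')


def flag_path_parameter_requests(log_lines):
    """Detection over access-log lines: return (line_number, raw_target,
    canonical_path) for every request whose target differs from its canonical
    form, which is what a ';' path parameter or a dot-segment produces."""
    flagged = []
    for number, line in enumerate(log_lines, start=1):
        match = LOG_LINE.search(line)
        if not match:
            continue
        raw = match.group(1)
        canonical = canonical_path(raw)
        if raw.split("?", 1)[0] != canonical:
            flagged.append((number, raw, canonical))
    return flagged


# Constructed access-log sample (not real traffic) in common log format.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Aug/2024:10:01:02 +0000] "GET /webtools/control/forgotPassword HTTP/1.1" 200 512',
    '10.0.0.9 - - [10/Aug/2024:10:01:07 +0000] "POST /webtools/control/forgotPassword;/ProgramExport HTTP/1.1" 200 2048',
    '10.0.0.9 - - [10/Aug/2024:10:01:09 +0000] "GET /webtools/control/login%3B/EntitySQLProcessor HTTP/1.1" 200 1900',
    '10.0.0.7 - - [10/Aug/2024:10:02:00 +0000] "GET /webtools/control/login?USERNAME=bob HTTP/1.1" 200 640',
]

if __name__ == "__main__":
    target = "/webtools/control/forgotPassword;/ProgramExport"
    print("weak check says public:    ", weak_is_public(target))
    print("hardened check says public:", hardened_is_public(target))
    for number, raw, canonical in flag_path_parameter_requests(SAMPLE_LOG):
        print(f"line {number}: {raw} -> routes as {canonical}")
```

The hardened check goes slightly beyond the single case on the page: because it canonicalises before matching, a percent-encoded semicolon (%3B) or a dot-segment inserted before the controller name is treated the same way as the literal “;” variant. The detector is the log-side counterpart and is useful for retrospective review of web-server logs on an OFBiz host, independent of whether the application itself was patched at the time.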
This is fixed in release 18.12.13 with commits b3b87d98dd and ff316b6e22. Users are recommended to upgrade to version 18.12.13 or later, which fixes the issue. The release files can be downloaded following the instructions in the OFBiz download page at http://ofbiz.apache.org/download.html.
NOTE: Remediation of this vulnerability by patching to a specific version indicated may not be sufficient to secure the product against further vulnerabilities discovered in later versions, subsequent to the publication of this guidance. Unless contra-indicated, customers are therefore advised to always upgrade to the latest version of the product available.
Category: Deserialization Of Untrusted Data
This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers.
A vulnerability exists in “Microsoft COM for Windows” when it fails to properly handle serialized objects. The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid. The vulnerability exists in the CMarshalInterceptor::UnmarshalInterface() method in comsvcs.dll.
It is often convenient to serialize objects for communication or to save them for later use. However, deserialized data or code can often be modified without using the provided accessor functions if it does not use cryptography to protect itself. Data that is untrusted cannot be assumed to be well-formed. When developers place no restrictions on “gadget chains,” or series of instances and method invocations that can self-execute during the deserialization process (i.e., before the object is returned to the caller), it is sometimes possible for attackers to leverage them to perform unauthorized actions, like generating a shell.
The vulnerability is exploitable via both email and web-based attack scenarios:
A security update is available, which addresses the vulnerability by correcting how “Microsoft COM for Windows” handles serialized objects. Microsoft is now checking a flag read from the Thread-local storage. The flag is set in a different method not related to marshalling. If the flag isn’t set, the function CMarshalInterceptor::UnmarshalInterface() will exit early without reading anything from the IStream.
You can help protect your system by installing the update from Microsoft. Customers are advised to upgrade to the latest version of Microsoft Windows via one of the following methods:
After you install this update, you may have to restart your system. Install the update, and refer to the advisory for any further configuration that may be required.
NOTE: Remediation of this vulnerability by patching to a specific version indicated may not be sufficient to secure the product against further vulnerabilities discovered in later versions, subsequent to the publication of this guidance. Unless contra-indicated, customers are therefore advised to always upgrade to the latest version of the product available.
Category: Arbitrary Code Execution
Apache OFBiz contains a critical vulnerability in its authorization system. A user who is not logged in and who lacks the required permissions is nevertheless able to access and execute critical Apache Groovy scripts. The root cause is a missing permission check for the ProgramExport and EntitySQLProcessor scripts. This flaw allows an unauthenticated remote user to access critical functionalities that should require the user to be logged in, exposing critical functionality directly to unauthenticated threat actors.
This is fixed in release 18.12.15 with commit 31d8d7. Users are recommended to upgrade to version 18.12.15 or later, which fixes the issue. The release files can be downloaded following the instructions in the OFBiz download page at http://ofbiz.apache.org/download.html.
NOTE: Remediation of this vulnerability by patching to a specific version indicated may not be sufficient to secure the product against further vulnerabilities discovered in later versions, subsequent to the publication of this guidance. Unless contra-indicated, customers are therefore advised to always upgrade to the latest version of the product available.
Category: Cross-Site Scripting (‘XSS’)
A Cross-Site Scripting vulnerability exists in rcmail_action_mail_get->run() in Roundcube through 1.5.7 and 1.6.x through 1.6.7 due to improper sanitisation of the Content-Type HTTP header. This vulnerability is one of two closely-linked vulnerabilities (CVE-2024-42009 and CVE-2024-42008).
Roundcube has published security updates for the 1.6 and 1.5 LTS versions of Roundcube Webmail. Both contain fixes for recently reported security vulnerabilities. Roundcube strongly recommends updating all production installations of Roundcube 1.6.x and 1.5.x to these new versions. Customers are advised to upgrade to the latest version of the impacted product.
NOTE: Remediation of this vulnerability by patching to a specific version indicated may not be sufficient to secure the product against further vulnerabilities discovered in later versions, subsequent to the publication of this guidance. Unless contra-indicated, customers are therefore advised to always upgrade to the latest version of the product available.
Category: Cross-Site Scripting (‘XSS’)
A Cross-Site Scripting vulnerability exists in Roundcube through 1.5.7 and 1.6.x through 1.6.7. The message_body() function fails to properly sanitise parameters received via the script program/actions/mail/show.php. This vulnerability is one of two closely-linked vulnerabilities (CVE-2024-42009 and CVE-2024-42008).
Roundcube has published security updates for the 1.6 and 1.5 LTS versions of Roundcube Webmail. Both contain fixes for recently reported security vulnerabilities. Roundcube strongly recommends updating all production installations of Roundcube 1.6.x and 1.5.x to these new versions. Customers are advised to upgrade to the latest version of the impacted product.
NOTE: Remediation of this vulnerability by patching to a specific version indicated may not be sufficient to secure the product against further vulnerabilities discovered in later versions, subsequent to the publication of this guidance. Unless contra-indicated, customers are therefore advised to always upgrade to the latest version of the product available.
Category: Memory Access Violation
NOTE: This vulnerability affects a common open-source component (the Linux kernel) that is often incorporated into many different products such as different Linux operating system distributions from vendors including Red Hat, Fedora, Debian, Ubuntu and SuSE Linux.
The Linux kernel contains a critical vulnerability. In the net module, the __dst_negative_advice() function does not enforce proper RCU rules when sk->dst_cache must be cleared, leading to a ‘UAF’ or ‘use-after-free’ condition. sk->sk_dst_cache is not properly cleared before dst_release(old_dst) is called.
The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory “belongs” to the code that operates on the new pointer.
We recommend upgrading to kernel version 6.10.0 or newer.
NOTE: This vulnerability affects a common open-source component (the Linux kernel) that is incorporated into many different products such as different Linux operating system distributions from vendors including Red Hat, Fedora, Debian, Ubuntu and SuSE Linux: please check with specific vendors for information on patching status for your specific system.
NOTE: Remediation of this vulnerability by patching to a specific version indicated may not be sufficient to secure the product against further vulnerabilities discovered in later versions, subsequent to the publication of this guidance. Unless contra-indicated, customers are therefore advised to always upgrade to the latest version of the product available.
Category: Arbitrary Code Execution
RaspAP contains a critical security vulnerability: the www-data user has write access to the critical $webroot_dir/installers/restapi.service file, which typically resolves to the path /lib/systemd/system/restapi.service. This configuration file defines several properties of the Rest API (web UI) service. Critically, the configuration file contains two directives, ExecStart and ExecStop, which respectively define the paths of commands to be run on the start and stop of the RestAPI service. Since the service start/stop are performed by the root user, they allow unrestricted system operations to be performed.
Because the www-data user has (improper) write access to the configuration file, they are able to modify the commands that are executed on service start/stop by, for example, performing a chmod operation on the /bin/bash shell binary in order to set the SUID flag on the file. A file with the SUID bit set always executes as the user who owns the file (in this case the superuser root), regardless of the user passing the command. Hence, on service restart, the low-privilege www-data user gains the ability to execute arbitrary (malicious) bash shell commands.
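The two conditions the entry describes, a unit file writable by the web-server user and a SUID bit that should not be there, are both cheap to audit on a host. The following is an added example, not RaspAP code or part of its fix: a small Python audit that parses a systemd unit, reports a unit file (or any Exec* target) that is not root-owned or is group/world-writable, and lists SUID binaries that are not on an allowlist. The core check runs over a snapshot of file metadata so it can be exercised offline; the unit text, the metadata snapshot (uid 33 standing in for www-data) and the allowlist are constructed for the example, and audit_unit_on_disk is the wrapper you would point at a real unit path.

```python
import os
import stat

# systemd directives whose first argument is an executable run by the service
# manager, as root unless the unit sets User= to something else.
EXEC_DIRECTIVES = (
    "ExecStartPre", "ExecStart", "ExecStartPost",
    "ExecReload", "ExecStop", "ExecStopPost",
)

GROUP_OR_WORLD_WRITABLE = stat.S_IWGRP | stat.S_IWOTH


def parse_exec_targets(unit_text: str) -> dict:
    """Map each Exec* directive in a unit file to the executable it names."""
    targets = {}
    for line in unit_text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", ";")) or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key in EXEC_DIRECTIVES and value:
            # systemd permits prefix characters such as '-', '+', '!', ':' and '@'
            # in front of the executable path; strip them to get the real path.
            targets[key] = value.split()[0].lstrip("-+!:@")
    return targets


def audit_unit(unit_path: str, unit_text: str, fs: dict) -> list:
    """Pure audit over a metadata snapshot: fs maps path -> (st_mode, st_uid).
    Keeping the decision separate from os.stat makes it deterministic and lets
    the disk-backed wrapper below share one implementation."""
    findings = []
    mode, uid = fs[unit_path]
    if uid != 0:
        findings.append(f"{unit_path}: owned by uid {uid}, not root")
    if mode & GROUP_OR_WORLD_WRITABLE:
        findings.append(f"{unit_path}: group- or world-writable (mode {stat.S_IMODE(mode):04o})")
    for directive, target in parse_exec_targets(unit_text).items():
        if target not in fs:
            findings.append(f"{unit_path}: {directive} target {target} not found")
            continue
        tmode, tuid = fs[target]
        if tuid != 0 or tmode & GROUP_OR_WORLD_WRITABLE:
            findings.append(f"{unit_path}: {directive} target {target} is writable by a non-root user")
    return findings


def unexpected_suid(fs: dict, allowlist: set) -> list:
    """Paths in the snapshot carrying the SUID bit that are not on the allowlist
    of binaries meant to have it; a SUID shell is the outcome the advisory describes."""
    return sorted(
        path for path, (mode, _uid) in fs.items()
        if mode & stat.S_ISUID and path not in allowlist
    )


def audit_unit_on_disk(unit_path: str) -> list:
    """Disk-backed wrapper: snapshot the unit file and its Exec* targets with os.stat."""
    with open(unit_path, encoding="utf-8") as handle:
        unit_text = handle.read()
    fs = {}
    for path in [unit_path, *parse_exec_targets(unit_text).values()]:
        try:
            st = os.stat(path)
        except FileNotFoundError:
            continue
        fs[path] = (st.st_mode, st.st_uid)
    return audit_unit(unit_path, unit_text, fs)


# Constructed unit file and metadata snapshot (not taken from a real RaspAP host).
# uid 33 is www-data on Debian-based systems; the unit path is the one the advisory names.
UNIT_PATH = "/lib/systemd/system/restapi.service"
UNIT_TEXT = """[Unit]
Description=RaspAP REST API (constructed example)

[Service]
ExecStart=/usr/bin/python3 -m uvicorn app:app
ExecStop=/bin/kill -TERM $MAINPID

[Install]
WantedBy=multi-user.target
"""
CONSTRUCTED_FS = {
    UNIT_PATH: (stat.S_IFREG | 0o664, 33),                   # www-data owned, group-writable
    "/usr/bin/python3": (stat.S_IFREG | 0o755, 0),
    "/bin/kill": (stat.S_IFREG | 0o755, 0),
    "/bin/bash": (stat.S_IFREG | stat.S_ISUID | 0o755, 0),   # SUID set where it should not be
    "/usr/bin/passwd": (stat.S_IFREG | stat.S_ISUID | 0o755, 0),
}
EXPECTED_SUID = {"/usr/bin/passwd"}

if __name__ == "__main__":
    for finding in audit_unit(UNIT_PATH, UNIT_TEXT, CONSTRUCTED_FS):
        print("FINDING:", finding)
    for path in unexpected_suid(CONSTRUCTED_FS, EXPECTED_SUID):
        print("UNEXPECTED SUID:", path)
```

On a real host the allowlist for unexpected_suid should be built from a known-good package inventory rather than typed in, and the same Exec* check is worth applying to every unit under /lib/systemd/system and /etc/systemd/system, not only the one named in the advisory.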
The vulnerability has been addressed in version 3.1.5. Customers are advised to upgrade to the latest version of the impacted product as soon as possible.
NOTE: Remediation of this vulnerability by patching to a specific version indicated may not be sufficient to secure the product against further vulnerabilities discovered in later versions, subsequent to the publication of this guidance. Unless contra-indicated, customers are therefore advised to always upgrade to the latest version of the product available.
Category: Arbitrary Code Execution
WhatsUpGold from Progress contains a critical security vulnerability. The flaw resides in the implementation of the WhatsUp.ExportUtilities.Export.GetFileWithoutZip() method, which fails to perform adequate validation of user-supplied paths prior to its use in file operations. The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. When this occurs, remote attackers may be able to create or overwrite critical files that are used to execute code, such as programs or libraries.
The unsanitised path is exposed via the NmApi.exe process, which listens on network ports 9642 and 9643 via paths such as /NmAPI/RecurringReport.
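The generic defence for this class of flaw is to resolve the user-supplied name against the intended root and refuse anything that does not land strictly inside it. The following is an added example, not Progress code or the vendor's fix, and it does not model the NmApi.exe endpoint: it is a containment check that decodes percent-encoding (repeatedly, so a double-encoded “..” does not slip through), folds backslashes to forward slashes because the product runs on Windows, rejects absolute and drive-letter paths and NUL bytes, and then compares the normalised result against the export root. The export root, the sample names and the function names are assumptions made for the example.

```python
import posixpath
from urllib.parse import unquote


class PathEscapeError(ValueError):
    """Raised when a user-supplied path would resolve outside the export root."""


def fully_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode until the value stops changing (bounded), so a
    double-encoded '..' such as %252e%252e does not survive a single decode."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    return value


def resolve_under(base_dir: str, user_path: str) -> str:
    """Return the canonical location of user_path inside base_dir, or raise.
    Works on the string form only (backslashes folded to '/'), so the decision
    is identical whatever platform the check runs on."""
    candidate = fully_decode(user_path).replace("\\", "/")
    if "\x00" in candidate:
        raise PathEscapeError("NUL byte in path")
    if candidate.startswith("/") or (len(candidate) > 1 and candidate[1] == ":"):
        raise PathEscapeError("absolute paths are not allowed")
    base = posixpath.normpath(base_dir.replace("\\", "/"))
    resolved = posixpath.normpath(posixpath.join(base, candidate))
    # The resolved path must be strictly below the root: equal to it means the
    # caller supplied nothing usable, and a different common prefix means escape.
    if resolved == base or posixpath.commonpath([base, resolved]) != base:
        raise PathEscapeError(f"{user_path!r} escapes {base_dir!r}")
    return resolved


def classify(base_dir: str, user_paths):
    """Map each supplied path to its resolved location or to 'rejected'."""
    outcome = {}
    for user_path in user_paths:
        try:
            outcome[user_path] = resolve_under(base_dir, user_path)
        except PathEscapeError:
            outcome[user_path] = "rejected"
    return outcome


# Constructed inputs (not from the advisory): an export root on a Windows host
# and a mix of benign and traversal-style report names.
EXPORT_ROOT = r"C:\ProgramData\Exports"
SAMPLE_PATHS = [
    "monthly/summary.pdf",
    "monthly\\..\\..\\Windows\\win.ini",
    "..%2F..%2FWindows%2Fwin.ini",
    "%252e%252e/%252e%252e/Windows/win.ini",
    "C:\\Windows\\win.ini",
    "",
]

if __name__ == "__main__":
    for path, result in classify(EXPORT_ROOT, SAMPLE_PATHS).items():
        print(f"{path!r:45} -> {result}")
```

This check is deliberately string-based and therefore does not follow symbolic links or junctions; on the real file system pair it with the platform's realpath of the final location before opening the file, and open with flags that refuse to follow links where the runtime offers them.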
To best protect your environment(s), please immediately upgrade your system(s) to WhatsUp Gold version 23.1.3, released May 24 2024, or later. This version includes the critical security fixes necessary to address this vulnerability. WhatsUp Gold 23.1.3 supports direct upgrades from WhatsUp Gold 20.0.2 and newer. See the WhatsUp Gold Upgrade guide for further information and guidance.
With flaws in Progress Software products known to be abused by threat actors for malicious purposes, it’s essential that admins apply the latest security updates as soon as possible.
NOTE: Remediation of this vulnerability by patching to a specific version indicated may not be sufficient to secure the product against further vulnerabilities discovered in later versions, subsequent to the publication of this guidance. Unless contra-indicated, customers are therefore advised to always upgrade to the latest version of the product available.
The two CVEs below (CVE-2024-38202 & CVE-2024-21302) are linked vulnerabilities now collectively known as ‘DownDate’. Successful exploitation allows an attacker to roll back a machine to a vulnerable state, reinstating all past vulnerabilities, but leaves the machine unable to detect that it is out of date.
Category: Broken Access Control
A critical elevation of privilege vulnerability exists in the Windows Update Stack, enabling the circumvention of some features of Virtualization Based Security (VBS). The vulnerability allows an attacker with basic user privileges to perform highly privileged operations designed to be restricted to SYSTEM only, directly affecting the machine’s patch state.
Microsoft is developing a security update that will mitigate this vulnerability, but it is not yet available. The CVE will be updated with new information and links to the security updates once available. Microsoft highly encourages customers to subscribe to Security Update Guide notifications to be alerted of updates; see Microsoft Technical Security Notifications and the Security Update Guide Notification System (“Create your profile now”) on the Microsoft Security Response Center site.
Category: Permission Management
A critical elevation of privilege vulnerability exists in the Windows Update Stack, enabling the circumvention of some features of Virtualization Based Security (VBS). The vulnerability allows an attacker with basic user privileges to perform highly privileged operations designed to be restricted to SYSTEM only, directly affecting the machine’s patch state.
Microsoft is developing a security update that will mitigate this vulnerability, but it is not yet available. The CVE will be updated with new information and links to the security updates once available. Microsoft highly encourages customers to subscribe to Security Update Guide notifications to be alerted of updates; see Microsoft Technical Security Notifications and the Security Update Guide Notification System (“Create your profile now”) on the Microsoft Security Response Center site.
To keep up to date with future high-profile patches for critical exploits from vendors including Microsoft and Google, add the next ‘Patch Tuesday’ to your calendar now – 13th August 2024.
AppCheck is a software security vendor based in the UK, offering a leading security scanning platform that automates the discovery of security flaws within organisations websites, applications, network, and cloud infrastructure. AppCheck are authorized by the Common Vulnerabilities and Exposures (CVE) Program as a CVE Numbering Authority (CNA).