Known Actively Exploited Vulnerabilities Round-up (09.08.24-15.08.24)

This article covers recent vulnerabilities found to be actively exploited. They are categorised based not only on the category of exploitation, but their impact, and versions affected. This article also informs on any official fix and remediation guidance for the listed vulnerabilities.

AppCheck presents our weekly round-up of critical vulnerabilities being actively exploited ‘in the wild’ by organised threat actors, during the week ending 16th August 2024. Organisations in both the public and private sectors can use the list each week as an input to their vulnerability management prioritisation framework: known exploitations are vulnerabilities that are confirmed as being actively used to target and exploit organisations around the globe. As such, they present perhaps the greatest ongoing cybersecurity risk to businesses, and a very real threat. The vulnerabilities are often being exploited by attackers in order to achieve direct financial gain via techniques such as malware and ransomware installation. We summarise each known ongoing exploitation below, but full details – including their impact, versions affected, and any official fix and remediation guidance – for each of the listed vulnerabilities are all available, for free, via the AppCheck Detections Service at https://detections.appcheck-ng.com/ – simply click on the title of any of the exploitations below to see more information from this service.

This week: It’s been a somewhat frantic time for many security teams this week, with a significant uptick in the number of critical vulnerabilities being revealed – including so-called ‘0-days’ (vulnerabilities recently coming to light but for which no patch or fix is yet available), as well as numerous high-profile exploitations being reported ‘in the wild’. Much of this has been down to a perfect storm in timing, with the last week or so seeing a conjunction of both the monthly ‘Patch Tuesday’ disclosure from several key vendors such as Microsoft, along with the publication of several key vulnerabilities at the recent ‘Black Hat’ and ‘DEFCON’ security and hacker conferences.


CISA ‘Known Exploitations’

CISA (America’s Cyber Defense Agency) maintains a catalogue of ‘KEV’s (Known Exploited Vulnerabilities) and publishes alerts of known exploitations on an often daily basis. Although intended primarily as advisories for US governmental and federal agencies, the list is openly published for the benefit of the wider cybersecurity community and network defenders—and to help every organization better manage vulnerabilities and keep pace with threat activity.


MS Windows NTLM Credential Hash Disclosure Critical 0-Day (CVE-2024-38200)

It’s been something of a brutal week for Microsoft, with a number of critical vulnerabilities in their Windows operating system line found to be actively exploited by threat actors. The first of these is a critical ‘0-day’ vulnerability that grants remote attackers access to sensitive NTLM authentication hashes. As demonstrated repeatedly in the past, NTLM hashes can, if captured, be cracked, allowing threat actors to recover login names and plaintext passwords that can be used to gain access to further systems. NTLM hashes can also be used in NTLM relay attacks, as previously seen with the “ShadowCoerce”, “DFSCoerce”, “PetitPotam”, and “RemotePotato0” attacks, to gain access to other resources on a network.


MS Windows Power Dependency Controller Exploit (CVE-2024-38107)

A second critical flaw in Windows reported this week relates to a ‘use after free’ memory access violation vulnerability in the Power Dependency Coordinator component. Microsoft has not shared who disclosed the flaw and which threat actors are exploiting it as of the time of writing, but it is known that attackers are exploiting the flaw to gain full SYSTEM (superuser) privileges, effectively taking full ownership of any compromised system.


MS Windows VirtualLock Mechanism Bypass (CVE-2024-38106)

A third vulnerability being seen exploited relates to a flaw in the Microsoft Windows kernel that causes it to store sensitive memory contents in improperly locked memory, i.e. memory not protected by the VirtualLock mechanism. This means that sensitive memory contents can be written to swap files on disk by the virtual memory manager, making the contents of sensitive memory accessible for a time to unauthorised actors. Attackers are managing to create exploit chains that give them access to cryptographic keys, PII, memory addresses, and other confidential information. It’s not the first time that such attacks have been seen against MS Windows – previous exploitations have targeted similar (now patched) vulnerabilities including CVE-2023-21768.


MS Windows RCE in Ancillary Function Driver (CVE-2024-38193)

A ‘use after free’ memory access violation vulnerability in the Windows Ancillary Function Driver for WinSock (AFD.sys) is also causing headaches for Microsoft, with attackers again seen to be actively exploiting this flaw to gain NT AUTHORITY\SYSTEM (superuser) privileges – equivalent to ‘root’ access on a Unix system. Similar vulnerabilities in WinSock have previously been exploited at scale, such as CVE-2023-21768.


MS Windows Malware Install via ‘Mark of the Web’ (MotW) Bypass (CVE-2024-38213)

Windows contains a critical security vulnerability that allows the ‘Mark of the Web’ (MotW) Security Feature to be bypassed. This vulnerability allows attackers to create files that bypass Windows Mark of the Web security alerts, potentially leading to the download and installation of malicious code (malware) without any warning to the user. Microsoft did not share how it is exploited in attacks, however the MotW security feature has been subject to numerous bypasses over the years, including most recently in CVE-2024-21351 and CVE-2023-36584. It makes an attractive target for threat actors who conduct phishing campaigns.


MS Windows RCE Exploit of Scripting Engine (CVE-2024-38178)

Microsoft reports that attackers are managing to remotely trigger a ‘type confusion’ error in the Windows scripting engine via a web-based attack, with users being tricked into clicking a link in Microsoft Edge while in legacy ‘Internet Explorer’ mode. Both the South Korean National Cyber Security Center (NCSC) and the AhnLab SEcurity intelligence Center (ASEC) disclosed the flaw as being exploited at scale in attacks during and prior to August 2024.


MS Project Code Injection via VBA Macros (CVE-2024-38189)

The final Microsoft vulnerability reported to be undergoing active exploitation this week relates not to the Windows operating system but to the Microsoft Project and Microsoft Office productivity apps and the use of malicious embedded VBA macros. Macros have a long and chequered history of exploitation, and are a relatively low-tech opportunity for attackers that requires little expertise to exploit. Despite the protection mechanisms built into Office, this vulnerability is reported as being exploited at scale.


Ivanti vTM Authentication Bypass (CVE-2024-7593)

In our first non-Microsoft highlight this week, Ivanti’s vTM (formerly known as PulseSecure VTM) also contains a critical security vulnerability that is being exploited. The authentication algorithm used to restrict access to the web admin UI contains a critical flaw that effectively allows authentication to be bypassed entirely. Remote, unauthenticated attackers are therefore able to bypass the authentication mechanism designed to prevent unrestricted access to the admin panel and gain complete administrative control over the affected appliances.


SolarWinds Web Help Desk (CVE-2024-28986)

A critical Java deserialization vulnerability in SolarWinds’ Web Help Desk solution is the latest of several recent headaches for the helpdesk solution provider. Exploitation of the vulnerability is allowing attackers to remotely execute arbitrary malicious code on target devices. The issue is sufficiently critical that SolarWinds has rushed out an urgent hotfix outside of its normal security patch cycle, one which requires manual patching. SolarWinds is a popular platform, and its ‘Serv-U’ solution has already been actively exploited earlier this year under CVE-2024-28995.


Elsewhere on the Web

Although CISA provides a generally broad coverage of the highest profile exploitations, it can sometimes lag behind the curve in first report of emerging exploitations. It can also sometimes deliberately not publish some exploitations if it feels that there is limited threat to US government and federal agencies, due to its operational remit. AppCheck therefore uses numerous alternate threat intelligence sources to enrich its coverage of high profile exploitations and 0-days reported elsewhere. AppCheck processes and aims to prioritise the addition of detection for known-exploited vulnerabilities highlighted in non-CISA sources, in exactly the same way as for CISA-published ones.


Buffer Overflow and Protocol Errors in “Smart Install” feature of Cisco IOS (CVE-2018-0171)

A critical vulnerability (Cisco BugID CSCvg76186) exists in the “Smart Install” feature of Cisco IOS Software and Cisco IOS XE Software used in Cisco networking devices including Cisco Catalyst LAN switches. The software fails to perform proper validation of packet data received across untrusted network segments. An attacker could exploit this vulnerability by sending a crafted Smart Install message to an affected device on TCP port 4786. This could cause a buffer overflow on the affected device. The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer’s intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data. Additionally, the Smart Install Protocol is itself vulnerable to additional, undisclosed vulnerabilities.


Cisco Smart Software Manager On-Prem (CVE-2024-20419)

A critical vulnerability exists in the authentication system of Cisco Smart Software Manager On-Prem (SSM On-Prem). The flaw also impacts SSM On-Prem installations earlier than Release 7.0, known as Cisco Smart Software Manager Satellite (SSM Satellite). This vulnerability is due to improper implementation of the password-change process. An attacker could exploit this vulnerability by sending crafted HTTP requests to an affected device.


SAP BusinessObjects Business Intelligence Platform (CVE-2024-41730)

SAP BusinessObjects Business Intelligence Platform contains a missing authentication check. If Single Sign On (SSO) is enabled on Enterprise authentication, an unauthorized user is able to improperly obtain a valid logon token via an unprotected REST API endpoint.


FreeBSD / OpenSSH ‘refreSSHion’ Exploit (CVE-2024-7589)

A critical security vulnerability has been discovered in the integration of blacklistd in OpenSSH in FreeBSD. A signal handler in sshd(8) may call a logging function that is not async-signal-safe. The signal handler is invoked when a client does not authenticate within LoginGraceTime seconds (120 by default). This signal handler executes in the context of sshd(8)’s privileged code, which is not sandboxed and runs with full root (superuser) privileges. As a result, functions that are not async-signal-safe are called in the privileged sshd(8) context, leading to an exploitable race condition. CVE-2024-7589 has been described as another instance of a widely exploited vulnerability referred to as “regreSSHion” (CVE-2024-6387), which came to light early last month and was itself a regression of an already patched 18-year-old flaw tracked as CVE-2006-5051, with the problem reinstated in October 2020 as part of OpenSSH version 8.5p1.


Solana Python Package Malware (sonatype-2024-3214)

Cybersecurity researchers have discovered a new trojan package on the Python Package Index (PyPI) repository that masquerades as a library from the Solana blockchain platform. The package appears to contain benign or useful functionality, but it also contains code, hidden from normal operation, that violates the intended security policy of the user or the system administrator. The legitimate Solana Python API project is known as ‘solana-py’ on GitHub, but simply ‘solana’ on the Python software registry, PyPI. This naming discrepancy has been leveraged by a threat actor who published a malicious ‘solana-py’ project on PyPI. If a developer is misled into using the typosquatted ‘solana-py’ project, either directly or via a legitimate library that mistakenly references it as a dependency, then they would inadvertently introduce the trojan library into their application. Other, legitimate packages, such as solders, were found to be mistakenly referencing this trojan library as a dependency, which broadened the attack surface.
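The naming discrepancy above is the whole trick: the GitHub name ‘solana-py’ is not the PyPI name ‘solana’. The following is an added example (not code from the article or from the Solana project) of a dependency-audit check that a build pipeline can run over a requirements file: it applies PEP 503 name normalisation (so ‘solana_py’ and ‘Solana-Py’ collapse to the flagged name), compares each requirement against a constructed watchlist, and also reports near-miss names within a small edit distance of a trusted package. The watchlist entries, the sample requirements file and the distance threshold are assumptions for the example.

```python
"""Requirement-name audit for typosquats and near-miss names (added example)."""
import re

# Constructed watchlist for the example: trusted PyPI names we want to protect,
# and the PyPI name the article identifies as the trojan package.
TRUSTED = {"solana", "solders"}
KNOWN_BAD = {"solana-py"}

# Constructed requirements.txt, not a real project's file.
SAMPLE_REQUIREMENTS = """\
# constructed sample
solana
solana_py>=0.1   # normalises to solana-py, the name the article flags
solanna          # one letter off a trusted name: near miss
requests>=2.0
"""

REQ_LINE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")


def normalize(name):
    """PEP 503 normalisation: case-fold and collapse runs of [-_.] to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def edit_distance(a, b):
    """Levenshtein distance, used to spot names one or two typos away."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def audit_requirements(text, max_distance=3):
    """Map each normalised requirement name to 'ok', 'known-bad' or 'near:<trusted>'."""
    verdicts = {}
    for line in text.splitlines():
        m = REQ_LINE.match(line.split("#", 1)[0])  # drop comments, keep the name
        if not m:
            continue
        name = normalize(m.group(1))
        if name in KNOWN_BAD:
            verdicts[name] = "known-bad"
        elif name in TRUSTED:
            verdicts[name] = "ok"
        else:
            near = sorted(TRUSTED, key=lambda t: edit_distance(name, t))
            close = near and edit_distance(name, near[0]) <= max_distance
            verdicts[name] = f"near:{near[0]}" if close else "ok"
    return verdicts


if __name__ == "__main__":
    for pkg, verdict in audit_requirements(SAMPLE_REQUIREMENTS).items():
        print(f"{pkg:12s} {verdict}")
```

Near-miss reporting is a heuristic: tune `max_distance` to the length of the names you protect, since very short trusted names will produce false positives.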


‘0.0.0.0 Day’ Vulnerability in Browsers including Firefox, Chrome, and Safari

Multiple popular web browsers, including Chrome, Safari and Firefox, contain a security vulnerability in how they handle network requests from external, public websites. The vulnerability stems from how those browsers accept requests to the 0.0.0.0 network address. A website can (via JavaScript) trigger a request to the 0.0.0.0 IPv4 address and a specific port, and a vulnerable browser will forward that request to a service listening on that port on the local host. Allowing the 0.0.0.0 address to reach services listening on localhost on macOS and Linux may result in a server (such as a web server) inadvertently offering remote access to sensitive resources intended only for local access. This has been dubbed a ‘0.0.0.0 Day’ attack.
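Because the browser fix lands on the client side, a service that is only meant for local access should not rely on it. The following is an added example (not code from the article or any browser vendor) of the server-side check such a service can apply before handling a request: the Host header must name a loopback host (0.0.0.0 is deliberately absent from the allow list), and if a browser sent an Origin header it must be a loopback origin too, so a request relayed from a public site is refused. The header values and the hostname allow list are assumptions for the example.

```python
"""Host/Origin validation for a loopback-only HTTP service (added example)."""
from urllib.parse import urlsplit

# Hostnames a loopback-only service expects in Host and Origin.
# 0.0.0.0 is intentionally not listed: that is the '0.0.0.0 Day' case.
LOCAL_HOSTS = frozenset({"localhost", "127.0.0.1", "::1"})

# Constructed sample requests (not captured traffic).
SAMPLE_REQUESTS = {
    "direct local tool": {"Host": "127.0.0.1:8000"},
    "local web UI": {"Host": "localhost:8000", "Origin": "http://localhost:8000"},
    "0.0.0.0 Day style": {"Host": "0.0.0.0:8000", "Origin": "https://public-site.example"},
    "public origin via localhost": {"Host": "localhost:8000", "Origin": "https://public-site.example"},
}


def _hostname(value):
    """Bare, lower-cased hostname from a Host header or an Origin URL, else None."""
    if "://" not in value:
        value = "http://" + value  # Host headers carry no scheme
    try:
        host = urlsplit(value).hostname  # strips port and IPv6 brackets
    except ValueError:  # malformed bracketed IPv6 literal
        return None
    return host.lower() if host else None


def is_trusted_local_request(headers):
    """Return (allowed, reason) for a request to a loopback-only service."""
    lower = {k.lower(): v for k, v in headers.items()}
    if _hostname(lower.get("host", "")) not in LOCAL_HOSTS:
        return False, f"untrusted Host: {lower.get('host', '<missing>')!r}"
    origin = lower.get("origin")
    if origin is not None:
        # Browsers send Origin on cross-site requests; 'null' is an opaque origin.
        if origin.strip().lower() == "null" or _hostname(origin) not in LOCAL_HOSTS:
            return False, f"untrusted Origin: {origin!r}"
    return True, "ok"


def triage_samples():
    """Run every constructed sample through the check (used by the self-test)."""
    return {name: is_trusted_local_request(h)[0] for name, h in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, headers in SAMPLE_REQUESTS.items():
        allowed, reason = is_trusted_local_request(headers)
        print(f"{name:28s} -> {'ALLOW' if allowed else 'DENY'} ({reason})")
```

This check complements, rather than replaces, binding the service to 127.0.0.1 and requiring authentication on it.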


To keep up to date with future high-profile patches for critical exploits from vendors including Microsoft and Google, tune in next Friday for next week’s ‘KEV’ (known exploitation) roundup – and don’t forget to add the next ‘Patch Tuesday’ to your calendar now too – 10th September 2024.


About AppCheck

AppCheck is a software security vendor based in the UK, offering a leading security scanning platform that automates the discovery of security flaws within organisations’ websites, applications, network, and cloud infrastructure. AppCheck is authorised by the Common Vulnerabilities and Exposures (CVE) Program as a CVE Numbering Authority (CNA).
