AppCheck presents our weekly round-up of critical vulnerabilities being actively exploited ‘in the wild’ by organised threat actors, during the week ending 23rd August 2024. Organisations in both the public and private sectors can use the list each week as an input to their vulnerability management prioritisation framework: known exploitations are vulnerabilities that are confirmed as being actively used to target and exploit organisations around the globe. As such, they present perhaps the greatest ongoing cybersecurity risk to businesses, and a very real threat. The vulnerabilities are often exploited by attackers in order to achieve direct financial gain via techniques such as malware and ransomware installation. We summarise each known ongoing exploitation below, but full details – including their impact, versions affected, and any official fix and remediation guidance – for each of the listed vulnerabilities are all available, for free, via the AppCheck Detections Service at https://detections.appcheck-ng.com/ – simply click on the title of any of the exploitations below to see more information from this service.
This week: An incredibly diverse range of exploits dominate the roundup this week, presenting threats to a variety of targets – from some of the most widely used web application platforms and operating systems, down to dedicated server hardware and IoT device firmware. Notably, whilst not yet reported by CISA, a critical vulnerability in SolarWinds puts governmental institutions at risk of attack just a week after another vulnerability in the same tool was exploited. Two WordPress plugins hit the headlines this week too: a donation plugin used by numerous non-profits puts sites at risk of takeover, and a critically flawed plugin with a user base of over 5 million installations makes it trivial for attackers to gain admin access to the WordPress platform.
CISA (America’s Cyber Defense Agency) maintains a catalogue of ‘KEV’s (Known Exploited Vulnerabilities) and publishes alerts of known exploitations on an often daily basis. Although intended primarily as advisories for US governmental and federal agencies, the list is openly published for the benefit of the wider cybersecurity community and network defenders—and to help every organisation better manage vulnerabilities and keep pace with threat activity.
A serious flaw has been identified in Jenkins, one of the most widely used open-source automation servers, that allows unauthenticated remote attackers to execute arbitrary commands on the host server. Attackers exploiting this vulnerability can read arbitrary files on the Jenkins controller file system, allowing them to gain access to sensitive data. It is also possible to obtain GitHub SSH keys and access tokens by reading files containing Jenkins secrets and cryptographic keys, and then to use the stolen credentials to escalate privileges to admin level and execute malicious code. Several attack instances were found originating from the Netherlands, Singapore and Germany, and remote code execution (RCE) exploits are actively being traded on the dark web. The latest attacks are attributed to the threat actor ‘IntelBroker’ and the ‘RansomExx’ ransomware group.
Microsoft Exchange has once again found itself in the crosshairs, this time with a critical ‘Padding Oracle’ vulnerability known as ‘ProxyOracle’. Successful exploitation allows remote attackers to gain access to the server as an arbitrary user and – in combination with other vulnerabilities – enables an exploit chain leading to the execution of malicious code. This vulnerability is particularly concerning as it can be exploited to gain unauthorised access to email communications, calendar data, and contact information.
A heap-based buffer overflow in the Linux kernel has been detected, posing a serious threat to systems running multiple Linux distributions. Exploitation of this flaw can be especially damaging, as unprivileged local users are able to exploit the Filesystem Context API to escalate privileges on the system and/or execute malicious code. The availability of exploit code and detailed technical write-ups has increased the risk of widespread exploitation, especially in environments that have not yet applied the necessary patches.
Dahua’s IP cameras are affected by two resurfacing critical vulnerabilities that allow remote attackers to bypass device identity authentication by constructing malicious data packets which spoof the packet origin. This authentication bypass allows attackers to gain administrative access to the device’s firmware. In September 2021, Dahua acknowledged this vulnerability as affecting over 30 different device models. Previous attacks led to compromised devices being recruited into ‘botnet’ armies and then weaponised as innocent ‘zombie’ hosts in distributed denial of service (DDoS) attacks against onward targets – no details are yet available on the latest activity, but it is likely to be a similar threat.
Although CISA provides generally broad coverage of the highest-profile exploitations, it can sometimes lag behind the curve in the first report of emerging exploitations. It can also sometimes deliberately not publish some exploitations if it feels that there is limited threat to US government and federal agencies, due to its operational remit. AppCheck therefore uses numerous alternate threat intelligence sources to enrich its coverage of high-profile exploitations and 0-days reported elsewhere. AppCheck processes, and aims to prioritise the addition of detection for, known-exploited vulnerabilities highlighted in non-CISA sources in exactly the same way as for CISA-published ones.
A critical authentication spoofing vulnerability has been discovered in the GitHub Enterprise Server (GHES), granting unauthorised access to attackers without requiring prior authentication. With the popularity of GitHub Enterprise in large organisations, this flaw poses a significant risk, especially as – according to the FOFA search engine for network assets exposed on the public web – there are more than 36,500 GHES instances accessible. Given that exploitation attempts are highly likely due to the scale of the attack surface, we are emphasising the need for immediate remediation.
Third time’s the charm, as Google patches yet another type confusion bug in V8 this year, following CVE-2024-4947 and CVE-2024-5274. This flaw could be exploited to execute arbitrary code. Type confusion vulnerabilities are notorious for their exploitation in the wild, and with Chrome being a leading web browser, this vulnerability is likely to be targeted quickly. Whilst not reported by CISA yet, the flaw was reported by the Microsoft Threat Intelligence Center (MSTIC) and the Microsoft Security Response Center (MSRC) on August 19th and is known to be actively exploited in the wild.
Dell’s SupportAssist software is available on PCs for the purpose of removing viruses, detecting issues, optimising settings and telling you when updates are needed. The software’s Home PC installer was found to contain a vulnerability that allows local authenticated attackers to escalate their privileges, so malicious users or software are able to gain full control over a vulnerable system, potentially leading to data theft, system corruption, or the installation of additional malware. Similar privilege escalation vulnerabilities in pre-installed OEM software have been exploited before, notably in CVE-2019-12280, so exploitation should be considered highly likely.
A critical PHP Object Injection vulnerability has been discovered in the ‘GiveWP (Donation Plugin and Fundraising Platform)’ plugin for WordPress, which is used by non-profits and fundraising organisations worldwide. This flaw – when successfully exploited – allows attackers to execute code remotely and delete arbitrary files. This could trigger a site reset, potentially initiating a site takeover. With WordPress being a frequent target for attackers, vulnerabilities like this one have significant implications for the security of websites using the platform. We estimate that tens of thousands of websites may remain unpatched against this vulnerability – so targeted active exploitation is considered highly likely.
A newly discovered exploit in PHP has raised alarms due to its potential to allow a malicious user to execute dangerous commands directly on the operating system. Originally reported to CISA in June, this vulnerability was found to be actively exploited in the wild. There are reports of attackers leveraging this vulnerability to deliver malware as part of the ‘TellYouThePass’ ransomware campaign. Further active exploitation was reported in August as threat actors are leveraging the vulnerability to deploy a previously undocumented backdoor named ‘Msupedge’.
A critical ‘zero-day’ command injection vulnerability in Arcadyan Wi-Fi routers has been identified. Successful exploitation of this vulnerability allows remote attackers to gain full root access to the system and execute malicious code on the target device. This flaw could be used to alter router settings, intercept network traffic, or add the device to a botnet for coordinated attacks. Arcadyan routers are widely used by ISPs, making this vulnerability particularly dangerous for both home and business users.
The LiteSpeed Cache plugin for WordPress (LSCWP) is subject to a privilege escalation exploit – described as “highly dangerous and expected to become mass exploited” by Patchstack – due to a string of vulnerabilities relating to the ‘role simulation’ functionality. This functionality is burdened with multiple security issues which combine to form a critical attack vector, making it relatively trivial for unauthenticated attackers to spoof their user ID to that of an admin. With administrative access, an attacker could load other, malicious plugins to execute harmful arbitrary code. Given the popularity of this plugin among WordPress users, with over 5 million installations, this vulnerability has been awarded the highest bounty in the history of WordPress bug bounty hunting.
A vulnerability in Versa Networks’ Versa Director visualisation and service creation platform has been identified. There are restrictions on the exploitability of this vulnerability, because the file upload functionality on which the flaw depends is only available to users with the correct privileges. However, if an attacker tricks a legitimate administrator into uploading a file, or chains the vulnerability with a privilege escalation exploit, they could successfully insert malicious code. With Versa Director being a key component in many corporate and enterprise SD-WAN deployments, this vulnerability poses a significant risk to enterprise networks.
SolarWinds, already under scrutiny due to previous security incidents, has been found to contain another embarrassing security flaw. Whilst not yet picked up by CISA, another known exploited vulnerability (CVE-2024-28986) for this same software was reported by CISA only last week and was present in last week’s roundup. Even before that, SolarWinds’ Orion product (used in US government departments) was found to have a backdoor linked to Russian intelligence. This latest vulnerability in SolarWinds Web Help Desk (WHD) is sufficiently serious to have prompted SolarWinds to rush out a second urgent hotfix outside of its normal security patch cycle. Successful exploitation allows an attacker to access internal functionality and modify data. Considering the severity of this latest bug, and that the customer base of SolarWinds includes government and enterprise clients, opportunistic criminals are highly likely to already be scanning for at-risk systems.
To keep up to date with future high-profile patches for critical exploits from vendors including Microsoft and Google, tune in next Friday for next week’s ‘KEV’ (known exploitation) roundup – and don’t forget to add the next ‘Patch Tuesday’ to your calendar now too – 10th September 2024.
AppCheck is a software security vendor based in the UK, offering a leading security scanning platform that automates the discovery of security flaws within organisations’ websites, applications, network, and cloud infrastructure. AppCheck is authorized by the Common Vulnerabilities and Exposures (CVE) Program as a CVE Numbering Authority (CNA).