This article covers recently disclosed vulnerabilities that have been found to be actively exploited. Each entry is categorised by the type of exploitation and also notes the impact and the affected versions, together with any official fix and remediation guidance. For every entry below, the full overview and guidance can be found at https://detections.appcheck-ng.com/vulnerabilities/list.
Category: Malware (Trojan Or Embedded Malicious Code)
A vulnerability known as ‘EvilVideo’ allows attackers to send malicious apps to victims, disguised as videos. A user can be tricked into installing malicious software. The exploit uses the Telegram API to programmatically create a message that appears to show a 30-second video. On its default setting, the Telegram app on Android automatically downloads media files, so channel participants receive the payload on their device once they open the conversation. When users attempt to play the fake video, Telegram suggests using an external player, which may cause recipients to tap the “Open” button and execute the payload.
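The EvilVideo lure works because the recipient trusts the declared media type rather than the bytes that arrived. As an added example (not code from the AppCheck article or from Telegram), the check below compares an attachment's declared MIME type with its leading bytes and flags a "video" whose container is actually a ZIP archive, which is what an Android package is. The file signatures are the standard ones (ZIP local-file header `PK\x03\x04`, ISO-BMFF `ftyp` box at offset 4, Matroska/WebM EBML header); the sample payloads are constructed inline.

```python
"""Added example (not from the AppCheck article or Telegram): flag an attachment whose
declared type is video but whose bytes are a ZIP/APK container. Sample headers are
constructed, not taken from any real file."""

ZIP_MAGIC = b"PK\x03\x04"          # ZIP local-file header; APK files are ZIP containers
FTYP_MARKER = b"ftyp"              # MP4 / MOV: 'ftyp' box type at byte offset 4
MKV_MAGIC = b"\x1a\x45\xdf\xa3"    # Matroska / WebM EBML header


def sniff_container(head: bytes) -> str:
    """Classify a file from its first bytes: 'video', 'zip' or 'unknown'."""
    if head.startswith(ZIP_MAGIC):
        return "zip"
    if len(head) >= 8 and head[4:8] == FTYP_MARKER:
        return "video"
    if head.startswith(MKV_MAGIC):
        return "video"
    return "unknown"


def is_disguised_package(declared_mime: str, head: bytes) -> bool:
    """True when the sender claims a video but the bytes are a ZIP/APK container."""
    return declared_mime.startswith("video/") and sniff_container(head) == "zip"


# Constructed sample attachments: a minimal MP4 header and a ZIP local-file header
REAL_VIDEO = b"\x00\x00\x00\x18ftypmp42" + b"\x00" * 24
DISGUISED = b"PK\x03\x04\x14\x00\x00\x00" + b"\x00" * 24

if __name__ == "__main__":
    for mime, head in [("video/mp4", REAL_VIDEO), ("video/mp4", DISGUISED)]:
        verdict = "SUSPICIOUS" if is_disguised_package(mime, head) else "ok"
        print(mime, sniff_container(head), verdict)
```

The same comparison belongs in any gateway or endpoint agent that renders a preview from the declared type: the decision to offer an external handler should be driven by the sniffed container, never by the sender-controlled label.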
An updated version, 10.14.5 (4945), was released on 11/07/2024 which remediates the vulnerability. The update is directly downloadable from https://telegram.org/dl/android/apk or via the Google Play store at https://play.google.com/store/apps/details?id=org.telegram.messenger&pli=1. Customers are advised to upgrade to the latest version of the impacted product.
NOTE: Remediation of this vulnerability by patching to a specific version indicated may not be sufficient to secure the product against further vulnerabilities discovered in later versions, subsequent to the publication of this guidance. Unless contra-indicated, customers are therefore advised to always upgrade to the latest version of the product available.
Category: Arbitrary Code Execution
The ServiceNow Platform contains an input validation vulnerability in the handling of UI macros. Server-side template injection is possible because the server fails to sanitise malicious input before interpreting it within server-side templates that are executed on the server. Template engines such as Jelly are widely used by web applications to present dynamic data via web pages. Unsafely embedding user input in templates enables Server-Side Template Injection (SSTI) attacks, a critical vulnerability class. Unlike client-side scripting attacks such as XSS, SSTI attacks act directly on the web server's internals and often yield Remote Code Execution (RCE), turning every vulnerable application into a potential pivot point for further exploitation.
The root cause of the vulnerability is that, although the application attempts to sanitise input to templates, it does so using an overly permissive whitelist of HTML elements defined in DEFAULT_GLIDE_HTML_ELEMENT_WHITELIST. Additionally, attempts to prevent template injection in the GlideExpressionScript class are incomplete and fail to consider all forms of quotation marks.
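The boundary that SSTI crosses is between template *source* and template *data*. As an added example (not code from the AppCheck article or from ServiceNow, and using Python's `str.format` as a stand-in for a template engine such as Jelly), the two renderers below take the same user text; one splices it into the template source, where any template syntax it contains is interpreted, and the other passes it as a value through a fixed template. The context dictionary and its `db_password` entry are constructed for the example.

```python
"""Added example (not from the AppCheck article or ServiceNow): the data/code boundary
that server-side template injection crosses, shown with str.format standing in for a
real template engine. The context and its secret value are constructed."""

CONTEXT = {"user": "alice", "db_password": "constructed-example-secret"}


def render_vulnerable(user_text: str, ctx: dict) -> str:
    """Unsafe: user text becomes part of the template SOURCE, so placeholders it
    contains (e.g. {db_password}) are resolved by the engine against the context."""
    template = "Message: " + user_text
    return template.format(**ctx)


def render_safe(user_text: str, ctx: dict) -> str:
    """Safe: the template is a fixed, developer-written string and the user text is
    supplied as a VALUE, so it is never parsed as template syntax."""
    template = "Message: {greeting}"
    return template.format(greeting=user_text, **ctx)


if __name__ == "__main__":
    probe = "hi {db_password}"
    print("vulnerable:", render_vulnerable(probe, CONTEXT))  # leaks the context value
    print("safe:      ", render_safe(probe, CONTEXT))        # prints the literal text
```

This is also why a denylist of quote characters, as described in the root cause above, is the wrong layer for the fix: the robust control is structural (fixed templates, data passed as values), not character filtering of the source. Note that the vulnerable path also raises on an unbalanced brace in user text, so it is a denial-of-service surface as well as a disclosure one.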
ServiceNow applied an update to hosted instances, and ServiceNow released the update to partners and self-hosted customers on July 10, 2024. Listed below are the patches and hot fixes that address the vulnerability. If you have not done so already, we recommend applying security patches relevant to your instance as soon as possible.
NOTE: Remediation of this vulnerability by patching to a specific version indicated may not be sufficient to secure the product against further vulnerabilities discovered in later versions, subsequent to the publication of this guidance. Unless contra-indicated, customers are therefore advised to always upgrade to the latest version of the product available.
Category: Authentication & Session Management
Any software that is a fork of the upstream Moby Project is impacted. This primarily involves the open-source CE (Community Edition) release of Docker, as detailed below, and not commercial (Mirantis) distributions:
A security vulnerability has been detected in certain versions of Docker Engine in request authorization handling by the Docker Engine API. Using a specially-crafted API request with an HTTP Content-Length header value of 0, an Engine API client could make the daemon forward the request or response to the AuthZ authorization plugin without an accompanying request body containing the authorization request details. In normal (intended) operation, API requests include a body that contains the necessary data for the request to be evaluated, and the authorization plugin inspects this body to make access control decisions. When the Content-Length header is set to 0, the request is forwarded to the AuthZ plugin without the body, so the plugin cannot perform proper validation.
NOTE: this issue was originally fixed in Docker Engine release v18.09.1 in January 2019. However, from 2019-07-22 onwards, the fix was not carried forward to later versions of the upstream Moby project source code, resulting in a regression present in all future releases. Anyone who depends on authorization plugins that introspect the request and/or response body to make access control decisions is potentially impacted.
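The real remediation is the Docker Engine update; what an authorization plugin can do in the meantime is fail closed. As an added example (not code from the AppCheck article or from the Moby project), the decision function below is shaped like an AuthZ plugin's request-phase hook: the message fields (`RequestMethod`, `RequestUri`, `RequestHeaders`, base64 `RequestBody`) follow the Docker authorization plugin API as this example's author understands it and are treated as an assumption; the policy (deny privileged container creation), route table and sample requests are constructed. The flawed variant treats an empty body as "nothing to inspect" and allows; the hardened variant denies a body-sensitive route whose body is missing.

```python
"""Added example (not from the AppCheck article or the Moby project): a fail-closed
AuthZ-plugin decision function beside the flawed 'empty body means allow' version.
Message shape is assumed from the Docker authorization plugin API; policy, route
table and sample requests are constructed."""
import base64
import json
import re
from urllib.parse import urlsplit

# Routes whose allow/deny decision depends on the request body (constructed policy).
BODY_SENSITIVE = {("POST", "/containers/create")}

API_VERSION_PREFIX = re.compile(r"^/v\d+\.\d+")


def _route(req: dict) -> tuple:
    """Normalise method and path, dropping an API version prefix such as /v1.45."""
    path = urlsplit(req["RequestUri"]).path
    return req["RequestMethod"].upper(), API_VERSION_PREFIX.sub("", path)


def _body(req: dict) -> bytes:
    """RequestBody travels base64-encoded (a Go []byte in JSON); empty when absent."""
    return base64.b64decode(req.get("RequestBody") or "")


def _requests_privileged(body: bytes) -> bool:
    """True when the container-create body asks for HostConfig.Privileged."""
    try:
        doc = json.loads(body)
    except ValueError:
        return False
    return isinstance(doc, dict) and bool(doc.get("HostConfig", {}).get("Privileged"))


def authz_vulnerable(req: dict) -> dict:
    """Flawed: an empty body is treated as 'nothing to inspect' and allowed, which is
    exactly the gap a Content-Length: 0 request opens."""
    method, path = _route(req)
    body = _body(req)
    if (method, path) in BODY_SENSITIVE and body and _requests_privileged(body):
        return {"Allow": False, "Msg": "privileged containers are not permitted"}
    return {"Allow": True}


def authz_hardened(req: dict) -> dict:
    """Fail closed: a body-sensitive route without a body cannot be evaluated, so deny."""
    method, path = _route(req)
    if (method, path) in BODY_SENSITIVE:
        body = _body(req)
        if not body:
            return {"Allow": False, "Msg": "request body required for policy evaluation"}
        if _requests_privileged(body):
            return {"Allow": False, "Msg": "privileged containers are not permitted"}
    return {"Allow": True}


def make_request(method: str, uri: str, body: bytes = b"") -> dict:
    """Build a constructed AuthZReq-shaped message as the daemon would forward it."""
    return {
        "User": "alice",
        "RequestMethod": method,
        "RequestUri": uri,
        "RequestHeaders": {"Content-Length": str(len(body))},
        "RequestBody": base64.b64encode(body).decode(),
    }


# Constructed sample requests
PRIVILEGED_CREATE = make_request(
    "POST", "/v1.45/containers/create",
    json.dumps({"Image": "alpine", "HostConfig": {"Privileged": True}}).encode())
EMPTY_BODY_CREATE = make_request("POST", "/v1.45/containers/create")  # Content-Length: 0
LIST_CONTAINERS = make_request("GET", "/v1.45/containers/json")

if __name__ == "__main__":
    for name, req in [("privileged", PRIVILEGED_CREATE), ("empty body", EMPTY_BODY_CREATE),
                      ("list", LIST_CONTAINERS)]:
        print(f"{name:12} vulnerable={authz_vulnerable(req)['Allow']} "
              f"hardened={authz_hardened(req)['Allow']}")
```

Failing closed turns the regression into a visible denial rather than a silent bypass, and the `Msg` field gives the operator a searchable reason in the daemon log; a plugin that depends on inspecting the body should also log every body-sensitive request it sees with an empty body, since on a patched daemon that should no longer happen.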
NOTE: Remediation of this vulnerability by patching to a specific version indicated may not be sufficient to secure the product against further vulnerabilities discovered in later versions, subsequent to the publication of this guidance. Unless contra-indicated, customers are therefore advised to always upgrade to the latest version of the product available.
Category: Arbitrary Code Execution
Progress Telerik Reporting contains an object injection vulnerability via an insecure type resolution. The product uses external input with reflection to select which classes or code to use, but it does not sufficiently prevent the input from selecting improper classes or code.
If the product uses external inputs to determine which class to instantiate or which method to invoke, then an attacker could supply values to select unexpected classes or methods. If this occurs, then the attacker could create control flow paths that were not intended by the developer. These paths could bypass authentication or access control checks, or otherwise cause the product to behave in an unexpected manner. This situation becomes a doomsday scenario if the attacker can upload files into a location that appears on the product’s classpath (CWE-427) or add new entries to the product’s classpath (CWE-426). Under either of these conditions, the attacker can use reflection to introduce new, malicious behavior into the product.
Updating to at least version Reporting 2024 Q2 (18.1.24.709) is the only way to remove this vulnerability. Downloads are available via https://www.telerik.com/account/downloads/product-download.
Please visit the upgrade documentation (Upgrade Overview – Telerik Reporting) and follow the instructions for the version you are upgrading from.
To check your current version of Telerik Reporting, there are two primary options:
NOTE: Remediation of this vulnerability by patching to a specific version indicated may not be sufficient to secure the product against further vulnerabilities discovered in later versions, subsequent to the publication of this guidance. Unless contra-indicated, customers are therefore advised to always upgrade to the latest version of the product available.
Category: Deserialization Of Untrusted Data
Progress Telerik Report Server insecurely deserializes untrusted data. The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid.
It is often convenient to serialize objects for communication or to save them for later use. However, deserialized data or code can often be modified without using the provided accessor functions if it does not use cryptography to protect itself. Data that is untrusted cannot be trusted to be well-formed. When developers place no restrictions on “gadget chains,” or series of instances and method invocations that can self-execute during the deserialization process (i.e., before the object is returned to the caller), it is sometimes possible for attackers to leverage them to perform unauthorized actions, like generating a shell.
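Both Telerik entries above reduce to the same control: a type selected by external input must come from an allow list, never from reflection over the raw string. As an added example (not code from the AppCheck article or from Progress Telerik, and in Python rather than .NET), the resolver below serves the "insecure type resolution" entry directly (a report class chosen from a caller-supplied name) and the "deserialization of untrusted data" entry by acting as the `find_class` hook of a restricted `pickle` unpickler, so a serialized blob can only reference permitted types. The report classes, the permitted-type list and the sample blobs are constructed; `io.BytesIO` is used only as a harmless stand-in for a type outside the allow list.

```python
"""Added example (not from the AppCheck article or Progress Telerik): an allow-list
type resolver used both for input-selected instantiation and as the find_class hook
of a restricted unpickler. Classes and sample blobs are constructed."""
import io
import pickle
from dataclasses import dataclass


@dataclass
class PdfReport:
    title: str


@dataclass
class CsvReport:
    title: str


class TypeNotAllowed(LookupError):
    """Raised when external input names a type outside the allow list."""


# Fully-qualified names that external input is permitted to select.
ALLOWED_TYPES = {f"{cls.__module__}.{cls.__qualname__}": cls for cls in (PdfReport, CsvReport)}
PDF_TYPE_NAME = f"{PdfReport.__module__}.PdfReport"


def resolve_type(module: str, name: str):
    """Map a (module, name) pair to a class only via the allow list."""
    key = f"{module}.{name}"
    if key not in ALLOWED_TYPES:
        raise TypeNotAllowed(f"type not permitted: {key}")
    return ALLOWED_TYPES[key]


def is_permitted(type_name: str) -> bool:
    return type_name in ALLOWED_TYPES


def instantiate_from_input(type_name: str, **kwargs):
    """The 'type chosen by external input' pattern done safely: no importlib or
    reflection over the raw string, only the allow list."""
    module, _, name = type_name.rpartition(".")
    return resolve_type(module, name)(**kwargs)


class RestrictedUnpickler(pickle.Unpickler):
    """Every global reference in the stream (classes, functions, gadget entry points)
    passes through find_class, so the allow list bounds what a blob can reach."""

    def find_class(self, module, name):
        try:
            return resolve_type(module, name)
        except TypeNotAllowed as exc:
            raise pickle.UnpicklingError(str(exc)) from None


def safe_loads(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def try_load(data: bytes):
    """Return (ok, value_or_message) instead of raising, for callers that log."""
    try:
        return True, safe_loads(data)
    except pickle.UnpicklingError as exc:
        return False, str(exc)


# Constructed sample blobs: one referencing a permitted type, one referencing a
# type outside the allow list (io.BytesIO here, as a harmless stand-in).
TRUSTED_BLOB = pickle.dumps(PdfReport(title="Q2"))
HOSTILE_BLOB = pickle.dumps(io.BytesIO)

if __name__ == "__main__":
    print("trusted:", try_load(TRUSTED_BLOB))
    print("hostile:", try_load(HOSTILE_BLOB))
    print("by name:", instantiate_from_input(PDF_TYPE_NAME, title="Q2"))
```

The same shape applies to .NET: a `SerializationBinder` (for `BinaryFormatter`-family APIs) or a custom type resolver that consults a fixed allow list is the equivalent of `find_class` here, and a type name that is not on the list should be rejected before any constructor or property setter runs.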
Updating to Report Server 2024 Q2 (10.1.24.709) or later is the only way to remove this vulnerability. The Progress Telerik team strongly recommends performing an upgrade to version 10.1.24.709 or later. Update instructions can be found at https://docs.telerik.com/report-server/implementer-guide/setup/upgrade. All customers who have a Telerik Report Server license can access the downloads via the Product Downloads Page.
NOTE: Remediation of this vulnerability by patching to a specific version indicated may not be sufficient to secure the product against further vulnerabilities discovered in later versions, subsequent to the publication of this guidance. Unless contra-indicated, customers are therefore advised to always upgrade to the latest version of the product available.
Category: Disclosure Of Sensitive Or Personal Information (PII)
In the Twilio Authy API, an unauthenticated endpoint provided access to phone-number data used by customers for MFA device registration. Specifically, the endpoint accepted a stream of requests containing phone numbers, and responded with information about whether each phone number was registered with Authy for MFA (Multi-Factor Authentication) purposes.
The API has since been secured and can no longer be abused to verify whether a phone number is used with Authy. Twilio has also released a security update for the Authy app and recommends that users upgrade to Authy for Android (v25.1.0) and iOS (v26.1.0). However, the “genie cannot be put back in the bottle”: the threat actors already have the exfiltrated data and an update cannot undo that. Customers should be alert to SMS phishing attacks and consider changing the devices used for MFA.
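Beyond requiring authentication on the endpoint, the pattern described above (a stream of requests each carrying a different phone number) is detectable from access logs. As an added example (not code from the AppCheck article or from Twilio), the detector below flags any client that queries more than a threshold of distinct phone numbers within a sliding window. The log format, the `/lookup?phone=` endpoint, the IP addresses, the numbers and the thresholds are all constructed for the example.

```python
"""Added example (not from the AppCheck article or Twilio): flag clients that probe
many distinct phone numbers against a lookup endpoint in a short window. Log format,
endpoint, addresses, numbers and thresholds are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed access-log format: <iso-timestamp> <client-ip> "<METHOD> <path>" <status>
LOG_RE = re.compile(r'^(?P<ts>\S+) (?P<ip>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)" (?P<status>\d{3})$')
PHONE_RE = re.compile(r"[?&]phone=(\d+)")


def parse(line: str):
    """Return (timestamp, ip, phone-or-None) for a well-formed line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    pm = PHONE_RE.search(m["path"])
    return datetime.fromisoformat(m["ts"]), m["ip"], (pm.group(1) if pm else None)


def find_enumerators(lines, window=timedelta(minutes=5), max_distinct=20) -> dict:
    """Return {ip: peak_distinct_numbers} for clients that queried more than
    max_distinct different phone numbers inside any window-sized span."""
    events = defaultdict(list)
    for line in lines:
        parsed = parse(line)
        if parsed and parsed[2] is not None:
            ts, ip, phone = parsed
            events[ip].append((ts, phone))

    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        lo = 0
        for hi in range(len(evs)):
            while evs[hi][0] - evs[lo][0] > window:   # slide the window's left edge
                lo += 1
            distinct = len({phone for _, phone in evs[lo:hi + 1]})
            if distinct > max_distinct:
                flagged[ip] = max(flagged.get(ip, 0), distinct)
    return flagged


def _line(ts: datetime, ip: str, phone: int, status: int = 200) -> str:
    return f'{ts.isoformat()} {ip} "GET /lookup?phone={phone}" {status}'


_T0 = datetime(2024, 7, 1, 10, 0, 0)
SAMPLE_LOG = (
    # one client walking through 50 different numbers in under a minute
    [_line(_T0 + timedelta(seconds=i), "198.51.100.7", 15555550100 + i) for i in range(50)]
    # a legitimate client retrying the same number a few times
    + [_line(_T0 + timedelta(minutes=2, seconds=i), "203.0.113.5", 15555559999) for i in range(5)]
    # an unrelated request with no phone parameter
    + [f'{(_T0 + timedelta(minutes=3)).isoformat()} 203.0.113.5 "GET /healthz" 200']
)

if __name__ == "__main__":
    for ip, peak in find_enumerators(SAMPLE_LOG).items():
        print(f"{ip}: {peak} distinct numbers within one window")
```

Counting distinct values rather than raw request volume is what separates enumeration from a user retrying one number; in production the same logic would key on whatever identifies the caller (API key, session, or source address behind a trusted proxy header) and feed a rate limit rather than only an alert.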
NOTE: Remediation of this vulnerability by patching to a specific version indicated may not be sufficient to secure the product against further vulnerabilities discovered in later versions, subsequent to the publication of this guidance. Unless contra-indicated, customers are therefore advised to always upgrade to the latest version of the product available.
Category: Memory Access Violation
Microsoft Internet Explorer contains a use-after-free vulnerability in the mshtml CButton object. Specially-crafted JavaScript can cause Internet Explorer to free the CButton object without removing a pointer, resulting in a state where Internet Explorer may attempt to call an invalid memory address. This memory address may be under the control of an attacker.
It is recommended that Internet Explorer users run Windows Update as soon as possible to apply the MS13-008 update. The security update addresses the vulnerability by modifying the way that Internet Explorer handles objects in memory.
NOTE: Remediation of this vulnerability by patching to a specific version indicated may not be sufficient to secure the product against further vulnerabilities discovered in later versions, subsequent to the publication of this guidance. Unless contra-indicated, customers are therefore advised to always upgrade to the latest version of the product available.
To keep up to date with future high-profile patches for critical exploits from vendors including Microsoft and Google, add the next ‘Patch Tuesday’ to your calendar now – 13th August 2024.
AppCheck is a software security vendor based in the UK, offering a leading security scanning platform that automates the discovery of security flaws within organisations websites, applications, network, and cloud infrastructure. AppCheck are authorized by the Common Vulnerabilities and Exposures (CVE) Program as a CVE Numbering Authority (CNA).