This article covers recent vulnerabilities found to be actively exploited. They are categorised based not only on the category of exploitation, but their impact, and versions affected. This article also informs on any official fix and remediation guidance for the listed vulnerabilities. For all our entries below, you can find the full overview and guidance at https://detections.appcheck-ng.com/vulnerabilities/list.
Category: Credential Management
The following products are affected:
Acronis Cyber Infrastructure (ACI) uses default passwords for potentially critical functionality. It is common practice for products to be designed to use default passwords for authentication. The rationale is to simplify the manufacturing process or the system administrator’s task of installation and deployment into an enterprise. However, if admins do not change the defaults, then it makes it easier for attackers to quickly bypass authentication across multiple organizations. There are many lists of default passwords and default-password scanning tools that are easily available from the World Wide Web.
Customers are advised to upgrade to the latest version of the impacted product. Updates can be obtained via download from https://security-advisory.acronis.com/updates/UPD-2310-9e7e-bd9b. The update contains fixes for this critical severity security vulnerability and should be installed immediately by all users.
NOTE: Remediation of this vulnerability by patching to a specific version indicated may not be sufficient to secure the product against further vulnerabilities discovered in later versions, subsequent to the publication of this guidance. Unless contra-indicated, customers are therefore advised to always upgrade to the latest version of the product available.
Category: Arbitrary Code Execution
The ServiceNow Platform contains an input validation vulnerability in the handling of UI macros. Server-side template injection is possible because the server fails to sanitise malicious code before interpreting it within server-side templates that are executed on the server. Template engines such as Jelly are widely used by web applications to present dynamic data via web pages. Unsafely embedding user input in templates enables Server-Side Template Injection (SSTI) attacks, a critical vulnerability. Unlike scripting attacks such as XSS, which execute client-side, SSTI attacks can be used to directly attack the web server's internals and often obtain Remote Code Execution (RCE), turning every vulnerable application into a potential pivot point for further exploitation.
The root cause of the vulnerability is that, although the application attempts to sanitise input to templates, it does so using an overly permissive whitelist of HTML elements defined in DEFAULT_GLIDE_HTML_ELEMENT_WHITELIST. Additionally, attempts to prevent template injection in the GlideExpressionScript class are incomplete and fail to consider all forms of quotation marks.
ServiceNow applied an update to hosted instances, and ServiceNow released the update to partners and self-hosted customers on July 10, 2024. Listed below are the patches and hot fixes that address the vulnerability. If you have not done so already, we recommend applying security patches relevant to your instance as soon as possible.
NOTE: Remediation of this vulnerability by patching to a specific version indicated may not be sufficient to secure the product against further vulnerabilities discovered in later versions, subsequent to the publication of this guidance. Unless contra-indicated, customers are therefore advised to always upgrade to the latest version of the product available.
Category: Authentication & Session Management
VMware ESXi contains an authentication bypass vulnerability. Several ESXi advanced settings have default values that are not secure by default. The AD group "ESX Admins" is automatically given the VIM Admin role when an ESXi host is joined to an Active Directory domain: ESXi hypervisors joined to a domain consider any member of a domain group named 'ESX Admins' to have full administrative access by default, which is not a safe assumption. This group is not a built-in group in Active Directory and does not exist by default. ESXi does not validate that such a group exists when the host is joined to the domain, and still treats any member of a group with this name as a full administrator, even if the group did not originally exist.
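As an added illustration (not part of the advisory, and not VMware's or Microsoft's own tooling), the following Python script flags Windows Security audit events that create, change or add members to a domain group named "ESX Admins". The event IDs are taken from Windows audit documentation rather than from this page, and the log records are constructed for the example.

```python
import re
from typing import Dict, List

# Windows Security audit event IDs (from Windows audit documentation, not from the advisory):
GROUP_CREATED = {"4727", "4731", "4754"}        # global / domain-local / universal group created
GROUP_CHANGED = {"4737", "4735", "4755"}        # global / domain-local / universal group changed
GROUP_MEMBER_ADDED = {"4728", "4732", "4756"}   # member added to global / domain-local / universal group

# Constructed sample records in a flattened key=value form, standing in for
# exported Security log entries. These are not real logs.
SAMPLE_EVENTS = [
    "EventID=4727 SubjectUserName=jdoe GroupName=Finance-Users GroupDomain=CORP",
    "EventID=4727 SubjectUserName=svc_deploy GroupName=ESX Admins GroupDomain=CORP",
    "EventID=4737 SubjectUserName=jdoe GroupName=esx admins GroupDomain=CORP",
    "EventID=4728 SubjectUserName=jdoe MemberName=CN=bob,DC=corp GroupName=ESX Admins GroupDomain=CORP",
    "EventID=4624 SubjectUserName=jdoe LogonType=3",
]

# Lazy value match that stops at the next " key=" token, so values may contain spaces.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_event(line: str) -> Dict[str, str]:
    return dict(FIELD_RE.findall(line))


def flag_esx_admins_events(lines: List[str]) -> List[Dict[str, str]]:
    """Return one alert per event that creates, renames into, or adds a member to 'ESX Admins'.

    The comparison is case-insensitive as a conservative choice: ESXi matches the group
    by name, and an alert on a near-miss is cheaper than a missed privileged group.
    """
    alerts = []
    for line in lines:
        ev = parse_event(line)
        eid = ev.get("EventID")
        if ev.get("GroupName", "").strip().lower() != "esx admins":
            continue
        if eid in GROUP_CREATED:
            reason = "group created"
        elif eid in GROUP_CHANGED:
            reason = "group changed (possible rename to ESX Admins)"
        elif eid in GROUP_MEMBER_ADDED:
            reason = "member added: " + ev.get("MemberName", "?")
        else:
            continue
        alerts.append({"event_id": eid, "actor": ev.get("SubjectUserName", "?"), "reason": reason})
    return alerts
```

Pair this with a review of the ESXi advanced settings that name the admin group and control its automatic role assignment (`Config.HostAgent.plugins.hostsvc.esxAdminsGroup` and `Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd`, per VMware documentation rather than this page), so that an unexpected group is not silently granted the VIM Admin role.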
This issue is fixed in ESXi 8.0 U3. Customers are advised to upgrade to the latest version of the impacted product:
NOTE: No patch is planned for ESXi v7.x or VMware Cloud Foundation v4.x. Customers should urgently consider an upgrade path from these unsupported and vulnerable versions.
NOTE: Remediation of this vulnerability by patching to a specific version indicated may not be sufficient to secure the product against further vulnerabilities discovered in later versions, subsequent to the publication of this guidance. Unless contra-indicated, customers are therefore advised to always upgrade to the latest version of the product available.
Category: Arbitrary Code Execution
A vulnerability exists in the way that Microsoft Office and WordPad parse application files on Microsoft Windows systems. Microsoft OLE uses the URL Moniker to open and process application data – including remotely-linked content – in a vulnerable manner. The remote content is opened based on the application associated with the server-provided MIME type. This is unsafe because some MIME types are dangerous, as they can result in code execution. For example, the application/hta MIME type is associated with the mshta.exe executable: opening arbitrary HTA content is equivalent to executing arbitrary code. Arbitrary (malicious) code, including VBScript, may therefore be executed on the client.
Exploitation of this vulnerability requires that a user open or preview a specially crafted file with an affected version of Microsoft Office or WordPad. In an email attack scenario, an attacker could exploit the vulnerability by sending a specially crafted file to the user and then convincing the user to open the file. Depending on the nature of the vulnerability, it may be possible to target Microsoft Windows components other than Microsoft Word/Office.
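The advisory's mechanism (a document application handing server-provided application/hta content to mshta.exe) gives a natural endpoint detection: a document viewer should not normally spawn that handler. The following Python check, an added example that is not part of the advisory or of any vendor tooling, runs that logic over constructed process-creation records; Excel and PowerPoint are added to the parent list as an assumption, since the page names Office as a whole.

```python
import ntpath
import re
from typing import Dict, List

# Document-handling executables: Word and WordPad are named in the advisory;
# Excel and PowerPoint are included as an assumption (Office as a whole is affected).
DOCUMENT_APPS = {"winword.exe", "wordpad.exe", "excel.exe", "powerpnt.exe"}
# Handler the advisory calls out: application/hta content is dispatched to mshta.exe.
# Other MIME-type handlers could be added here as an environment's own policy dictates.
MIME_HANDLERS = {"mshta.exe"}

# Constructed process-creation records (Sysmon-style fields, flattened). Not real logs.
SAMPLE_EVENTS = [
    r"ParentImage=C:\Program Files\Microsoft Office\Office16\WINWORD.EXE Image=C:\Windows\System32\mshta.exe User=CORP\alice",
    r"ParentImage=C:\Windows\explorer.exe Image=C:\Windows\System32\mshta.exe User=CORP\bob",
    r"ParentImage=C:\Program Files\Windows NT\Accessories\wordpad.exe Image=C:\Windows\System32\mshta.exe User=CORP\carol",
    r"ParentImage=C:\Program Files\Microsoft Office\Office16\WINWORD.EXE Image=C:\Windows\System32\spoolsv.exe User=CORP\alice",
]

# Lazy value match that stops at the next " key=" token, so paths with spaces survive.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_event(line: str) -> Dict[str, str]:
    return dict(FIELD_RE.findall(line))


def flag_office_spawned_handlers(lines: List[str]) -> List[Dict[str, str]]:
    """Return records where a document application spawned a MIME-type handler such as mshta.exe."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        # ntpath handles Windows separators regardless of the host the check runs on.
        parent = ntpath.basename(ev.get("ParentImage", "")).lower()
        child = ntpath.basename(ev.get("Image", "")).lower()
        if parent in DOCUMENT_APPS and child in MIME_HANDLERS:
            alerts.append({"parent": parent, "child": child, "user": ev.get("User", "?")})
    return alerts
```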
This issue is addressed in the following Microsoft Security update: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0199. You can help protect your system by installing the update from Microsoft. The update addresses the vulnerability by correcting the way that Microsoft Office and WordPad parse specially crafted files, and by enabling API functionality in Windows that Microsoft Office and WordPad will leverage to resolve the identified issue. After you install this update, you may have to restart your system. Install the update, and refer to the advisory for any further configuration that may be required.
NOTE: Remediation of this vulnerability by patching to a specific version indicated may not be sufficient to secure the product against further vulnerabilities discovered in later versions, subsequent to the publication of this guidance. Unless contra-indicated, customers are therefore advised to always upgrade to the latest version of the product available.
Category: Arbitrary Code Execution
The following platforms are known to be affected:
A memory corruption vulnerability exists in Microsoft Office software when the software fails to properly handle objects in memory. When the Equation Editor component in Office receives data over 17k bytes in length, a buffer overflow occurs. If a file is submitted that contains hidden malicious code, the system may be tricked into downloading and executing a malicious payload such as the spyware “Loki” (TSPY_LOKI) onto the victim’s system. The flaw resides within Equation Editor (EQNEDT32.EXE), a component in Microsoft Office that inserts or edits Object Linking and Embedding (OLE) objects in documents.
Exploitation of the vulnerability requires that a user open a specially crafted file with an affected version of Microsoft Office or Microsoft WordPad software:
Affected organisations are encouraged to review the Microsoft Security Update and apply the relevant actions.
You can help protect your system by installing this update from Microsoft. The security update addresses the vulnerability by correcting how the affected Office component handles objects in memory. After you install this update, you may have to restart your system. Install the update, and refer to the advisory for any further configuration that may be required.
NOTE: Remediation of this vulnerability by patching to a specific version indicated may not be sufficient to secure the product against further vulnerabilities discovered in later versions, subsequent to the publication of this guidance. Unless contra-indicated, customers are therefore advised to always upgrade to the latest version of the product available.
To keep up to date with future high-profile patches for critical exploits from vendors including Microsoft and Google, add the next ‘Patch Tuesday’ to your calendar now – 13th August 2024.
AppCheck is a software security vendor based in the UK, offering a leading security scanning platform that automates the discovery of security flaws within organisations' websites, applications, network, and cloud infrastructure. AppCheck is authorized by the Common Vulnerabilities and Exposures (CVE) Program as a CVE Numbering Authority (CNA).