The Week’s Top Vulnerabilities: SAP, Ivanti, AMD, Microsoft


Between the Black Hat and DEF CON conferences and Patch Tuesday, it’s been a very busy week for security vulnerabilities.

Cyble researchers investigated 40 vulnerabilities in their Aug. 7-13 report for subscribers, and focused on 10 flaws in particular, in products from SAP, Ivanti, AMD, Microsoft, Cisco and Progress Software.

The Cyber Express partners with Cyble each week to bring some of the AI-powered threat intelligence leader’s proprietary insights to our readers to help them better manage their attack surface by focusing on the top vulnerabilities that put their environments most at risk.

The Cyble report was published before SolarWinds issued a hotfix for a 9.8-severity Java deserialization remote code execution (RCE) vulnerability in Web Help Desk, which CISA said yesterday is already under active attack, so you don’t need to wait for next week’s report to get started on that one. Patch now.

The Week’s Top Vulnerabilities

Here are the 10 vulnerabilities that Cyble researchers singled out for priority attention by security teams.

CVE-2024-41730: SAP BusinessObjects Business Intelligence

Impact Analysis: This 9.8 severity critical vulnerability impacts the SAP BusinessObjects Business Intelligence suite of reporting and analytics tools for business intelligence (BI) platforms. If Single Sign On is enabled on Enterprise authentication on the impacted platform, an unauthorized user can get a logon token using a REST endpoint. The attacker can fully compromise the system, resulting in a high impact on confidentiality, integrity, and availability.

Internet Exposure? No

Patch Available? Yes

CVE-2024-7593: Ivanti Virtual Traffic Manager

Impact Analysis: This critical vulnerability – also rated at 9.8 – impacts Ivanti Virtual Traffic Manager (vTM), a software-based application delivery controller (ADC) and load balancer that provides intelligent traffic management, load balancing, and application acceleration for web applications and services. An incorrect implementation of an authentication algorithm in Ivanti vTM in versions other than 22.2R1 or 22.7R2 allows a remote, unauthenticated attacker to bypass the authentication of the admin panel. With the availability of a public Proof of Concept (POC) of the vulnerability, threat actors may start exploiting it, allowing them to create rogue administrator accounts.

Internet Exposure? Yes

Patch Available? Two patches plus mitigations are available now, with four more patches to be issued next week.

CVE-2024-7569: Ivanti Neurons for ITSM

Impact Analysis: This 9.6 severity critical vulnerability impacts Ivanti Neurons for ITSM (IT Service Management), a comprehensive software platform for IT service management. The information disclosure allows an unauthenticated attacker to obtain the OIDC client secret via debug information.

Internet Exposure? No

Patch Available? Yes

CVE-2023-31315: AMD ‘Sinkclose’ Vulnerability

Impact Analysis: This high-severity (7.5) vulnerability, known as “Sinkclose,” is an improper validation flaw in a model-specific register (MSR) that allows a malicious program with ring 0 (kernel) access to modify System Management Mode (SMM) configuration even while the SMI lock is enabled, potentially leading to arbitrary code execution in SMM. Exploitation therefore requires kernel-level access first; that is not trivial, but kernel compromise is routine in sophisticated attacks. Because SMM (often called ring -2) sits below both ring -1 (the hypervisor level used for CPU virtualization) and ring 0, code running there is invisible to the operating system and hypervisor and can survive well beyond ordinary remediation, which makes the flaw attractive to advanced persistent threat (APT) actors.

Internet Exposure? No

Patch Available? AMD has published patch and mitigation information in its security bulletin for the affected processor families.

CVE-2024-38200: Microsoft Office

Impact Analysis: While officially listed as a 6.5 medium-severity vulnerability, this Microsoft Office spoofing vulnerability can be exploited by attackers to capture users’ NTLM credentials (strictly, the NTLM challenge-response rather than the stored hash). It is exploitable remotely and requires no privileges, but the victim does have to open a crafted file or follow a link to an attacker-controlled server. Once attackers capture a victim’s NTLM authentication, they can relay it to another service and authenticate as the victim, leading to further pivoting into the compromised network. It’s one of many Microsoft vulnerabilities from this month’s Patch Tuesday that are getting attention, including six actively exploited zero-day vulnerabilities and a 9.8-severity zero-click TCP/IP vulnerability.

Internet Exposure? No

Patch Available? Yes
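The standard way to blunt this whole class of NTLM-leak bugs, independent of the Office patch, is to stop NTLM from leaving the host in the first place. The following PowerShell is an added example written for this article, not code from Microsoft or from Cyble: it first puts the “Restrict NTLM: Outgoing NTLM traffic to remote servers” policy into audit mode, pulls the resulting audit events so legitimate dependencies can be found, and blocks outbound SMB to the internet at the host firewall. The registry location, the event ID and the firewall address keyword are the documented ones; the function names and the 24-hour window are this example’s own choices.

```powershell
# Added example (not from the article, Microsoft or Cyble). Run from an elevated prompt.
# Backing registry value for the policy "Network security: Restrict NTLM:
# Outgoing NTLM traffic to remote servers": 0 = allow, 1 = audit, 2 = deny.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

function Get-OutgoingNtlmPolicy {
    $v = (Get-ItemProperty -Path $lsa -Name RestrictSendingNTLMTraffic `
            -ErrorAction SilentlyContinue).RestrictSendingNTLMTraffic
    switch ($v) {
        1       { 'Audit' }
        2       { 'Deny' }
        default { 'Allow (not configured)' }
    }
}

# Step 1: audit first. With value 1, every outgoing NTLM authentication that a Deny
# setting would block is logged as event 8001 in the NTLM operational log, so you can
# find legitimate uses (e.g. a non-domain file server) before enforcing.
Set-ItemProperty -Path $lsa -Name RestrictSendingNTLMTraffic -Value 1 -Type DWord

# The operational log must be enabled for 8001 to appear; this is idempotent.
wevtutil sl Microsoft-Windows-NTLM/Operational /e:true

function Get-OutgoingNtlmAuditEvents {
    param([int]$Hours = 24)   # window is an arbitrary choice for the example
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-NTLM/Operational'
        Id        = 8001
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated,
        @{ Name = 'Message'; Expression = { $_.Message -replace '\s+', ' ' } }
}

# Step 2: block the usual exfil path at the network layer as well. A crafted document
# normally points at an SMB share (TCP 445) on an attacker-controlled host; "Internet"
# is a built-in Windows Firewall address keyword for non-local destinations.
New-NetFirewallRule -DisplayName 'Block outbound SMB to Internet' `
    -Direction Outbound -Protocol TCP -RemotePort 445 `
    -RemoteAddress Internet -Action Block -Profile Any | Out-Null

# Step 3: once the audit log has been clean for long enough, enforce by uncommenting:
# Set-ItemProperty -Path $lsa -Name RestrictSendingNTLMTraffic -Value 2 -Type DWord

Get-OutgoingNtlmPolicy
Get-OutgoingNtlmAuditEvents -Hours 24 | Format-Table -AutoSize
```

Two caveats: a domain-wide rollout belongs in Group Policy rather than per-host registry writes, and any 8001 entries that show up during the audit period are exactly the systems that will break under Deny, so treat them as a migration list (to Kerberos, or to an explicit exception) rather than noise. Putting privileged accounts in the Protected Users group removes NTLM for those accounts entirely and is worth doing in parallel.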

CVE-2024-20450, CVE-2024-20452, and CVE-2024-20454: Cisco Small Business IP Phones

Impact Analysis: These 9.8-severity critical vulnerabilities impact the web-based management interface of Cisco Small Business SPA300 Series and SPA500 Series IP Phones and could allow an unauthenticated remote attacker to execute arbitrary commands on the underlying operating system with root privileges. They exist because incoming HTTP packets are not properly checked for errors, which can result in a buffer overflow. An attacker could exploit them by sending a crafted HTTP request to an affected device; a successful exploit overflows an internal buffer and executes arbitrary commands at the root privilege level.

Internet Exposure? No

Patch Available? No. Cisco has stated that the SPA300 and SPA500 Series have entered the end-of-life process and that it will not release firmware updates for these flaws, so the practical remediation is to replace the phones or, at minimum, keep their management interface off any network an attacker can reach.

CVE-2024-20419: Cisco Smart Software Manager On-Prem

Impact Analysis: This 10.0-severity critical vulnerability impacts Cisco Smart Software Manager On-Prem (SSM On-Prem), a licensing management solution designed to help organizations manage their Cisco product licenses locally. The flaw in the authentication system of the impacted device could allow an unauthenticated remote attacker to change the password of any user, including administrative users. This vulnerability is due to improper implementation of the password-change process. An attacker could exploit this vulnerability by sending crafted HTTP requests to an affected device. A successful exploit could allow an attacker to access the web UI or API with the privileges of the compromised user.

Internet Exposure? No

Patch Available? Yes

CVE-2024-4885: Progress WhatsUp Gold

Impact Analysis: This 9.8-severity critical vulnerability impacts Progress WhatsUp Gold, network monitoring software designed to provide comprehensive visibility into the performance and status of IT infrastructure, including applications, network devices, and servers. It is an unauthenticated Remote Code Execution vulnerability that allows command execution with the privileges of the iisapppoolnmconsole account, giving an attacker code execution on the server and a foothold on the underlying system. While the vulnerability dates from June, researchers recently observed threat actors actively attempting to exploit it on exposed servers to gain initial access to corporate networks.

Internet Exposure? Yes

Patch Available? Yes

Dark Web Exploits, ICS Vulnerabilities, and More

The full Cyble report for subscribers also looks at eight vulnerability exploits discussed on the dark web, 15 industrial control system (ICS) vulnerabilities (nine of which affect Rockwell Automation products), and the vulnerabilities with the highest number of web asset exposures, some numbering in the hundreds of thousands.

The vulnerability report is just one of hundreds produced by Cyble researchers each week, in addition to client-specific customizable reporting and alerts. Cyble’s weekly sensor report, for example, this week looks at vulnerability exploits and malware, ransomware and phishing attacks, along with indicators of compromise (IoCs).

The Cyber Express will bring you more exclusive coverage from Cyble threat intelligence researchers in the weeks ahead.
