Threat Alerts

Your place for the latest CyberProof cyber threat intelligence alerts and updates


Critical Vulnerabilities in Fortinet Products

18-Mar-2024
Label: Vulnerability
Threat Level: Medium

Fortinet has released critical security patches for severe vulnerabilities tracked as CVE-2023-48788 (CVSS 9.3), CVE-2023-42789 (CVSS 9.8), and CVE-2023-42790 (CVSS 8.1). These flaws impact its FortiClient Enterprise Management Server (EMS), FortiOS, and FortiProxy products.

CVE-2023-48788: This SQL injection flaw could let an unauthenticated attacker execute unauthorized commands or code via specially crafted requests.

CVE-2023-42789 and CVE-2023-42790: These out-of-bounds write issues could enable an attacker with access to the captive portal to execute arbitrary code or commands using specially crafted HTTP requests.

The affected product versions are:

FortiClient EMS versions 7.2.0 to 7.2.2, and 7.0.1 to 7.0.10

FortiOS versions 7.4.0 to 7.4.1, 7.2.0 to 7.2.5, 7.0.0 to 7.0.12, 6.4.0 to 6.4.14, and 6.2.0 to 6.2.15

FortiProxy versions 7.4.0, 7.2.0 to 7.2.6, 7.0.0 to 7.0.12, and 2.0.0 to 2.0.13

Administrators and users of these products should promptly upgrade to the latest versions to mitigate these vulnerabilities.

Kubernetes RCE Flaw Allows Full Takeover of Windows Nodes

18-Mar-2024
Label: Vulnerability
Threat Level: Medium

A critical vulnerability has been identified in Kubernetes that lets a user with limited access privileges on Windows nodes escalate to administrator-level privileges. Specifically, the vulnerability affects Kubernetes clusters that use an in-tree storage plugin for Windows nodes.

Exploiting this vulnerability enables remote code execution with SYSTEM privileges across all Windows endpoints within the Kubernetes cluster, posing significant risks to cloud security. Potential consequences include incidents like crypto mining, denial-of-service (DoS) attacks, and the compromise of sensitive data.

Attackers can exploit this vulnerability by deploying malicious YAML files onto the cluster. Default installations of Kubernetes versions earlier than 1.28.4 are susceptible to exploitation. However, the patch provided by the vendor fully mitigates the vulnerability.

Outside of applying the provided patch, there are no known mitigations to this vulnerability.
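A version-inventory check is the first thing a defender wants from the two alerts above: given a product and a version string, is it inside the affected ranges the Fortinet alert lists, or below the 1.28.4 cut-off the Kubernetes alert names? The block below is an added example, not CyberProof's or the vendors' tooling; the range table transcribes the numbers stated on this page, and the host inventory is constructed for illustration.

```python
"""Check product versions against the affected ranges stated in the
Fortinet and Kubernetes alerts above.  Added example, not CyberProof's
or the vendors' code; the range table copies the page's numbers."""
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

def parse_version(text: str) -> Version:
    """'7.2.5' -> (7, 2, 5).  A leading 'v' (common for Kubernetes) is
    dropped and short versions are padded to three components so that
    '7.0' compares equal to '7.0.0' instead of sorting below it."""
    parts = text.strip().lstrip("v").split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    nums = [int(p) for p in parts]
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums)

# Inclusive (low, high) ranges exactly as listed in the Fortinet alert.
AFFECTED: Dict[str, List[Tuple[str, str]]] = {
    "FortiClient EMS": [("7.2.0", "7.2.2"), ("7.0.1", "7.0.10")],
    "FortiOS": [("7.4.0", "7.4.1"), ("7.2.0", "7.2.5"), ("7.0.0", "7.0.12"),
                ("6.4.0", "6.4.14"), ("6.2.0", "6.2.15")],
    "FortiProxy": [("7.4.0", "7.4.0"), ("7.2.0", "7.2.6"), ("7.0.0", "7.0.12"),
                   ("2.0.0", "2.0.13")],
}

# Kubernetes alert: "versions earlier than 1.28.4" -> strict upper bound only.
KUBERNETES_FIXED = "1.28.4"

def is_affected(product: str, version: str) -> bool:
    """True if the version falls inside a published affected range."""
    v = parse_version(version)
    if product == "Kubernetes":
        return v < parse_version(KUBERNETES_FIXED)
    ranges = AFFECTED.get(product)
    if ranges is None:
        raise KeyError(f"no affected-range data for {product!r}")
    return any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in ranges)

# Constructed inventory: (hostname, product, running version).
SAMPLE_INVENTORY: List[Tuple[str, str, str]] = [
    ("fw-edge-01", "FortiOS", "7.2.5"),
    ("fw-edge-02", "FortiOS", "7.2.6"),
    ("proxy-01", "FortiProxy", "7.4.0"),
    ("ems-01", "FortiClient EMS", "7.0.11"),
    ("k8s-cp-01", "Kubernetes", "v1.27.10"),
    ("k8s-cp-02", "Kubernetes", "1.28.4"),
]

def triage(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Return the inventory rows that still need patching."""
    return [row for row in inventory if is_affected(row[1], row[2])]

if __name__ == "__main__":
    for host, product, version in triage(SAMPLE_INVENTORY):
        print(f"PATCH NEEDED  {host:<12} {product:<16} {version}")
```

The ranges are compared as integer tuples rather than strings, which is what makes 7.0.12 sort after 7.0.2; a string comparison would silently mark the newer build as safe. Feed the real asset list into `triage` in place of the constructed one.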

60 New Vulnerabilities Were Addressed in Microsoft March 2024 Patch Tuesday

18-Mar-2024
Label: Vulnerability
Threat Level: Medium

Microsoft fixed 60 security flaws as part of its March 2024 Patch Tuesday. These vulnerabilities cover a wide range of categories, including remote code execution, elevation of privilege, security feature bypass, information disclosure, denial of service, and spoofing. Notably, two of them – tracked as CVE-2024-21400 and CVE-2024-21408 – are rated critical.

CVE-2024-21400 (CVSS score: 9.0) was defined as a Microsoft Azure Kubernetes Service Confidential Container Elevation of Privilege vulnerability. Successful exploitation potentially allows threat actors to steal credentials and affect resources outside the security scope managed by Azure Kubernetes Service Confidential Containers (AKSCC). This means they could access and compromise confidential guests and containers beyond the network boundaries they are supposed to be confined within. A Proof of Concept for this vulnerability is publicly available.

CVE-2024-21408 (CVSS score: 8.1) is a Windows Hyper-V denial of service vulnerability in which an authenticated attacker operating within a guest virtual machine sends specially crafted file operation requests to the virtual machine's hardware resources. This could potentially lead to remote code execution on the host server. To exploit this vulnerability successfully, the attacker must first gather specific information about the environment and take additional preparatory actions.

DarkGate Malware Deployed: Exploiting Windows SmartScreen Vulnerability

18-Mar-2024
Label: Malware
Threat Level: Medium

A malicious campaign distributing DarkGate emerged in mid-January 2024, leveraging the CVE-2024-21412 vulnerability. The campaign used fake software installers delivered via PDFs that abuse Google DoubleClick Digital Marketing (DDM) open redirects. These lures redirect to compromised sites hosting Microsoft Windows SmartScreen bypasses, ultimately leading to the installation of DarkGate malware payloads.

This flaw, tracked as CVE-2024-21412 (CVSS 8.1), is a high-severity vulnerability that allows attackers to bypass Microsoft Windows SmartScreen security measures. Exploiting this flaw enables threat actors to execute arbitrary code on targeted systems, facilitating the installation of malware.

The DarkGate campaign capitalizes on CVE-2024-21412 by distributing counterfeit Microsoft (.MSI) installers masquerading as legitimate software such as Apple iTunes, Notion, NVIDIA, and others. These fake installers contain sideloaded DLL files housing DarkGate malware payloads.

Multiple Vulnerabilities in QNAP NAS Software Suite

11-Mar-2024
Label: Vulnerability
Threat Level: Medium

QNAP warns of a series of vulnerabilities that were identified in their NAS software suite – which includes QTS, QuTS hero, QuTScloud, and myQNAPcloud. These vulnerabilities, if exploited, could allow unauthorized access and control over affected devices.

The first flaw, identified as CVE-2024-21899 (CVSS score 9.8), allows remote attackers to bypass authentication due to an improper authentication mechanism, enabling unauthorized system compromise over the network. This vulnerability is notable for its low attack complexity, meaning a low barrier to exploitation for potential attackers.

The second vulnerability, CVE-2024-21900, enables authenticated users to inject and execute arbitrary commands over the network. Such capabilities could lead to unauthorized access or even full control of the affected system.

Lastly, CVE-2024-21901 – which targets database integrity – enables authenticated administrators to inject malicious SQL code via the network, potentially leading to database manipulation or compromise.

Cisco Issues Patch for High-Severity VPN Hijacking Bug in Secure Client

11-Mar-2024
Label: Vulnerability
Threat Level: Medium

Cisco has addressed a high-severity vulnerability within its Cisco Secure Client software, capable of enabling attackers to hijack a user’s VPN session.

The flaw, tracked as CVE-2024-20337 (CVSS 8.2), stems from insufficient validation of user-supplied input during VPN setup. A malicious actor could leverage this flaw by tricking a user into clicking a specially crafted link, potentially resulting in:

Stolen Credentials: An attacker could steal a user’s Security Assertion Markup Language (SAML) token through script execution in the user’s browser.
VPN Session Hijacking: The stolen SAML token could be used to establish a fraudulent VPN session, impersonating the compromised user.

This vulnerability impacts Cisco Secure Client for Windows, Linux, and macOS. Fixed-release status by release train:

Earlier than 4.10.04065: not vulnerable
4.10: fixed in 4.10.08025
5.0: migrate to a fixed release
5.1: fixed in 5.1.2.42
