Exposures, Exposed! Weekly Round-up August 19 – August 25
Welcome to 'Exposures, Exposed!' - your go-to weekly source for crucial insights into the dynamic realm of cyber vulnerabilities. Our dedicated experts meticulously analyze the cybersecurity landscape to deliver the most relevant exposure incidents each and every week.
Here’s what we’ve got for you this week:
Microsoft macOS Apps Had Potential Security Flaws
Researchers have identified eight vulnerabilities in popular Microsoft applications for macOS that could have allowed hackers to access users' microphones and cameras. The flaws were discovered in Teams, Outlook, Word, PowerPoint, OneNote, and Excel.
If users had already granted these apps permission to access device resources, hackers could have exploited the vulnerabilities to secretly record video or audio without users' knowledge. Cisco Talos, the researchers who discovered the flaws, warned that compromised applications could be manipulated to abuse their permissions.
All eight vulnerabilities were library-injection bugs: if an attacker can get a process to load a dynamic library they control, the code in that library runs as that process and inherits every permission the user has granted it. macOS's Hardened Runtime blocks this by refusing to load libraries that are not signed by the app's developer or by Apple. Microsoft, however, had added entitlements to some of the affected apps that opt out of that library validation, which is precisely the protection that would otherwise have stopped the attack.
The Takeaway - Microsoft has since updated Teams and OneNote to remove the entitlement, and with it the issue. Excel, Outlook, PowerPoint and Word have not been changed, so for those four apps updating is not enough on its own: review which camera, microphone and other permissions they hold under System Settings > Privacy & Security and revoke anything that is not actually needed. Keep all Microsoft macOS apps on the latest version regardless. Learn more here.
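As an added illustration (my own code, not Talos's or Microsoft's), here is how to spot the combination the researchers describe in an app's entitlements. Dump an app's entitlements with codesign -d --entitlements (the exact output flags vary by macOS version) and feed the XML plist to the script. The Hardened Runtime opt-out keys it checks are Apple's documented ones; the round-up does not say which of them Microsoft used. The sample entitlements embedded below are constructed for the example, not taken from any Microsoft binary.

```python
from __future__ import annotations

import plistlib

# Hardened Runtime entitlements that switch a protection off. Apple's documented
# set; the two library-injection ones are the ones that matter for this story.
RUNTIME_OPT_OUTS = {
    "com.apple.security.cs.disable-library-validation":
        "loads dylibs/frameworks not signed by the app's Team ID or Apple (library injection)",
    "com.apple.security.cs.allow-dyld-environment-variables":
        "honours DYLD_INSERT_LIBRARIES and other dyld variables (library injection)",
    "com.apple.security.cs.allow-unsigned-executable-memory":
        "permits unsigned executable memory (in-process code injection)",
    "com.apple.security.cs.allow-jit":
        "permits JIT-writable executable memory",
    "com.apple.security.cs.disable-executable-page-protection":
        "disables executable page protection",
}

# Sandbox entitlements that grant the device access Talos warned about.
DEVICE_ACCESS = {
    "com.apple.security.device.camera": "camera",
    "com.apple.security.device.microphone": "microphone",
    "com.apple.security.device.audio-input": "microphone",
}


def load_entitlements(entitlements_xml: bytes) -> dict:
    """Parse an entitlements plist (XML or binary) into a dict."""
    return plistlib.loads(entitlements_xml)


def weakened_runtime(entitlements_xml: bytes) -> list[str]:
    """Hardened Runtime opt-outs that are set to true, in a stable order."""
    ents = load_entitlements(entitlements_xml)
    return [key for key in RUNTIME_OPT_OUTS if ents.get(key) is True]


def device_access(entitlements_xml: bytes) -> list[str]:
    """Sandbox device entitlements (camera/microphone) the app holds."""
    ents = load_entitlements(entitlements_xml)
    return sorted({DEVICE_ACCESS[k] for k in DEVICE_ACCESS if ents.get(k) is True})


def audit(entitlements_xml: bytes) -> dict:
    """Summarise the combination the report describes: an app that can reach
    the camera or microphone *and* lets a foreign library into its process."""
    opt_outs = weakened_runtime(entitlements_xml)
    devices = device_access(entitlements_xml)
    return {
        "opt_outs": opt_outs,
        "devices": devices,
        "injectable_with_device_access": bool(opt_outs) and bool(devices),
    }


# Constructed sample for illustration (not from any real Microsoft binary):
# a sandboxed app that asks for camera and microphone and also disables
# library validation.
SAMPLE_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.app-sandbox</key><true/>
    <key>com.apple.security.device.camera</key><true/>
    <key>com.apple.security.device.microphone</key><true/>
    <key>com.apple.security.cs.disable-library-validation</key><true/>
    <key>com.apple.security.cs.allow-jit</key><false/>
</dict>
</plist>
"""

if __name__ == "__main__":
    result = audit(SAMPLE_ENTITLEMENTS)
    for key in result["opt_outs"]:
        print(f"opt-out: {key}: {RUNTIME_OPT_OUTS[key]}")
    print("device access:", ", ".join(result["devices"]) or "none")
    print("injectable with device access:", result["injectable_with_device_access"])
```

Note that the devices list only reflects sandbox entitlements. For an unsandboxed app, camera and microphone access is granted through TCC at runtime and appears under System Settings > Privacy & Security rather than in the entitlements, so for those apps check there and treat any runtime opt-out as the finding.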
Slack AI Flaw Enables Data Theft from Private Channels
Researchers have identified a vulnerability in Slack AI that allows attackers to steal sensitive data from private channels.
The attack is a prompt injection. An attacker posts a message containing instructions in a public channel, and the target never has to read it, because Slack AI pulls channel content into its context when it answers a question. When the user then asks Slack AI for something that lives only in a private channel, such as an API key, the injected instructions can steer the AI into answering with a clickable link whose URL carries the key to an attacker-controlled server.
The same technique works through files: since Slack AI also ingests uploaded documents, instructions hidden inside an attachment are picked up in the same way.
The Takeaway - Slack has not yet patched the vulnerability. Until it does, the researchers recommend that workspace admins adjust their Slack AI settings to limit what it ingests (in particular uploaded documents), and that users avoid asking Slack AI for secrets or other sensitive data, since anything it retrieves can be leaked through a crafted answer.
Slack users should be cautious when using Slack AI and avoid querying it for sensitive information. Learn more here.
Critical Jenkins Vulnerability Exploited in Ransomware Attack
A critical vulnerability in the Jenkins open-source continuous integration/continuous delivery (CI/CD) automation server has been exploited by the RansomEXX ransomware group in a supply chain attack targeting C-Edge Technologies' customers. The vulnerability, tracked as CVE-2024-23897, lets an attacker read arbitrary files on the Jenkins controller, which the Jenkins advisory notes can be leveraged into remote code execution (for example by recovering the secrets and keys a controller stores on disk).
The flaw was patched and disclosed in January 2024, and affects Jenkins weekly releases up to and including 2.441 and LTS releases up to and including 2.426.2. It sits in the Jenkins CLI's argument parser, which expands an argument of the form @file into the contents of that file on the controller. Attackers with Overall/Read permission can read entire files; per the advisory, attackers without it can still read the first few lines of a file.
The Takeaway - Organizations using Jenkins should upgrade to 2.442 or LTS 2.426.3 (or later) to address this critical vulnerability; where an upgrade has to wait, disabling access to the CLI is the documented workaround. Read our in depth advisory post here to learn more.
SolarWinds Web Help Desk Flaw Allows Unauthorized Access
SolarWinds has released a patch to address a critical vulnerability in its Web Help Desk software. The flaw (CVE-2024-28987) is a hardcoded credential that allows a remote, unauthenticated attacker to log in to the application, reach internal functionality and modify data.
The vulnerability affects Web Help Desk versions 12.8.3 HF1 and earlier. Organizations are urged to install the latest update, version 12.8.3 HF2, which removes the hardcoded credentials.
The Takeaway - SolarWinds Web Help Desk users should update to version 12.8.3 HF2 immediately to address this critical vulnerability. Learn more here.
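Both this item and the Jenkins item above come down to "is the build I'm running older than the fixed one", and the version strings are easy to get wrong by hand: Jenkins weekly and LTS releases are separate lines (2.441 is vulnerable while 2.426.3 is not, despite the smaller number), and Web Help Desk hotfixes add an HF suffix on top of the base version. The following added example (my own code, not from Jenkins or SolarWinds) encodes the affected ranges named in this round-up and gates an inventory against them; the inventory and response headers in it are constructed for illustration.

```python
import re

# Fixed releases named in this round-up.
JENKINS_FIXED_WEEKLY = (2, 442)
JENKINS_FIXED_LTS = (2, 426, 3)
WHD_FIXED = ((12, 8, 3), 2)          # 12.8.3 HF2


def _nums(dotted):
    """'2.426.2' -> (2, 426, 2), so that tuple comparison orders versions."""
    return tuple(int(part) for part in dotted.strip().split("."))


def jenkins_version_from_headers(headers):
    """A Jenkins controller advertises its version in the X-Jenkins response header."""
    for name, value in headers.items():
        if name.lower() == "x-jenkins":
            return value.strip()
    raise KeyError("no X-Jenkins header; is this a Jenkins controller?")


def jenkins_vulnerable(version):
    """CVE-2024-23897: weekly releases up to 2.441 and LTS up to 2.426.2 are affected.

    Weekly releases have two components (2.441); LTS releases have three
    (2.426.2). The two lines are compared separately, because a numerically
    smaller LTS such as 2.426.3 already carries the fix.
    """
    parts = _nums(version)
    if len(parts) == 3:
        return parts < JENKINS_FIXED_LTS
    if len(parts) == 2:
        return parts < JENKINS_FIXED_WEEKLY
    raise ValueError(f"unrecognised Jenkins version: {version!r}")


_WHD_RE = re.compile(r"^(\d+(?:\.\d+)+)(?:\s*HF\s*(\d+))?$", re.IGNORECASE)


def whd_vulnerable(version):
    """CVE-2024-28987: Web Help Desk 12.8.3 HF1 and earlier are affected.

    A hotfix suffix sorts after its base release: 12.8.3 < 12.8.3 HF1 < 12.8.3 HF2.
    """
    match = _WHD_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised Web Help Desk version: {version!r}")
    return (_nums(match.group(1)), int(match.group(2) or 0)) < WHD_FIXED


CHECKS = {
    "jenkins": jenkins_vulnerable,
    "solarwinds-whd": whd_vulnerable,
}


def triage(inventory):
    """Return the (host, product, version) entries still on an affected release."""
    return [(host, product, version)
            for host, product, version in inventory
            if CHECKS[product](version)]


# Constructed inventory for illustration; none of these are real hosts.
SAMPLE_INVENTORY = [
    ("ci-01", "jenkins", "2.426.2"),          # LTS, affected
    ("ci-02", "jenkins", "2.440.1"),          # later LTS line, fixed
    ("ci-03", "jenkins", "2.441"),            # last affected weekly
    ("helpdesk", "solarwinds-whd", "12.8.3 HF1"),
    ("helpdesk-dr", "solarwinds-whd", "12.8.3 HF2"),
]

if __name__ == "__main__":
    # Constructed response headers, as returned by GET /login on a controller.
    print("header says:", jenkins_version_from_headers({"Server": "Jetty(10.0.18)", "X-Jenkins": "2.441"}))
    for host, product, version in triage(SAMPLE_INVENTORY):
        print(f"PATCH NEEDED  {host:12} {product:15} {version}")
```

The version strings are the only input, so this is a screening check, not proof of exposure: a Jenkins controller on an affected version with the CLI disabled is not exploitable, and a Web Help Desk instance behind an authenticating proxy is a smaller target, but both still belong on the patch list.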
Atlassian Releases Patches for Multiple High-Severity Vulnerabilities
Atlassian has published its August 2024 security bulletin, detailing nine high-severity vulnerabilities affecting its Bamboo, Confluence, Crowd, and Jira products. The vulnerabilities include remote code execution, denial-of-service, and cross-site scripting flaws.
Patches for these vulnerabilities have been released and users are advised to update their installations as soon as possible. While there is currently no evidence of these flaws being exploited, it is important to apply the patches to protect against potential attacks.
The Takeaway - Organizations using Atlassian products should review the August 2024 security bulletin and apply the necessary patches to address the high-severity vulnerabilities. Learn more here.
Millions of WordPress Sites Vulnerable to Critical Exploit
A critical vulnerability in the LiteSpeed Cache WordPress plugin allows an unauthenticated visitor to obtain administrator rights, and from there to upload malicious files. The plugin has over 5 million active installations, so millions of sites are believed to be affected.
Patchstack, a WordPress security company, discovered the vulnerability and notified the plugin developer. The vulnerability was patched in version 6.4.1 on August 19th.
The Takeaway - WordPress users should ensure that their LiteSpeed Cache plugin is updated to version 6.4.1 or later to address this critical vulnerability. Learn more here.
Microsoft Copilot Studio Flaw Could Expose Sensitive Data
A critical vulnerability has been discovered in Microsoft's Copilot Studio that could allow attackers to access sensitive information. The flaw, tracked as CVE-2024-38206, is a server-side request forgery (SSRF): an authenticated user could make the Copilot Studio service issue HTTP requests to destinations of their choosing, including internal resources that are reachable from the service but not from the user, and read back the responses.
Microsoft has addressed the vulnerability on the service side. Because Copilot Studio is a hosted service, there is no customer-side patch to install, but organizations using it should still review the advisory.
The Takeaway - Organizations using Microsoft Copilot Studio should review the security advisory. More generally, any agent or integration that fetches URLs on a user's behalf needs an allow-list or address filter so that it cannot be pointed at internal services. Learn more here.
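As an added example of the filter such a fetcher needs (my own code, not Microsoft's, and not a description of how Copilot Studio's fix works), the following check validates a user-supplied URL before a server fetches it: it refuses non-HTTP schemes, resolves the host, and rejects any address in loopback, private, link-local or cloud-metadata ranges, including an IPv4 address wrapped in IPv6 mapped form. The resolver is injectable so the block runs offline; the hostnames and addresses in it are constructed.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Address ranges a server-side fetcher must never reach on a user's behalf.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8",          # "this" network; 0.0.0.0 reaches localhost on Linux
    "127.0.0.0/8",        # loopback
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "100.64.0.0/10",      # carrier-grade NAT, common inside cloud VPCs
    "169.254.0.0/16",     # link-local, including instance metadata 169.254.169.254
    "::1/128", "fc00::/7", "fe80::/10",                 # IPv6 loopback / ULA / link-local
)]


class SSRFBlocked(ValueError):
    """Raised when a URL would make the server talk to an internal address."""


def resolve_all(host):
    """Every address the host resolves to (assumes DNS is reachable)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def check_outbound_url(url, resolver=resolve_all):
    """Validate a user-supplied URL before the server fetches it.

    Returns the sorted list of addresses it is safe to connect to, so the
    caller can pin the connection to one of them instead of resolving again
    (re-resolving reopens the DNS-rebinding window).
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise SSRFBlocked(f"scheme not allowed: {parts.scheme!r}")
    host = parts.hostname
    if not host:
        raise SSRFBlocked("URL has no host")
    try:
        ipaddress.ip_address(host)
        candidates = {host}                 # literal address, nothing to resolve
    except ValueError:
        # Not a literal: resolve it. Resolution also canonicalises tricks such
        # as decimal or hex IPv4 spellings, which come back as dotted quads
        # and are then checked like any other address.
        candidates = set(resolver(host))
    safe = []
    for text in candidates:
        addr = ipaddress.ip_address(text)
        # ::ffff:169.254.169.254 is the metadata service in IPv6 clothing.
        if addr.version == 6 and addr.ipv4_mapped is not None:
            addr = addr.ipv4_mapped
        if any(addr in net for net in BLOCKED_NETWORKS):
            raise SSRFBlocked(f"{host} resolves to internal address {addr}")
        safe.append(str(addr))
    return sorted(safe)


if __name__ == "__main__":
    # Constructed resolver standing in for DNS so the demo runs offline.
    fake_dns = {"api.example.net": ["203.0.113.10"], "metadata.internal": ["169.254.169.254"]}
    for url in ("https://api.example.net/v1/items", "http://metadata.internal/", "http://[::ffff:169.254.169.254]/"):
        try:
            print("allow", url, "->", check_outbound_url(url, resolver=lambda h: fake_dns.get(h, [])))
        except SSRFBlocked as err:
            print("block", url, "->", err)
```

The caller should connect to one of the returned addresses rather than letting the HTTP client resolve the name a second time; otherwise a hostname whose record changes between the check and the fetch (DNS rebinding) slips past the filter. Redirects need the same treatment: either disable them or run each redirect target through the check before following it.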
Google Chrome Update Fixes Critical Vulnerability
Google has released an update for Chrome that fixes 38 security vulnerabilities, including one that is already being exploited. Users are urged to update their browsers to the latest version to protect against potential attacks.
The exploited bug is a type confusion vulnerability in the V8 JavaScript engine. Type confusions let crafted JavaScript make the engine treat an object as a different type than it really is, which typically ends in memory corruption and arbitrary code execution inside the renderer process.
Other vulnerabilities addressed in the update include heap-based buffer overflows and use-after-free bugs. All of these are reachable simply by getting a victim to open a crafted web page.
The Takeaway - Chrome users should update to the latest version and then relaunch the browser, since a downloaded update is not active until Chrome restarts. Learn more here.
Critical Vulnerability Found in OpenBMC Project
A critical vulnerability has been discovered in slpd-lite, the lightweight Service Location Protocol (SLP) daemon that ships as a sub-component of the OpenBMC Project, a community-driven, open-source firmware stack for Baseboard Management Controllers (BMCs). The vulnerability, tracked as CVE-2024-41660, could allow attackers to gain remote access to BMCs and potentially compromise server security.
The vulnerability affects only OpenBMC builds in which the slpd-lite service is installed and enabled. Users are urged to update to the latest version of OpenBMC to address the issue.
The Takeaway - Organizations running OpenBMC should check whether slpd-lite is present and enabled in their firmware image; if it is not needed, disabling it removes the exposure, and in any case the firmware should be updated to a version that includes the fix. Because the BMC sits below the operating system, it should never be reachable from untrusted networks.
That’s all for this week – have any exposures to add to our list? Let us know!