Exposures, Exposed! Weekly Round-up July 1-7

Welcome to 'Exposures, Exposed!' - your go-to weekly source for crucial insights into the dynamic realm of cyber vulnerabilities. Our dedicated experts meticulously analyze the cybersecurity landscape to deliver the most relevant exposure incidents each and every week. 

Here’s what we’ve got for you this week:

Critical OpenSSH Vulnerability Exposes Millions of Servers

A new critical vulnerability (CVE-2024-6387) was discovered in OpenSSH that could allow attackers to gain full access to vulnerable servers. This vulnerability, nicknamed "regreSSHion," is a regression of a previously patched flaw and affects OpenSSH versions earlier than 4.4p1 unless patched for specific CVE identifiers. Researchers estimate that millions of servers are vulnerable, and attackers could exploit this flaw to steal data or install malware. Patching is crucial to mitigate the risk.

The Takeaway: Patch your OpenSSH servers immediately (upgrade to version 9.8p1 or apply the fix to older versions) to address this critical vulnerability. Learn more here in our in-depth blog.


Splunk Fixes Serious Security Flaws in Enterprise Product

Splunk addressed critical security vulnerabilities in Splunk Enterprise, including remote code execution (RCE) bugs. Three of these RCE flaws require authentication to exploit.

  • One vulnerability (CVE-2024-36985) allows a low-privileged user to execute malicious code. Upgrading Splunk Enterprise to versions 9.2.2, 9.1.5, or 9.0.10 or disabling the 'splunk_archiver' application mitigates this risk.
  • Another RCE bug (CVE-2024-36984) impacts Windows systems and lets attackers execute arbitrary code. Upgrading is crucial.
  • A third RCE vulnerability exists in the dashboard PDF generation component due to an outdated library. Upgrading Splunk or the ReportLab Toolkit addresses this issue.

Splunk also patched a command injection flaw and several other high-severity bugs.

The Takeaway: Update Splunk Enterprise immediately to address these critical vulnerabilities. Learn more here.


Serious Vulnerabilities Found in Rockwell Automation PanelView Plus

Microsoft discovered critical remote code execution (RCE) and denial-of-service (DoS) vulnerabilities in Rockwell Automation PanelView Plus devices. Attackers could exploit these flaws to gain full control of the devices. Rockwell Automation released patches in September and October 2023.

The Takeaway: Apply the security patches from Rockwell Automation immediately to protect your PanelView Plus devices. Learn more here.


CocoaPods Vulnerabilities Threaten Apple Applications

CocoaPods vulnerabilities reported today could allow malicious actors to take over unclaimed pods and insert malicious code into many popular iOS and macOS applications, potentially affecting almost every Apple device.

Security researchers identified three vulnerabilities in the CocoaPods dependency manager. Applications from Meta, Apple, Microsoft, TikTok, Snapchat, Amazon, LinkedIn, Netflix, Okta, Yahoo, and Zynga were affected. Although patched, 685 pods still rely on orphaned pods, indicating a broader issue.

The vulnerabilities, one of which (CVE-2024-38366) received a criticality score of 10, date back to a May 2014 CocoaPods migration. Researchers discovered that orphan pods could be claimed without verification, allowing attackers to insert malicious content.

The Takeaway: Developers and organizations should review and secure their use of open-source dependencies to mitigate potential risks. Learn more here.


Logsign Patches Critical Vulnerabilities in SecOps Server

Logsign, a Python-based web server for Unified Security Operations (SecOps), has resolved two critical vulnerabilities that could have allowed threat actors to take full control of the system. The vulnerabilities, identified as CVE-2024-5716 and CVE-2024-5717, posed significant security risks by enabling remote, unauthenticated code execution through HTTP requests.

CVE-2024-5716, an authentication bypass flaw in the password reset mechanism, allowed an unlimited number of reset attempts, so the reset code could be brute-forced. Once the correct code was obtained, attackers could reset the admin’s password and gain administrative access.

CVE-2024-5717, a post-authentication command injection flaw, permitted authenticated users to execute arbitrary code on the system because user-supplied strings were not properly validated before being passed to a system call. By chaining the two vulnerabilities, attackers could reset the admin’s password and then use the command injection flaw to execute commands as the root user, gaining complete control over the system.
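To show why the unbounded reset attempts described above matter, here is a small added example (not Logsign's code; a hypothetical reset-code verifier constructed for illustration) that implements the same flow with and without an attempt limit, plus code expiry and a constant-time comparison:

```python
import hmac
import secrets
import time

# Hypothetical verifier, constructed for this example; not Logsign's implementation.
MAX_ATTEMPTS = 5          # hardened mode: wrong guesses allowed before the code is voided
CODE_TTL_SECONDS = 600    # a code is only valid for ten minutes


class ResetCodeVerifier:
    """Password-reset code check. limit_attempts=False reproduces the weak
    behaviour (unlimited guesses); limit_attempts=True is the hardened form."""

    def __init__(self, limit_attempts: bool, now=time.time):
        self.limit_attempts = limit_attempts
        self.now = now                      # injectable clock for testing
        self.pending = {}                   # username -> [code, issued_at, failed_attempts]

    def issue(self, username: str) -> str:
        # Six-digit numeric code, the shape many reset e-mails use (constructed value).
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[username] = [code, self.now(), 0]
        return code

    def verify(self, username: str, candidate: str) -> bool:
        entry = self.pending.get(username)
        if entry is None:
            return False
        code, issued_at, failed = entry
        if self.now() - issued_at > CODE_TTL_SECONDS:
            del self.pending[username]      # expired: a new code must be requested
            return False
        if self.limit_attempts and failed >= MAX_ATTEMPTS:
            del self.pending[username]      # locked: even the right code is refused now
            return False
        # Constant-time compare so response timing does not reveal matching digits.
        if hmac.compare_digest(code.encode(), candidate.encode()):
            del self.pending[username]      # single use
            return True
        entry[2] = failed + 1               # record the failure
        return False
```

With the limit, a guess budget of MAX_ATTEMPTS against a million-value code space makes online brute force impractical; without it, every wrong guess is free and the correct code is eventually accepted.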

The Takeaway: Update to Logsign version 6.4.8 and perform a full audit to safeguard your systems from these vulnerabilities. Learn more here.


HC3 Warns Healthcare Sector About MOVEit Vulnerabilities

The Health Sector Cybersecurity Coordination Center (HC3) of the U.S. Department of Health & Human Services (HHS) has issued another warning to the healthcare sector regarding critical vulnerabilities in the MOVEit platform. These vulnerabilities pose significant risks for data breaches and ransomware attacks. According to HC3, Progress, the company behind MOVEit, has released patches to address these vulnerabilities. However, exploit code is publicly available, and the vulnerabilities are actively being targeted by cyber threat actors. Healthcare organizations are urged to identify and patch any vulnerable MOVEit instances immediately.

Progress Software, which develops the MOVEit file transfer platform, identified and patched two improper authentication vulnerabilities last month. These vulnerabilities are specific to different versions of the MOVEit platform and have been resolved. Despite these patches, further research from watchTowr Labs, including proof-of-concept exploit code, has highlighted the ongoing risk. Censys identified 2,700 vulnerable MOVEit instances accessible from the Internet, primarily in the United States.

Additionally, HC3 has released a threat profile for Qilin ransomware, also known as Agenda ransomware. Active since 2022 and believed to originate from Russia, this ransomware-as-a-service (RaaS) targets healthcare organizations and other industries globally.

The Takeaway: Healthcare organizations must identify and patch vulnerable MOVEit instances to protect against potential exploits. Learn more here.


Canonical Releases Crucial Ubuntu Updates for Ghostscript

Canonical has issued critical security updates for Ubuntu to address multiple vulnerabilities in Ghostscript, a tool for interpreting PostScript and PDF files. These vulnerabilities, discovered by various researchers, posed significant risks such as bypassing security restrictions and executing malicious code.

Ghostscript is vital for converting PostScript and PDF files into formats readable by screens or printable by printers. These updates target several vulnerabilities, including CVE-2023-52722, which affected Ubuntu versions 20.04 LTS, 22.04 LTS, and 23.10, allowing attackers to bypass security measures. Another, CVE-2024-29510, allowed arbitrary code execution on vulnerable systems. Additionally, CVE-2024-33869 and CVE-2024-33870 involved flaws in file path validation, potentially granting unauthorized access to sensitive files.

Users are advised to apply these updates immediately by running sudo apt update followed by sudo apt install --only-upgrade ghostscript to protect against these vulnerabilities.

The Takeaway: Update Ghostscript on Ubuntu systems promptly to ensure security. Learn more here.

That’s all for this week – have any exposures to add to our list? Let us know!
