Most recent bundles.

Android Security Bulletin February 2025

2025-02-22T03:36:04.961066+00:00

Android Security Bulletin February 2025 Published February 3, 2025 The Android Security Bulletin contains details of security vulnerabilities affecting Android devices. Security patch levels of 2025-02-05 or later address all of these issues. To learn how to check a device's security patch level, see Check and update your Android version. Android partners are notified of all issues at least a month before publication. Source code patches for these issues have been released to the Android Open Source Project (AOSP) repository and linked from this bulletin. This bulletin also includes links to patches outside of AOSP. The most severe of these issues is a high security vulnerability in the Framework component that could lead to local escalation of privilege with no additional execution privileges needed. The severity assessment is based on the effect that exploiting the vulnerability would possibly have on an affected device, assuming the platform and service mitigations are turned off for development purposes or if successfully bypassed. Refer to the Android and Google Play Protect mitigations section for details on the Android security platform protections and Google Play Protect, which improve the security of the Android platform. Android and Google service mitigations This is a summary of the mitigations provided by the Android security platform and service protections such as Google Play Protect. These capabilities reduce the likelihood that security vulnerabilities could be successfully exploited on Android. Exploitation for many issues on Android is made more difficult by enhancements in newer versions of the Android platform. We encourage all users to update to the latest version of Android where possible. The Android security team actively monitors for abuse through Google Play Protect and warns users about Potentially Harmful Applications. Google Play Protect is enabled by default on devices with Google Mobile Services, and is especially important for users who install apps from outside of Google Play. Note: There are indications that CVE-2024-53104 may be under limited, targeted exploitation. 2025-02-01 security patch level vulnerability details In the sections below, we provide details for each of the security vulnerabilities that apply to the 2025-02-01 patch level. Vulnerabilities are grouped under the component they affect. Issues are described in the tables below and include CVE ID, associated references, type of vulnerability, severity, and updated AOSP versions (where applicable). When available, we link the public change that addressed the issue to the bug ID, like the AOSP change list. When multiple changes relate to a single bug, additional references are linked to numbers following the bug ID. Devices with Android 10 and later may receive security updates as well as Google Play system updates. Framework The most severe vulnerability in this section could lead to local escalation of privilege with no additional execution privileges needed. CVE References Type Severity Updated AOSP versions CVE-2024-49721 A-354682735 EoP High 12, 12L, 13 CVE-2024-49743 A-305695605 [2] [3] EoP High 12, 12L, 13, 14, 15 CVE-2024-49746 A-359179312 [2] EoP High 12, 12L, 13, 14, 15 CVE-2025-0097 A-364037868 EoP High 15 CVE-2025-0098 A-367266072 EoP High 15 CVE-2025-0099 A-370962373 EoP High 15 CVE-2023-40122 A-286235483 ID High 12, 12L, 13, 14, 15 CVE-2023-40133 A-283264674 ID High 12, 12L, 13 CVE-2023-40134 A-283101289 ID High 12, 12L, 13 CVE-2023-40135 A-281848557 ID High 12, 12L, 13 CVE-2023-40136 A-281666022 ID High 12, 12L, 13 CVE-2023-40137 A-281665050 ID High 12, 12L, 13 CVE-2023-40138 A-281534749 ID High 12, 12L, 13 CVE-2023-40139 A-281533566 ID High 12, 12L, 13 CVE-2024-0037 A-292104015 ID High 12, 12L, 13, 14, 15 CVE-2025-0100 A-372670004 ID High 12, 12L, 13, 14, 15 CVE-2024-49741 A-353240784 DoS High 12, 12L, 13, 14, 15 Platform The vulnerability in this section could lead to local escalation of privilege with no additional execution privileges needed. CVE References Type Severity Updated AOSP versions CVE-2025-0094 A-352542820 EoP High 12, 12L, 13, 14, 15 System The most severe vulnerability in this section could lead to local escalation of privilege with no additional execution privileges needed. CVE References Type Severity Updated AOSP versions CVE-2025-0091 A-366401629 EoP High 12, 12L, 13, 14, 15 CVE-2025-0095 A-356117796 EoP High 14, 15 CVE-2025-0096 A-356630194 EoP High 15 CVE-2024-49723 A-357870429 [2] ID High 15 CVE-2024-49729 A-368069390 ID High 12, 12L, 13, 14, 15 Google Play system updates The following issues are included in Project Mainline components. Subcomponent CVE Conscrypt CVE-2024-49723 2025-02-05 security patch level vulnerability details In the sections below, we provide details for each of the security vulnerabilities that apply to the 2025-02-05 patch level. Vulnerabilities are grouped under the component they affect. Issues are described in the tables below and include CVE ID, associated references, type of vulnerability, severity, and updated AOSP versions (where applicable). When available, we link the public change that addressed the issue to the bug ID, like the AOSP change list. When multiple changes relate to a single bug, additional references are linked to numbers following the bug ID. Kernel The most severe vulnerability in this section could lead to physical escalation of privilege with no additional execution privileges needed. CVE References Type Severity Subcomponent CVE-2024-53104 A-378455392 Upstream kernel [2] EoP High UVC CVE-2025-0088 A-377672115 Upstream kernel [2] EoP High mremap Arm components This vulnerability affects Arm components and further details are available directly from Arm. The severity assessment of this issue is provided directly by Arm. CVE References Severity Subcomponent CVE-2025-0015 A-376311652 * High Mali Imagination Technologies These vulnerabilities affect Imagination Technologies components and further details are available directly from Imagination Technologies. The severity assessment of these issues is provided directly by Imagination Technologies. CVE References Severity Subcomponent CVE-2024-43705 A-372931317 PP-160756* High PowerVR-GPU CVE-2024-46973 A-379728401 PP-160739* High PowerVR-GPU CVE-2024-47892 A-365954523 PP-160576 * High PowerVR-GPU CVE-2024-52935 A-380478495 PP-171230* High PowerVR-GPU MediaTek components These vulnerabilities affect MediaTek components and further details are available directly from MediaTek. The severity assessment of these issues is provided directly by MediaTek. CVE References Severity Subcomponent CVE-2025-20634 A-381773169 M-MOLY01289384 * High Modem CVE-2024-20141 A-381773173 M-ALPS09291402 * High DA CVE-2024-20142 A-381773175 M-ALPS09291406 * High DA CVE-2025-20635 A-381771695 M-ALPS09403752 * High DA CVE-2025-20636 A-381773171 M-ALPS09403554 * High secmem Unisoc components This vulnerability affects Unisoc components and further details are available directly from Unisoc. The severity assessment of this issue is provided directly by Unisoc. CVE References Severity Subcomponent CVE-2024-39441 A-381429835 U-2811333 * High Android Qualcomm components These vulnerabilities affect Qualcomm components and are described in further detail in the appropriate Qualcomm security bulletin or security alert. The severity assessment of these issues is provided directly by Qualcomm. CVE References Severity Subcomponent CVE-2024-45569 A-377311993 QC-CR#3852339 Critical WLAN CVE-2024-45571 A-377313069 QC-CR#3834424 High WLAN CVE-2024-45582 A-377312377 QC-CR#3868093 High Camera CVE-2024-49832 A-377312238 QC-CR#3874301 High Camera CVE-2024-49833 A-377312639 QC-CR#3874372 [2] [3] [4] High Camera CVE-2024-49834 A-377312055 QC-CR#3875406 High Camera CVE-2024-49839 A-377311997 QC-CR#3895196 High WLAN CVE-2024-49843 A-377313194 QC-CR#3883522 High Display Qualcomm closed-source components These vulnerabilities affect Qualcomm closed-source components and are described in further detail in the appropriate Qualcomm security bulletin or security alert. The severity assessment of these issues is provided directly by Qualcomm. CVE References Severity Subcomponent CVE-2024-38404 A-357616389 * High Closed-source component CVE-2024-38420 A-357616296 * High Closed-source component Common questions and answers This section answers common questions that may occur after reading this bulletin. 1. How do I determine if my device is updated to address these issues? To learn how to check a device's security patch level, see Check and update your Android version. Security patch levels of 2025-02-01 or later address all issues associated with the 2025-02-01 security patch level. Security patch levels of 2025-02-05 or later address all issues associated with the 2025-02-05 security patch level and all previous patch levels. Device manufacturers that include these updates should set the patch string level to: [ro.build.version.security_patch]:[2025-02-01] [ro.build.version.security_patch]:[2025-02-05] For some devices on Android 10 or later, the Google Play system update will have a date string that matches the 2025-02-01 security patch level. Please see this article for more details on how to install security updates. 2. Why does this bulletin have two security patch levels? This bulletin has two security patch levels so that Android partners have the flexibility to fix a subset of vulnerabilities that are similar across all Android devices more quickly. Android partners are encouraged to fix all issues in this bulletin and use the latest security patch level. Devices that use the 2025-02-01 security patch level must include all issues associated with that security patch level, as well as fixes for all issues reported in previous security bulletins. Devices that use the security patch level of 2025-02-05 or newer must include all applicable patches in this (and previous) security bulletins. Partners are encouraged to bundle the fixes for all issues they are addressing in a single update. 3. What do the entries in the Type column mean? Entries in the Type column of the vulnerability details table reference the classification of the security vulnerability. Abbreviation Definition RCE Remote code execution EoP Elevation of privilege ID Information disclosure DoS Denial of service N/A Classification not available 4. What do the entries in the References column mean? Entries under the References column of the vulnerability details table may contain a prefix identifying the organization to which the reference value belongs. Prefix Reference A- Android bug ID QC- Qualcomm reference number M- MediaTek reference number N- NVIDIA reference number B- Broadcom reference number U- UNISOC reference number 5. What does an * next to the Android bug ID in the References column mean? Issues that are not publicly available have an * next to the corresponding reference ID. The update for that issue is generally contained in the latest binary drivers for Pixel devices available from the Google Developer site. 6. Why are security vulnerabilities split between this bulletin and device / partner security bulletins, such as the Pixel bulletin? Security vulnerabilities that are documented in this security bulletin are required to declare the latest security patch level on Android devices. Additional security vulnerabilities that are documented in the device / partner security bulletins are not required for declaring a security patch level. Android device and chipset manufacturers may also publish security vulnerability details specific to their products, such as Google, Huawei, LGE, Motorola, Nokia, or Samsung.

Command injection and insecure default credentials vulnerabilities in certain legacy DSL CPE from Zyxel

2025-02-22T03:36:04.960947+00:00

## Summary Zyxel recently became aware of CVE-2024-40890 and CVE-2024-40891 being mentioned in a post on GreyNoise’s blog. Additionally, VulnCheck informed us that they will publish the technical details regarding CVE-2024-40891 and CVE-2025-0890 on their blog. We have confirmed that the affected models reported by VulnCheck, VMG1312-B10A, VMG1312-B10B, VMG1312-B10E, VMG3312-B10A, VMG3313-B10A, VMG3926-B10B, VMG4325-B10A, VMG4380-B10A, VMG8324-B10A, VMG8924-B10A, SBG3300, and SBG3500, are legacy products that have reached end-of-life (EOL) for years. Therefore, we strongly recommend that users replace them with newer-generation products for optimal protection. What are the vulnerabilities? ### CVE-2024-40890 **UNSUPPORTED WHEN ASSIGNED** A post-authentication command injection vulnerability in the CGI program of certain legacy DSL CPE models, including VMG1312-B10A, VMG1312-B10B, VMG1312-B10E, VMG3312-B10A, VMG3313-B10A, VMG3926-B10B, VMG4325-B10A, VMG4380-B10A, VMG8324-B10A, VMG8924-B10A, SBG3300, and SBG3500, could allow an authenticated attacker to execute operating system (OS) commands on an affected device by sending a crafted HTTP POST request. It is important to note that WAN access is disabled by default on these devices, and this attack can only be successful if user-configured passwords have been compromised. ### CVE-2024-40891 **UNSUPPORTED WHEN ASSIGNED** A post-authentication command injection vulnerability in the management commands of certain legacy DSL CPE models, including VMG1312-B10A, VMG1312-B10B, VMG1312-B10E, VMG3312-B10A, VMG3313-B10A, VMG3926-B10B, VMG4325-B10A, VMG4380-B10A, VMG8324-B10A, VMG8924-B10A, SBG3300, and SBG3500. This vulnerability could allow an authenticated attacker to execute OS commands on an affected device via Telnet. It is important to note that WAN access and the Telnet function are disabled by default on these devices, and this attack can only be successful if the user-configured passwords have been compromised. ### CVE-2025-0890 **UNSUPPORTED WHEN ASSIGNED** Insecure default credentials for the Telnet function in certain legacy DSL CPE models, including VMG1312-B10A, VMG1312-B10B, VMG1312-B10E, VMG3312-B10A, VMG3313-B10A, VMG3926-B10B, VMG4325-B10A, VMG4380-B10A, VMG8324-B10A, VMG8924-B10A, SBG3300, and SBG3500, could allow an attacker to log in to the management interface if the administrators have the option to change the default credentials but fail to do so. It is important to note that WAN access and the Telnet function are disabled by default on these devices. What should you do? The following models—VMG1312-B10A, VMG1312-B10B, VMG1312-B10E, VMG3312-B10A, VMG3313-B10A, VMG3926-B10B, VMG4325-B10A, VMG4380-B10A, VMG8324-B10A, VMG8924-B10A, SBG3300, and SBG3500—are legacy products that have reached EOL status for several years. In accordance with industry product life cycle management practices, Zyxel advises customers to replace these legacy products with newer-generation equipment for optimal protection. If you obtained your Zyxel product through an internet service provider (ISP), please contact the ISP for support. For ISPs, please contact your Zyxel sales or service representatives for further details. Additionally, disabling remote access and periodically changing passwords are proactive measures that can help prevent potential attacks. Coordinated Timeline: * 2024-07-13: VulnCheck notified Zyxel about vulnerabilities in the EOL CPE VMG4325-B10A without providing any reports. * 2024-07-14: Zyxel requested VulnCheck to provide a detailed report; however, VulnCheck did not respond. * 2024-07-31: VulnCheck published CVE-2024-40890 and CVE-2024-40891 on their blog without informing Zyxel. * 2025-01-28: GreyNoise published CVE-2024-40890 and CVE-2024-40891 on their blog. * 2025-01-29: Zyxel received VulnCheck’s report regarding CVE-2024-40890, CVE-2024-40891, and CVE-2025-0890. * 2025-01-29: Zyxel became aware of the vulnerabilities in certain legacy DSL CPE models.

Unauthenticated RCE on Some Netgear WiFi Routers, PSV-2023-0039

2025-02-22T03:36:04.960826+00:00

NETGEAR has released fixes for an unauthenticated RCE security vulnerability on the following product models: * XR1000 fixed in firmware version 1.0.0.74 * XR1000v2 fixed in firmware version 1.1.0.22 * XR500 fixed in firmware version 2.3.2.134 NETGEAR strongly recommends that you download the latest firmware as soon as possible.

February Security Advisory Ivanti Connect Secure (ICS),Ivanti Policy Secure (IPS) and Ivanti Secure Access Client (ISAC) (Multiple CVEs)

2025-02-22T03:36:04.960692+00:00

February Security Advisory Ivanti Connect Secure (ICS),Ivanti Policy Secure (IPS) and Ivanti Secure Access Client (ISAC) (Multiple CVEs) Primary Product Connect-Secure Created Date Feb 11, 2025 3:01:15 PM Last Modified Date Feb 11, 2025 3:37:50 PM **Summary** Ivanti has released updates for Ivanti Connect Secure (ICS),Ivanti Policy Secure (IPS) and Ivanti Secure Access Client (ISAC) which addresses medium, high and critical severity vulnerabilities. We are not aware of any customers being exploited by these vulnerabilities at the time of disclosure. **Vulnerability Details** **CVE Number** **Description** **CVSS Score (Severity)** **CVSS Vector** **CWE** **Impacted Products** CVE-2024-38657 External control of a file name in Ivanti Connect Secure before version 22.7R2.4 and Ivanti Policy Secure before version 22.7R1.3 allows a remote authenticated attacker with admin privileges to write arbitrary files. 9.1 (Critical) CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H CWE-73 Connect Secure & Policy Secure CVE-2025-22467 A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.6 allows a remote authenticated attacker to achieve remote code execution. 9.9 (Critical) CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H CWE-121 Connect Secure CVE-2024-10644 Code injection in Ivanti Connect Secure before version 22.7R2.4 and Ivanti Policy Secure before version 22.7R1.3 allows a remote authenticated attacker with admin privileges to achieve remote code execution. 9.1 (Critical) CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H CWE-94 Connect Secure & Policy Secure CVE-2024-12058 External control of a file name in Ivanti Connect Secure before version 22.7R2.6 and Ivanti Policy Secure before version 22.7R1.3 allows a remote authenticated attacker with admin privileges to read arbitrary files. 6.8 (Medium) CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N CWE-73 Connect Secure & Policy Secure CVE-2024-13830 Reflected XSS in Ivanti Connect Secure before version 22.7R2.6 and Ivanti Policy Secure before version 22.7R1.3 allows a remote unauthenticated attacker to obtain admin privileges. User interaction is required. 6.1 (Medium) CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CWE-79 Connect Secure & Policy Secure CVE-2024-13842 A hardcoded key in Ivanti Connect Secure before version 22.7R2.3 and Ivanti Policy Secure before version 22.7R1.3 allows a local unauthenticated attacker to read sensitive data. 6.0 (Medium) CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N CWE-321 Connect Secure & Policy Secure CVE-2024-13843 Cleartext storage of information in Ivanti Connect Secure before version 22.7R2.6 and Ivanti Policy Secure before version 22.7R1.3 allows a local unauthenticated attacker to read sensitive data. 6.0 (Medium) CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N CWE-312 Connect Secure & Policy Secure CVE-2024-13813 Insufficient permissions in Ivanti Secure Access Client before version 22.8R1 allows a local authenticated attacker to delete arbitrary files. 7.1 (High) CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H CWE-732 Secure Access Client Affected Versions **Product Name** **Affected Versions** **Resolved Versions** **Patch Availability** Ivanti Connect Secure (ICS) 22.7R2.5 and below 22.7R2.6 Download Portal [https://portal.ivanti.com/](https://portal.ivanti.com/) Ivanti Policy Secure (IPS) 22.7R1.2 and below 22.7R1.3 Download Portal [https://portal.ivanti.com/](https://portal.ivanti.com/) Ivanti Secure Access Client (ISAC) 22.7R4 and below 22.8R1 Download Portal [https://portal.ivanti.com/](https://portal.ivanti.com/) **Solution** These vulnerabilities are resolved on the latest version of the product and can be accessed in the download portal (Login Required): * Ivanti Connect Secure 22.7R2.6 * Ivanti Policy Secure 22.7R1.3 * Ivanti Secure Access Client 22.8R1 **Acknowledgements** Ivanti would like to thank the following for reporting the relevant issues and for working with Ivanti to help protect our customers: * Matthew Galligan, CISA Rapid Action Force (CVE-2024-38657) * Ori David of Akamai (CVE-2024-37374, CVE-2024-37375) * sim0nsecurity of HackerOne (CVE-2024-13813) _Note: Ivanti is dedicated to ensuring the security and integrity of our enterprise software products. We recognize the vital role that security researchers, ethical hackers, and the broader security community play in identifying and reporting vulnerabilities. Visit_ [_HERE_](https://www.ivanti.com/support/contact-security) _to learn more about our Vulnerability Disclosure Policy._ **_FAQ_** 1. **Are you aware of any active exploitation of these vulnerabilities?** We are not aware of any customers being exploited by these vulnerabilities prior to public disclosure. These vulnerabilities were disclosed through our responsible disclosure program. 2. **How can I tell if I have been compromised?** Currently, there is no known public exploitation of this vulnerability that could be used to provide a list of indicators of compromise. 3. **What should I do if I need help?** If you have questions after reviewing this information, you can log a case and/or request a call via the [Success Portal](https://success.ivanti.com/Community_RegStep1_Page?inst=UL) 4. **Are any of these vulnerability fixes backported to any of the 9.x versions?** No. The Pulse Connect Secure 9.x version of the product reached End of Engineering June 2024 and has reached End-of-Support as of December 31, 2024. Because of this, the 9.x version of Connect Secure no longer receives backported fixes. We strongly encourage customers to upgrade to Ivanti Connect Secure 22.7 to benefit from important security updates that we have made throughout the solution. 5. **What does it mean when a vulnerability describes remote authenticated attackers?** It means that an attacker who is able to interact with the vulnerable component and pass authentication is able to exploit the vulnerability. Article Number : 000097586

Fortinet - Authentication bypass in Node.js websocket module and CSF requests

2025-02-22T03:36:04.960561+00:00

PSIRT | FortiGuard Labs ======================= ### Summary An Authentication Bypass Using an Alternate Path or Channel vulnerability \[CWE-288\] affecting FortiOS and FortiProxy may allow a remote attacker to gain super-admin privileges via crafted requests to Node.js websocket module or via crafted CSF proxy requests. Please note that reports show this is being exploited in the wild. Version Affected Solution FortiOS 7.6 Not affected Not Applicable FortiOS 7.4 Not affected Not Applicable FortiOS 7.2 Not affected Not Applicable FortiOS 7.0 7.0.0 through 7.0.16 Upgrade to 7.0.17 or above FortiOS 6.4 Not affected Not Applicable FortiProxy 7.6 Not affected Not Applicable FortiProxy 7.4 Not affected Not Applicable FortiProxy 7.2 7.2.0 through 7.2.12 Upgrade to 7.2.13 or above FortiProxy 7.0 7.0.0 through 7.0.19 Upgrade to 7.0.20 or above FortiProxy 2.0 Not affected Not Applicable Follow the recommended upgrade path using our tool at: [https://docs.fortinet.com/upgrade-tool](https://docs.fortinet.com/upgrade-tool) ### IoCs The following log entries are possible IOC's: * Following login activity log with random scrip and dstip: type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" sn="1733486785" user="admin" ui="jsconsole" method="jsconsole" srcip=1.1.1.1 dstip=1.1.1.1 action="login" status="success" reason="none" profile="super\_admin" msg="Administrator admin logged in successfully from jsconsole" * Following admin creation log with seemingly randomly generated user name and source IP: type="event" subtype="system" level="information" vd="root" logdesc="Object attribute configured" user="admin" ui="jsconsole(127.0.0.1)" action="Add" cfgtid=1411317760 cfgpath="system.admin" cfgobj="vOcep" cfgattr="password\[\*\]accprofile\[super\_admin\]vdom\[root\]" msg="Add system.admin vOcep" * The following IP addresses were mostly found used by attackers in above logs: 1.1.1.1 127.0.0.1 2.2.2.2 8.8.8.8 8.8.4.4 Please note that the above IP parameters are not the actual source IP addresses of the attack traffic, they are generated arbitrarily by the attacker as a parameter. Because of this they should not be used for any blocking. Please note as well that sn and cfgtid are not relevant to the attack. The operations performed by the Threat Actor (TA) in the cases we observed were part or all of the below: \- Creating an admin account on the device with random user name \- Creating a Local user account on the device with random user name \- Creating a user group or adding the above local user to an existing sslvpn user group \- Adding/changing other settings (firewall policy, firewall address, ...) \- Logging in the sslvpn with the above added local users to get a tunnel to the internal network. Admin or Local user created by the TA is randomly generated. e.g: Gujhmk Ed8x4k G0xgey Pvnw81 Alg7c4 Ypda8a Kmi8p4 1a2n6t 8ah1t6 M4ix9f ...etc... Additionally, the TA has been seen using the following IP addresses: 45.55.158.47 \[most used IP address\] 87.249.138.47 155.133.4.175 37.19.196.65 149.22.94.37 ### Workaround Disable HTTP/HTTPS administrative interface OR Limit IP addresses that can reach the administrative interface via local-in policies: config firewall address edit "my\_allowed\_addresses" set subnet end Then create an Address Group: config firewall addrgrp edit "MGMT\_IPs" set member "my\_allowed\_addresses" end Create the Local in Policy to restrict access only to the predefined group on management interface (here: port1): config firewall local-in-policy edit 1 set intf port1 set srcaddr "MGMT\_IPs" set dstaddr "all" set action accept set service HTTPS HTTP set schedule "always" set status enable next edit 2 set intf "any" set srcaddr "all" set dstaddr "all" set action deny set service HTTPS HTTP set schedule "always" set status enable end If using non default ports, create appropriate service object for GUI administrative access: config firewall service custom edit GUI\_HTTPS set tcp-portrange 443 next edit GUI\_HTTP set tcp-portrange 80 end Use these objects instead of "HTTPS HTTP "in the local-in policy 1 and 2 below. Please note that the trusthost feature achieves the same as the local-in policies above _only_ if all GUI users are configured with it. Therefore, the local-in policies above are the preferred workaround. Please note as well that an attacker needs to know an admin account's username to perform the attack and log in the CLI. Therefore, having a non-standard and non-guessable username for admin accounts does offer some protection, and is, in general, a [best practice](https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/attachments/81327170-6878-11ea-9384-00505692583a/FortiOS-6.4.0-Hardening_your_FortiGate.pdf). Keep in mind however that the targeted websocket not being an authentication point, nothing would prevent an attacker from bruteforcing the username. Please contact customer support for assistance. CSF requests issue: Disable Security Fabric from the CLI: Config system csf Set status disable end ### Acknowledgement Fortinet is pleased to thank Sonny of watchTowr ([https://watchtowr.com/)](https://watchtowr.com/)) for reporting the CSF related vulnerability under responsible disclosure. ### Timeline 2025-01-14: Format 2025-01-15: Added non-standard admin account username best practice 2025-01-15: Clarified that IP addresses "under attacker control" means they are arbitrarily generated by the attacker 2025-01-21: Added IPS package info 2025-01-24: Removed IPS package info 2025-02-11: Added CVE-2025-24472 and its acknowledgement CVE-2024-55591 and CVE-2025-24472

Console Chaos: A Campaign Targeting Publicly Exposed Management Interfaces on Fortinet FortiGate Firewalls - Arctic Wolf

2025-02-22T03:36:04.960418+00:00

Key Takeaways ------------- * Arctic Wolf observed a recent campaign affecting Fortinet FortiGate firewall devices with management interfaces exposed on the public internet. * The campaign involved unauthorized administrative logins on management interfaces of firewalls, creation of new accounts, SSL VPN authentication through those accounts, and various other configuration changes. * While the initial access vector is not definitively confirmed, a zero-day vulnerability is highly probable. * Organizations should urgently disable firewall management access on public interfaces as soon as possible. Summary ------- In early December, Arctic Wolf Labs [began observing a campaign](https://arcticwolf.com/resources/blog/arctic-wolf-observes-targeting-of-publicly-exposed-fortinet-firewall-management-interfaces/) involving suspicious activity on Fortinet FortiGate firewall devices. By gaining access to management interfaces on affected firewalls, threat actors were able to alter firewall configurations. In compromised environments, threat actors were observed extracting credentials using DCSync. While the initial access vector used in this campaign is not yet confirmed, Arctic Wolf Labs assesses with high confidence that mass exploitation of a zero-day vulnerability is likely given the compressed timeline across affected organizations as well as firmware versions affected. We are sharing details of this campaign to help organizations defend against this threat. Please note that our investigation of this campaign is ongoing, and we may add further detail to this article as we uncover additional information. **Update:** On January 14, 2025, Fortinet [published an advisory](https://www.fortiguard.com/psirt/FG-IR-24-535) confirming the existence of an authentication bypass vulnerability affecting FortiOS and FortiProxy products, which was designated as CVE-2024-55591. The advisory also confirmed key details observed in the campaign described here. See our [security bulletin](https://arcticwolf.com/resources/blog/cve-2024-55591/) for updated remediation guidance. Background ---------- FortiGate next-generation firewall (NGFW) products have a feature that allow administrators to access the command-line interface through the web-based management interface. This comes as a standard feature on most NGFW devices and is a convenient feature for administrators. The CLI Console feature in the FortiGate web interface ([source](https://docs.fortinet.com/document/fortigate/6.4.5/administration-guide/639044/cli-script-action)) According to the [FortiGate Knowledge Base](https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-check-filter-configuration-changes-logs/ta-p/269484), when changes are made via the web-based CLI console, the user interface is logged as jsconsole along with the source IP address of whomever made the changes. In contrast, changes made via ssh would be listed as ssh for the user interface instead. Behind the scenes, there are proprietary command-line tools that FortiGate software uses to perform administrative functions. One binary in particular, newcli, is [described](https://community.fortinet.com/t5/FortiGate/Technical-Tip-Short-list-of-processes-on-the-FortiGate/ta-p/190775) as managing the creation and termination of CLI connections. In a [2023 report](https://www.synacktiv.com/sites/default/files/2023-01/fortimanager_multiple_vulnerabilities_2021_published_lpe.pdf) by Synacktiv about CVE-2022-26118, a privilege escalation vulnerability, a proof-of-concept bash session is provided that demonstrates how threat actors could invoke the newcli utility to add backdoor users. Notably, the –userfrom switch specifies a value of jsconsole(127.0.0.1), suggesting that a loopback interface can be arbitrarily specified as the source IP address for initiation of a CLI console. ``` bash$ cat add_backdoor_user.txt config system admin user edit backdoor set password backdoor set profileid Super_User set adom "all_adoms" end exit bash$ cat add_backdoor_user.txt | /bin/newcli system system \ --userfrom="jsconsole(127.0.0.1)" \ --adminprof=Super_User --adom=root --from_sid=0 ``` Although we do not have direct confirmation that such commands are utilized in the present campaign, the observed activities follow a similar pattern in the way they invoke jsconsole. What We Know About the Campaign ------------------------------- At a high level, the present campaign can be thought of in 4 distinct phases: 1. Vulnerability scanning (November 16, 2024 to November 23, 2024) 2. Reconnaissance (November 22, 2024 to November 27, 2024) 3. SSL VPN configuration (December 4, 2024 to December 7, 2024) 4. Lateral Movement (December 16, 2024 to December 27, 2024) These phases are delineated by the types of malicious configuration changes that were observed on compromised firewall devices across multiple victim organizations, and the activities that were taken by threat actors upon gaining access. Note, however, that our portrayal of these phases may be incomplete or oversimplified given that our visibility is likely limited to a narrow subset of the overall activity in the campaign. What stands out about these activities in contrast with legitimate firewall activities is the fact that they made extensive use of the jsconsole interface from a handful of unusual IP addresses. Given subtle differences in tradecraft and infrastructure between intrusions, it is possible that multiple individuals or groups may have been involved in this campaign, but jsconsole usage was a common thread across the board. The firmware versions of devices that were affected ranged between 7.0.14 and 7.0.16, which were released on February 2024 and October 2024 respectively. ### Phase 1: Vulnerability scanning One of the most notable indicators of compromise in this campaign is the use of jsconsole sessions with connections to and from unusual IP addresses, such as loopback addresses and popular DNS resolvers including Google Public DNS and Cloudflare. These combinations of source and destination IP addresses are not typical for jsconsole activity, making them an ideal target for threat hunting. These values appear to be spoofed, since jsconsole traffic to and from these IP addresses would not be possible without the threat actor having control over them. |Source IP Address|Destination IP address| |-----------------|----------------------| |127.0.0.1 |127.0.0.1 | |8.8.8.8 |8.8.4.4 | |1.1.1.1 |2.2.2.2 | Anomalous source and destination IP addresses for jsconsole administrative logins Numerous successful admin login events from jsconsole were observed originating from the anomalous IP addresses, all using the admin account. Interestingly, jsconsole login events using loopback IP addresses seemed to occur more frequently than events with the other two pairs of addresses using DNS resolvers, especially during the first phase of the campaign. In contrast, beyond the first phase of the campaign, events with the DNS resolver IP addresses were more commonly associated with configuration changes than those with the loopback addresses. ``` date=2024-12-07 time=REDACTED devname="REDACTED" devid="REDACTED" eventtime=REDACTED tz="-0500" logid="0100032001" type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" sn="REDACTED" user="admin" ui="jsconsole" method="jsconsole" srcip=127.0.0.1 dstip=127.0.0.1 action="login" status="success" reason="none" profile="super_admin" msg="Administrator admin logged in successfully from jsconsole" ``` Additionally, there was corresponding traffic to and from loopback interfaces on TCP port 8023, which [according to the Fortinet Knowledge Base](https://community.fortinet.com/t5/Customer-Service/Technical-Tip-FortiGate-inside-socket-for-Web-CLI/ta-p/219844) is the web CLI port. Loopback traffic was also observed on TCP port 9980, which is [used internally](https://community.fortinet.com/t5/FortiGate/Technical-Tip-Logs-regarding-port-9980-and-local-traffic/ta-p/222791) by the web-based management interface for security fabric and REST API queries on FortiGate devices. The timestamps of traffic on ports 8023 and 9980 matched jsconsole activity down to the second. ``` date=2024-12-07 time=REDACTED devname="REDACTED" devid="REDACTED" eventtime=REDACTED tz="-0500" logid="0001000014" type="traffic" subtype="local" level="notice" vd="root" srcip=127.0.0.2 srcport=REDACTED srcintf="root" srcintfrole="undefined" dstip=127.0.0.1 dstport=8023 dstintf="root" dstintfrole="undefined" srccountry="Reserved" dstcountry="Reserved" sessionid=REDACTED proto=6 action="close" policyid=0 service="tcp/8023" trandisp="noop" app="tcp/8023" duration=1 sentbyte=879 rcvdbyte=778 sentpkt=14 rcvdpkt=14 appcat="unscanned" ``` The first occurrences of this type of jsconsole activity were observed in the wild as early as November 16, 2024 across victim organizations in a variety of sectors. It is important to note, however, that although malicious logins were observed this early, the first signs of impactful configuration changes from these console sessions only began to ramp up en masse between December 4, 2024 and December 7, 2024. ### Web management HTTPS activity Correlated closely in time with the jsconsole activity, we observed HTTPS web management traffic from a group of VPS hosting providers’ IP addresses. Some of these IP addresses would later proceed to establish SSL VPN tunnels to the same compromised firewalls. These HTTPS events took place tens of seconds before the jsconsole activity. There are several noteworthy aspects to this traffic: 1. Action was client-rst, which means that the client side of the TCP session has sent an RST packet to terminate the connection. 2. The amount of data sent to the destination firewall was over a megabyte in size. 3. The duration of the session was over 100 seconds. 4. The app was “Web Management(HTTPS)”. In the example below, the HTTPS management port was 8443 but this is set to 443 by default. However, it can be set arbitrarily to another value and is often different depending on the environment. 5. The traffic originated from a WAN interface. ``` date=2024-12-15 time=REDACTED devname="REDACTED" devid="REDACTED" eventtime=REDACTED tz="-0500" logid="0001000014" type="traffic" subtype="local" level="notice" vd="root" srcip=157.245.3.251 srcport=56010 srcintf="wan1" srcintfrole="wan" dstip=REDACTED dstport=8443 dstintf="root" dstintfrole="undefined" srccountry="United States" dstcountry="United States" sessionid=REDACTED proto=6 action="client-rst" policyid=0 policytype="local-in-policy" service="HTTPSMGMT" trandisp="noop" app="Web Management(HTTPS)" duration=570 sentbyte=1315775 rcvdbyte=2084318 sentpkt=18225 rcvdpkt=18092 appcat="unscanned" ``` While the technical details of the suspected vulnerability are not yet known, the characteristics outlined here for malicious web management traffic provide a glimpse into the nature of a potential exploit. ### Indications of opportunistic exploitation Typically, the total count of successful jsconsole logins from anomalous IP addresses ranged between several hundred and several thousand entries for each victim organization, spanning between November 16, 2024 and the end of December 2024. Most of these sessions were short-lived, with corresponding logout events within a second or less. In some instances, multiple login or logout events occurred within the same second, with up to 4 events occurring per second. The victimology in this campaign was not limited to any specific sectors or organization sizes. The diversity of victim organization profiles combined with the appearance of automated login/logout events suggests that the targeting was opportunistic in nature rather than being deliberately and methodically targeted. ### Phase 2: Reconnaissance In the first phase of the campaign, although there were extensive login and logout events that appeared to be automated, configuration changes were nonexistent. Then, beginning on November 22, 2024, the first unauthorized configuration changes were made: ``` date=2024-11-22 time=REDACTED devname="REDACTED" devid="REDACTED" eventtime=REDACTED tz="-0500" logid="0100044546" type="event" subtype="system" level="information" vd="root" logdesc="Attribute configured" user="admin" ui="jsconsole(1.1.1.1)" action="Edit" cfgtid=REDACTED cfgpath="system.console" cfgattr="output[more->standard]" msg="Edit system.console " date=2024-11-22 time=REDACTED devname="REDACTED" devid="REDACTED" eventtime=REDACTED tz="-0500" logid="0100044546" type="event" subtype="system" level="information" vd="root" logdesc="Attribute configured" user="admin" ui="jsconsole(1.1.1.1)" action="Edit" cfgtid=REDACTED cfgpath="system.console" cfgattr="output[standard->more]" msg="Edit system.console " ``` Similar configuration changes were made across a handful of victim organizations until November 27, 2024. The [output setting](https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-show-more-command-output-without-pressing/ta-p/193674) referenced in these logs is used to toggle whether user interaction is needed to advance to the next page of console output. The “more” setting means that interaction is required to advance long output and “standard” prints out all output at once. In all intrusions, this setting was first set to “standard” and then set to “more”, usually within 10-30 seconds of each other. The purpose of these changes is not known, but it may hint at threat actors’ preferred mode of interacting with the web console. It is also possible that this was a simple means of verifying that access was successfully obtained to commit changes on exploited firewalls. ### Phase 3: SSL VPN configuration In the third phase of the campaign, beginning on December 4, 2024, threat actors began to make more substantial changes on compromised devices, with the goal of gaining SSL VPN access. There were several distinct approaches for how to achieve this. In some intrusions, new super admin accounts were created, adhering to an alphanumeric naming convention consisting of 5 characters. In other intrusions, the naming convention was slightly different, with 6 randomized alphanumeric characters. ``` date=2024-12 time=REDACTED devname="REDACTED" devid="REDACTED" eventtime=1733554955692189638 tz="-0500" logid="0100044547" type="event" subtype="system" level="information" vd="root" logdesc="Object attribute configured" user="admin" ui="jsconsole(127.0.0.1)" action="Add" cfgtid=REDACTED cfgpath="system.admin" cfgobj="Dbr3W" cfgattr="password[*]accprofile[super_admin]vdom[root]" msg="Add system.admin Dbr3W" ``` The newly created super admin accounts were then used to create several local user accounts (up to 6 per device) with similar naming conventions, which were ultimately added to existing groups that had been previously created by victim organizations for SSL VPN access. In other intrusions, existing accounts were hijacked by threat actors to gain SSL VPN access. As with the previous scenario, these accounts were also added to existing groups with VPN access. This included use of the guest account, which is [created by default](https://community.fortinet.com/t5/FortiGate/Technical-Tip-Purpose-and-Function-of-the-Default-Guest-User/ta-p/272456) on FortiGate devices. The password on the guest account was reset to facilitate this process. Threat actors were also observed creating new SSL VPN portals which they added user accounts to directly. In addition, some threat actors assigned specific ports to their VPN portal configurations, changing them between different sessions. These ports included 4433, 59449, and 59450, among others. Upon making the necessary changes, threat actors established SSL VPN tunnels with the affected devices. All of the client IP addresses of the tunnels originated from a handful of VPS hosting providers. In most instances where firewall configuration changes were made, the ui field showed jsconsole with loopback or public DNS resolver IP addresses in parentheses (e.g., jsconsole(8.8.8.8)). However, there were several intrusions where the same field referenced other remote IP addresses, suggesting that the threat actor did not attempt to spoof their actual IP addresses in those instances. These were some of the same client IP addresses of the malicious tunnels that were later established. There were also instances where the https ui was used instead of jsconsole, and newly created accounts were used instead of the admin account for those sessions. ### Phase 4: Lateral Movement In the final phase observed in this campaign, upon successfully establishing SSL VPN access in victim organization environments, threat actors sought to extract credentials for lateral movement. DC sync was used with previously obtained domain admin credentials. The threat actors used a workstation hostname of kali. At this point, the threat actors were removed from affected environments before they could proceed any further. How Arctic Wolf Protects Its Customers -------------------------------------- Arctic Wolf is committed to ending cyber risk with its customers, and when active ransomware campaigns are identified we move quickly to protect our customers. Arctic Wolf Labs has leveraged threat intelligence around this campaign to implement new detections in the Arctic Wolf Platform to protect Managed Detection and Response (MDR) customers. As we discover any new information, we will enhance our detections to account for additional indicators of compromise and techniques leveraged by this threat actor. Remediation ----------- In December 2024, Arctic Wolf sent out a [security bulletin](https://arcticwolf.com/resources/blog/arctic-wolf-observes-targeting-of-publicly-exposed-fortinet-firewall-management-interfaces/) warning of the activity observed in this campaign. See our [follow-up security bulletin](https://arcticwolf.com/resources/blog/cve-2024-55591/) published on January 14, 2025 for additional remediation guidance, including version details. In addition to locking down management interfaces, as a security best practice, regularly upgrading the firmware on firewall devices to the latest available version is advised to protect against known security issues. Conclusion ---------- In this campaign, we observed opportunistic exploitation of a handful of victim organizations. While the final objectives of the threat actor are not known, the technical details we’ve provided should help defenders protect against the early stages of this campaign. As documented in this campaign and in [several](https://arcticwolf.com/resources/blog/arctic-wolf-labs-observes-increased-fog-and-akira-ransomware-activity-linked-to-sonicwall-ssl-vpn/) [others](https://arcticwolf.com/resources/blog/arctic-wolf-observes-threat-campaign-targeting-palo-alto-networks-firewall-devices/), management interfaces should not be exposed on the public internet, regardless of the product specifics. Instead, access to management interfaces should be limited to trusted internal users. When such interfaces are left open on the public internet, it expands the attack surface available to threat actors, opening up the potential to identify vulnerabilities that expose features that are meant to be limited to trusted administrators. From a security best practices standpoint, these types of misconfigurations should be addressed promptly to protect against not only this vulnerability, but an entire class of other potential vulnerabilities in the future. Note: On December 12, 2024, Arctic Wolf Labs notified Fortinet about the activity observed in this campaign. Confirmation was received by FortiGuard Labs PSIRT on December 17, 2024 that the activity was known and under investigation. Acknowledgements ---------------- Arctic Wolf Labs would like to acknowledge members of the Security Services team for their role in identifying this campaign. We thank Mo Sharif who identified the campaign and associated TTPs, as well as Ruben Raymundo and Trevor Daher who helped investigate the intrusions. Appendix -------- ### Tactics, Techniques, and Procedures (TTPs) * Tactic: Initial Access * Technique: T1190: Exploit Public-Facing Application * Sub-techniques or Tools: • Exploited public-facing FortiGate firewall management interfaces * Tactic: Persistence * Technique: T1136.001: Create Account: Local Account * Sub-techniques or Tools: • Created multiple local admin accounts * Tactic: T1133: External Remote Services * Technique: • Modified SSL VPN configurations * Sub-techniques or Tools: * Tactic: T1078.001: Valid Accounts: Default Accounts * Technique: • Hijacked default guest account to obtain SSL VPN access * Sub-techniques or Tools: * Tactic: Credential Access * Technique: T1003.006: OS Credential Dumping: DCSync * Sub-techniques or Tools: • The threat actors used a domain admin account to conduct a DCSync attack ### Vulnerabilities Exploited * Vulnerability: No CVE registered * Use: The activity observed in this article has not been assigned a CVE as of publication. ### Indicators of Compromise (IoCs) * Indicator: 23.27.140[.]65 * Type: IPv4 Address * Description: • AS149440 – Evoxt Enterprise• SSL VPN client IP address• Web management interface client * Indicator: 66.135.27[.]178 * Type: IPv4 Address * Description: • AS20473 – The Constant Company Llc• SSL VPN client IP address• Web management interface client * Indicator: 157.245.3[.]251 * Type: IPv4 Address * Description: • AS14061 – Digitalocean Llc• SSL VPN client IP address• Web management interface client * Indicator: 45.55.158[.]47 * Type: IPv4 Address * Description: • AS14061 – Digitalocean Llc• SSL VPN client IP address• Web management interface client * Indicator: 167.71.245[.]10 * Type: IPv4 Address * Description: • AS14061 – Digitalocean Llc• SSL VPN client IP address• Web management interface client * Indicator: 137.184.65[.]71 * Type: IPv4 Address * Description: • AS14061 – Digitalocean Llc• SSL VPN client IP address * Indicator: 155.133.4[.]175 * Type: IPv4 Address * Description: • AS62240 – Clouvider Limited• SSL VPN client IP address• Web management interface client * Indicator: 31.192.107[.]165 * Type: IPv4 Address * Description: • AS50867 – Hostkey B.V.• SSL VPN client IP address * Indicator: 37.19.196[.]65 * Type: IPv4 Address * Description: • AS212238 – Datacamp Limited• Web management interface client * Indicator: 64.190.113[.]25 * Type: IPv4 Address * Description: • AS399629 – BL Networks• Web management interface client Detection Opportunities ----------------------- As part of our Managed Detection and Response service, Arctic Wolf has detections in place for techniques described in this blog article, in addition to other techniques employed by threat actors described here. ### Firewall This campaign was identified early because external monitoring was in place for unexpected firewall configuration changes. As described in this article, jsconsole activity was observed from a handful of anomalous IP addresses that appeared to be spoofed. Monitoring for jsconsole activity from commonly spoofed IP addresses might be helpful in responding early to such attacks. The weakness of this approach is that threat actors may choose to spoof jsconsole activity using different IP addresses in the future. Additionally, although details of the vulnerability in this article are not yet available, monitoring for web management traffic on the WAN interface over 1MB originating from VPS hosting IP addresses may be a worthwhile means of detecting exploitation. This detection criteria could be further narrowed down by setting a minimum session duration of 100 seconds. Please note, however, that a better long-term approach to this detection would be to remove web management from the public internet entirely. Finally, given that malicious SSL VPN logins were known to take place with client IP addresses originating from VPS hosting providers, monitoring for unexpected logins from such providers would also potentially be worth exploring. Additional Resources -------------------- Get actionable insights and access to the security operations expertise of one of the largest security operations centers (SOCs) in the world in [Arctic Wolf’s 2024 Security Operations Report](https://arcticwolf.com/resource/security-operations-report/arctic-wolf-security-operations-report-2024). Learn what’s new, what’s changed, and what’s ahead for the cybersecurity landscape, with insights from 1,000 global IT and security leaders in the [Arctic Wolf State of Cybersecurity: 2024 Trends Report](https://arcticwolf.com/resource/aw/the-state-of-cybersecurity-2024-trends-report?lb-mode=overlay). About Arctic Wolf Labs ---------------------- [Arctic Wolf Labs](https://arcticwolf.com/labs/) is a group of elite security researchers, data scientists, and security development engineers who explore security topics to deliver cutting-edge threat research on new and emerging adversaries, develop and refine advanced threat detection models with artificial intelligence, including machine learning, and drive continuous improvement in the speed, scale, and detection efficacy of Arctic Wolf’s solution offerings. With their deep domain knowledge, Arctic Wolf Labs brings world-class security innovations to not only Arctic Wolf’s customer base, but the security community at large. Authors ------- ### Stefan Hostetler Stefan is a Lead Threat Intelligence Researcher at Arctic Wolf. With over a decade of industry experience under his belt, he focuses on extracting actionable insight from novel threats to help organizations protect themselves effectively. ### Julian Tuin Julian is a Senior Threat Intelligence Researcher at Arctic Wolf Labs with more than 6 years of industry experience. He has experience in identifying and tracking campaigns for new and emerging threats. ### Trevor Daher Trevor Daher is a Technical Lead within Arctic Wolf’s Security Services group supporting the Managed Detection and Response (MDR) service. ### Jon Grimm Jon is a Threat Intelligence Analyst at Arctic Wolf dedicated to identifying new cyber threats and producing actionable intelligence that enhances organizational defenses. He has background of 10 years’ experience in several domains of cybersecurity, holds a bachelor’s degree in law enforcement, and holds several industry certifications (CISSP, GCFA, GCTI). ### Alyssa Newbury Alyssa Newbury is a Threat Intelligence Analyst at Arctic Wolf, with over a decade of experience in tactical threat intelligence and cybersecurity. She has background working for various agencies within the intelligence community, including the FBI and NGA, and focuses primarily on researching and identifying emerging cyber threats and producing impactful finished intelligence products. ### Joe Wedderspoon Joe Wedderspoon is a Sr. Forensic Analyst at Arctic Wolf Incident Response, focused on leading complex incident response and digital forensic investigations. He holds multiple certifications and has over 7 years of operational experience in incident response, defensive cyber operations, and researching adversary tradecraft in both the public and private sectors. ### Markus Neis Markus Neis is a Principal Threat Intelligence Researcher in Arctic Wolf Labs focused on leading advanced threat research. He has more than a decade of experience in researching adversary tradecraft and responding to sophisticated attacks.

disabling cert checks: "we have not learned much" from @bagder@mastodon.social

2025-02-22T03:36:04.960257+00:00

The article "Disabling cert checks: we have not learned much" by Daniel Stenberg, published on February 11, 2025, discusses the persistent issue of developers disabling SSL/TLS certificate verification in applications, despite the security risks involved. Stenberg reflects on the history of SSL/TLS usage, emphasizing that since 2002, curl has verified server certificates by default to prevent man-in-the-middle attacks. He highlights common challenges that lead developers to disable certificate verification, such as development environment mismatches, outdated CA stores, or expired certificates. Despite efforts to educate and design APIs that encourage secure practices, the problem persists, indicating a need for continued emphasis on the importance of proper certificate verification in software development. A quick CVE search immediately reveals security vulnerabilities for exactly this problem published only last year: * CVE-2024-32928 – The libcurl CURLOPT_SSL_VERIFYPEER option was disabled on a subset of requests made by Nest production devices. * CVE-2024-56521 – An issue was discovered in TCPDF before 6.8.0. If libcurl is used, CURLOPT_SSL_VERIFYHOST and CURLOPT_SSL_VERIFYPEER are set unsafely. * CVE-2024-5261 – In affected versions of Collabora Online, in LibreOfficeKit, curl’s TLS certificate verification was disabled (CURLOPT_SSL_VERIFYPEER of false).

A Mirai botnet is attempting exploitation in the wild using a new (at least to us) set of CVEs

2025-02-22T03:36:04.960052+00:00

A Mirai botnet is attempting exploitation in the wild using a new set of CVEs, focusing mostly on IoT devices. Includes: - Tenda CVE-2024-41473 - Draytek CVE-2024-12987 - HuangDou UTCMS V9 CVE-2024-9916 - Totolink CVE-2024-2353 CVE-2024-24328 CVE-2024-24329 - (likely) Four-Faith CVE-2024-9644 Source: The Shadowserver Foundation

HP Universal Print Driver Series (PCL 6 and PostScript) - Potential Security Vulnerabilities

2025-02-22T03:36:04.957989+00:00

| CVE | CVSS | Level | CVSS String | library | | | ----------------------------------------------------------------- | --- | -------- | ----------------------------------------------- | ------- | ------------------------ | | [CVE-2017-12652](https://nvd.nist.gov/vuln/detail/CVE-2017-12652) | 9.8 | Critical | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | libpng | Arbitrary Code Execution | | [CVE-2022-2068](https://nvd.nist.gov/vuln/detail/CVE-2022-2068) | 9.8 | Critical | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | OpenSSL | Arbitrary Code Execution | | [CVE-2023-45853](https://nvd.nist.gov/vuln/detail/CVE-2023-45853) | 9.8 | Critical | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | zlib | Information Disclosure | | [CVE-2020-14152](https://nvd.nist.gov/vuln/detail/CVE-2020-14152) | 7.1 | High | CVSS:3.1/AF4AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H | libjpeg | Denial of Service | # Resolution Update your version of the HP Universal Print Driver Series. HP has provided updates to the HP Universal Print Driver Series. To obtain the updated version, go to www.hp.com/go/UPD. [https://support.hp.com/us-en/document/ish_11892982-11893015-16/hpsbpi03995](https://support.hp.com/us-en/document/ish_11892982-11893015-16/hpsbpi03995)

Potential privilege escalation in IDPKI (CVE-2024-39327, CVE-2024-39328, CVE-2024-51505)

2025-02-22T03:36:04.954744+00:00

A security assessment of IDPKI implementation revealed a weakness potentially allowing an operator to exceed its privileges. In the course of a pentest security assessment of IDPKI, some security measures protecting internal communications were found potentially compromised for an internal user with high privileges. None of these vulnerabilities put Certificate Authority (CA) private key at risk. Eviden analyzed the root cause of the weakness. It revealed two separate vulnerabilities. During validation of the fix, an additional vulnerability of similar nature was identified, leveraging some race condition to alter an internal automata state and achieve a system privilege escalation: * CVE-2024-39327: The vulnerability could allow the possibility to obtain CA signing in an illegitimate way. * CVE-2024-39328: Highly trusted role (Config Admin) could exceed their configuration privileges in a multi-partition environment and access some confidential data. Data integrity and availability is not at risk. * CVE-2024-51505: Highly trusted role (Config Admin) could leverage a race condition to escalate privileges. * CVE-2024-39327 correction has been validated and published. * CVE-2024-39328 correction has been validated and published. This vulnerability has no impact in mono-partition nor in SaaS environments. * CVE-2024-51505 risk is increased if the last fixes are not applied, as a lower privileged role is required. A fix is available and published.