V.E.A.R.

(Vulnerability and Exploitation Action Report)

Week of December 9, 2024

IT-ISAC Emergency 24/7 Contact: 571-210-2118

TLP: AMBER

Notable Vulnerabilities and Updates


Vulnerability Summary for the Week of December 2, 2024

The CISA Vulnerability Bulletin provides a summary of new vulnerabilities that have been recorded in the past week. In some cases, the vulnerabilities in the bulletin may not yet have assigned CVSS scores.


Notable Vulnerabilities:


SailPoint Technologies--IdentityIQ - CVE-2024-10905 - CVSS: 10

IdentityIQ 8.4 and all 8.4 patch levels prior to 8.4p2, IdentityIQ 8.3 and all 8.3 patch levels prior to 8.3p5, IdentityIQ 8.2 and all 8.2 patch levels prior to 8.2p8, and all prior versions allow HTTP/HTTPS access to static content in the IdentityIQ application directory that should be protected.


Progress Software Corporation--WhatsUp Gold - CVE-2024-8785 - CVSS: 9.8

In WhatsUp Gold versions released before 2024.0.1, a remote unauthenticated attacker could leverage NmAPI.exe to create or change an existing registry value in registry path HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Ipswitch\.


Siemens--syngo.plaza VB30E - CVE-2024-52335 - CVSS: 9.8

A vulnerability has been identified in syngo.plaza VB30E (all versions < VB30E_HF05). The affected application does not properly sanitize input data before sending it to the SQL server. An attacker with access to the application could use this to execute malicious SQL commands and compromise the whole database.


CISA Adds One Known Exploited Vulnerability to Catalog


  • CVE-2024-49138 Microsoft Windows Common Log File System (CLFS) Driver Heap-Based Buffer Overflow Vulnerability


Adobe Releases Security Updates for Multiple Products

Adobe released security updates to address vulnerabilities in multiple Adobe software products including Adobe Acrobat, Adobe Illustrator, and Adobe InDesign. A cyber threat actor could exploit some of these vulnerabilities to take control of an affected system. CISA encourages users and administrators to review the following Adobe Security Bulletin and apply necessary updates:



Microsoft Releases December 2024 Security Updates

Microsoft released security updates to address vulnerabilities in multiple Microsoft products. A cyber threat actor could exploit some of these vulnerabilities to take control of an affected system. CISA encourages users and administrators to review the following and apply necessary updates:



Apple Releases Security Updates for Multiple Products

Apple released security updates to address vulnerabilities in multiple Apple products. A cyber threat actor could exploit some of these vulnerabilities to take control of an affected system. CISA encourages users and administrators to review the following advisories and apply necessary updates:



ICS Vulnerabilities


Supplemental Vulnerability Information

Citrix Denial of Service


https://www.assetnote.io/resources/research/citrix-denial-of-service-analysis-of-cve-2024-8534


Vulnerability:

CVE-2024-8534: Memory safety vulnerability leading to memory corruption and denial of service in NetScaler ADC and NetScaler Gateway. Per the Citrix bulletin, the appliance is affected only in one of the following configurations:

  • configured as a Gateway (VPN Vserver) with the RDP feature enabled, or
  • configured as a Gateway (VPN Vserver) with an RDP Proxy Server Profile created and set to the Gateway (VPN Vserver), or
  • configured as an Auth Server (AAA Vserver) with the RDP feature enabled.


Summary:

“It's been a little while since we last looked at Citrix NetScaler. We're back this time to look at a patch for yet another memory safety vulnerability. In mid-November this year Citrix released a security bulletin for CVE-2024-8534. The issue appears to exist in the "RDP Proxy" feature and the notes from Citrix mention a denial of service and memory corruption, but not necessarily remote code execution.”


Impact:

“Our goal was to reverse the patch and develop a check for our Attack Surface Management platform. However, we also wanted to see if the memory corruption could lead to anything more serious than just denial of service. We were able to confirm the denial of service and track down the fix. However, we were unable to confirm remote code execution. As it stands, running an unpatched Citrix NetScaler with the RDP Proxy feature enabled allows an unauthenticated attacker to remotely force a system restart, leading to a denial of service.”

300,000+ Prometheus Servers and Exporters Exposed to DoS Attacks


https://www.aquasec.com/blog/300000-prometheus-servers-and-exporters-exposed-to-dos-attacks/


Vulnerability:

Information disclosure, denial of service (exposed pprof debugging endpoints), and remote code execution (RepoJacking of exporter repositories)


Summary:

“In this research, we uncovered several vulnerabilities and security flaws within the Prometheus ecosystem. These findings span across three major areas: information disclosure, denial-of-service (DoS), and code execution. We found that exposed Prometheus servers or exporters, often lacking proper authentication, allowed attackers to easily gather sensitive information, such as credentials and API keys. Additionally, we identified an alarming risk of DoS attacks stemming from the exposure of pprof debugging endpoints, which, when exploited, could overwhelm and crash Prometheus servers, Kubernetes pods and other hosts. Furthermore, our investigation revealed a remote code execution risk due to a vulnerability called “RepoJacking”, where malicious exporters could be introduced through abandoned or renamed GitHub repositories.”


Impact:

“Our findings highlight that at least 336,000 servers expose their Prometheus servers and exporters to the internet—a practice that poses significant security risks. It is crucial to restrict public access to these servers, as attackers can easily exploit this exposure to target organizations.”
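The exposure Aqua describes can be checked from the outside. The following is an added example written for this note, not code from Aqua Security or the Prometheus project: it requests the default Prometheus routes without credentials, treats an HTTP 200 on /metrics, /debug/pprof/, /api/v1/status/config or /api/v1/targets as an unauthenticated exposure, and runs a credential-pattern scan over whatever came back. The host name prom.example, the sample responses and the secret-matching regex are assumptions constructed for the demonstration; the regex is a heuristic, not a complete secret detector.

```python
"""Offline-testable exposure check for Prometheus servers and exporters.

Added example, not Aqua Security's or the Prometheus project's code.
Assumptions: default routes (/metrics, /debug/pprof/, /api/v1/...), and that a
200 returned without credentials means the endpoint is open to anyone who can
reach the port. The secret regex is a heuristic, not a guarantee.
"""
import json
import re
import sys
import urllib.error
import urllib.request

# (path, short name, why an unauthenticated 200 here matters)
CHECKS = [
    ("/metrics", "metrics",
     "scrape output readable; labels and exporter output can carry secrets"),
    ("/debug/pprof/", "pprof",
     "Go profiling handlers reachable; repeated heap/CPU profiles can exhaust the host"),
    ("/api/v1/status/config", "config",
     "running scrape config readable; reveals targets, auth methods, params"),
    ("/api/v1/targets", "targets",
     "every scrape target and its labels readable; maps the internal network"),
]

# Heuristic (assumption): credential-looking key followed by ':' or '=' and a value.
SECRET_RE = re.compile(
    r'(?i)(password|passwd|secret|token|credentials|api[_-]?key)["\']?\s*[:=]\s*["\'\[]?'
    r'([^\s"\'\[\],}]+)'
)
# Values Prometheus prints in place of real secrets, plus YAML/JSON no-ops.
REDACTED = {"<secret>", "<redacted>", "none", "null", "true", "false"}


def fetch_http(url, timeout=5.0):
    """Real fetcher: GET with no credentials. Returns (status, body);
    status is None when the host cannot be reached at all."""
    req = urllib.request.Request(url, headers={"User-Agent": "prom-exposure-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(256 * 1024).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, ""
    except (urllib.error.URLError, OSError):
        return None, ""


def _text_of(body):
    """/api/v1/status/config wraps the YAML in JSON; unwrap it so the regex
    sees the YAML rather than backslash-escaped text. Other bodies pass through."""
    try:
        doc = json.loads(body)
    except ValueError:
        return body
    data = doc.get("data") if isinstance(doc, dict) else None
    if isinstance(data, dict) and isinstance(data.get("yaml"), str):
        return data["yaml"]
    return body


def scan_secrets(body):
    """Return masked 'key=prefix...' hits for credential-like pairs whose value
    is not one of Prometheus's own redaction markers."""
    hits = []
    for key, value in SECRET_RE.findall(_text_of(body)):
        if value.lower() in REDACTED or len(value) < 6:
            continue
        hits.append(f"{key.lower()}={value[:4]}...")  # never log the full value
    return hits


def probe(base_url, fetch=fetch_http):
    """Run every check against one host and return a list of findings.
    `fetch` is injectable so the logic can be exercised without a network."""
    base = base_url.rstrip("/")
    findings = []
    for path, name, why in CHECKS:
        status, body = fetch(base + path)
        if status is None:
            state = "unreachable"
        elif status == 200:
            state = "exposed"
        elif status in (401, 403):
            state = "protected"
        else:
            state = f"http {status}"
        finding = {"check": name, "path": path, "state": state}
        if state == "exposed":
            finding["why"] = why
            secrets = scan_secrets(body)
            if secrets:
                finding["secrets"] = secrets
        findings.append(finding)
    return findings


def severity(findings):
    """Roll-up: open pprof (DoS) or leaked secrets (credential theft) are the two
    cases from the research and rate high; any other open endpoint is medium."""
    if any((f["check"] == "pprof" and f["state"] == "exposed") or f.get("secrets")
           for f in findings):
        return "high"
    if any(f["state"] == "exposed" for f in findings):
        return "medium"
    return "none"


# Constructed responses standing in for an exposed server (not real data).
DEMO_BASE = "http://prom.example:9090"
DEMO_RESPONSES = {
    "/metrics": (200, 'up{job="api",instance="10.0.0.5:8080",api_token="tok_9f8e7d6c"} 1\n'),
    "/debug/pprof/": (200, "<html><head><title>/debug/pprof/</title></head></html>"),
    "/api/v1/status/config": (200, json.dumps({"status": "success", "data": {"yaml":
        "scrape_configs:\n- job_name: api\n  basic_auth:\n    username: admin\n"
        "    password: <secret>\n  params:\n    apikey: [sk_live_4eC39HqLyjWDarjtT1zdp7dc]\n"}})),
    "/api/v1/targets": (401, ""),
}


def demo_fetch(url):
    """Fetcher that answers from DEMO_RESPONSES instead of the network."""
    return DEMO_RESPONSES.get(url[len(DEMO_BASE):], (404, ""))


def main(argv):
    # With a URL argument, probe a real host; without one, run the constructed demo.
    target = argv[1] if len(argv) > 1 else DEMO_BASE
    fetch = fetch_http if len(argv) > 1 else demo_fetch
    findings = probe(target, fetch)
    for f in findings:
        line = f"{f['state']:<12} {f['path']}"
        if f.get("secrets"):
            line += "  possible secrets: " + ", ".join(f["secrets"])
        print(line)
    print("severity:", severity(findings))


if __name__ == "__main__":
    main(sys.argv)
```

Run it as `python3 prom_exposure_check.py http://host:9090` only against hosts you are authorized to test; with no argument it runs against the constructed responses and reports the /metrics and config leaks plus the open pprof index. A `protected` result (401/403) is what a correctly fronted instance should return: Prometheus can require basic auth or TLS client certificates through its `--web.config.file` option, and /debug/pprof should not be reachable from untrusted networks at all.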

The Insecure IoT Cloud Strikes Again: RCE on Ruijie Cloud-Connected Devices


https://claroty.com/team82/research/the-insecure-iot-cloud-strikes-again-rce-on-ruijie-cloud-connected-devices


Vulnerability:

Remote Code Execution


Summary:

“Team82 has researched devices manufactured by Ruijie Networks and discovered 10 vulnerabilities in its Reyee cloud management platform. These vulnerabilities affect both the Reyee platform, as well as Reyee OS network devices. In addition, Team82 has devised an attack called Open Sesame, in which an attacker can pinpoint exploit a device in close physical proximity through the cloud, executing arbitrary code on it and gaining access to its internal network.”


Impact:

“The vulnerabilities, if exploited, could allow a malicious attacker to execute code on any cloud-enabled device, giving them the ability to control tens of thousands of devices. Ruijie has addressed all vulnerabilities in the cloud, and no action is required by users.”
