Behind the Scenes of Cybersecurity: what are Fortinet, JetBrains, and Microsoft hiding?

Father

Positive Technologies presented the top trending vulnerabilities for March.

In March 2024, Positive Technologies identified five more vulnerabilities as trending: these are vulnerabilities that have already been used in cyber attacks and those that are expected to be exploited in the near future. The experts classified as trending vulnerabilities found in Fortinet, JetBrains and Microsoft products.

To identify trending vulnerabilities, Positive Technologies experts collect information from various sources (vulnerability databases, vendor security bulletins, social networks, blogs, Telegram channels, exploit databases, public code repositories, etc.) and keep it up to date.

Remote code execution via SQL injection in FortiClient EMS

CVE-2023-48788 (CVSS score — 9.8)

According to ShadowServer, there are 1,064 FortiClient EMS instances exposed on the Internet.

The SQL injection vulnerability was discovered by Horizon3.ai in the central Enterprise Management Server and its database access server, FCTDas.exe. The research showed that specially crafted SQL queries can be sent to port 8013 of EMS, after which they are incorporated into the database query. Ultimately, an attacker can gain the ability to execute code remotely on the compromised host. This can lead to further development of the attack and to the realization of events that are non-tolerable for the organization.

To fix the vulnerability, you need to download the update from the official Fortinet website.

JetBrains TeamCity authentication bypass vulnerability leading to remote code execution

CVE-2024-27198 (CVSS score — 9.8)

According to Shodan, there are more than 20 thousand TeamCity instances exposed on the Internet.

According to a Rapid7 study, an attacker can use a specially crafted URL to gain access to the JetBrains TeamCity server while remaining unauthenticated. The attacker can reach a critical endpoint and, for example, create a new administrator user or a new administrator access token. After these actions, the attacker gets full control over the system. But the main danger is that companies use TeamCity to build software. Therefore, attackers who have compromised TeamCity can try to introduce malicious functionality into the company's products. This is how a supply chain attack can be carried out: the attacker gains access to the infrastructure of the clients of the attacked software vendor.

To fix the vulnerability, you need to update the TeamCity version to 2023.11.4.

Next, we will talk about vulnerabilities that, according to The Verge, potentially affect about a billion devices. They can affect all users of outdated Windows versions.

Windows kernel (AppLocker component) vulnerability leading to privilege escalation

CVE-2024-21338 (CVSS score — 7.8)

According to Avast, the vulnerability was exploited by the Lazarus APT group together with the FudModule rootkit, which made the privilege escalation harder to detect. The rootkit could then directly manipulate Windows kernel objects to disable security products, hide malicious activity, and maintain persistence on the infected system.

Exploiting the vulnerability allows an authenticated attacker to escalate privileges to the highest level on the host. After that, the attacker can gain full control over the host on which the vulnerability was exploited. As a result, this can lead to data loss and theft, as well as to further development of the attack and the realization of events that are non-tolerable for the organization.

Remote code execution vulnerability in Microsoft Outlook

CVE-2024-21378 (CVSS score — 8.0)

Exploiting the vulnerability allows an attacker to execute arbitrary code on the victim's system when a form is activated in Microsoft Outlook. For companies that use Microsoft Exchange and Outlook, there is a risk of the vulnerability being exploited after attackers gain initial access to the infrastructure. This may lead to the realization of events that are non-tolerable for the organization.

Researchers from NetSPI, who discovered this vulnerability, promise to add functionality for exploiting it to the open-source Ruler utility. This utility is used for conducting pentests, but it can also be used by attackers in their attacks.

Privilege escalation vulnerability caused by Windows kernel pool corruption (clfs.sys)

CVE-2023-36424 (CVSS score — 7.8)

Exploiting the vulnerability allows an authenticated attacker to escalate privileges to the highest level on the host. After that, the attacker can gain full control over the host on which the vulnerability was exploited.

To fix these vulnerabilities in your systems, Microsoft recommends installing the updates that can be downloaded from the vulnerability pages: CVE-2024-21338, CVE-2024-21378, CVE-2023-36424. For information security professionals, Microsoft has also published a guide on detecting and remediating attacks that abuse Outlook rules and custom forms.