Fortinet, Microsoft, and Ivanti products are the focus of our analysis over the past month.
In February, Positive Technologies identified eight more vulnerabilities as trending. These are vulnerabilities that have already been used in cyber attacks and those that are expected to be exploited in the near future. Experts considered the shortcomings found in Fortinet, Microsoft and Ivanti products to be trending.
Trending vulnerabilities are the most dangerous flaws that need to be quickly fixed — or compensated for. To identify trending vulnerabilities, Positive Technologies experts collect and update information from various sources (vulnerability databases, vendor security bulletins, social networks, blogs, Telegram channels, exploit databases, public code repositories, etc.). This month's list collects the vulnerabilities that were actively exploited over the past month.
Remote code execution vulnerability in FortiOS and FortiProxy
CVE-2024-21762 (CVSS — 9.8)
According to Shadowserver, the number of devices running FortiOS SSL VPN is more than 465,000. In Russia, this software was detected at 2,816 nodes.
Exploiting the vulnerability allows an unauthenticated attacker to execute arbitrary code using specially created HTTP requests. According to the vendor, it is already used in hacker attacks. Earlier, Fortinet reported that attackers used a similar vulnerability in FortiOS to deploy the COATHANGER remote access Trojan.
According to the recommendations of Fortinet, to fix the flaw, you need to update the software. If an immediate update is not possible, you can temporarily disable SSL VPN on FortiOS devices to reduce the risk.
Vulnerability related to bypassing the Windows SmartScreen security feature
CVE-2024-21351 (CVSS — 7.6)
According to The Verge, the vulnerability affects users of Windows 10 and 11. By exploiting it, an intruder can bypass the Windows Defender SmartScreen checks. The flaw is used to deliver malware to the system: the attacker sends a malicious file to the target and convinces them to open its content.
Vulnerability related to bypassing the security feature of Web page shortcuts (Internet Shortcut files)
CVE-2024-21412 (CVSS — 8.1)
The vulnerability allows an attacker to deliver malware to the target system. Microsoft Defender does not warn the user that the file is being opened from an untrusted resource (the Mark of the Web, MoTW, is not applied). The user may also be misled because File Explorer shows the file as if it were in the Downloads folder, although it is actually located on a third-party resource.
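As an added defender-side example (not code from the original article), the following Python helper parses an Internet Shortcut (.url) file together with the text of its Zone.Identifier stream and flags the combination described above: a target hosted on a remote resource with no Mark of the Web attached. The host names, file names and stream contents are constructed for the example.

```python
"""Triage an Internet Shortcut (.url) file against its Mark of the Web.

Added example, not from the article. Inputs are constructed; on a real
Windows host the shortcut body is read from disk and the MoTW text from
the alternate data stream ``<file>:Zone.Identifier``.
"""
import configparser
from typing import Optional
from urllib.parse import urlparse

# URLZONE values that make SmartScreen / Defender warn on open.
ZONE_INTERNET, ZONE_RESTRICTED = 3, 4


def _ini(text: str) -> configparser.ConfigParser:
    """Both .url files and Zone.Identifier streams are INI-formatted."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def parse_url_shortcut(text: str) -> str:
    """Return the URL= target of an [InternetShortcut] section."""
    return _ini(text)["InternetShortcut"]["URL"].strip()


def parse_zone_id(stream_text: Optional[str]) -> Optional[int]:
    """Return ZoneId from a Zone.Identifier body, or None when no MoTW."""
    if not stream_text:
        return None
    return _ini(stream_text).getint("ZoneTransfer", "ZoneId", fallback=None)


def target_is_remote(url: str) -> bool:
    """True when the shortcut opens a file off-host (UNC, WebDAV, http)."""
    p = urlparse(url)
    if p.scheme in ("http", "https", "ftp"):
        return True
    if p.scheme == "file":
        # file://server/share/x -> netloc set; file:///C:/x -> netloc empty
        return bool(p.netloc) or url.startswith("file:////")
    return url.startswith("\\\\")  # bare UNC path without a scheme


def triage(url_file: str, zone_stream: Optional[str]) -> dict:
    """Flag a shortcut whose target is remote but carries no MoTW."""
    target = parse_url_shortcut(url_file)
    zone = parse_zone_id(zone_stream)
    remote = target_is_remote(target)
    marked = zone in (ZONE_INTERNET, ZONE_RESTRICTED)
    return {"target": target, "remote": remote, "zone_id": zone,
            "motw_present": marked, "suspicious": remote and not marked}
```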
Microsoft Outlook vulnerability that causes remote code execution
CVE-2024-21413 (CVSS — 9.8)
Exploiting the vulnerability allows a remote attacker to bypass the built-in security checks (Protected View) in Microsoft Outlook. The victim opens the malicious document in edit mode, which leads to remote code execution on the system.
Microsoft Exchange Server vulnerability that causes unauthorized privilege escalation
CVE-2024-21410 (CVSS — 9.8)
The vulnerability allows an attacker to perform an NTLM relay attack (intercept authentication data using the NTLM protocol and redirect it to another server or service in order to gain unauthorized access) and authenticate on the Exchange server.
According to Microsoft, exploitation of all the vulnerabilities described above has been observed in the wild. In addition, Trend Micro recorded the exploitation of CVE-2024-21412 by the APT group Water Hydra, whose phishing campaigns targeted financial market traders.
To fix the vulnerabilities, install the security updates, which can be downloaded from the official Microsoft website.
Server-side request forgery vulnerability in Ivanti Connect Secure, Ivanti Policy Secure, and Ivanti Neurons for ZTA products
CVE-2024-21893 (CVSS — 8.2)
The vulnerability is present in the Security Assertion Markup Language (SAML) component of Ivanti Connect Secure. On January 15, Volexity reported that it had found evidence of the compromise of more than 1,700 devices belonging to companies of different sizes from different industries (financial, government organizations, military institutions, and others). According to Shadowserver, more than 19,500 devices running Ivanti Connect Secure are reachable on the Internet.
Attackers can exploit the vulnerability without authentication, or on devices with an outdated version of xmltooling installed.
Ivanti Connect Secure, Ivanti Policy Secure authentication bypass vulnerability
CVE-2023-46805 (CVSS — 8.2)
This zero-day vulnerability is present in versions 9 and 22 of Ivanti Connect Secure, software that allows you to use your personal device for work. "If CVE-2023-46805 is exploited in conjunction with CVE-2024-21887, the attacker does not need authentication; the attacker can create malicious requests and execute arbitrary commands on the system without authentication," Ivanti wrote.
Vulnerability related to command injection in Ivanti ICS, Ivanti Policy Secure
CVE-2024-21887 (CVSS — 9.1)
This is another zero-day vulnerability in Ivanti Connect Secure versions 9 and 22. It allows an attacker authenticated as an administrator to execute arbitrary commands on the device and can be exploited over the Internet. Chained with CVE-2023-46805, it lets an attacker remotely execute code on the host without authentication. In this way, an attacker gains access to the organization's internal infrastructure and can go on to carry out an attack that encrypts its servers.
On February 8, Ivanti announced that it had fixed the vulnerability and released security updates for Ivanti Connect Secure (versions 9.1R14.5, 9.1R17.3, 9.1R18.4, 22.4R2.3, 22.5R1.2, 22.5R2.3 and 22.6R2.2), Ivanti Policy Secure (versions 9.1R17.3, 9.1R18.4, and 22.5R1.2), and ZTA gateways (versions 22.5R1.6, 22.6R1.5, and 22.6R1.7). If you cannot install the security updates, apply the mitigation XML file available to Ivanti customers. It minimizes the consequences of possible exploitation of the vulnerability.
CISA has published an advisory with options for reducing the risks and remediating the vulnerabilities.