Security Affairs, 13 June 2024

Google fixed an actively exploited zero-day in the Pixel Firmware

13 June 2024 at 13:38

Google is warning of a security vulnerability impacting its Pixel Firmware that has been actively exploited in the wild as a zero-day.

Google warned of an elevation of privilege vulnerability, tracked as CVE-2024-32896, in the Pixel Firmware, which has been exploited in the wild as a zero-day.

“There are indications that CVE-2024-32896 may be under limited, targeted exploitation.” reads the advisory.

As usual, the IT giant did not provide technical information about attacks exploiting the above issue.

The Pixel Update Bulletin provides details of security vulnerabilities and functional improvements for supported Google Pixel devices. The company addressed all the flaws detailed in the bulletin with security patch level 2024-06-05 or later, alongside the June 2024 Android Security Bulletin.

Seven of the 50 vulnerabilities are rated critical; among them:

CVE             References     Type  Severity  Subcomponent
CVE-2024-32891  A-313509045 *  EoP   Critical  LDFW
CVE-2024-32892  A-326987969 *  EoP   Critical  Goodix
CVE-2024-32899  A-301669196 *  EoP   Critical  Mali
CVE-2024-32906  A-327277969 *  EoP   Critical  avcp
CVE-2024-32908  A-314822767 *  EoP   Critical  LDFW

The company also addressed multiple information disclosure flaws impacting GsmSs, ACPM, and Trusty, as well as multiple denial-of-service issues in the modem.

In April, Google addressed 28 vulnerabilities in Android and 25 flaws in Pixel devices. Two issues fixed by the IT giant, tracked as CVE-2024-29745 and CVE-2024-29748, were actively exploited in the wild.

CVE-2024-29745 is a High severity information disclosure issue in the bootloader, while CVE-2024-29748 is a High severity elevation of privilege issue in the Pixel Firmware.

“There are indications that the following may be under limited, targeted exploitation.” reads the advisory.

The company did not provide details about the attacks, but flaws of this kind have in the past been exploited by nation-state actors and commercial spyware vendors.

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, Google Pixel)

Multiple flaws in Fortinet FortiOS fixed

13 June 2024 at 08:31

Fortinet released security updates to address multiple vulnerabilities in FortiOS, including a high-severity code execution security issue.

Fortinet addressed multiple vulnerabilities in FortiOS and other products, including some code execution flaws.

The company states that multiple stack-based buffer overflow vulnerabilities in the command line interpreter of FortiOS [CWE-121], collectively tracked as CVE-2024-23110 (CVSS score of 7.4), can be exploited by an authenticated attacker to achieve code or command execution via specially crafted command line arguments.

“Multiple stack-based buffer overflow vulnerabilities [CWE-121] in the command line interpreter of FortiOS may allow an authenticated attacker to execute unauthorized code or commands via specially crafted command line arguments” reads the advisory published by the company.

Gwendal Guégniaud of the Fortinet Product Security team discovered the vulnerabilities.

The flaws impact the following versions of FortiOS:

Version      Affected               Solution
FortiOS 7.4  7.4.0 through 7.4.2    Upgrade to 7.4.3 or above
FortiOS 7.2  7.2.0 through 7.2.6    Upgrade to 7.2.7 or above
FortiOS 7.0  7.0.0 through 7.0.13   Upgrade to 7.0.14 or above
FortiOS 6.4  6.4.0 through 6.4.14   Upgrade to 6.4.15 or above
FortiOS 6.2  6.2.0 through 6.2.15   Upgrade to 6.2.16 or above
FortiOS 6.0  6.0 all versions       Migrate to a fixed release

The company also addressed the following medium-severity issues:

  • CVE-2024-26010 – A stack-based overflow vulnerability [CWE-124] in FortiOS, FortiProxy, FortiPAM, and FortiSwitchManager could allow a remote attacker to execute arbitrary code or commands by sending crafted packets to the fgfmd daemon. However, the exploitability of this vulnerability depends on specific conditions that are not controllable by the attacker.
  • CVE-2024-23111 – A cross-site scripting vulnerability [CWE-79] in the reboot page of FortiOS and FortiProxy could enable a remote attacker with super-admin access to execute JavaScript code through specially crafted HTTP GET requests.
  • CVE-2023-46720 – Multiple stack-based buffer overflow vulnerabilities [CWE-121] in FortiOS could permit an authenticated attacker to execute arbitrary code by using specially crafted CLI commands.

The company also fixed a low-severity issue tracked as CVE-2024-21754.

The company did not say whether any of the above issues has been exploited in the wild.

Pierluigi Paganini

(SecurityAffairs – hacking, Fortinet FortiOS)

Security Affairs, 12 June 2024

CISA adds Arm Mali GPU Kernel Driver, PHP bugs to its Known Exploited Vulnerabilities catalog

12 June 2024 at 21:30

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Mali GPU Kernel Driver, PHP bugs to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the following vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog:

  • CVE-2024-4610 ARM Mali GPU Kernel Driver Use-After-Free Vulnerability
  • CVE-2024-4577 PHP-CGI OS Command Injection Vulnerability

The vulnerability CVE-2024-4610 is a use-after-free issue that impacts the Bifrost GPU Kernel Driver (all versions from r34p0 to r40p0) and the Valhall GPU Kernel Driver (all versions from r34p0 to r40p0).

“A local non-privileged user can make improper GPU memory processing operations to gain access to already freed memory.” reads the advisory published by the company. “Arm is aware of reports of this vulnerability being exploited in the wild. Users are recommended to upgrade if they are impacted by this issue.”

The issue is fixed in Bifrost and Valhall GPU Kernel Driver r41p0, released on November 24, 2022. A local non-privileged user can prepare the system's memory and then issue improper GPU memory processing operations that access already freed memory. Arm recommends that affected users upgrade; because the fix has been available since late 2022, the devices exposed to the in-the-wild exploitation are those whose vendors have not yet shipped r41p0 or later.

The vulnerability CVE-2024-4577 affects PHP running in CGI mode on Windows. It stems from the Windows "Best-Fit" character-encoding conversion: specific character sequences in a request are converted in a way that bypasses the protection added for the earlier CVE-2012-1823, so an attacker can again inject command-line arguments into php-cgi. The result is arbitrary code execution on remote PHP servers, allowing attackers to take control of vulnerable hosts.

Since the disclosure of the vulnerability and the public availability of PoC exploit code, multiple actors have been attempting to exploit it, Shadowserver and GreyNoise researchers reported.
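As an added example (not code from the article, CISA or the PHP project), the following script triages web-server access logs for the php-cgi argument-injection pattern behind both CVE-2012-1823 and CVE-2024-4577. It relies on two facts taken from the public disclosure rather than from the text above: a CGI web server passes the query string to php-cgi as command-line arguments only when it contains no unencoded '=' (so injected options arrive percent-encoded and separated by '+'), and the CVE-2024-4577 bypass uses the soft hyphen (byte 0xAD), which Windows best-fit conversion turns into '-'. The log lines are constructed, and the log format regex and the URL-path heuristic are assumptions.

```python
import re
from urllib.parse import unquote_to_bytes, urlsplit

# Constructed Apache-style access-log lines for the demo (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Jun/2024:10:01:02 +0000] "GET /index.php?page=home HTTP/1.1" 200 512',
    '10.0.0.9 - - [12/Jun/2024:10:01:05 +0000] "GET /php-cgi/php-cgi.exe?%ADs HTTP/1.1" 200 88',
    '10.0.0.9 - - [12/Jun/2024:10:01:07 +0000] "GET /test.php?-s HTTP/1.1" 403 0',
    '10.0.0.7 - - [12/Jun/2024:10:02:00 +0000] "GET /info.php?a=1&b=2 HTTP/1.1" 200 4096',
    '10.0.0.7 - - [12/Jun/2024:10:02:03 +0000] "GET /static/app.js?v=3 HTTP/1.1" 200 2048',
]

# Assumed log layout and URL heuristic: client IP first, request line in quotes,
# PHP handled for *.php paths or anything under a php-cgi directory.
REQUEST_RE = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+"')
PHP_TARGET_RE = re.compile(r"\.php$|php-cgi", re.IGNORECASE)
SOFT_HYPHEN = 0xAD  # U+00AD; Windows best-fit maps it to '-', per the public CVE-2024-4577 analysis


def injected_php_cgi_args(target: str) -> list:
    """Return the decoded '+'-separated tokens that php-cgi would receive as options.

    Only a query string without an unencoded '=' is handed to the CGI binary as argv,
    so encoded '%3d' inside a token does not disqualify it. A token whose first byte is
    '-' (classic CVE-2012-1823) or the soft hyphen (CVE-2024-4577) is an injection attempt.
    """
    parts = urlsplit(target)
    if not PHP_TARGET_RE.search(parts.path) or not parts.query or "=" in parts.query:
        return []
    hits = []
    for token in parts.query.split("+"):
        raw = unquote_to_bytes(token)
        if raw[:1] == b"-" or raw[:1] == bytes([SOFT_HYPHEN]):
            hits.append(raw)
    return hits


def scan_log(lines) -> list:
    """Return (client_ip, request_target, injected_tokens) for each suspicious request."""
    findings = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        tokens = injected_php_cgi_args(m.group("target"))
        if tokens:
            findings.append((m.group("ip"), m.group("target"), tokens))
    return findings


if __name__ == "__main__":
    for ip, target, tokens in scan_log(SAMPLE_LOG):
        print(f"{ip} {target} -> injected argv tokens {tokens}")
```

Decoding to bytes rather than to str matters here: the soft hyphen is only a hyphen after Windows has applied best-fit conversion, so a str-based rule that looks for '-' would miss the 2024 variant while a byte-level rule catches both. The '=' check mirrors the CGI argv rule and keeps ordinary `?a=1&b=2` requests out of the findings.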

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend that private organizations review the catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix these vulnerabilities by July 3, 2024.

Pierluigi Paganini

(SecurityAffairs – hacking, Known Exploited Vulnerabilities catalog)

Ukraine Police arrested a hacker who developed a crypter used by Conti and LockBit ransomware operations

12 June 2024 at 20:34

The Ukraine cyber police arrested a Russian man for having developed the crypter component employed in Conti and LockBit ransomware operations.

The Ukrainian cyber police arrested a 28-year-old Russian man for his role in developing a crypter used in Conti and LockBit ransomware operations.

The man was arrested in Kyiv on April 18, 2024, as part of the international law enforcement operation called ‘Operation Endgame.’ 

A crypter is software used to obfuscate or encrypt malicious code so that antivirus programs and other security tools do not detect it. A crypter transforms the malware into an unreadable form and packages it with a small decryption routine (the "stub") that restores and runs the original code at execution time, so the malicious logic appears in clear only in memory. Crypters play a significant role in the cybercrime ecosystem by letting malware authors bypass signature-based defenses.
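As an added example (not code from the article or from the police reports), the following Python script shows the round trip a crypter and its stub perform, and the entropy heuristic that triage tools use to spot an encrypted payload. The fake payload, the key and the hash-based keystream are constructed for the demo, and the 7.0 bits-per-byte threshold is an assumption; no code is executed, the "payload" is just bytes.

```python
import hashlib
import math
from collections import Counter

# Constructed stand-in for a native payload: a fake PE-like header, zero padding and
# repeated API-name strings, chosen to be low-entropy like real code and data sections.
FAKE_PAYLOAD = (
    b"MZ\x90\x00" + b"This program cannot be run in DOS mode.\r\n" + b"\x00" * 600
    + (b"CreateRemoteThread\x00VirtualAllocEx\x00WriteProcessMemory\x00") * 8
)
KEY = b"demo-key-not-secret"  # assumed key embedded in the stub


def keystream(key: bytes, length: int) -> bytes:
    """Toy keystream: SHA-256(key || counter) blocks concatenated to the needed length."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hashlib.sha256(key + block.to_bytes(4, "big")).digest()
        block += 1
    return bytes(out[:length])


def xor_keystream(data: bytes, key: bytes) -> bytes:
    """XOR with the keystream; the same call encrypts (crypter) and decrypts (stub)."""
    return bytes(d ^ k for d, k in zip(data, keystream(key, len(data))))


def single_byte_xor(data: bytes, k: int) -> bytes:
    """The weakest crypter trick: XOR every byte with one constant."""
    return bytes(d ^ k for d in data)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, approaching 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_packed(data: bytes, threshold: float = 7.0) -> bool:
    """Triage heuristic: a high-entropy blob suggests encryption or compression."""
    return shannon_entropy(data) >= threshold


def demo() -> dict:
    blob = xor_keystream(FAKE_PAYLOAD, KEY)       # what the crypter ships
    restored = xor_keystream(blob, KEY)           # what the stub rebuilds in memory
    weak = single_byte_xor(FAKE_PAYLOAD, 0x5A)    # single-byte XOR for comparison
    return {
        "roundtrip_ok": restored == FAKE_PAYLOAD,
        "plain_entropy": shannon_entropy(FAKE_PAYLOAD),
        "blob_entropy": shannon_entropy(blob),
        "weak_xor_entropy": shannon_entropy(weak),
        "blob_flagged": looks_packed(blob),
        "weak_flagged": looks_packed(weak),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two points the numbers make: the keystream-encrypted blob has near-maximal entropy and is flagged, while the stub restores the payload byte for byte, which is why the original can only be observed at run time; and a single-byte XOR is a bijection on byte values, so it leaves the entropy exactly unchanged and sails past this heuristic. Entropy alone also fires on legitimately compressed or packed software, so production tooling pairs it with stub signatures, import-table anomalies and behavioural monitoring.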

“The police found out that the young man specialized in the development of cryptors (from the English crypt – hiding place) – special software for masking computer viruses under the guise of safe files.” reads the report published by Ukraine cyber police. “Thanks to his programming skills, the person involved was able to hide malicious software from the most popular antiviruses.”

Ukrainian law enforcement was supported by the Dutch police, who had investigated a ransomware attack on a Dutch company.

The police identified the Russian hacker, who was paid in cryptocurrency to disguise the Conti malware encryptor. In late 2021, a cybercrime gang deployed the ransomware in the networks of companies in the Netherlands and Belgium and demanded ransoms to decrypt the affected systems.

“The police were tipped off by the NCSC (National Cyber Security Center) and, after further investigation, discovered that the Ukrainian man infected the computer networks of a company in the Netherlands with Conti’s malware in 2021; a hacker group that offers ransomware for sale. As a result, company data was encrypted and made inaccessible.” states the Dutch Police. “The group then demanded a ransom for making the company data accessible again and not leaking it. The Dutch company filed a report with the police in 2021 and on this basis Team High Tech Crime was able to continue with the investigation.”

The cyber police discovered that the Russian hacker helped the Russian cybercrime groups “LockBit” and “Conti.” The police, along with the “TacTeam” special unit, conducted a search in Kyiv and, following an international request from Dutch law enforcement, another search in the Kharkiv region. The police seized computer equipment, mobile phones, and draft records.

The investigation is still ongoing. The man was charged under Part 5 of Art. 361 (unauthorized interference in the work of information (automated), electronic communication, information and communication systems, and electronic communication networks) of the Criminal Code of Ukraine and faces up to 15 years of imprisonment. Additional legal qualifications are possible.

Pierluigi Paganini

(SecurityAffairs – hacking, LockBit ransomware)
