Fortinet addressed multiple vulnerabilities in FortiOS and other products, including some code execution flaws.
The company states that multiple stack-based buffer overflow vulnerabilities in the command line interpreter of FortiOS [CWE-121], collectively tracked as CVE-2024-23110 (CVSS score of 7.4), can be exploited by an authenticated attacker to achieve code or command execution via specially crafted command line arguments
“Multiple stack-based buffer overflow vulnerabilities [CWE-121] in the command line interpreter of FortiOS may allow an authenticated attacker to execute unauthorized code or commands via specially crafted command line arguments” reads the advisory published by the company.
Gwendal Guégniaud of Fortinet Product Security team discovered the vulnerabilities.
The flaws impact the following versions of the Fortinet FortiOS :
| Version | Affected | Solution |
|---|---|---|
| FortiOS 7.4 | 7.4.0 through 7.4.2 | Upgrade to 7.4.3 or above |
| FortiOS 7.2 | 7.2.0 through 7.2.6 | Upgrade to 7.2.7 or above |
| FortiOS 7.0 | 7.0.0 through 7.0.13 | Upgrade to 7.0.14 or above |
| FortiOS 6.4 | 6.4.0 through 6.4.14 | Upgrade to 6.4.15 or above |
| FortiOS 6.2 | 6.2.0 through 6.2.15 | Upgrade to 6.2.16 or above |
| FortiOS 6.0 | 6.0 all versions | Migrate to a fixed release |
The company also fixed a low-severity issue tracked as CVE-2024-21754.
The company did not reveal if one of the above issues was actively exploited in the wild.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Fortinet FortiOS)
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the following vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog.
“A local non-privileged user can make improper GPU memory processing operations to gain access to already freed memory.” reads the advisory published by the company. “Arm is aware of reports of this vulnerability being exploited in the wild. Users are recommended to upgrade if they are impacted by this issue”
Bifrost and Valhall GPU Kernel Driver r41p0, which were released on November 24, 2022, address the vulnerability.
A local non-privileged attacker can prepare the system’s memory to issue improper GPU memory processing operations to gain access to already freed memory.
The company recommends users upgrade if this issue impacts them.
The vulnerability CVE-2024-4577 resides in the Best-Fit feature of encoding conversion within the Windows operating system. An attacker can exploit the flaw to bypass protections for a previous vulnerability, CVE-2012-1823, using specific character sequences. Consequently, arbitrary code can be executed on remote PHP servers through an argument injection attack, allowing attackers to take control of vulnerable servers.
Since the disclosure of the vulnerability and publicly availability of a PoC exploit code, multiple actors are attempting to exploit it, reported Shadowserver and GreyNoise researchers.
According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.
Experts recommend also private organizations review the Catalog and address the vulnerabilities in their infrastructure.
CISA orders federal agencies to fix this vulnerability by July 3rd, 2024.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Known Exploited Vulnerabilities catalog)
The Ukraine cyber police arrested a Russian man (28) for his role in developing a crypter used in Conti and LockBit ransomware operations.
The man was arrested in Kyiv on April 18, 2024, as part of the international law enforcement operation called ‘Operation Endgame.’
A crypter is a software used to obfuscate or encrypt malicious code to prevent detection by antivirus programs and other security tools. Crypters achieve this by converting the malware into an unreadable form and then packaging it with a decryption routine that will restore the original malicious code when executed. Crypters play a significant role in the cybercrime ecosystem by enabling malware authors to bypass security defenses.
“The police found out that the young man specialized in the development of cryptors (from the English crypt – hiding place) – special software for masking computer viruses under the guise of safe files.” reads the report published by Ukraine cyber police. “Thanks to his programming skills, the person involved was able to hide malicious software from the most popular antiviruses.”
The Ukrainian law enforcement was supported by the Dutch police who responded to a ransomware attack that hit a Dutch company.
The police identified the Russian hacker group who was paid with cryptocurrency to disguise the “Conti-malware” encryptor. By the end of 2021, a cybercrime gang deployed the ransomware in the network of companies in the Netherlands and Belgium and demanded a ransom for decrypting the infected systems.
“The police were tipped off by the NCSC (National Cyber Security Center) and, after further investigation, discovered that the Ukrainian man infected the computer networks of a company in the Netherlands with Conti’s malware in 2021; a hacker group that offers ransomware for sale. As a result, company data was encrypted and made inaccessible.” states the Dutch Police. “The group then demanded a ransom for making the company data accessible again and not leaking it. The Dutch company filed a report with the police in 2021 and on this basis Team High Tech Crime was able to continue with the investigation.”
The cyber police discovered that the Russian hacker helped the Russian cybercrime groups “LockBit” and “Conti.” The police, along with the “TacTeam” special unit, conducted a search in Kyiv and, following an international request from Dutch law enforcement, another search in the Kharkiv region. The police seized computer equipment, mobile phones, and draft records.
The investigation is still ongoing, the man was charged under part 5 of Art. 361 (Unauthorized interference in the work of information (automated), electronic communication, information and communication systems, electronic communication networks) of the Criminal Code of Ukraine. The man can face up to 15 years of imprisonment. Additional legal qualifications are possible.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, LockBit ransomware)
JetBrains warned customers to address a critical vulnerability, tracked as CVE-2024-37051, that impacts users of its IntelliJ integrated development environment (IDE) apps and exposes GitHub access tokens.
The flaw impacts IntelliJ-based IDEs version 2023.1 and later, where the JetBrains GitHub plugin is enabled and configured/used.
“A new security issue was discovered that affects the JetBrains GitHub plugin on the IntelliJ Platform, which could lead to disclosure of access tokens to third-party sites. The issue affects all IntelliJ-based IDEs as of 2023.1 onwards that have the JetBrains GitHub plugin enabled and configured/in-use.” reads the advisory published by the company.
On the 29th of May 2024, the company received an external security report for the vulnerability potentially affecting its IDE product.
The report demonstrates that specially crafted content in a pull request to a GitHub project, when handled by IntelliJ-based IDEs, would expose access tokens to a third-party host.
JetBrains addressed the flaw with the release of IDEs version 2023.1 or later. Users are strongly recommended updating to the latest version.
Those customers that have used GitHub pull request functionality in the IDE are strongly advised to revoke any GitHub tokens used by the plugin. For OAuth integration, revoke access for the JetBrains IDE Integration application via Applications → Authorized OAuth Apps. For Personal Access Tokens (PAT), delete the token issued for the plugin on the Tokens page, typically named “IntelliJ IDEA GitHub integration plugin,” though custom names may also be used.
Below is the
“If you have not updated to the latest version, we strongly urge you to do so,” concludes the advisory.
The company did not reveal if the vulnerability has been actively exploited in the wild.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, GitHub)
Microsoft Patch Tuesday security updates for June 2024 addressed 49 vulnerabilities in Windows and Windows Components; Office and Office Components; Azure; Dynamics Business Central; and Visual Studio. Eight of these bugs were reported through the ZDI program.
Only one of these issues is rated Critical and 48 are rated Important in severity.
Only one of these vulnerabilities is listed as publicly known. Fortunately, none are being actively exploited in the wild.
The most severe issue is a Microsoft Message Queuing (MSMQ) Remote Code Execution Vulnerability tracked as CVE-2024-30080 (CVSS score 9.8).
Remote, unauthenticated attackers can exploit this issue to execute arbitrary code with elevated privileges of systems where MSMQ is enabled. The flaw is wormable between those servers where MSMQ is disabled.
“To exploit this vulnerability, an attacker would need to send a specially crafted malicious MSMQ packet to a MSMQ server. This could result in remote code execution on the server side.” reads the advisory.
The publicly disclosed zero-day vulnerability, tracked as CVE-2023-50868 (CVSS score 7.5), is regarding a vulnerability in DNSSEC validation. An attacker could exploit standard DNSSEC protocols intended for DNS integrity by using excessive resources on a resolver, causing a denial of service for legitimate users. MITRE created this CVE on their behalf.
Another interesting issue addressed by Microsoft Patch Tuesday security updates for June 2024 is a Windows Wi-Fi Driver Remote Code Execution vulnerability tracked as CVE-2024-30078 (CVSS score 8.8). An unauthenticated attacker can exploit this vulnerability to execute code on an affected system by sending the target a specially crafted network packet. The target would need to be in Wi-Fi range of the attacker and using a Wi-Fi adapter.
“Exploiting this vulnerability requires an attacker to be within proximity of the target system to send and receive radio transmissions.” reads the advisory. “An unauthenticated attacker could send a malicious networking packet to an adjacent system that is employing a Wi-Fi networking adapter, which could enable remote code execution.”
The full list of vulnerabilities addressed by Microsoft for June 2024 is available here:
https://www.zerodayinitiative.com/blog/2024/6/11/the-june-2024-security-update-review
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Microsoft Patch Tuesday)
Microsoft today released updates to fix more than 50 security vulnerabilities in Windows and related software, a relatively light Patch Tuesday this month for Windows users. The software giant also responded to a torrent of negative feedback on a new feature of Redmond’s flagship operating system that constantly takes screenshots of whatever users are doing on their computers, saying the feature would no longer be enabled by default.
Last month, Microsoft debuted Copilot+ PCs, an AI-enabled version of Windows. Copilot+ ships with a feature nobody asked for that Redmond has aptly dubbed Recall, which constantly takes screenshots of what the user is doing on their PC. Security experts roundly trashed Recall as a fancy keylogger, noting that it would be a gold mine of information for attackers if the user’s PC was compromised with malware.
Microsoft countered that Recall snapshots never leave the user’s system, and that even if attackers managed to hack a Copilot+ PC they would not be able to exfiltrate on-device Recall data. But that claim rang hollow after former Microsoft threat analyst Kevin Beaumont detailed on his blog how any user on the system (even a non-administrator) can export Recall data, which is just stored in an SQLite database locally.
“I’m not being hyperbolic when I say this is the dumbest cybersecurity move in a decade,” Beaumont said on Mastodon.
In a recent Risky Business podcast, host Patrick Gray noted that the screenshots created and indexed by Recall would be a boon to any attacker who suddenly finds himself in an unfamiliar environment.
“The first thing you want to do when you get on a machine if you’re up to no good is to figure out how someone did their job,” Gray said. “We saw that in the case of the SWIFT attacks against central banks years ago. Attackers had to do screen recordings to figure out how transfers work. And this could speed up that sort of discovery process.”
Responding to the withering criticism of Recall, Microsoft said last week that it will no longer be enabled by default on Copilot+ PCs.
Only one of the patches released today — CVE-2024-30080 — earned Microsoft’s most urgent “critical” rating, meaning malware or malcontents could exploit the vulnerability to remotely seize control over a user’s system, without any user interaction.
CVE-2024-30080 is a flaw in the Microsoft Message Queuing (MSMQ) service that can allow attackers to execute code of their choosing. Microsoft says exploitation of this weakness is likely, enough to encourage users to disable the vulnerable component if updating isn’t possible in the short run. CVE-2024-30080 has been assigned a CVSS vulnerability score of 9.8 (10 is the worst).
Kevin Breen, senior director of threat research at Immersive Labs, said a saving grace is that MSMQ is not a default service on Windows.
“A Shodan search for MSMQ reveals there are a few thousand potentially internet-facing MSSQ servers that could be vulnerable to zero-day attacks if not patched quickly,” Breen said.
CVE-2024-30078 is a remote code execution weakness in the Windows WiFi Driver, which also has a CVSS score of 9.8. According to Microsoft, an unauthenticated attacker could exploit this bug by sending a malicious data packet to anyone else on the same network — meaning this flaw assumes the attacker has access to the local network.
Microsoft also fixed a number of serious security issues with its Office applications, including at least two remote-code execution flaws, said Adam Barnett, lead software engineer at Rapid7.
“CVE-2024-30101 is a vulnerability in Outlook; although the Preview Pane is a vector, the user must subsequently perform unspecified specific actions to trigger the vulnerability and the attacker must win a race condition,” Barnett said. “CVE-2024-30104 does not have the Preview Pane as a vector, but nevertheless ends up with a slightly higher CVSS base score of 7.8, since exploitation relies solely on the user opening a malicious file.”
Separately, Adobe released security updates for Acrobat, ColdFusion, and Photoshop, among others.
As usual, the SANS Internet Storm Center has the skinny on the individual patches released today, indexed by severity, exploitability and urgency. Windows admins should also keep an eye on AskWoody.com, which often publishes early reports of any Windows patches gone awry.
A threat actor, that goes online with the moniker Sp1d3r, is selling the stolen data for $750,000. The data includes 34 million customer and employee emails, customer / prospect email and PII, products used by organizations, sales prospect list with activity status, Cylance partners list and users list.
— Dark Web Informer (@DarkWebInformer) June 7, 2024
MAJOR DATA FOR SALE
A total of 34,000,000 million customer and employee… pic.twitter.com/D5BBUATBkJ
BlackBerry told several media outlets that it’s aware of the potential data breach and is investigating the alleged incident.
The company states that data was stolen from a third-party platform and appears to be old.
“Based on our initial reviews of the data in question, no current Cylance customers are impacted, and no sensitive information is involved,” BlackBerry told SecurityWeek. “The data in question was accessed from a third-party platform unrelated to BlackBerry and appears to be from 2015-2018, predating BlackBerry’s acquisition of the Cylance product portfolio.”
“We continue to monitor this situation closely and will take all necessary precautions to maintain the integrity of our products and systems and the trust of our customers,” it added
While several experts believe attackers may have obtained the data from the cloud data platform Snowflake, Cylance pointed out that it is currently not a Snowflake customer.
Data claimed to relate to #Blackberry #Cylance customers, partners, and employees has been put up for sale. The same account is also selling data claimed to relate to QuoteWizard and Advance Auto Parts. #Snowflake? pic.twitter.com/vF1zksnGfH
— Brett Callow (@BrettCallow) June 7, 2024
(SecurityAffairs – hacking, data breach)
Arm is warning of an actively exploited zero-day vulnerability, tracked as CVE-2024-4610, in Mali GPU Kernel Driver.
The vulnerability is a use-after-free issue issue that impacts Bifrost GPU Kernel Driver (all versions from r34p0 to r40p0) and Valhall GPU Kernel Driver (all versions from r34p0 to r40p0).
“A local non-privileged user can make improper GPU memory processing operations to gain access to already freed memory.” reads the advisory published by the company. “Arm is aware of reports of this vulnerability being exploited in the wild. Users are recommended to upgrade if they are impacted by this issue”
Bifrost and Valhall GPU Kernel Driver r41p0, which were released on November 24, 2022, address the vulnerability.
A local non-privileged attacker can prepare the system’s memory to issue improper GPU memory processing operations to gain access to already freed memory.
The company recommends users upgrade if this issue impacts them.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Mali GPU Kernel Driver)
Researcher Sina Kheirkha analyzed the Veeam Backup Enterprise Manager authentication bypass flaw CVE-2024-29849 and a proof of concept exploit for this issue.
The flaw CVE-2024-29849 is a critical vulnerability (CVSS score: 9.8) in Veeam Backup Enterprise Manager that could allow attackers to bypass authentication.
Veeam Backup Enterprise Manager is a centralized management and reporting tool designed to simplify the administration of Veeam Backup & Replication environments. It offers a web-based interface that allows users to manage multiple Veeam Backup & Replication servers, monitor backup jobs, and generate reports.
“This vulnerability in Veeam Backup Enterprise Manager allows an unauthenticated attacker to log in to the Veeam Backup Enterprise Manager web interface as any user.” reads the advisory published by the vendor.
The vulnerability was addressed with the release of version 12.1.2.172. The company also provided the following mitigation:
Administrators are urged to apply the latest security updates as soon as possible due to the availability of the PoC.
Kheirkha explained that the issue resides in the ‘Veeam.Backup.Enterprise.RestAPIService.exe’ service (vVeeamRESTSvc ), which is installed during the setup of the Veeam enterprise manager software.
“When I started to analyze this vulnerability, first I was kind of disappointed on how little information veeam provided, just saying the authentication can be bypassed and not much more, however, just knowing it’s something to do with Authentication and the mitigation suggesting the issue has something to do with the either “VeeamEnterpriseManagerSvc” or “VeeamRESTSvc” services, I began my patch diffing routine and realized the entry point, I’ll introduce VeeamRESTSvc also known as Veeam.Backup.Enterprise.RestAPIService.exe” reads the post published by the researcher.
The service listens on port TCP/9398 and operated as a REST API server, which is basically an API version of the main web application that listens on port TCP/9443
The exploit targets Veeam’s API by sending a specially crafted VMware single-sign-on (SSO) token to a vulnerable service. The expert used a token impersonating an administrator and used an SSO service URL that Veeam failed to verify. The token is initially base64-encoded, then decoded into XML and validated through a SOAP request to an attacker-controlled URL. Then a server under the control of the attack responds positively to the validation, granting the attacker administrator access.
To detect exploitation attempts, the researcher recommends to analyze the following
LoginC:\ProgramData\Veeam\Backup\Svc.VeeamRestAPI.log
searching for Validating Single Sign-On token. Service enpoint URL:
(SecurityAffairs – hacking, PoC exploit)
