VULNERA Pulse

Android — Pixel

CVE-2024-29748 / Added: April 4, 2024

CVSS Not Assigned

Android Pixel contains a privilege escalation vulnerability that allows an attacker to interrupt a factory reset triggered by a device admin app.

Headlines

• April 4, 2024 - Google Patches Pixel Phone Zero-days After Exploitation by "Forensic Companies"
• April 3, 2024 - Google Warns: Android Zero-Day Flaws in Pixel Phones Exploited by Forensic Companies
• April 3, 2024 - Google fixes two Pixel zero-day flaws exploited by forensics firms
• April 3, 2024 - Google fixed two actively exploited Pixel vulnerabilities
• April 3, 2024 - CVE-2024-29745 & CVE-2024-29748: Critical Google Pixel Flaws Exploited – Update Immediately

Back to top ↑

Android — Pixel

CVE-2024-29745 / Added: April 4, 2024

CVSS Not Assigned

Android Pixel contains an information disclosure vulnerability in the fastboot firmware used to support unlocking, flashing, and locking affected devices.

Headlines

• April 4, 2024 - Google Patches Pixel Phone Zero-days After Exploitation by "Forensic Companies"
• April 3, 2024 - Google Warns: Android Zero-Day Flaws in Pixel Phones Exploited by Forensic Companies
• April 3, 2024 - Google fixes two Pixel zero-day flaws exploited by forensics firms
• April 3, 2024 - Google fixed two actively exploited Pixel vulnerabilities
• April 3, 2024 - CVE-2024-29745 & CVE-2024-29748: Critical Google Pixel Flaws Exploited – Update Immediately

Back to top ↑

CVE-2024-3094

CRITICAL CVSS 10.00 EPSS Score 0.08 EPSS Percentile 32.77

Actively Exploited Remote Code Execution Public Exploits Available

Published: March 29, 2024

Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library.

Vendor Impacted: Tukaani

Product Impacted: Xz

Quotes

• Enable a malicious actor to break sshd authentication and gain unauthorized access to the entire system remotely
• This supply chain attack came as a shock to the OSS community, as XZ Utils was considered a trusted and scrutinized project
• … could potentially enable a malicious actor to break sshd authentication and gain unauthorized access to the entire system remotely
• Because the submitter deleted their account as a response to the review, I think it could be a deliberate attempt to insert the vuln
• AnyDesk was observed in all ransomware and pre-ransomware engagements [. . .], underscoring its role in ransomware affiliates' attack chains
• Currently, it appears as though the backdoor is added to the SSH daemon on the vulnerable machine, enabling a remote attacker to execute arbitrary code
• The threat actor started contributing to the XZ project almost two years ago, slowly building credibility until they were given maintainer responsibilities
• XZ Utils users should downgrade to an older version of the utility immediately (i.e., any version before 5.6.0) and update their installations and packages according to distribution maintainer directions
• One of the core techniques used by the XZ backdoor to gain initial control during execution is the GNU Indirect Function (ifunc) attribute for the GCC compiler to resolve indirect function calls in runtime
• To generically detect such implantation, we decided to focus on ifunc transition behavioral analysis with our Binary Intelligence technology. The detection method is completely based on static analysis, where we are detecting generically the tampering of control flow graph transitions
• PLEASE IMMEDIATELY STOP USAGE OF ANY FEDORA RAWHIDE INSTANCES for work or personal activity. Fedora Rawhide will be reverted to xz-5.4.x shortly, and once that is done, Fedora Rawhide instances can safely be redeployed. Note that Fedora Rawhide is the development distribution of Fedora Linux, and serves as the basis for future Fedora Linux builds (in this case, the yet-to-be-released Fedora Linux 41)

Headlines

• April 4, 2024 - There are plenty of ways to improve cybersecurity that don’t involve making workers return to a physical office
• April 4, 2024 - ‘XZ Utils’ Open-Source Software Threat Prompts Concern
• April 3, 2024 - XZ Utils Backdoor Attack Brings Another Similar Incident to Light
• April 2, 2024 - Binarly released a free online scanner to detect the CVE-2024-3094 Backdoor
• April 2, 2024 - Trusted Contributor Plants Backdoor in Critical Open-Source Library
• April 2, 2024 - New XZ backdoor scanner detects implant in any Linux binary
• April 2, 2024 - Malicious Code in XZ Utils for Linux Systems Enables Remote Code Execution
• April 1, 2024 - Curious engineer catches backdoor in Linux compression package
• April 1, 2024 - XZ Utils Backdoor Implanted in Intricate Supply Chain Attack
• April 1, 2024 - CVE-2024-3094 Informational: Impact of Malicious Code in XZ Tools and Libraries (CVE-2024-3094)
• March 31, 2024 - CVE-2024-3094: malicious code in Linux distributions
• March 31, 2024 - Week in review: Backdoor found in XZ utilities, weaponized iMessages, Exchange servers at risk
• March 30, 2024 - Expert found a backdoor in XZ tools used many Linux distributions

CVE-2024-2879

CRITICAL CVSS 9.80 EPSS Score 0.04 EPSS Percentile 7.64

Actively Exploited Remote Code Execution Public Exploits Available

Published: April 3, 2024

The LayerSlider plugin for WordPress is vulnerable to SQL Injection via the ls_get_popup_markup action in versions 7.9.11 and 7.10.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

Quotes

• This update includes important security fixes
• Insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query

Headlines

• April 4, 2024 - Critical Security Flaw Exposes 1 Million WordPress Sites to SQL Injection
• April 3, 2024 - Critical flaw in LayerSlider WordPress plugin impacts 1 million sites
• April 3, 2024 - Critical Security Flaw Found in Popular LayerSlider WordPress Plugin
• April 3, 2024 - Major WordPress Plugin Exposes Millions of Sites to Data Theft

CVE-2024-0519

HIGH CVSS 8.80 EPSS Score 0.18 EPSS Percentile 54.30

CISA Known Exploited Actively Exploited Remote Code Execution Public Exploits Available

Published: Jan. 16, 2024

Out of bounds memory access in V8 in Google Chrome prior to 120.0.6099.224 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Vendor Impacted: Google

Products Impacted: Chrome, Chromium V8

Quotes

• The Stable channel has been updated to 123.0.6312.105/.106/.107 for Windows and Mac and 123.0.6312.105 to Linux which will roll out over the coming days/weeks

Headlines

• April 3, 2024 - Google fixed another Chrome zero-day exploited at Pwn2Own
• April 3, 2024 - Google fixes one more Chrome zero-day exploited at Pwn2Own

CVE-2023-46805

HIGH CVSS 8.20 EPSS Score 96.43 EPSS Percentile 99.55

CISA Known Exploited Remote Code Execution Public Exploits Available

Published: Jan. 12, 2024

An authentication bypass vulnerability in the web component of Ivanti ICS 9.x, 22.x and Ivanti Policy Secure allows a remote attacker to access restricted resources by bypassing control checks.

Vendor Impacted: Ivanti

Products Impacted: Connect Secure And Policy Secure, Connect Secure, Policy Secure

Quotes

• Events in recent months have been humbling
• We are not aware of any customers being exploited by these vulnerabilities at the time of disclosure

Headlines

• April 4, 2024 - Ivanti commits to secure-by-design overhaul
• April 4, 2024 - Ivanti fixed for 4 new issues in Connect Secure and Policy Secure
• April 3, 2024 - Ivanti fixes VPN gateway vulnerability allowing RCE, DoS attacks

CVE-2024-2887

CVSS Not Assigned EPSS Score 0.04 EPSS Percentile 13.37

Risk Context N/A

Published: March 26, 2024

Type Confusion in WebAssembly in Google Chrome prior to 123.0.6312.86 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)

Quotes

• Apple is aware of a report that this issue may have been exploited
• The Stable channel has been updated to 123.0.6312.105/.106/.107 for Windows and Mac and 123.0.6312.105 to Linux which will roll out over the coming days/weeks

Headlines

• April 3, 2024 - Google fixed another Chrome zero-day exploited at Pwn2Own
• April 3, 2024 - Google fixes one more Chrome zero-day exploited at Pwn2Own
• March 31, 2024 - You Should Update Apple iOS and Google Chrome ASAP

CVE-2024-2886

CVSS Not Assigned EPSS Score 0.04 EPSS Percentile 13.37

Risk Context N/A

Published: March 26, 2024

Use after free in WebCodecs in Google Chrome prior to 123.0.6312.86 allowed a remote attacker to perform arbitrary read/write via a crafted HTML page. (Chromium security severity: High)

Quotes

• Apple is aware of a report that this issue may have been exploited
• The Stable channel has been updated to 123.0.6312.105/.106/.107 for Windows and Mac and 123.0.6312.105 to Linux which will roll out over the coming days/weeks

Headlines

• April 3, 2024 - Google fixed another Chrome zero-day exploited at Pwn2Own
• April 3, 2024 - Google fixes one more Chrome zero-day exploited at Pwn2Own
• March 31, 2024 - You Should Update Apple iOS and Google Chrome ASAP