VULNERA Pulse

CVE-2024-3400

CRITICAL CVSS 10.00 EPSS Score 13.97 EPSS Percentile 95.59

CISA Known Exploited Actively Exploited Remote Code Execution Public Exploits Available

Published: April 12, 2024

A command injection as a result of arbitrary file creation vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software for specific PAN-OS versions and distinct feature configurations may enable an unauthenticated attacker to execute arbitrary code with root privileges on the firewall. Cloud NGFW, Panorama appliances, and Prisma Access are not impacted by this vulnerability.

Vendors Impacted: Paloaltonetworks, Palo Alto Networks

Product Impacted: Pan-Os

Quotes

• An increasing number of attacks
• The script will then create another thread that runs a function called restore
• Reset credentials and secrets potentially exposed to, or used to access, Sisense services
• At the time of writing, Volexity was unable to link the activity to other threat activity
• Palo Alto Networks is aware of a limited number of attacks that leverage the exploitation of this vulnerability
• Device telemetry does not need to be enabled for PAN-OS firewalls to be exposed to attacks related to this vulnerability
• To trigger remote code execution, we perform an unauthenticated cURL request to the GlobalProtect web server with a crafted payload in the SESSID cookie value
• The attacker focused on exporting configuration data from the devices, and then leveraging it as an entry point to move laterally within the victim organizations
• This issue is applicable only to PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 firewalls configured with GlobalProtect gateway or GlobalProtect portal (or both) and device telemetry enabled
• Anytime a vulnerability impacts devices directly connected to the Internet, it’s a cause for concern. The fact that these are being actively exploited makes this additionally troublesome
• As we can see, we inject our command injection payload into the SESSID cookie value - which, when a Palo Alto GlobalProtect appliance has telemetry enabled - is then concatenated into a string and ultimately executed as a shell command
• Palo Alto Networks is aware of malicious exploitation of this issue. We are tracking the initial exploitation of this vulnerability under the name Operation MidnightEclipse, as we assess with high confidence that known exploitation we’ve analyzed thus far is limited to a single threat actor

Headlines

• April 19, 2024 - More on the PAN-OS CVE-2024-3400
• April 19, 2024 - 22,500 Palo Alto firewalls "possibly vulnerable" to ongoing attacks
• April 17, 2024 - Exploits for Palo Alto Networks zero-day published, patch up
• April 17, 2024 - Exploitation of Palo Alto Firewall Vulnerability Picking Up After PoC Release
• April 17, 2024 - Palo Alto firewalls: Public exploits, rising attacks, ineffective mitigation
• April 17, 2024 - Researchers released exploit code for actively exploited Palo Alto PAN-OS bug
• April 16, 2024 - Exploit released for Palo Alto PAN-OS bug used in attacks, patch now
• April 15, 2024 - Palo Alto Network Issues Hot Fixes for Zero-Day Bug in Its Firewall OS
• April 15, 2024 - Palo Alto Networks Zero-Day Flaw Exploited in Targeted Attacks
• April 15, 2024 - CISA adds Palo Alto Networks PAN-OS Command Injection flaw to its Known Exploited Vulnerabilities catalog
• April 15, 2024 - Palo Alto Networks fixes zero-day exploited to backdoor firewalls
• April 15, 2024 - Threat actors exploited Palo Alto Pan-OS issue to deploy a Python Backdoor
• April 15, 2024 - Palo Alto Networks Releases Urgent Fixes for Exploited PAN-OS Vulnerability
• April 14, 2024 - Week in review: Palo Alto Networks firewalls under attack, Microsoft patches two exploited zero-days
• April 13, 2024 - Palo Alto Networks zero-day exploited since March to backdoor firewalls
• April 13, 2024 - Hackers Deploy Python Backdoor in Palo Alto Zero-Day Attack

CVE-2024-29204

CRITICAL CVSS 9.80 EPSS Score 0.04 EPSS Percentile 8.27

Remote Code Execution

Published: April 19, 2024

A Heap Overflow vulnerability in WLAvalancheService component of Ivanti Avalanche before 6.4.3 allows a remote unauthenticated attacker to execute arbitrary commands

Quotes

• We are not aware of any customers being exploited by these vulnerabilities prior to public disclosure. These vulnerabilities were disclosed through our responsible disclosure program
• Avalanche 6.4.3 has addressed some new security hardening and vulnerabilities in our Q1 2024 release. We are not aware of any exploitation of these vulnerabilities at the time of disclosure
• To address the security vulnerabilities listed below, it is highly recommended to download the Avalanche installer and update to the latest Avalanche 6.4.3. The installation will apply a fix for each CVE listed in the table below. These vulnerabilities affect any older versions of Avalanche. You can download the latest Avalanche 6.4.3 release here

Headlines

• April 19, 2024 - Exploit Code Released for Severe Ivanti Avalanche Vulnerability (CVE-2024-29204)
• April 18, 2024 - Ivanti patches critical Avalanche flaw exploitable via a simple message (CVE-2024-29204)
• April 17, 2024 - Ivanti fixed two critical flaws in its Avalanche MDM
• April 17, 2024 - Ivanti Patches Two Critical Avalanche Flaws in Major Update
• April 16, 2024 - Ivanti warns of critical flaws in its Avalanche MDM solution

CVE-2024-28255

CRITICAL CVSS 9.80 EPSS Score 0.09 EPSS Percentile 36.07

Public Exploits Available

Published: March 15, 2024

OpenMetadata is a unified platform for discovery, observability, and governance powered by a central metadata repository, in-depth lineage, and seamless team collaboration. The `JwtFilter` handles the API authentication by requiring and verifying JWT tokens. When a new request comes in, the request's path is checked against this list. When the request's path contains any of the excluded endpoints the filter returns without validating the JWT. Unfortunately, an attacker may use Path Parameters to make any path contain any arbitrary strings. For example, a request to `GET /api/v1;v1%2fusers%2flogin/events/subscriptions/validation/condition/111` will match the excluded endpoint condition and therefore will be processed with no JWT validation allowing an attacker to bypass the authentication mechanism and reach any arbitrary endpoint, including the ones listed above that lead to arbitrary SpEL expression injection. This bypass will not work when the endpoint uses the `SecurityContext.getUserPrincipal()` since it will return `null` and will throw an NPE. This issue may lead to authentication bypass and has been addressed in version 1.2.4. Users are advised to upgrade. There are no known workarounds for this vulnerability. This issue is also tracked as `GHSL-2023-237`.

Quotes

• We observed the attackers using a remote server located in China
• In this case, a vulnerable Kubernetes workload which is exposed to the Internet got exploited
• Once they identify a vulnerable version of the application, the attackers exploit the mentioned vulnerabilities to gain code execution on the container running the vulnerable OpenMetadata image

Headlines

• April 19, 2024 - OpenMetadata Vulnerabilities Exploited to Abuse Kubernetes Clusters for Cryptomining
• April 18, 2024 - Attackers Exploit Critical OpenMetadata Flaws for Cryptomining on Kubernetes
• April 17, 2024 - Hackers hijack OpenMetadata apps in Kubernetes cryptomining attacks
• April 17, 2024 - Active Kubernetes RCE Attack Relies on Known OpenMetadata Vulns
• April 17, 2024 - Attackers exploiting new critical OpenMetadata vulnerabilities on Kubernetes clusters |

CVE-2024-24996

CRITICAL CVSS 9.80 EPSS Score 0.04 EPSS Percentile 8.27

Risk Context N/A

Published: April 19, 2024

A Heap overflow vulnerability in WLInfoRailService component of Ivanti Avalanche before 6.4.3 allows an unauthenticated remote attacker to execute arbitrary commands.

Quotes

• We are not aware of any customers being exploited by these vulnerabilities prior to public disclosure. These vulnerabilities were disclosed through our responsible disclosure program
• Avalanche 6.4.3 has addressed some new security hardening and vulnerabilities in our Q1 2024 release. We are not aware of any exploitation of these vulnerabilities at the time of disclosure
• To address the security vulnerabilities listed below, it is highly recommended to download the Avalanche installer and update to the latest Avalanche 6.4.3. The installation will apply a fix for each CVE listed in the table below. These vulnerabilities affect any older versions of Avalanche. You can download the latest Avalanche 6.4.3 release here

Headlines

• April 18, 2024 - Ivanti patches critical Avalanche flaw exploitable via a simple message (CVE-2024-29204)
• April 17, 2024 - Ivanti fixed two critical flaws in its Avalanche MDM
• April 17, 2024 - Ivanti Patches Two Critical Avalanche Flaws in Major Update
• April 16, 2024 - Ivanti warns of critical flaws in its Avalanche MDM solution

CVE-2024-28253

CRITICAL CVSS 9.40 EPSS Score 0.04 EPSS Percentile 9.53

Remote Code Execution

Published: March 15, 2024

OpenMetadata is a unified platform for discovery, observability, and governance powered by a central metadata repository, in-depth lineage, and seamless team collaboration. `CompiledRule::validateExpression` is also called from `PolicyRepository.prepare`. `prepare()` is called from `EntityRepository.prepareInternal()` which, in turn, gets called from `EntityResource.createOrUpdate()`. Note that even though there is an authorization check (`authorizer.authorize()`), it gets called after `prepareInternal()` gets called and therefore after the SpEL expression has been evaluated. In order to reach this method, an attacker can send a PUT request to `/api/v1/policies` which gets handled by `PolicyResource.createOrUpdate()`. This vulnerability was discovered with the help of CodeQL's Expression language injection (Spring) query and is also tracked as `GHSL-2023-252`. This issue may lead to Remote Code Execution and has been addressed in version 1.3.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Quotes

• We observed the attackers using a remote server located in China
• In this case, a vulnerable Kubernetes workload which is exposed to the Internet got exploited
• Once they identify a vulnerable version of the application, the attackers exploit the mentioned vulnerabilities to gain code execution on the container running the vulnerable OpenMetadata image

Headlines

• April 19, 2024 - OpenMetadata Vulnerabilities Exploited to Abuse Kubernetes Clusters for Cryptomining
• April 18, 2024 - Attackers Exploit Critical OpenMetadata Flaws for Cryptomining on Kubernetes
• April 17, 2024 - Hackers hijack OpenMetadata apps in Kubernetes cryptomining attacks
• April 17, 2024 - Active Kubernetes RCE Attack Relies on Known OpenMetadata Vulns
• April 17, 2024 - Attackers exploiting new critical OpenMetadata vulnerabilities on Kubernetes clusters |

CVE-2024-28848

HIGH CVSS 8.80 EPSS Score 0.04 EPSS Percentile 14.16

Remote Code Execution

Published: March 15, 2024

OpenMetadata is a unified platform for discovery, observability, and governance powered by a central metadata repository, in-depth lineage, and seamless team collaboration. The `‎CompiledRule::validateExpression` method evaluates an SpEL expression using an `StandardEvaluationContext`, allowing the expression to reach and interact with Java classes such as `java.lang.Runtime`, leading to Remote Code Execution. The `/api/v1/policies/validation/condition/` endpoint passes user-controlled data `CompiledRule::validateExpession` allowing authenticated (non-admin) users to execute arbitrary system commands on the underlaying operating system. In addition, there is a missing authorization check since `Authorizer.authorize()` is never called in the affected path and therefore any authenticated non-admin user is able to trigger this endpoint and evaluate arbitrary SpEL expressions leading to arbitrary command execution. This vulnerability was discovered with the help of CodeQL's Expression language injection (Spring) query and is also tracked as `GHSL-2023-236`. This issue may lead to Remote Code Execution and has been resolved in version 1.2.4. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Quotes

• We observed the attackers using a remote server located in China
• In this case, a vulnerable Kubernetes workload which is exposed to the Internet got exploited
• Once they identify a vulnerable version of the application, the attackers exploit the mentioned vulnerabilities to gain code execution on the container running the vulnerable OpenMetadata image

Headlines

• April 19, 2024 - OpenMetadata Vulnerabilities Exploited to Abuse Kubernetes Clusters for Cryptomining
• April 18, 2024 - Attackers Exploit Critical OpenMetadata Flaws for Cryptomining on Kubernetes
• April 17, 2024 - Hackers hijack OpenMetadata apps in Kubernetes cryptomining attacks
• April 17, 2024 - Active Kubernetes RCE Attack Relies on Known OpenMetadata Vulns
• April 17, 2024 - Attackers exploiting new critical OpenMetadata vulnerabilities on Kubernetes clusters |

CVE-2024-28847

HIGH CVSS 8.80 EPSS Score 0.04 EPSS Percentile 9.53

Remote Code Execution

Published: March 15, 2024

OpenMetadata is a unified platform for discovery, observability, and governance powered by a central metadata repository, in-depth lineage, and seamless team collaboration. Similarly to the GHSL-2023-250 issue, `AlertUtil::validateExpression` is also called from `EventSubscriptionRepository.prepare()`, which can lead to Remote Code Execution. `prepare()` is called from `EntityRepository.prepareInternal()` which, in turn, gets called from `EntityResource.createOrUpdate()`. Note that, even though there is an authorization check (`authorizer.authorize()`), it gets called after `prepareInternal()` gets called and, therefore, after the SpEL expression has been evaluated. In order to reach this method, an attacker can send a PUT request to `/api/v1/events/subscriptions` which gets handled by `EventSubscriptionResource.createOrUpdateEventSubscription()`. This vulnerability was discovered with the help of CodeQL's Expression language injection (Spring) query. This issue may lead to Remote Code Execution and has been addressed in version 1.2.4. Users are advised to upgrade. There are no known workarounds for this vulnerability. This issue is also tracked as `GHSL-2023-251`.

Quotes

• We observed the attackers using a remote server located in China
• In this case, a vulnerable Kubernetes workload which is exposed to the Internet got exploited
• Once they identify a vulnerable version of the application, the attackers exploit the mentioned vulnerabilities to gain code execution on the container running the vulnerable OpenMetadata image

Headlines

• April 19, 2024 - OpenMetadata Vulnerabilities Exploited to Abuse Kubernetes Clusters for Cryptomining
• April 18, 2024 - Attackers Exploit Critical OpenMetadata Flaws for Cryptomining on Kubernetes
• April 17, 2024 - Hackers hijack OpenMetadata apps in Kubernetes cryptomining attacks
• April 17, 2024 - Active Kubernetes RCE Attack Relies on Known OpenMetadata Vulns
• April 17, 2024 - Attackers exploiting new critical OpenMetadata vulnerabilities on Kubernetes clusters |

CVE-2024-28254

HIGH CVSS 8.80 EPSS Score 0.05 EPSS Percentile 15.70

Remote Code Execution

Published: March 15, 2024

OpenMetadata is a unified platform for discovery, observability, and governance powered by a central metadata repository, in-depth lineage, and seamless team collaboration. The `‎AlertUtil::validateExpression` method evaluates an SpEL expression using `getValue` which by default uses the `StandardEvaluationContext`, allowing the expression to reach and interact with Java classes such as `java.lang.Runtime`, leading to Remote Code Execution. The `/api/v1/events/subscriptions/validation/condition/` endpoint passes user-controlled data `AlertUtil::validateExpession` allowing authenticated (non-admin) users to execute arbitrary system commands on the underlaying operating system. In addition, there is a missing authorization check since `Authorizer.authorize()` is never called in the affected path and, therefore, any authenticated non-admin user is able to trigger this endpoint and evaluate arbitrary SpEL expressions leading to arbitrary command execution. This vulnerability was discovered with the help of CodeQL's Expression language injection (Spring) query and is also tracked as `GHSL-2023-235`. This issue may lead to Remote Code Execution and has been addressed in version 1.2.4. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Quotes

• We observed the attackers using a remote server located in China
• In this case, a vulnerable Kubernetes workload which is exposed to the Internet got exploited
• Once they identify a vulnerable version of the application, the attackers exploit the mentioned vulnerabilities to gain code execution on the container running the vulnerable OpenMetadata image

Headlines

• April 19, 2024 - OpenMetadata Vulnerabilities Exploited to Abuse Kubernetes Clusters for Cryptomining
• April 18, 2024 - Attackers Exploit Critical OpenMetadata Flaws for Cryptomining on Kubernetes
• April 17, 2024 - Hackers hijack OpenMetadata apps in Kubernetes cryptomining attacks
• April 17, 2024 - Active Kubernetes RCE Attack Relies on Known OpenMetadata Vulns
• April 17, 2024 - Attackers exploiting new critical OpenMetadata vulnerabilities on Kubernetes clusters |

CVE-2023-1389

HIGH CVSS 8.80 EPSS Score 6.88 EPSS Percentile 93.82

CISA Known Exploited Actively Exploited Remote Code Execution Public Exploits Available

Published: March 15, 2023

TP-Link Archer AX21 (AX1800) firmware versions before 1.1.4 Build 20230219 contained a command injection vulnerability in the country form of the /cgi-bin/luci;stok=/locale endpoint on the web management interface. Specifically, the country parameter of the write operation was not sanitized before being used in a call to popen(), allowing an unauthenticated attacker to inject commands, which would be run as root, with a simple POST request.

Vendor Impacted: Tp-Link

Products Impacted: Archer Ax21, Archer Ax21 Firmware

Quotes

• Recently, we observed multiple attacks focusing on this year-old vulnerability
• These attacks all appear to be originating from TOR exit nodes and a range of other anonymizing tunnels and proxies
• Users should be vigilant against DDoS botnets and promptly apply patches to safeguard their network environments from infection, preventing them from becoming bots for malicious threat actors

Headlines

• April 17, 2024 - Various Botnets Pummel Year-Old TP-Link Flaw in IoT Attacks
• April 17, 2024 - Multiple botnets exploiting one-year-old TP-Link flaw to hack routers
• April 17, 2024 - Cisco Warns of Global Surge in Brute-Force Attacks Targeting VPN and SSH Services
• April 17, 2024 - Old Vulnerability, New Attacks: Botnets Swarm Exploited CVE-2023-1389 in TP-Link Routers

CVE-2024-31497

CVSS Not Assigned EPSS Score 0.05 EPSS Percentile 15.73

Remote Code Execution Public Exploits Available

Published: April 15, 2024

In PuTTY 0.68 through 0.80 before 0.81, biased ECDSA nonce generation allows an attacker to recover a user's NIST P-521 secret key via a quick attack in approximately 60 signatures. This is especially important in a scenario where an adversary is able to read messages signed by PuTTY or Pageant. The required set of signed messages may be publicly readable because they are stored in a public Git service that supports use of SSH for commit signing, and the signatures were made by Pageant through an agent-forwarding mechanism. In other words, an adversary may already have enough signature information to compromise a victim's private key, even if there is no further use of vulnerable PuTTY versions. After a key compromise, an adversary may be able to conduct supply-chain attacks on software maintained in Git. A second, independent scenario is that the adversary is an operator of an SSH server to which the victim authenticates (for remote login or file copy), even though this server is not fully trusted by the victim, and the victim uses the same private key for SSH connections to other services operated by other entities. Here, the rogue server operator (who would otherwise have no way to determine the victim's private key) can derive the victim's private key, and then use it for unauthorized access to those other services. If the other services include Git services, then again it may be possible to conduct supply-chain attacks on software maintained in Git. This also affects, for example, FileZilla before 3.67.0, WinSCP before 6.3.3, TortoiseGit before 2.15.0.1, and TortoiseSVN through 1.14.6.

Quotes

• The effect of the vulnerability is to compromise the private key
• To be more precise, the first 9 bits of each ECDSA nonce are zero. This allows for full secret key recovery in roughly 60 signatures by using state-of-the-art techniques
• The effect of the vulnerability is to compromise the private key. An attacker in possession of a few dozen signed messages and the public key has enough information to recover the private key, and then forge signatures as if they were from you, allowing them to (for instance) log in to any servers you use that key for
• PuTTY's technique worked by making a SHA-512 hash and then reducing it mod q, where q is the order of the group used in the DSA system. For integer DSA (for which PuTTY's technique was originally developed), q is about 160 bits; for elliptic-curve DSA (which came later), it has about the same number of bits as the curve modulus, so 256 or 384 or 521 bits for the NIST curves

Headlines

• April 16, 2024 - PuTTY SSH Client flaw allows of private keys recovery
• April 16, 2024 - PuTTY vulnerability can be exploited to recover private keys (CVE-2024-31497)
• April 16, 2024 - PuTTY SSH client flaw allows recovery of cryptographic private keys
• April 16, 2024 - Widely-Used PuTTY SSH Client Found Vulnerable to Key Recovery Attack
• April 15, 2024 - CVE-2024-31497: Critical PuTTY Vulnerability Exposes Private Keys – Immediate Action Required