VULNERA Pulse

Progress — Telerik Report Server

CVE-2024-4358 / Added: June 13, 2024

CRITICAL CVSS 9.80 EPSS Score 5.03 EPSS Percentile 92.91

Progress Telerik Report Server contains an authorization bypass by spoofing vulnerability that allows an attacker to obtain unauthorized access.

Headlines

• June 14, 2024 - CISA adds Android Pixel, Microsoft Windows, Progress Telerik Report Server bugs to its Known Exploited Vulnerabilities catalog
• June 9, 2024 - newsletter Round 475 by Pierluigi Paganini – INTERNATIONAL EDITION
• June 9, 2024 - Week in review: Atlassian Confluence RCE PoC, new Kali Linux, Patch Tuesday forecast
• June 4, 2024 - Telerik Report Server Flaw Could Let Attackers Create Rogue Admin Accounts
• June 4, 2024 - PoC for Progress Telerik RCE chain released (CVE-2024-4358, CVE-2024-1800)
• June 4, 2024 - Experts released PoC exploit code for a critical bug in Progress Telerik Report Servers
• June 3, 2024 - Exploit for critical Progress Telerik auth bypass released, patch now
• May 30, 2024 - CVE-2024-4358: Critical Authentication Bypass Flaw Discovered in Progress Telerik Report Server

Back to top ↑

Microsoft — Windows

CVE-2024-26169 / Added: June 13, 2024

HIGH CVSS 7.80 EPSS Score 0.15 EPSS Percentile 50.68

Microsoft Windows Error Reporting Service contains an improper privilege management vulnerability that allows a local attacker with user permissions to gain SYSTEM privileges.

Headlines

• June 14, 2024 - CISA warns of Windows bug exploited in ransomware attacks
• June 14, 2024 - CISA adds Android Pixel, Microsoft Windows, Progress Telerik Report Server bugs to its Known Exploited Vulnerabilities catalog
• June 12, 2024 - Ransomware crew may have exploited Windows EoP bug as 0-day
• June 12, 2024 - Black Basta Ransomware May Have Exploited MS Windows Zero-Day Flaw
• June 12, 2024 - CVE-2024-26169: Windows Zero-Day Vulnerability Abused by Black Basta Ransomware
• June 12, 2024 - Black Basta ransomware gang linked to Windows zero-day attacks

Back to top ↑

Android — Pixel

CVE-2024-32896 / Added: June 13, 2024

HIGH CVSS 7.80 EPSS Score 0.15 EPSS Percentile 51.81

Android Pixel contains an unspecified vulnerability in the firmware that allows for privilege escalation.

Headlines

• June 14, 2024 - CISA adds Android Pixel, Microsoft Windows, Progress Telerik Report Server bugs to its Known Exploited Vulnerabilities catalog
• June 13, 2024 - Google fixed an actively exploited zero-day in the Pixel Firmware
• June 13, 2024 - Google Warns of Pixel Firmware Security Flaw Exploited as Zero-Day
• June 13, 2024 - CVE-2024-32896: Google Patches Actively Exploited Zero-Day Vulnerability in Pixel Devices
• June 12, 2024 - Google warns of actively exploited Pixel firmware zero-day
• June 12, 2024 - Google patches exploited Android zero-day on Pixel devices

Back to top ↑

PHP Group — PHP

CVE-2024-4577 / Added: June 12, 2024

CRITICAL CVSS 9.80 EPSS Score 93.20 EPSS Percentile 99.07

PHP, specifically Windows-based PHP used in CGI mode, contains an OS command injection vulnerability that allows for arbitrary code execution. This vulnerability is a patch bypass for CVE-2012-1823.

Headlines

• June 13, 2024 - PHP command injection flaw exploited to deliver ransomware (CVE-2024-4577)
• June 12, 2024 - CISA adds Arm Mali GPU Kernel Driver, PHP bugs to its Known Exploited Vulnerabilities catalog
• June 12, 2024 - TellYouthePass Ransomware Group Exploits Critical PHP Flaw
• June 12, 2024 - Microsoft fixes hack-me-via-Wi-Fi Windows security hole
• June 11, 2024 - TellYouThePass ransomware exploits recent PHP RCE flaw to breach servers
• June 11, 2024 - PHP Vulnerability (CVE-2024-4577) Actively Exploited in TellYouThePass Ransomware Attacks
• June 9, 2024 - PHP addressed critical RCE potentially impacting millions of servers
• June 8, 2024 - New PHP Vulnerability Exposes Windows Servers to Remote Code Execution
• June 7, 2024 - Multiple Vulnerabilities in PHP Could Allow for Remote Code Execution
• June 7, 2024 - PHP fixes critical RCE flaw impacting all versions for Windows
• June 7, 2024 - Researchers Detail Critical PHP Flaw CVE-2024-4577 with PoC Exploit Code
• June 7, 2024 - CVE-2024-4577: Critical PHP Vulnerability Exposes Millions of Servers to RCE

Back to top ↑

Arm — Mali GPU Kernel Driver

CVE-2024-4610 / Added: June 12, 2024

MEDIUM CVSS 5.50 EPSS Score 21.26 EPSS Percentile 96.45

Arm Bifrost and Valhall GPU kernel drivers contain a use-after-free vulnerability that allows a local, non-privileged user to make improper GPU memory processing operations to gain access to already freed memory.

Headlines

• June 13, 2024 - Google Warns of Pixel Firmware Security Flaw Exploited as Zero-Day
• June 12, 2024 - CISA adds Arm Mali GPU Kernel Driver, PHP bugs to its Known Exploited Vulnerabilities catalog
• June 12, 2024 - Google patches exploited Android zero-day on Pixel devices
• June 12, 2024 - Google warns of actively exploited Pixel firmware zero-day
• June 12, 2024 - Microsoft fixes hack-me-via-Wi-Fi Windows security hole
• June 11, 2024 - Arm zero-day in Mali GPU Drivers actively exploited in the wild
• June 11, 2024 - NVIDIA and Arm Urge Customers to Patch Bugs
• June 11, 2024 - Arm Warns of Actively Exploited Zero-Day Vulnerability in Mali GPU Drivers
• June 10, 2024 - Arm warns of actively exploited flaw in Mali GPU kernel drivers
• June 7, 2024 - CVE-2024-4610 - Arm Mali GPU Zero-Day Under Active Exploit: Millions of Devices at Risk

Back to top ↑

CVE-2024-30080

CRITICAL CVSS 9.80 EPSS Score 0.35 EPSS Percentile 71.87

Remote Code Execution

Published: June 11, 2024

Microsoft Message Queuing (MSMQ) Remote Code Execution Vulnerability

Vendor Impacted: Microsoft

Products Impacted: Windows 10 1507, Windows Server 2022, Windows 11 22h2, Windows Server 2008, Windows 11 23h2, Windows Server 2016, Windows Server 2019, Windows 10 1607, Windows Server 2022 23h2, Windows 10 1809, Windows 11 21h2, Windows Server 2012, Windows 10 21h1

Quotes

• I’m not being hyperbolic when I say this is the dumbest cybersecurity move in a decade
• Microsoft has recommended disabling the service until a time at which you can install the update
• NSEC3 is an improved version of NSEC (Next Secure) that provides authenticated denial of existence
• A couple of quick Shodan searches reveal over a million hosts running with port 1801 open and over 3500 results for 'msmq'
• An attacker who successfully exploited this vulnerability could bypass Outlook registry block lists and enable the creation of malicious DLL files
• To exploit this vulnerability, an attacker would need to send a specially crafted malicious MSMQ packet to a MSMQ server. This could result in remote code execution on the server side

Headlines

• June 12, 2024 - Microsoft Patches One Critical and One Zero-Day Vulnerability
• June 12, 2024 - Microsoft Patch Tuesday security updates for June 2024 fixed only one critical issue
• June 12, 2024 - Microsoft Issues Patches for 51 Flaws, Including Critical MSMQ Vulnerability
• June 12, 2024 - June Patch Tuesday squares up with 49 patches
• June 12, 2024 - Microsoft fixes hack-me-via-Wi-Fi Windows security hole
• June 11, 2024 - Critical RCE Bug Opens Microsoft Servers to Takeover
• June 11, 2024 - Patch Tuesday, June 2024 “Recall” Edition –
• June 11, 2024 - Microsoft fixes RCE vulnerabilities in MSMQ, Outlook (CVE-2024-30080, CVE-2024-30103)
• June 11, 2024 - Only one critical issue disclosed as part of Microsoft Patch Tuesday

CVE-2024-4577

CRITICAL CVSS 9.80 EPSS Score 93.20 EPSS Percentile 99.07

CISA Known Exploited Remote Code Execution Public Exploits Available

Published: June 9, 2024

In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, when using Apache and PHP-CGI on Windows, if the system is set up to use certain code pages, Windows may use "Best-Fit" behavior to replace characters in command line given to Win32 API functions. PHP CGI module may misinterpret those characters as PHP options, which may allow a malicious user to pass options to PHP binary being run, and thus reveal the source code of scripts, run arbitrary PHP code on the server, etc.

Vendors Impacted: Php Group, Php

Product Impacted: Php

Quotes

• A local non-privileged user can make improper GPU memory processing operations to gain access to already freed memory
• We noticed a few campaigns, including WebShell upload attempts and several attempts to place ransomware on a target system
• While implementing PHP, the team did not notice the Best-Fit feature of encoding conversion within the Windows operating system
• Even if PHP is not configured under the CGI mode, merely exposing the PHP executable binary in the CGI directory is affected by this vulnerability, too

Headlines

• June 13, 2024 - PHP command injection flaw exploited to deliver ransomware (CVE-2024-4577)
• June 12, 2024 - CISA adds Arm Mali GPU Kernel Driver, PHP bugs to its Known Exploited Vulnerabilities catalog
• June 12, 2024 - TellYouthePass Ransomware Group Exploits Critical PHP Flaw
• June 12, 2024 - Microsoft fixes hack-me-via-Wi-Fi Windows security hole
• June 11, 2024 - TellYouThePass ransomware exploits recent PHP RCE flaw to breach servers
• June 11, 2024 - PHP Vulnerability (CVE-2024-4577) Actively Exploited in TellYouThePass Ransomware Attacks
• June 9, 2024 - PHP addressed critical RCE potentially impacting millions of servers
• June 8, 2024 - New PHP Vulnerability Exposes Windows Servers to Remote Code Execution

CVE-2022-42475

CRITICAL CVSS 9.80 EPSS Score 32.12 EPSS Percentile 97.03

CISA Known Exploited Actively Exploited Remote Code Execution Public Exploits Available

Published: Jan. 2, 2023

A heap-based buffer overflow vulnerability [CWE-122] in FortiOS SSL-VPN 7.2.0 through 7.2.2, 7.0.0 through 7.0.8, 6.4.0 through 6.4.10, 6.2.0 through 6.2.11, 6.0.15 and earlier and FortiProxy SSL-VPN 7.2.0 through 7.2.1, 7.0.7 and earlier may allow a remote unauthenticated attacker to execute arbitrary code or commands via specifically crafted requests.

Vendor Impacted: Fortinet

Products Impacted: Fim-7920e, Fortigate-7060e, Fortiproxy, Fortigate-6501f, Fpm-7630e, Fortigate-6501f-Dc, Fpm-7620e, Fortigate-6300f-Dc, Fortigate-6500f-Dc, Fpm-7620f, Fim-7901e, Fim-7904e, Fim-7910e, Fim-7921f, Fortigate-6500f, Fortigate-7030e, Fortigate-6300f, Fim-7941f, Fortios, Fortigate-7040e, Fortigate-6601f-Dc, Fortigate-7121f, Fortigate-6601f

Quotes

• Much larger than previously known
• It is not known how many victims actually have malware installed
• Dozens of (Western) governments, international organizations and a large number of companies within the defense industry
• The only currently identified way of removing [it] from an infected FortiGate device involves formatting the device and reinstalling and reconfiguring the device
• The state actor behind this campaign was already aware of this vulnerability in FortiGate systems at least two months before Fortinet disclosed the vulnerability

Headlines

• June 12, 2024 - China's FortiGate attacks more extensive than first thought
• June 12, 2024 - 20,000 FortiGate appliances compromised by Chinese hackers
• June 12, 2024 - Chinese FortiGate Espionage Campaign Snares 20,000+ Victims
• June 12, 2024 - China-Backed Hackers Exploit Fortinet Flaw, Infecting 20,000 Systems Globally
• June 11, 2024 - Chinese hackers breached 20,000 FortiGate systems worldwide

CVE-2024-30078

HIGH CVSS 8.80 EPSS Score 0.05 EPSS Percentile 21.51

Remote Code Execution

Published: June 11, 2024

Windows Wi-Fi Driver Remote Code Execution Vulnerability

Quotes

• I’m not being hyperbolic when I say this is the dumbest cybersecurity move in a decade
• NSEC3 is an improved version of NSEC (Next Secure) that provides authenticated denial of existence
• An attacker who successfully exploited this vulnerability could bypass Outlook registry block lists and enable the creation of malicious DLL files
• To exploit this vulnerability, an attacker would need to send a specially crafted malicious MSMQ packet to a MSMQ server. This could result in remote code execution on the server side

Headlines

• June 12, 2024 - Microsoft Patch Tuesday security updates for June 2024 fixed only one critical issue
• June 12, 2024 - Microsoft Issues Patches for 51 Flaws, Including Critical MSMQ Vulnerability
• June 12, 2024 - Microsoft fixes hack-me-via-Wi-Fi Windows security hole
• June 11, 2024 - Patch Tuesday, June 2024 “Recall” Edition –
• June 11, 2024 - Microsoft fixes RCE vulnerabilities in MSMQ, Outlook (CVE-2024-30080, CVE-2024-30103)
• June 11, 2024 - Only one critical issue disclosed as part of Microsoft Patch Tuesday

CVE-2024-30103

HIGH CVSS 8.80 EPSS Score 0.05 EPSS Percentile 19.25

Remote Code Execution

Published: June 11, 2024

Microsoft Outlook Remote Code Execution Vulnerability

Quotes

• NSEC3 is an improved version of NSEC (Next Secure) that provides authenticated denial of existence
• A couple of quick Shodan searches reveal over a million hosts running with port 1801 open and over 3500 results for 'msmq'
• An attacker who successfully exploited this vulnerability could bypass Outlook registry block lists and enable the creation of malicious DLL files

Headlines

• June 12, 2024 - Microsoft Issues Patches for 51 Flaws, Including Critical MSMQ Vulnerability
• June 11, 2024 - Critical RCE Bug Opens Microsoft Servers to Takeover
• June 11, 2024 - Microsoft fixes RCE vulnerabilities in MSMQ, Outlook (CVE-2024-30080, CVE-2024-30103)
• June 11, 2024 - Only one critical issue disclosed as part of Microsoft Patch Tuesday

CVE-2024-32896

HIGH CVSS 7.80 EPSS Score 0.15 EPSS Percentile 51.81

CISA Known Exploited Actively Exploited Remote Code Execution

Published: June 13, 2024

there is a possible way to bypass due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.

Vendors Impacted: Google, Android

Products Impacted: Android, Pixel

Quotes

• There are indications that CVE-2024-32896 may be under limited, targeted exploitation
• It was exploited by forensics companies against users with apps like Wasted and Sentry trying to wipe the device when detecting an attack. We addressed it as part of making our duress PIN/password feature and reported it to get Google to fix it across Android which is now done

Headlines

• June 14, 2024 - CISA adds Android Pixel, Microsoft Windows, Progress Telerik Report Server bugs to its Known Exploited Vulnerabilities catalog
• June 13, 2024 - Google fixed an actively exploited zero-day in the Pixel Firmware
• June 13, 2024 - Google Warns of Pixel Firmware Security Flaw Exploited as Zero-Day
• June 13, 2024 - CVE-2024-32896: Google Patches Actively Exploited Zero-Day Vulnerability in Pixel Devices
• June 12, 2024 - Google patches exploited Android zero-day on Pixel devices
• June 12, 2024 - Google warns of actively exploited Pixel firmware zero-day

CVE-2024-26169

HIGH CVSS 7.80 EPSS Score 0.15 EPSS Percentile 50.68

CISA Known Exploited Actively Exploited Remote Code Execution Used In Ransomware

Published: March 12, 2024

Windows Error Reporting Service Elevation of Privilege Vulnerability

Vendor Impacted: Microsoft

Products Impacted: Windows 10 1507, Windows 10 21h2, Windows Server 2022, Windows 11 22h2, Windows Server 2008, Windows Server 2016, Windows Server 2019, Windows 10 22h2, Windows, Windows 10 1607, Windows Server 2022 23h2, Windows 10 1809, Windows 11 21h2, Windows Server 2012, Windows 11 23h2

Quotes

• At least one group may have been exploiting the vulnerability as a zero-day
• These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise
• Analysis of an exploit tool deployed in recent attacks revealed evidence that it could have been compiled prior to patching, meaning at least one group may have been exploiting the vulnerability as a zero-day

Headlines

• June 14, 2024 - CISA warns of Windows bug exploited in ransomware attacks
• June 14, 2024 - CISA adds Android Pixel, Microsoft Windows, Progress Telerik Report Server bugs to its Known Exploited Vulnerabilities catalog
• June 12, 2024 - Ransomware crew may have exploited Windows EoP bug as 0-day
• June 12, 2024 - Black Basta Ransomware May Have Exploited MS Windows Zero-Day Flaw
• June 12, 2024 - CVE-2024-26169: Windows Zero-Day Vulnerability Abused by Black Basta Ransomware
• June 12, 2024 - Black Basta ransomware gang linked to Windows zero-day attacks

CVE-2024-37051

HIGH CVSS 7.50 EPSS Score 0.09 EPSS Percentile 37.18

Actively Exploited Remote Code Execution Public Exploits Available

Published: June 10, 2024

GitHub access token could be exposed to third-party sites in JetBrains IDEs after version 2023.1 and less than: IntelliJ IDEA 2023.1.7, 2023.2.7, 2023.3.7, 2024.1.3, 2024.2 EAP3; Aqua 2024.1.2; CLion 2023.1.7, 2023.2.4, 2023.3.5, 2024.1.3, 2024.2 EAP2; DataGrip 2023.1.3, 2023.2.4, 2023.3.5, 2024.1.4; DataSpell 2023.1.6, 2023.2.7, 2023.3.6, 2024.1.2, 2024.2 EAP1; GoLand 2023.1.6, 2023.2.7, 2023.3.7, 2024.1.3, 2024.2 EAP3; MPS 2023.2.1, 2023.3.1, 2024.1 EAP2; PhpStorm 2023.1.6, 2023.2.6, 2023.3.7, 2024.1.3, 2024.2 EAP3; PyCharm 2023.1.6, 2023.2.7, 2023.3.6, 2024.1.3, 2024.2 EAP2; Rider 2023.1.7, 2023.2.5, 2023.3.6, 2024.1.3; RubyMine 2023.1.7, 2023.2.7, 2023.3.7, 2024.1.3, 2024.2 EAP4; RustRover 2024.1.1; WebStorm 2023.1.6, 2023.2.7, 2023.3.7, 2024.1.4

Vendor Impacted: Jetbrains

Products Impacted: Aqua, Goland, Datagrip, Mps, Phpstorm, Rustrover, Pycharm, Rider, Webstorm, Dataspell, Intellij Idea, Rubymine, Clion

Quotes

• A new security issue was discovered that affects the JetBrains GitHub plugin on the IntelliJ Platform, which could lead to disclosure of access tokens to third-party sites. The issue affects all IntelliJ-based IDEs as of 2023.1 onwards that have the JetBrains GitHub plugin enabled and configured/in-use
• On the 29th of May 2024 we received an external security report with details of a possible vulnerability that would affect pull requests within the IDE. In particular, malicious content as part of a pull request to a GitHub project which would be handled by IntelliJ-based IDEs, would expose access tokens to a third-party host

Headlines

• June 13, 2024 - CVE-2024-37051: Critical JetBrains Flaw Exposes GitHub Tokens in IntelliJ IDEs, PoC Published
• June 12, 2024 - JetBrains fixed IntelliJ IDE flaw exposing GitHub access tokens
• June 11, 2024 - JetBrains warns of IntelliJ IDE bug exposing GitHub access tokens
• June 11, 2024 - Users of JetBrains IDEs at risk of GitHub access token compromise (CVE-2024-37051)

CVE-2024-4610

MEDIUM CVSS 5.50 EPSS Score 21.26 EPSS Percentile 96.45

CISA Known Exploited Actively Exploited

Published: June 7, 2024

Use After Free vulnerability in Arm Ltd Bifrost GPU Kernel Driver, Arm Ltd Valhall GPU Kernel Driver allows a local non-privileged user to make improper GPU memory processing operations to gain access to already freed memory.This issue affects Bifrost GPU Kernel Driver: from r34p0 through r40p0; Valhall GPU Kernel Driver: from r34p0 through r40p0.

Vendor Impacted: Arm

Products Impacted: Mali Gpu Kernel Driver, Bifrost Gpu Kernel Driver, Valhall Gpu Kernel Driver

Quotes

• Improper GPU memory processing operations
• A local non-privileged user can make improper GPU memory processing operations to gain access to already freed memory
• It was exploited by forensics companies against users with apps like Wasted and Sentry trying to wipe the device when detecting an attack. We addressed it as part of making our duress PIN/password feature and reported it to get Google to fix it across Android which is now done

Headlines

• June 13, 2024 - Google Warns of Pixel Firmware Security Flaw Exploited as Zero-Day
• June 12, 2024 - CISA adds Arm Mali GPU Kernel Driver, PHP bugs to its Known Exploited Vulnerabilities catalog
• June 12, 2024 - Google patches exploited Android zero-day on Pixel devices
• June 12, 2024 - Google warns of actively exploited Pixel firmware zero-day
• June 12, 2024 - Microsoft fixes hack-me-via-Wi-Fi Windows security hole
• June 11, 2024 - Arm zero-day in Mali GPU Drivers actively exploited in the wild
• June 11, 2024 - NVIDIA and Arm Urge Customers to Patch Bugs
• June 11, 2024 - Arm Warns of Actively Exploited Zero-Day Vulnerability in Mali GPU Drivers
• June 10, 2024 - Arm warns of actively exploited flaw in Mali GPU kernel drivers

CVE-2023-50868

CVSS Not Assigned EPSS Score 0.05 EPSS Percentile 17.07

Actively Exploited Remote Code Execution Public Exploits Available

Published: Feb. 14, 2024

The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 when RFC 9276 guidance is skipped) allows remote attackers to cause a denial of service (CPU consumption for SHA-1 computations) via DNSSEC responses in a random subdomain attack, aka the "NSEC3" issue. The RFC 5155 specification implies that an algorithm must perform thousands of iterations of a hash function in certain situations.

Quotes

• Microsoft has recommended disabling the service until a time at which you can install the update
• It does this by tricking those servers into performing extra calculations that overload their CPU
• NSEC3 is an improved version of NSEC (Next Secure) that provides authenticated denial of existence
• To exploit this vulnerability, an attacker would need to send a specially crafted malicious MSMQ packet to a MSMQ server. This could result in remote code execution on the server side
• CVE-2023-50868 is regarding a vulnerability in DNSSEC validation where an attacker could exploit standard DNSSEC protocols intended for DNS integrity by using excessive resources on a resolver, causing a denial of service for legitimate users
• CVE-2023-50868 is regarding a vulnerability in DNSSEC validation where an attacker could exploit standard DNSSEC protocols intended for DNS integrity by using excessive resources on a resolver, causing a denial of service for legitimate users. MITRE created this CVE on their behalf

Headlines

• June 13, 2024 - Microsoft Late to the Game on Dangerous DNSSEC Zero-Day Flaw
• June 12, 2024 - Microsoft Patches One Critical and One Zero-Day Vulnerability
• June 12, 2024 - Microsoft Patch Tuesday security updates for June 2024 fixed only one critical issue
• June 12, 2024 - Microsoft Issues Patches for 51 Flaws, Including Critical MSMQ Vulnerability
• June 12, 2024 - June Patch Tuesday squares up with 49 patches
• June 12, 2024 - Microsoft fixes hack-me-via-Wi-Fi Windows security hole
• June 11, 2024 - Microsoft June 2024 Patch Tuesday fixes 51 flaws, 18 RCEs