VULNERA Pulse

Versa — Director

CVE-2024-39717 / Added: Aug. 23, 2024

MEDIUM CVSS 6.60 EPSS Score 0.18 EPSS Percentile 55.47

The Versa Director GUI contains an unrestricted upload of file with dangerous type vulnerability that allows administrators with Provider-Data-Center-Admin or Provider-Data-Center-System-Admin privileges to customize the user interface. The “Change Favicon” (Favorite Icon) enables the upload of a .png file, which can be exploited to upload a malicious file with a .png extension disguised as an image.

Headlines

• Aug. 26, 2024 - Versa fixes Director zero-day vulnerability exploited in attacks
• Aug. 25, 2024 - U.S. CISA adds Versa Director bug to its Known Exploited Vulnerabilities catalog
• Aug. 24, 2024 - CISA Urges Federal Agencies to Patch Versa Director Vulnerability by September
• Aug. 24, 2024 - CVE-2024-39717: Versa Networks Director GUI Flaw Under Active Attack, CISA Issues Urgent Patching Directive

Back to top ↑

Dahua — IP Camera Firmware

CVE-2021-33045 / Added: Aug. 21, 2024

CRITICAL CVSS 9.80 EPSS Score 93.32 EPSS Percentile 99.14

Dahua IP cameras and related products contain an authentication bypass vulnerability when the loopback device is specified by the client during authentication.

Headlines

• Aug. 22, 2024 - U.S. CISA adds Dahua IP Camera, Linux Kernel and Microsoft Exchange Server bugs to its Known Exploited Vulnerabilities catalog
• Aug. 22, 2024 - U.S. CISA adds Dahua IP Camera, Linux Kernel and Microsoft Exchange Server bugs to its Known Exploited Vulnerabilities catalog
• Aug. 21, 2024 - Microsoft, Linux, Dahua Flaws Exploited: CISA Warns

Back to top ↑

Dahua — IP Camera Firmware

CVE-2021-33044 / Added: Aug. 21, 2024

CRITICAL CVSS 9.80 EPSS Score 95.23 EPSS Percentile 99.39

Dahua IP cameras and related products contain an authentication bypass vulnerability when the NetKeyboard type argument is specified by the client during authentication.

Headlines

• Aug. 22, 2024 - U.S. CISA adds Dahua IP Camera, Linux Kernel and Microsoft Exchange Server bugs to its Known Exploited Vulnerabilities catalog
• Aug. 22, 2024 - U.S. CISA adds Dahua IP Camera, Linux Kernel and Microsoft Exchange Server bugs to its Known Exploited Vulnerabilities catalog
• Aug. 21, 2024 - Microsoft, Linux, Dahua Flaws Exploited: CISA Warns

Back to top ↑

Linux — Kernel

CVE-2022-0185 / Added: Aug. 21, 2024

HIGH CVSS 8.40 EPSS Score 0.34 EPSS Percentile 71.80

Linux kernel contains a heap-based buffer overflow vulnerability in the legacy_parse_param function in the Filesystem Context functionality. This allows an attacker to open a filesystem that does not support the Filesystem Context API and ultimately escalate privileges.

Headlines

• Aug. 24, 2024 - CISA Urges Federal Agencies to Patch Versa Director Vulnerability by September
• Aug. 22, 2024 - U.S. CISA adds Dahua IP Camera, Linux Kernel and Microsoft Exchange Server bugs to its Known Exploited Vulnerabilities catalog
• Aug. 22, 2024 - U.S. CISA adds Dahua IP Camera, Linux Kernel and Microsoft Exchange Server bugs to its Known Exploited Vulnerabilities catalog
• Aug. 21, 2024 - Microsoft, Linux, Dahua Flaws Exploited: CISA Warns
• March 22, 2024 - Chinese snoops exploit F5, ConnectWise bugs to sell access
• March 22, 2024 - China-Linked Group Breaches Networks via Connectwise, F5 Software Flaws

Back to top ↑

Microsoft — Exchange Server

CVE-2021-31196 / Added: Aug. 21, 2024

HIGH CVSS 7.20 EPSS Score 6.17 EPSS Percentile 93.69

Microsoft Exchange Server contains an information disclosure vulnerability that allows for remote code execution.

Headlines

• Aug. 24, 2024 - CISA Urges Federal Agencies to Patch Versa Director Vulnerability by September
• Aug. 22, 2024 - U.S. CISA adds Dahua IP Camera, Linux Kernel and Microsoft Exchange Server bugs to its Known Exploited Vulnerabilities catalog
• Aug. 22, 2024 - U.S. CISA adds Dahua IP Camera, Linux Kernel and Microsoft Exchange Server bugs to its Known Exploited Vulnerabilities catalog
• Aug. 21, 2024 - Microsoft investigates a patch breaking dual-boot PCs
• Aug. 21, 2024 - Microsoft, Linux, Dahua Flaws Exploited: CISA Warns

Back to top ↑

Jenkins — Jenkins Command Line Interface (CLI)

CVE-2024-23897 / Added: Aug. 19, 2024

CRITICAL CVSS 9.80 EPSS Score 97.08 EPSS Percentile 99.81

Jenkins Command Line Interface (CLI) contains a path traversal vulnerability that allows attackers limited read access to certain files, which can lead to code execution.

Headlines

• Aug. 20, 2024 - Critical, Actively Exploited Jenkins RCE Bug Suffers Patch Lag
• Aug. 20, 2024 - CISA Warns of Critical Jenkins Vulnerability Exploited in Ransomware Attacks
• Aug. 19, 2024 - CISA adds Jenkins Command Line Interface (CLI) bug to its Known Exploited Vulnerabilities catalog
• Aug. 19, 2024 - CISA warns of Jenkins RCE bug exploited in ransomware attacks
• Aug. 15, 2024 - RansomEXX Group Exploits Jenkins Vulnerability (CVE-2024-23897) in Major Indian Banking Attack
• Aug. 13, 2024 - CVE-2024-23897 Enabled Ransomware Attack on Indian Banks
• Aug. 1, 2024 - RansomEXX Group Targets Indian Banking With New Tactics
• March 11, 2024 - CVE-2024–23897 – Arbitrary file read in Jenkins
• Feb. 4, 2024 - Week in review: Windows Event Log zero-day, exploited critical Jenkins RCE flaw
• Jan. 31, 2024 - 45,000 Exposed Jenkins Instances Found Amid Reports of In-the-Wild Exploitation
• Jan. 31, 2024 - ACSC presses enterprises to patch Jenkins
• Jan. 30, 2024 - 45,000 Jenkins servers remain vulnerable to RCE attacks
• Jan. 29, 2024 - PoC Exploits Heighten Risks Around Critical New Jenkins Vuln
• Jan. 29, 2024 - Multiple Vulnerabilities in Jenkins Could Allow for Remote Code Execution
• Jan. 29, 2024 - Critical Jenkins RCE flaw exploited in the wild. Patch now! (CVE-2024-23897)
• Jan. 29, 2024 - CI/CD at Risk as Exploits Released For Critical Jenkins Bug
• Jan. 28, 2024 - Multiple PoC exploits released for Jenkins flaw CVE-2024-23897
• Jan. 28, 2024 - Exploits released for critical Jenkins RCE flaw, patch now
• Jan. 26, 2024 - Watch out, experts warn of a critical flaw in Jenkins
• Jan. 26, 2024 - Breaking Down CVE-2024-23897: PoC Code Surfaces Just After Jenkins Advisory
• Jan. 25, 2024 - Critical Jenkins Vulnerability Exposes Servers to RCE Attacks - Patch ASAP!
• Jan. 25, 2024 - CVE-2024-23897 (CVSS 9.8): Critical Jenkins Security Vulnerability, RCE Possible

Back to top ↑

CVE-2024-28986

CRITICAL CVSS 9.80 EPSS Score 2.98 EPSS Percentile 91.07

CISA Known Exploited Actively Exploited Remote Code Execution

Published: Aug. 13, 2024

SolarWinds Web Help Desk was found to be susceptible to a Java Deserialization Remote Code Execution vulnerability that, if exploited, would allow an attacker to run commands on the host machine. While it was reported as an unauthenticated vulnerability, SolarWinds has been unable to reproduce it without authentication after thorough testing.   However, out of an abundance of caution, we recommend all Web Help Desk customers apply the patch, which is now available.

Vendor Impacted: Solarwinds

Product Impacted: Web Help Desk

Quotes

• Security is hard and a continuous process
• Patched instances will return no content / content-length 0
• Requests to non-existent pages on patched instances will return no content / content-length 0
• Multiple fraudulently induced outbound wire transfers to accounts controlled by unknown third parties
• This attack is only possible if the attacker escalates privileges they control, or if they can obtain administrator rights
• These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise
• The SolarWinds Web Help Desk (WHD) software is affected by a hardcoded credential vulnerability, allowing remote unauthenticated user to access internal functionality and modify data

Headlines

• Aug. 23, 2024 - Patch Now: Second SolarWinds Critical Bug in Web Help Desk
• Aug. 23, 2024 - Another critical SolarWinds Web Help Desk bug fixed (CVE-2024-28987)
• Aug. 22, 2024 - SolarWinds left hardcoded credentials in helpdesk product
• Aug. 22, 2024 - SolarWinds fixed hardcoded credential issue in Web Help Desk
• Aug. 22, 2024 - Hardcoded Credential Vulnerability Found in SolarWinds Web Help Desk
• Aug. 22, 2024 - SolarWinds fixes hardcoded credentials flaw in Web Help Desk
• Aug. 22, 2024 - SolarWinds Web Help Desk Hit by Critical Vulnerability (CVE-2024-28987)
• Aug. 19, 2024 - RansomHub-linked EDR-killing malware spotted in the wild
• Aug. 18, 2024 - Week in review: MS Office flaw may leak NTLM hashes, malicious Chrome, Edge browser extensions

CVE-2024-4577

CRITICAL CVSS 9.80 EPSS Score 96.32 EPSS Percentile 99.58

CISA Known Exploited Actively Exploited Remote Code Execution Used In Ransomware Public Exploits Available

Published: June 9, 2024

In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, when using Apache and PHP-CGI on Windows, if the system is set up to use certain code pages, Windows may use "Best-Fit" behavior to replace characters in command line given to Win32 API functions. PHP CGI module may misinterpret those characters as PHP options, which may allow a malicious user to pass options to PHP binary being run, and thus reveal the source code of scripts, run arbitrary PHP code on the server, etc.

Vendors Impacted: Fedoraproject, Php Group, Php

Products Impacted: Php, Fedora

Quotes

• Msupedge is a backdoor in the form of a dynamic link library (DLL)
• Have found no evidence allowing us to attribute [Msupedge], and the motive behind the attack remains unknown
• The initial intrusion was likely through the exploit of a recently patched PHP vulnerability (CVE-2024-4577)
• The most notable feature of this backdoor is that it communicates with a command-and-control (C&C) server via DNS traffic
• Symantec has seen multiple threat actors scanning for vulnerable systems in recent weeks. To date, we have found no evidence allowing us to attribute this threat and the motive behind the attack remains unknown

Headlines

• Aug. 21, 2024 - Taiwan University Under Fire From Unique DLL Backdoor
• Aug. 21, 2024 - Analyzing the vulnerability landscape in Q2 2024
• Aug. 20, 2024 - Hackers use PHP exploit to backdoor Windows systems with new malware
• Aug. 20, 2024 - Previously unseen Msupedge backdoor targeted a university in Taiwan
• Aug. 20, 2024 - New DNS-Based Backdoor Threat Discovered at Taiwanese University
• Aug. 20, 2024 - Hackers Exploit PHP Vulnerability to Deploy Stealthy Msupedge Backdoor
• Aug. 20, 2024 - Unseen Msupedge Malware Exploits PHP Flaw CVE-2024-4577 in Taiwanese University Cyberattack

CVE-2024-28000

CRITICAL CVSS 9.80 EPSS Score 0.04 EPSS Percentile 9.52

Actively Exploited Remote Code Execution Public Exploits Available

Published: Aug. 21, 2024

Incorrect Privilege Assignment vulnerability in LiteSpeed Technologies LiteSpeed Cache litespeed-cache allows Privilege Escalation.This issue affects LiteSpeed Cache: from 1.9 through 6.3.0.1.

Quotes

• We have no doubts that this vulnerability will be actively exploited very soon
• The plugin suffers from an unauthenticated privilege escalation vulnerability which allows any unauthenticated visitor to gain Administrator level access after which malicious plugins could be uploaded and installed
• We were able to determine that a brute force attack that iterates all 1 million known possible values for the security hash and passes them in the litespeed_hash cookie — even running at a relatively low 3 requests per second — is able to gain access to the site as any given user ID within between a few hours and a week

Headlines

• Aug. 22, 2024 - Hackers are exploiting critical bug in LiteSpeed Cache plugin
• Aug. 22, 2024 - CVE-2024-28000 in LiteSpeed Cache Plugin Actively Exploited: Over 30,000 Attacks Blocked in 24 Hours
• Aug. 22, 2024 - Critical Flaw in WordPress LiteSpeed Cache Plugin Allows Hackers Admin Access
• Aug. 21, 2024 - Litespeed Cache bug exposes millions of WordPress sites to takeover attacks
• Aug. 21, 2024 - Critical CVE-2024-28000 (CVSS 9.8) Flaw Puts 5 Million WordPress Sites at Risk of Complete Takeover
• Aug. 21, 2024 - CVE-2024-28000 (CVSS 9.8): Active Exploitation of Litespeed Cache Vulnerability, 5 Million WordPress Sites at Risk of Complete Takeover

CVE-2024-23897

CRITICAL CVSS 9.80 EPSS Score 97.08 EPSS Percentile 99.81

CISA Known Exploited Actively Exploited Remote Code Execution Used In Ransomware Public Exploits Available

Published: Jan. 24, 2024

Jenkins 2.441 and earlier, LTS 2.426.2 and earlier does not disable a feature of its CLI command parser that replaces an '@' character followed by a file path in an argument with the file's contents, allowing unauthenticated attackers to read arbitrary files on the Jenkins controller file system.

Vendor Impacted: Jenkins

Products Impacted: Jenkins, Jenkins Command Line Interface (Cli)

Quotes

• If your Jenkins is compromised, it's quite a big deal, because Jenkins is at the core of your business software
• This command parser has a feature that replaces an @ character followed by a file path in an argument with the file's contents (expandAtFiles)
• Jenkins Command Line Interface (CLI) contains a path traversal vulnerability that allows attackers limited read access to certain files, which can lead to code execution

Headlines

• Aug. 20, 2024 - Critical, Actively Exploited Jenkins RCE Bug Suffers Patch Lag
• Aug. 20, 2024 - CISA Warns of Critical Jenkins Vulnerability Exploited in Ransomware Attacks
• Aug. 19, 2024 - CISA adds Jenkins Command Line Interface (CLI) bug to its Known Exploited Vulnerabilities catalog
• Aug. 19, 2024 - CISA warns of Jenkins RCE bug exploited in ransomware attacks

CVE-2024-28987

CRITICAL CVSS 9.10 EPSS Score 0.09 EPSS Percentile 39.63

Risk Context N/A

Published: Aug. 21, 2024

The SolarWinds Web Help Desk (WHD) software is affected by a hardcoded credential vulnerability, allowing remote unauthenticated user to access internal functionality and modify data.

Quotes

• Security is hard and a continuous process
• Patched instances will return no content / content-length 0
• Requests to non-existent pages on patched instances will return no content / content-length 0
• These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise
• The SolarWinds Web Help Desk (WHD) software is affected by a hardcoded credential vulnerability, allowing remote unauthenticated user to access internal functionality and modify data

Headlines

• Aug. 23, 2024 - Patch Now: Second SolarWinds Critical Bug in Web Help Desk
• Aug. 23, 2024 - Another critical SolarWinds Web Help Desk bug fixed (CVE-2024-28987)
• Aug. 22, 2024 - SolarWinds left hardcoded credentials in helpdesk product
• Aug. 22, 2024 - SolarWinds fixed hardcoded credential issue in Web Help Desk
• Aug. 22, 2024 - Hardcoded Credential Vulnerability Found in SolarWinds Web Help Desk
• Aug. 22, 2024 - SolarWinds fixes hardcoded credentials flaw in Web Help Desk
• Aug. 22, 2024 - SolarWinds Web Help Desk Hit by Critical Vulnerability (CVE-2024-28987)

CVE-2024-7971

HIGH CVSS 8.80 EPSS Score 0.04 EPSS Percentile 9.52

Actively Exploited Remote Code Execution Used In Ransomware

Published: Aug. 21, 2024

Type confusion in V8 in Google Chrome prior to 128.0.6613.84 allowed a remote attacker to exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Vendor Impacted: Google

Product Impacted: Chrome

Quotes

• Google is aware that an exploit for CVE-2024-7971 exists in the wild
• In languages without memory safety, such as C and C++, type confusion can lead to out-of-bounds memory access
• Type confusion in V8 in Google Chrome prior to 128.0.6613.84 allowed a remote attacker to exploit heap corruption via a crafted HTML page

Headlines

• Aug. 23, 2024 - Urgent Edge Security Update: Microsoft Patches Zero-day & RCE Vulnerabilities
• Aug. 23, 2024 - Multiple Vulnerabilities in Google Chrome Could Allow for Arbitrary Code Execution
• Aug. 22, 2024 - Google Chrome Update Fixes Flaw Exploited in the Wild
• Aug. 22, 2024 - New Chrome zero-day actively exploited, patch quickly! (CVE-2024-7971)
• Aug. 22, 2024 - Google addressed the ninth actively exploited Chrome zero-day this year
• Aug. 22, 2024 - Google Fixes High-Severity Chrome Flaw Actively Exploited in the Wild
• Aug. 22, 2024 - Urgent Chrome Update: Active Zero-Day Exploit Detected (CVE-2024-7971)
• Aug. 21, 2024 - Google fixes ninth Chrome zero-day exploited in attacks this year

CVE-2022-2601

HIGH CVSS 8.60 EPSS Score 0.07 EPSS Percentile 32.95

Risk Context N/A

Published: Dec. 14, 2022

A buffer overflow was found in grub_font_construct_glyph(). A malicious crafted pf2 font can lead to an overflow when calculating the max_glyph_size value, allocating a smaller than needed buffer for the glyph, this further leads to a buffer overflow and a heap based out-of-bounds write. An attacker may use this vulnerability to circumvent the secure boot mechanism.

Vendors Impacted: Redhat, Gnu, Fedoraproject

Products Impacted: Enterprise Linux Eus, Enterprise Linux Server Aus, Enterprise Linux Server For Power Little Endian Update Services , Grub2, Fedora, Enterprise Linux Server Tus, Enterprise Linux Server Update Services For Sap Solutions, Enterprise Linux For Power Little Endian Eus

Quotes

• Have an impact on Windows security
• The latest builds of Windows are no longer vulnerable to this security feature bypass using the Linux GRUB2 boot loader
• Resulting from this issue, your device might fail to boot Linux and show the error message 'Verifying shim SBAT data failed: Security Policy Violation. Something has gone seriously wrong: SBAT self-check failed: Security Policy Violation

Headlines

• Aug. 23, 2024 - Microsoft shares temp fix for Linux boot issues on dual-boot systems
• Aug. 22, 2024 - Microsoft confirms August updates break Linux boot in dual-boot systems
• Aug. 21, 2024 - Microsoft investigates a patch breaking dual-boot PCs
• Aug. 20, 2024 - August Windows updates break dual boot on some Linux systems
• Aug. 20, 2024 - August Windows security update breaks dual boot on Linux systems

CVE-2024-38193

HIGH CVSS 7.80 EPSS Score 0.04 EPSS Percentile 10.05

CISA Known Exploited Actively Exploited Remote Code Execution

Published: Aug. 13, 2024

Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability

Vendor Impacted: Microsoft

Products Impacted: Windows Server 2016, Windows 10 21h2, Windows, Windows 10 1809, Windows 10 22h2, Windows Server 2022, Windows 10 1507, Windows Server 2008, Windows Server 2019, Windows 11 21h2, Windows Server 2022 23h2, Windows Server 2012, Windows 11 23h2, Windows 11 24h2, Windows 11 22h2, Windows 10 1607

Quotes

• Stoke discord and undermine confidence in our democratic institutions
• An attacker who successfully exploited this vulnerability could gain SYSTEM privileges
• Bypass normal security restrictions and access sensitive system areas that most users and administrators can’t reach
• In early June, Luigino Camastra and Milanek discovered that the Lazarus group was exploiting a hidden security flaw in a crucial part of Windows called the AFD.sys driver
• Gen Threat Labs recently uncovered and reported a major security flaw known as a zero-day vulnerability (CVE-2024-38193), which Microsoft has now fixed. This repair is important because it addresses a security issue that was being used by the Lazarus APT group, a North Korean hacker group known for targeting specific professionals

Headlines

• Aug. 22, 2024 - No, not every Social Security number in the U.S. was stolen
• Aug. 20, 2024 - 0-day in Windows driver exploited by North Korean hackers to deliver rootkit (CVE-2024-38193)
• Aug. 20, 2024 - Lazarus Group Exploits Microsoft Zero-Days CVE-2024-38193, Patch Urgently
• Aug. 20, 2024 - Windows driver zero-day exploited by Lazarus hackers to install rootkit
• Aug. 19, 2024 - Microsoft Zero-Day CVE-2024-38193 was exploited by North Korea-linked Lazarus APT
• Aug. 19, 2024 - Microsoft Patches Zero-Day Flaw Exploited by North Korea’s Lazarus Group

CVE-2021-31196

HIGH CVSS 7.20 EPSS Score 6.17 EPSS Percentile 93.69

CISA Known Exploited Remote Code Execution

Published: July 14, 2021

Microsoft Exchange Server Remote Code Execution Vulnerability

Vendor Impacted: Microsoft

Product Impacted: Exchange Server

Quotes

• The latest builds of Windows are no longer vulnerable to this security feature bypass using the Linux GRUB2 boot loader
• The identity authentication bypass vulnerability found in some Dahua products during the login process. Attackers can bypass device identity authentication by constructing malicious data packets

Headlines

• Aug. 22, 2024 - U.S. CISA adds Dahua IP Camera, Linux Kernel and Microsoft Exchange Server bugs to its Known Exploited Vulnerabilities catalog
• Aug. 21, 2024 - Microsoft investigates a patch breaking dual-boot PCs
• Aug. 21, 2024 - Microsoft, Linux, Dahua Flaws Exploited: CISA Warns

CVE-2024-6800

CVSS Not Assigned EPSS Score 0.04 EPSS Percentile 16.34

Risk Context N/A

Published: Aug. 20, 2024

An XML signature wrapping vulnerability was present in GitHub Enterprise Server (GHES) when using SAML authentication with specific identity providers utilizing publicly exposed signed federation metadata XML. This vulnerability allowed an attacker with direct network access to GitHub Enterprise Server to forge a SAML response to provision and/or gain access to a user with site administrator privileges. Exploitation of this vulnerability would allow unauthorized access to the instance without requiring prior authentication. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.14 and was fixed in versions 3.13.3, 3.12.8, 3.11.14, and 3.10.16. This vulnerability was reported via the GitHub Bug Bounty program.

Quotes

• On GitHub Enterprise Server instances that use SAML single sign-on (SSO) authentication with specific IdPs utilizing publicly exposed signed federation metadata XML, an attacker could forge a SAML response to provision and/or gain access to a user account with site administrator privileges. GitHub has requested CVE ID CVE-2024-6800 for this vulnerability, which was reported via the GitHub Bug Bounty program

Headlines

• Aug. 22, 2024 - Critical GitHub Enterprise Server auth bypass flaw fixed (CVE-2024-6800)
• Aug. 22, 2024 - GitHub fixed a new critical flaw in the GitHub Enterprise Server
• Aug. 22, 2024 - GitHub Patches Critical Security Flaw in Enterprise Server Granting Admin Privileges
• Aug. 21, 2024 - Patch this critical GitHub Enterprise Server bug now
• Aug. 21, 2024 - GitHub Enterprise Server vulnerable to critical auth bypass flaw
• Aug. 21, 2024 - CVE-2024-6800 (CVSS 9.5): Critical GitHub Enterprise Server Flaw Patched, Admin Access at Risk