VULNERA Pulse

Check Point — Quantum Security Gateways

CVE-2024-24919 / Added: May 30, 2024

HIGH CVSS 8.60 EPSS Score 1.85 EPSS Percentile 88.34

Check Point Quantum Security Gateways contain an unspecified information disclosure vulnerability. The vulnerability potentially allows an attacker to access information on Gateways connected to the internet, with IPSec VPN, Remote Access VPN or Mobile Access enabled. This issue affects several product lines from Check Point, including CloudGuard Network, Quantum Scalable Chassis, Quantum Security Gateways, and Quantum Spark Appliances.

Headlines

• May 31, 2024 - Check Point VPN zero-day exploited since beginning of April (CVE-2024-24919)
• May 30, 2024 - CISA adds Check Point Quantum Security Gateways and Linux Kernel flaws to its Known Exploited Vulnerabilities catalog
• May 30, 2024 - CISA Alerts Federal Agencies to Patch Actively Exploited Linux Kernel Flaw
• May 30, 2024 - CISA Warns of Actively Exploited Linux Kernel and Check Point Gateway Vulnerabilities
• May 30, 2024 - Technical Details Released for Check Point Remote Access VPN 0-Day Flaw
• May 29, 2024 - Check Point VPN zero-day exploited in attacks since April 30
• May 29, 2024 - Check Point released hotfix for actively exploited VPN zero-day
• May 29, 2024 - Check Point Warns of Zero-Day Attacks on its VPN Gateway Products
• May 29, 2024 - Check Point releases emergency fix for VPN zero-day exploited in attacks
• May 29, 2024 - CVE-2024-24919: Active Exploitation of Check Point Remote Access VPN Vulnerability

Back to top ↑

Linux — Kernel

CVE-2024-1086 / Added: May 30, 2024

HIGH CVSS 7.80 EPSS Score 0.26 EPSS Percentile 65.46

Linux kernel contains a use-after-free vulnerability in the netfilter: nf_tables component that allows an attacker to achieve local privilege escalation.

Headlines

• May 30, 2024 - CISA adds Check Point Quantum Security Gateways and Linux Kernel flaws to its Known Exploited Vulnerabilities catalog
• May 30, 2024 - CISA Alerts Federal Agencies to Patch Actively Exploited Linux Kernel Flaw
• May 30, 2024 - CISA Warns of Actively Exploited Linux Kernel and Check Point Gateway Vulnerabilities
• March 29, 2024 - Easy privilege escalation exploit lands for Linux kernels
• March 29, 2024 - Easy privilege escalation exploit lands for Linux kernels
• March 29, 2024 - New Linux Bug Could Lead to User Password Leaks and Clipboard Hijacking
• March 27, 2024 - CVE-2024-1086: Critical Linux Kernel Flaw Demands Immediate Patching, PoC Published!

Back to top ↑

Justice AV Solutions — Viewer

CVE-2024-4978 / Added: May 29, 2024

HIGH CVSS 8.40 EPSS Score 0.23 EPSS Percentile 61.53

Justice AV Solutions (JAVS) Viewer installer contains a malicious version of ffmpeg.exe, named fffmpeg.exe (SHA256: 421a4ad2615941b177b6ec4ab5e239c14e62af2ab07c6df1741e2a62223223c4). When run, this creates a backdoor connection to a malicious C2 server.

Headlines

• May 26, 2024 - newsletter Round 473 by Pierluigi Paganini – INTERNATIONAL EDITION
• May 24, 2024 - Mystery criminals backdoor courtroom recording software
• May 24, 2024 - Courtroom Software Backdoored to Deliver RustDoor Malware in Supply Chain Attack
• May 23, 2024 - JAVS courtroom recording software backdoored in supply chain attack
• May 23, 2024 - CVE-2024-4978: Backdoor Discovered in Justice AV Solutions Courtroom Software

Back to top ↑

Google — Chromium V8

CVE-2024-5274 / Added: May 28, 2024

HIGH CVSS 8.80 EPSS Score 1.37 EPSS Percentile 86.26

Google Chromium V8 contains a type confusion vulnerability that allows a remote attacker to execute code via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera.

Headlines

• May 29, 2024 - CISA Warns: Actively Exploited Chrome Zero-Day Joins 'Must-Patch' List
• May 27, 2024 - Major drug companies caught up in Cencora data loss
• May 26, 2024 - Week in review: Google fixes yet another Chrome zero-day exploit, YouTube as a cybercrime channel
• May 24, 2024 - Google Discovers Fourth Zero-Day in Less Than a Month
• May 24, 2024 - Google fixes eighth actively exploited Chrome zero-day this year
• May 24, 2024 - Google Detects 4th Chrome Zero-Day in May Actively Under Attack - Update ASAP
• May 24, 2024 - Google fixes eighth actively exploited Chrome zero-day this year
• May 24, 2024 - Google fixes yet another Chrome zero-day exploited in the wild (CVE-2024-5274)
• May 24, 2024 - CVE-2024-5274: Google Patches Zero-Day Vulnerability Actively Exploited in the Wild

Back to top ↑

CVE-2024-23108

CRITICAL CVSS 9.80 EPSS Score 0.08 EPSS Percentile 33.17

Public Exploits Available

Published: Feb. 5, 2024

An improper neutralization of special elements used in an os command ('os command injection') in Fortinet FortiSIEM version 7.1.0 through 7.1.1 and 7.0.0 through 7.0.2 and 6.7.0 through 6.7.8 and 6.6.0 through 6.6.3 and 6.5.0 through 6.5.2 and 6.4.0 through 6.4.2 allows attacker to execute unauthorized code or commands via via crafted API requests.

Vendor Impacted: Fortinet

Product Impacted: Fortisiem

Quotes

• Blindly execute commands as root on vulnerable FortiSIEM appliances
• There is very little difference in the exploitation of the previous command injection, CVE-2023-34992, to this one, CVE-2024-23108, reported 6 months later
• Multiple improper neutralization of special elements used in an OS Command vulnerability [CWE-78] in FortiSIEM supervisor may allow a remote unauthenticated attacker to execute unauthorized commands via crafted API requests

Headlines

• May 29, 2024 - Multiple Vulnerabilities in Fortinet FortiSIEM Could Allow for Remote Code Execution
• May 29, 2024 - Exploit for Fortinet Critical RCE Bug Allows SIEM Root Access
• May 29, 2024 - PoC exploits for critical FortiSIEM command execution flaws released (CVE-2024-23108, CVE-2023-34992)
• May 28, 2024 - Experts released PoC exploit code for RCE in Fortinet SIEM
• May 28, 2024 - Exploit released for maximum severity Fortinet RCE bug, patch now

CVE-2024-23109

CRITICAL CVSS 9.80 EPSS Score 0.07 EPSS Percentile 29.38

Risk Context N/A

Published: Feb. 5, 2024

An improper neutralization of special elements used in an os command ('os command injection') in Fortinet FortiSIEM version 7.1.0 through 7.1.1 and 7.0.0 through 7.0.2 and 6.7.0 through 6.7.8 and 6.6.0 through 6.6.3 and 6.5.0 through 6.5.2 and 6.4.0 through 6.4.2 allows attacker to execute unauthorized code or commands via via crafted API requests.

Vendor Impacted: Fortinet

Product Impacted: Fortisiem

Quotes

• Blindly execute commands as root on vulnerable FortiSIEM appliances
• Multiple improper neutralization of special elements used in an OS Command vulnerability [CWE-78] in FortiSIEM supervisor may allow a remote unauthenticated attacker to execute unauthorized commands via crafted API requests

Headlines

• May 29, 2024 - Exploit for Fortinet Critical RCE Bug Allows SIEM Root Access
• May 29, 2024 - PoC exploits for critical FortiSIEM command execution flaws released (CVE-2024-23108, CVE-2023-34992)
• May 28, 2024 - Experts released PoC exploit code for RCE in Fortinet SIEM
• May 28, 2024 - Exploit released for maximum severity Fortinet RCE bug, patch now

CVE-2023-34992

CRITICAL CVSS 9.80 EPSS Score 0.08 EPSS Percentile 33.17

Remote Code Execution Public Exploits Available

Published: Oct. 10, 2023

A improper neutralization of special elements used in an os command ('os command injection') in Fortinet FortiSIEM version 7.0.0 and 6.7.0 through 6.7.5 and 6.6.0 through 6.6.3 and 6.5.0 through 6.5.1 and 6.4.0 through 6.4.2 allows attacker to execute unauthorized code or commands via crafted API requests.

Vendor Impacted: Fortinet

Product Impacted: Fortisiem

Quotes

• There is very little difference in the exploitation of the previous command injection, CVE-2023-34992, to this one, CVE-2024-23108, reported 6 months later
• Multiple improper neutralization of special elements used in an OS Command vulnerability [CWE-78] in FortiSIEM supervisor may allow a remote unauthenticated attacker to execute unauthorized commands via crafted API requests

Headlines

• May 29, 2024 - Multiple Vulnerabilities in Fortinet FortiSIEM Could Allow for Remote Code Execution
• May 29, 2024 - PoC exploits for critical FortiSIEM command execution flaws released (CVE-2024-23108, CVE-2023-34992)
• May 28, 2024 - Exploit released for maximum severity Fortinet RCE bug, patch now

CVE-2024-23601

CRITICAL CVSS 9.80 EPSS Score 0.09 EPSS Percentile 38.93

Risk Context N/A

Published: May 28, 2024

A code injection vulnerability exists in the scan_lib.bin functionality of AutomationDirect P3-550E 1.2.10.9. A specially crafted scan_lib.bin can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.

Quotes

• Where did I store that document again

Headlines

• May 30, 2024 - Attackers are impersonating a road toll payment processor across the U.S. in phishing attacks
• May 29, 2024 - Out-of-bounds reads in Adobe Acrobat; Foxit PDF Reader contains vulnerability that could lead to SYSTEM-level privileges

CVE-2024-21785

CRITICAL CVSS 9.80 EPSS Score 0.09 EPSS Percentile 38.93

Risk Context N/A

Published: May 28, 2024

A leftover debug code vulnerability exists in the Telnet Diagnostic Interface functionality of AutomationDirect P3-550E 1.2.10.9. A specially crafted series of network requests can lead to unauthorized access. An attacker can send a sequence of requests to trigger this vulnerability.

Quotes

• Where did I store that document again

Headlines

• May 30, 2024 - Attackers are impersonating a road toll payment processor across the U.S. in phishing attacks
• May 29, 2024 - Out-of-bounds reads in Adobe Acrobat; Foxit PDF Reader contains vulnerability that could lead to SYSTEM-level privileges

CVE-2024-5274

HIGH CVSS 8.80 EPSS Score 1.37 EPSS Percentile 86.26

CISA Known Exploited Actively Exploited Remote Code Execution

Published: May 28, 2024

Type Confusion in V8 in Google Chrome prior to 125.0.6422.112 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

Vendor Impacted: Google

Products Impacted: Chromium V8, Chrome

Quotes

• We are aware of reports that an exploit for CVE-2024-5274 exists in the wild
• Based on our investigation, personal information was affected, including potentially your first name, last name, address, date of birth, health diagnosis, and/or medications and prescriptions

Headlines

• May 29, 2024 - CISA Warns: Actively Exploited Chrome Zero-Day Joins 'Must-Patch' List
• May 27, 2024 - Major drug companies caught up in Cencora data loss
• May 26, 2024 - Week in review: Google fixes yet another Chrome zero-day exploit, YouTube as a cybercrime channel

CVE-2024-24919

HIGH CVSS 8.60 EPSS Score 1.85 EPSS Percentile 88.34

CISA Known Exploited Actively Exploited Remote Code Execution Public Exploits Available

Published: May 28, 2024

Potentially allowing an attacker to read certain information on Check Point Security Gateways once connected to the internet and enabled with remote Access VPN or Mobile Access Software Blades. A Security fix that mitigates this vulnerability is available.

Vendors Impacted: Check Point, Checkpoint

Products Impacted: Quantum Spark Firmware, Cloudguard Network Security, Quantum Security Gateway Firmware, Quantum Security Gateway, Quantum Security Gateways, Quantum Spark

Quotes

• Suspected path traversal attack from
• The vulnerability is particularly critical because it does not require any user interaction or privileges, making it easy to exploit remotely
• Linux kernel contains a use-after-free vulnerability in the netfilter: nf_tables component that allows an attacker to achieve local privilege escalation
• The vulnerability potentially allows an attacker to read certain information on Internet-connected Gateways with remote access VPN or mobile access enabled
• We have recently witnessed compromised VPN solutions, including various cyber security vendors. In light of these events, we have been monitoring attempts to gain unauthorized access to VPNs of Check Point’s customers. By May 24, 2024 we identified a small number of login attempts using old VPN local-accounts relying on unrecommended password-only authentication method

Headlines

• May 31, 2024 - Check Point VPN zero-day exploited since beginning of April (CVE-2024-24919)
• May 30, 2024 - CISA adds Check Point Quantum Security Gateways and Linux Kernel flaws to its Known Exploited Vulnerabilities catalog
• May 30, 2024 - CISA Alerts Federal Agencies to Patch Actively Exploited Linux Kernel Flaw
• May 30, 2024 - CISA Warns of Actively Exploited Linux Kernel and Check Point Gateway Vulnerabilities
• May 30, 2024 - Technical Details Released for Check Point Remote Access VPN 0-Day Flaw
• May 29, 2024 - Check Point VPN zero-day exploited in attacks since April 30
• May 29, 2024 - Check Point released hotfix for actively exploited VPN zero-day
• May 29, 2024 - Check Point Warns of Zero-Day Attacks on its VPN Gateway Products
• May 29, 2024 - Check Point releases emergency fix for VPN zero-day exploited in attacks
• May 29, 2024 - CVE-2024-24919: Active Exploitation of Check Point Remote Access VPN Vulnerability

CVE-2024-1086

HIGH CVSS 7.80 EPSS Score 0.26 EPSS Percentile 65.46

CISA Known Exploited Actively Exploited Remote Code Execution Public Exploits Available

Published: Jan. 31, 2024

A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation. The nft_verdict_init() function allows positive values as drop error within the hook verdict, and hence the nf_hook_slow() function can cause a double free vulnerability when NF_DROP is issued with a drop error which resembles NF_ACCEPT. We recommend upgrading past commit f342de4e2f33e0e39165d8639387aa6c19dff660.

Vendor Impacted: Linux

Products Impacted: Kernel, Linux Kernel

Quotes

• Linux kernel contains a use-after-free vulnerability in the netfilter: nf_tables component that allows an attacker to achieve local privilege escalation

Headlines

• May 30, 2024 - CISA adds Check Point Quantum Security Gateways and Linux Kernel flaws to its Known Exploited Vulnerabilities catalog
• May 30, 2024 - CISA Alerts Federal Agencies to Patch Actively Exploited Linux Kernel Flaw
• May 30, 2024 - CISA Warns of Actively Exploited Linux Kernel and Check Point Gateway Vulnerabilities

CVE-2023-38831

HIGH CVSS 7.80 EPSS Score 33.85 EPSS Percentile 97.08

CISA Known Exploited Actively Exploited Remote Code Execution Public Exploits Available

Published: Aug. 23, 2023

RARLAB WinRAR before 6.23 allows attackers to execute arbitrary code when a user attempts to view a benign file within a ZIP archive. The issue occurs because a ZIP archive may include a benign file (such as an ordinary .JPG file) and also a folder that has the same name as the benign file, and the contents of the folder (which may include executable content) are processed during an attempt to access only the benign file. This was exploited in the wild in April through October 2023.

Vendor Impacted: Rarlab

Product Impacted: Winrar

Quotes

• The FlyingYeti campaign capitalized on anxiety over the potential loss of access to housing and utilities by enticing targets to open malicious files via debt-themed lures
• FlyingYeti sought to capitalize on that pressure, leveraging debt restructuring and payment-related lures in an attempt to increase their chances of successfully targeting Ukrainian individuals

Headlines

• May 31, 2024 - FlyingYeti APT Serves Up Cookbox Malware Using WinRAR
• May 30, 2024 - FlyingYeti Exploits WinRAR Vulnerability to Deliver COOKBOX Malware in Ukraine
• May 29, 2024 - The most dangerous CVEs of 2023 and 2024: fix these today

CVE-2024-5035

CVSS Not Assigned EPSS Score 0.04 EPSS Percentile 8.74

Actively Exploited Remote Code Execution

Published: May 27, 2024

The affected device expose a network service called "rftest" that is vulnerable to unauthenticated command injection on ports TCP/8888, TCP/8889, and TCP/8890. By successfully exploiting this flaw, remote unauthenticated attacker can gain arbitrary command execution on the device with elevated privileges.This issue affects Archer C4500X: through 1_1.1.6.

Quotes

• By successfully exploiting this flaw, remote unauthenticated attacker can gain arbitrary command execution on the device with elevated privileges

Headlines

• May 28, 2024 - TP-Link Archer C5400X gaming router is affected by a critical flaw
• May 28, 2024 - TP-Link Gaming Router Vulnerability Exposes Users to Remote Code Attacks
• May 28, 2024 - CVE-2024-5035 (CVSS 10) in TP-Link Archer C5400X Routers Exposes Users to Remote Hacking
• May 27, 2024 - TP-Link fixes critical RCE bug in popular C5400X gaming router