VULNERA Pulse

Fortinet — Multiple Products

CVE-2024-23113 / Added: Oct. 9, 2024

CRITICAL CVSS 9.80 EPSS Score 0.80 EPSS Percentile 82.00

Fortinet FortiOS, FortiPAM, FortiProxy, and FortiWeb contain a format string vulnerability that allows a remote, unauthenticated attacker to execute arbitrary code or commands via specially crafted requests.

Headlines

• Oct. 10, 2024 - CISA demands govt patches exploited Fortinet, Ivanti bugs
• Oct. 10, 2024 - U.S. CISA adds Ivanti CSA and Fortinet bugs to its Known Exploited Vulnerabilities catalog
• Oct. 10, 2024 - CISA Warns of Critical Fortinet Flaw as Palo Alto and Cisco Issue Urgent Security Patches
• Oct. 9, 2024 - CISA says critical Fortinet RCE flaw now exploited in attacks
• Oct. 9, 2024 - CISA Adds Three Actively Exploited Security Vulnerabilities to KEV Catalog, Urges Urgent Patching
• March 14, 2024 - Siemens RUGGEDCOM APE1808 | CISA
• Feb. 12, 2024 - Fortinet, Ivanti Keep Customers Busy With Yet More Critical Bugs
• Feb. 9, 2024 - Critical Alert: FortiOS Vulnerable to Remote Code Execution (CVE-2024-23113)
• Feb. 9, 2024 - A look at Fortinet's week to forget
• Feb. 9, 2024 - Fortinet Warns of New FortiOS Zero-Day
• Feb. 9, 2024 - Fortinet warns of a new actively exploited RCE flaw in FortiOS SSL VPN
• Feb. 8, 2024 - New Fortinet RCE flaw in SSL VPN likely exploited in attacks

Back to top ↑

Ivanti — Cloud Services Appliance (CSA)

CVE-2024-9380 / Added: Oct. 9, 2024

HIGH CVSS 7.20 EPSS Score 1.18 EPSS Percentile 85.40

Ivanti Cloud Services Appliance (CSA) contains an OS command injection vulnerability in the administrative console which can allow an authenticated attacker with application admin privileges to pass commands to the underlying OS.

Headlines

• Oct. 10, 2024 - CISA demands govt patches exploited Fortinet, Ivanti bugs
• Oct. 10, 2024 - U.S. CISA adds Ivanti CSA and Fortinet bugs to its Known Exploited Vulnerabilities catalog
• Oct. 9, 2024 - 3 More Ivanti Cloud Vulns Exploited in the Wild
• Oct. 9, 2024 - CISA Adds Three Actively Exploited Security Vulnerabilities to KEV Catalog, Urges Urgent Patching
• Oct. 9, 2024 - Ivanti: Three CSA Zero-Days Are Being Exploited in Attacks
• Oct. 9, 2024 - Multiple Vulnerabilities in Ivanti Products Could Allow for Remote Code Execution
• Oct. 8, 2024 - Three new Ivanti CSA zero-day actively exploited in attacks
• Oct. 8, 2024 - Ivanti fixes three CSA zero-days exploited in the wild (CVE-2024-9379, CVE-2024-9380, CVE-2024-9381)
• Oct. 8, 2024 - Zero-Day Alert: Three Critical Ivanti CSA Vulnerabilities Actively Exploited
• Oct. 8, 2024 - Ivanti warns of three more CSA zero-days exploited in attacks
• Oct. 8, 2024 - Ivanti Patches CSA Appliance Against Vulnerabilities, Including Actively Exploited Flaws

Back to top ↑

Ivanti — Cloud Services Appliance (CSA)

CVE-2024-9379 / Added: Oct. 9, 2024

HIGH CVSS 7.20 EPSS Score 1.30 EPSS Percentile 86.17

Ivanti Cloud Services Appliance (CSA) contains a SQL injection vulnerability in the admin web console in versions prior to 5.0.2, which can allow a remote attacker authenticated as administrator to run arbitrary SQL statements.

Headlines

• Oct. 10, 2024 - CISA demands govt patches exploited Fortinet, Ivanti bugs
• Oct. 10, 2024 - U.S. CISA adds Ivanti CSA and Fortinet bugs to its Known Exploited Vulnerabilities catalog
• Oct. 9, 2024 - 3 More Ivanti Cloud Vulns Exploited in the Wild
• Oct. 9, 2024 - CISA Adds Three Actively Exploited Security Vulnerabilities to KEV Catalog, Urges Urgent Patching
• Oct. 9, 2024 - Ivanti: Three CSA Zero-Days Are Being Exploited in Attacks
• Oct. 9, 2024 - Multiple Vulnerabilities in Ivanti Products Could Allow for Remote Code Execution
• Oct. 8, 2024 - Three new Ivanti CSA zero-day actively exploited in attacks
• Oct. 8, 2024 - Ivanti fixes three CSA zero-days exploited in the wild (CVE-2024-9379, CVE-2024-9380, CVE-2024-9381)
• Oct. 8, 2024 - Zero-Day Alert: Three Critical Ivanti CSA Vulnerabilities Actively Exploited
• Oct. 8, 2024 - Ivanti warns of three more CSA zero-days exploited in attacks
• Oct. 8, 2024 - Ivanti Patches CSA Appliance Against Vulnerabilities, Including Actively Exploited Flaws

Back to top ↑

Microsoft — Windows

CVE-2024-43573 / Added: Oct. 8, 2024

HIGH CVSS 8.10 EPSS Score 0.63 EPSS Percentile 79.36

Microsoft Windows MSHTML Platform contains an unspecified spoofing vulnerability which can lead to a loss of confidentiality.

Headlines

• Oct. 10, 2024 - What NIST’s latest password standards mean, and why the old ones weren’t working
• Oct. 9, 2024 - Microsoft Fixes Five Zero-Days in October Patch Tuesday
• Oct. 9, 2024 - Microsoft Issues Security Update Fixing 118 Flaws, Two Actively Exploited in the Wild
• Oct. 9, 2024 - October Patch Tuesday harvest hauls in 117 CVEs
• Oct. 9, 2024 - Microsoft's October 2024 Patch Tuesday: Zero-Day Exploits and Critical Vulnerabilities Patched
• Oct. 8, 2024 - Microsoft issues 117 patches – two under active attack
• Oct. 8, 2024 - Patch Tuesday, October 2024 Edition –
• Oct. 8, 2024 - 5 CVEs in Microsoft's October Update to Patch Immediately
• Oct. 8, 2024 - Critical Patches Issued for Microsoft Products, October 8, 2024
• Oct. 8, 2024 - Microsoft patches two zero-days exploited in the wild (CVE-2024-43573, CVE-2024-43572)
• Oct. 8, 2024 - Largest Patch Tuesday since July includes two exploited in the wild, three critical vulnerabilities
• Oct. 8, 2024 - Microsoft October 2024 Patch Tuesday fixes 5 zero-days, 118 flaws

Back to top ↑

Microsoft — Windows

CVE-2024-43572 / Added: Oct. 8, 2024

HIGH CVSS 7.80 EPSS Score 0.21 EPSS Percentile 59.71

Microsoft Windows Management Console contains unspecified vulnerability that allows for remote code execution.

Headlines

• Oct. 10, 2024 - What NIST’s latest password standards mean, and why the old ones weren’t working
• Oct. 9, 2024 - Microsoft Fixes Five Zero-Days in October Patch Tuesday
• Oct. 9, 2024 - Microsoft Issues Security Update Fixing 118 Flaws, Two Actively Exploited in the Wild
• Oct. 9, 2024 - Microsoft's October 2024 Patch Tuesday: Zero-Day Exploits and Critical Vulnerabilities Patched
• Oct. 8, 2024 - Microsoft issues 117 patches – two under active attack
• Oct. 8, 2024 - Patch Tuesday, October 2024 Edition –
• Oct. 8, 2024 - 5 CVEs in Microsoft's October Update to Patch Immediately
• Oct. 8, 2024 - Critical Patches Issued for Microsoft Products, October 8, 2024
• Oct. 8, 2024 - Microsoft patches two zero-days exploited in the wild (CVE-2024-43573, CVE-2024-43572)
• Oct. 8, 2024 - Largest Patch Tuesday since July includes two exploited in the wild, three critical vulnerabilities
• Oct. 8, 2024 - Microsoft October 2024 Patch Tuesday fixes 5 zero-days, 118 flaws

Back to top ↑

Qualcomm — Multiple Chipsets

CVE-2024-43047 / Added: Oct. 8, 2024

HIGH CVSS 7.80 EPSS Score 0.11 EPSS Percentile 45.59

Multiple Qualcomm chipsets contain a use-after-free vulnerability due to memory corruption in DSP Services while maintaining memory maps of HLOS memory.

Headlines

• Oct. 9, 2024 - U.S. CISA adds Windows and Qualcomm bugs to its Known Exploited Vulnerabilities catalog
• Oct. 8, 2024 - Qualcomm urges OEMs to patch after 'targeted' exploitation
• Oct. 8, 2024 - Qualcomm fixed a zero-day exploited limited, targeted attacks
• Oct. 8, 2024 - Qualcomm zero-day under targeted exploitation (CVE-2024-43047)
• Oct. 8, 2024 - Qualcomm Urges OEMs to Patch Critical DSP and WLAN Flaws Amid Active Exploits
• Oct. 7, 2024 - Qualcomm patches high-severity zero-day exploited in attacks
• Oct. 7, 2024 - Qualcomm Patched Multi Flaws, Including 0-day CVE-2024-43047 & RCE (CVE-2024-33066, CVSS 9.8)

Back to top ↑

CVE-2024-9680

CRITICAL CVSS 9.80 EPSS Score 0.04 EPSS Percentile 9.69

Actively Exploited Remote Code Execution

Published: Oct. 9, 2024

An attacker was able to achieve code execution in the content process by exploiting a use-after-free in Animation timelines. We have had reports of this vulnerability being exploited in the wild. This vulnerability affects Firefox < 131.0.2, Firefox ESR < 128.3.1, and Firefox ESR < 115.16.1.

Quotes

• An attacker was able to achieve code execution in the content process by exploiting a use-after-free in Animation timelines

Headlines

• Oct. 10, 2024 - A Vulnerability in Mozilla Firefox Could Allow for Arbitrary Code Execution
• Oct. 10, 2024 - Actively exploited Firefox zero-day fixed, update ASAP! (CVE-2024-9680)
• Oct. 10, 2024 - Mozilla releases patches for actively exploited Firefox bug
• Oct. 10, 2024 - Mozilla issued an urgent Firefox update to fix actively exploited flaw
• Oct. 10, 2024 - Firefox Zero-Day Under Attack: Update Your Browser Immediately
• Oct. 9, 2024 - Mozilla fixes Firefox zero-day actively exploited in attacks
• Oct. 9, 2024 - Firefox Zero-Day Vulnerability: Urgent Update Needed to Patch CVE-2024-9680

CVE-2024-43468

CRITICAL CVSS 9.80 EPSS Score 0.09 EPSS Percentile 39.75

Remote Code Execution

Published: Oct. 8, 2024

Microsoft Configuration Manager Remote Code Execution Vulnerability

Quotes

• There's no word from Microsoft on whether it's [Void Banshee], but considering there is no acknowledgment here, it makes me think the original patch was insufficient
• There’s no word from Microsoft on whether it’s the same group, but considering there is no acknowledgment here, it makes me think the original patch was insufficient

Headlines

• Oct. 9, 2024 - Microsoft Issues Security Update Fixing 118 Flaws, Two Actively Exploited in the Wild
• Oct. 9, 2024 - October Patch Tuesday harvest hauls in 117 CVEs
• Oct. 8, 2024 - Microsoft issues 117 patches – two under active attack
• Oct. 8, 2024 - 5 CVEs in Microsoft's October Update to Patch Immediately
• Oct. 8, 2024 - Microsoft patches two zero-days exploited in the wild (CVE-2024-43573, CVE-2024-43572)
• Oct. 8, 2024 - Largest Patch Tuesday since July includes two exploited in the wild, three critical vulnerabilities

CVE-2024-8963

CRITICAL CVSS 9.10 EPSS Score 30.99 EPSS Percentile 97.04

CISA Known Exploited

Published: Sept. 19, 2024

Path Traversal in the Ivanti CSA before 4.6 Patch 519 allows a remote unauthenticated attacker to access restricted functionality.

Vendor Impacted: Ivanti

Products Impacted: Endpoint Manager Cloud Services Appliance, Cloud Services Appliance (Csa)

Quotes

• We are aware of the exploitation of a limited number of customers on CSA 4.6
• Ivanti recommends reviewing the CSA for modified or newly added administrative users
• We are aware of a limited number of customers running CSA 4.6 patch 518 and prior who have been exploited when CVE-2024-9379, CVE-2024-9380 or CVE-2024-9381 are chained with CVE-2024-8963
• Please also note that a local-in policy that only allows fgfm connections from a specific IP will reduce the attack surface but it won't prevent the vulnerability from being exploited from this IP
• A use of externally-controlled format string vulnerability [CWE-134] in FortiOS fgfmd daemon may allow a remote unauthentified attacker to execute arbitrary code or commands via specially crafted requests
• Please note, CSA 4.6 is end-of-life and the last security fix for this version was released on September 10. Additionally, it is important for customers to know that we have not observed exploitation of these vulnerabilities in any version of CSA 5.0

Headlines

• Oct. 10, 2024 - CISA demands govt patches exploited Fortinet, Ivanti bugs
• Oct. 10, 2024 - U.S. CISA adds Ivanti CSA and Fortinet bugs to its Known Exploited Vulnerabilities catalog
• Oct. 9, 2024 - 3 More Ivanti Cloud Vulns Exploited in the Wild
• Oct. 9, 2024 - CISA Adds Three Actively Exploited Security Vulnerabilities to KEV Catalog, Urges Urgent Patching
• Oct. 9, 2024 - Ivanti: Three CSA Zero-Days Are Being Exploited in Attacks
• Oct. 9, 2024 - Multiple Vulnerabilities in Ivanti Products Could Allow for Remote Code Execution
• Oct. 8, 2024 - Three new Ivanti CSA zero-day actively exploited in attacks
• Oct. 8, 2024 - Ivanti fixes three CSA zero-days exploited in the wild (CVE-2024-9379, CVE-2024-9380, CVE-2024-9381)
• Oct. 8, 2024 - Zero-Day Alert: Three Critical Ivanti CSA Vulnerabilities Actively Exploited
• Oct. 8, 2024 - Ivanti warns of three more CSA zero-days exploited in attacks
• Oct. 8, 2024 - Ivanti Patches CSA Appliance Against Vulnerabilities, Including Actively Exploited Flaws

CVE-2024-43573

HIGH CVSS 8.10 EPSS Score 0.63 EPSS Percentile 79.36

CISA Known Exploited

Published: Oct. 8, 2024

Windows MSHTML Platform Spoofing Vulnerability

Vendor Impacted: Microsoft

Products Impacted: Windows 10 22h2, Windows 11 23h2, Windows Server 2012 R2, Windows 11 22h2, Windows Server 2019, Windows Server 2016, Windows 11 22h3, Windows 11 24h2, Windows Server 2022, Windows, Windows 10 1809, Windows 10 1507, Windows 10 21h2, Windows Server 23h2, Windows 10 1607

Quotes

• There's no word from Microsoft on whether it's [Void Banshee], but considering there is no acknowledgment here, it makes me think the original patch was insufficient
• There’s no word from Microsoft on whether it’s the same group, but considering there is no acknowledgment here, it makes me think the original patch was insufficient
• The Russian government ran this scheme to steal Americans' sensitive information, using seemingly legitimate email accounts to trick victims into revealing account credentials
• Once a user is deceived into interacting with this content (typically through phishing attacks), the attacker can potentially gain unauthorized access to sensitive information or manipulate web-based services
• While Microsoft has announced retirement of the Internet Explorer 11 application on certain platforms and the Microsoft Edge Legacy application is deprecated, the underlying MSHTML, EdgeHTML, and scripting platforms are still supported

Headlines

• Oct. 10, 2024 - What NIST’s latest password standards mean, and why the old ones weren’t working
• Oct. 9, 2024 - Microsoft Fixes Five Zero-Days in October Patch Tuesday
• Oct. 9, 2024 - Microsoft Issues Security Update Fixing 118 Flaws, Two Actively Exploited in the Wild
• Oct. 9, 2024 - October Patch Tuesday harvest hauls in 117 CVEs
• Oct. 9, 2024 - Microsoft's October 2024 Patch Tuesday: Zero-Day Exploits and Critical Vulnerabilities Patched
• Oct. 8, 2024 - Microsoft issues 117 patches – two under active attack
• Oct. 8, 2024 - Patch Tuesday, October 2024 Edition –
• Oct. 8, 2024 - 5 CVEs in Microsoft's October Update to Patch Immediately
• Oct. 8, 2024 - Critical Patches Issued for Microsoft Products, October 8, 2024
• Oct. 8, 2024 - Microsoft patches two zero-days exploited in the wild (CVE-2024-43573, CVE-2024-43572)
• Oct. 8, 2024 - Largest Patch Tuesday since July includes two exploited in the wild, three critical vulnerabilities
• Oct. 8, 2024 - Microsoft October 2024 Patch Tuesday fixes 5 zero-days, 118 flaws

CVE-2024-43572

HIGH CVSS 7.80 EPSS Score 0.21 EPSS Percentile 59.71

CISA Known Exploited Remote Code Execution

Published: Oct. 8, 2024

Microsoft Management Console Remote Code Execution Vulnerability

Vendor Impacted: Microsoft

Products Impacted: Windows 10 22h2, Windows 11 23h2, Windows Server 2012 R2, Windows Server 2008 Sp2, Windows 11 22h2, Windows Server 2019, Windows Server 2016, Windows 11 22h3, Windows 11 24h2, Windows Server 2022, Windows, Windows 10 1809, Windows 10 1507, Windows Server 2012, Windows 10 21h2, Windows Server 23h2, Windows 10 1607, Windows 11 21h2

Quotes

• Since the discovery of CVE-2024-43572, Microsoft now prevents untrusted MSC files from being opened on a system
• Given the widespread use of Windows-based systems in corporate and government settings, CVE-2024-43572 poses a considerable risk
• There's no word from Microsoft on whether it's [Void Banshee], but considering there is no acknowledgment here, it makes me think the original patch was insufficient
• There’s no word from Microsoft on whether it’s the same group, but considering there is no acknowledgment here, it makes me think the original patch was insufficient
• The Russian government ran this scheme to steal Americans' sensitive information, using seemingly legitimate email accounts to trick victims into revealing account credentials
• Once a user is deceived into interacting with this content (typically through phishing attacks), the attacker can potentially gain unauthorized access to sensitive information or manipulate web-based services
• While Microsoft has announced retirement of the Internet Explorer 11 application on certain platforms and the Microsoft Edge Legacy application is deprecated, the underlying MSHTML, EdgeHTML, and scripting platforms are still supported

Headlines

• Oct. 10, 2024 - What NIST’s latest password standards mean, and why the old ones weren’t working
• Oct. 9, 2024 - Microsoft Fixes Five Zero-Days in October Patch Tuesday
• Oct. 9, 2024 - Microsoft Issues Security Update Fixing 118 Flaws, Two Actively Exploited in the Wild
• Oct. 9, 2024 - Microsoft's October 2024 Patch Tuesday: Zero-Day Exploits and Critical Vulnerabilities Patched
• Oct. 8, 2024 - Microsoft issues 117 patches – two under active attack
• Oct. 8, 2024 - Patch Tuesday, October 2024 Edition –
• Oct. 8, 2024 - 5 CVEs in Microsoft's October Update to Patch Immediately
• Oct. 8, 2024 - Critical Patches Issued for Microsoft Products, October 8, 2024
• Oct. 8, 2024 - Microsoft patches two zero-days exploited in the wild (CVE-2024-43573, CVE-2024-43572)
• Oct. 8, 2024 - Largest Patch Tuesday since July includes two exploited in the wild, three critical vulnerabilities
• Oct. 8, 2024 - Microsoft October 2024 Patch Tuesday fixes 5 zero-days, 118 flaws

CVE-2024-43047

HIGH CVSS 7.80 EPSS Score 0.11 EPSS Percentile 45.59

CISA Known Exploited Actively Exploited Remote Code Execution

Published: Oct. 7, 2024

Memory corruption while maintaining memory maps of HLOS memory.

Vendor Impacted: Qualcomm

Products Impacted: Qcs410, Snapdragon Auto 5g Modem-Rf, Sg4150p, Sa8155p, Qcs6490, Wcd9335, Wsa8830 Firmware, Sd660 Firmware, Snapdragon 660 Mobile, Sa8195p Firmware, Snapdragon 680 4g Mobile Firmware, Sw5100, Wsa8810 Firmware, Qca6584au Firmware, Multiple Chipsets , Qcs6490 Firmware, Wcd9385, Sa6155p Firmware, Wsa8815 Firmware, Qca6436, Snapdragon 865\+ 5g Mobile Firmware, Snapdragon 8 Gen 1 Mobile Firmware, Sa4150p Firmware, Sd865 5g Firmware, Qca6574au, Snapdragon 685 4g Mobile Firmware, Fastconnect 7800 Firmware, Qca6698aq, Qca6595au, Qca6595 Firmware, Qca6688aq Firmware, Sa4155p Firmware, Qcs610, Snapdragon 865\+ 5g Mobile, Sa8295p Firmware, Wcn3988, Snapdragon Auto 5g Modem-Rf Gen 2, Sxr2130 Firmware, Wcd9375 Firmware, Sw5100p Firmware, Snapdragon 660 Mobile Firmware, Qca6426 Firmware, Snapdragon 870 5g Mobile, Snapdragon 8 Gen 1 Mobile, Sw5100p, Sa8295p, Video Collaboration Vc1 Firmware, Wcd9370 Firmware, Qca6595au Firmware, Snapdragon X55 5g Modem-Rf, Sa8150p, Qca6391, Sa8195p, Qca6595, Sa6150p Firmware, Snapdragon...

Quotes

• Memory corruption while maintaining memory maps of HLOS memory
• Memory corruption while maintaining memory maps of [high level operating system (HLOS)] memory
• Currently, the DSP updates header buffers with unused DMA handle fds. In the put_args section, if any DMA handle FDs are present in the header buffer, the corresponding map is freed
• There are indications from Google Threat Analysis Group that CVE-2024-43047 may be under limited, targeted exploitation. Patches for the issue affecting FASTRPC driver have been made available to OEMs together with a strong recommendation to deploy the update on affected devices as soon as possible

Headlines

• Oct. 9, 2024 - U.S. CISA adds Windows and Qualcomm bugs to its Known Exploited Vulnerabilities catalog
• Oct. 8, 2024 - Qualcomm urges OEMs to patch after 'targeted' exploitation
• Oct. 8, 2024 - Qualcomm fixed a zero-day exploited limited, targeted attacks
• Oct. 8, 2024 - Qualcomm zero-day under targeted exploitation (CVE-2024-43047)
• Oct. 8, 2024 - Qualcomm Urges OEMs to Patch Critical DSP and WLAN Flaws Amid Active Exploits
• Oct. 7, 2024 - Qualcomm patches high-severity zero-day exploited in attacks
• Oct. 7, 2024 - Qualcomm Patched Multi Flaws, Including 0-day CVE-2024-43047 & RCE (CVE-2024-33066, CVSS 9.8)

CVE-2024-9380

HIGH CVSS 7.20 EPSS Score 1.18 EPSS Percentile 85.40

CISA Known Exploited Remote Code Execution Public Exploits Available

Published: Oct. 8, 2024

An OS command injection vulnerability in the admin web console of Ivanti CSA before version 5.0.2 allows a remote authenticated attacker with admin privileges to obtain remote code execution.

Vendor Impacted: Ivanti

Products Impacted: Endpoint Manager Cloud Services Appliance, Cloud Services Appliance (Csa)

Quotes

• We are aware of the exploitation of a limited number of customers on CSA 4.6
• Ivanti recommends reviewing the CSA for modified or newly added administrative users
• We are aware of a limited number of customers running CSA 4.6 patch 518 and prior who have been exploited when CVE-2024-9379, CVE-2024-9380 or CVE-2024-9381 are chained with CVE-2024-8963
• Please also note that a local-in policy that only allows fgfm connections from a specific IP will reduce the attack surface but it won't prevent the vulnerability from being exploited from this IP
• A use of externally-controlled format string vulnerability [CWE-134] in FortiOS fgfmd daemon may allow a remote unauthentified attacker to execute arbitrary code or commands via specially crafted requests
• Please note, CSA 4.6 is end-of-life and the last security fix for this version was released on September 10. Additionally, it is important for customers to know that we have not observed exploitation of these vulnerabilities in any version of CSA 5.0

Headlines

• Oct. 10, 2024 - CISA demands govt patches exploited Fortinet, Ivanti bugs
• Oct. 10, 2024 - U.S. CISA adds Ivanti CSA and Fortinet bugs to its Known Exploited Vulnerabilities catalog
• Oct. 9, 2024 - 3 More Ivanti Cloud Vulns Exploited in the Wild
• Oct. 9, 2024 - CISA Adds Three Actively Exploited Security Vulnerabilities to KEV Catalog, Urges Urgent Patching
• Oct. 9, 2024 - Ivanti: Three CSA Zero-Days Are Being Exploited in Attacks
• Oct. 9, 2024 - Multiple Vulnerabilities in Ivanti Products Could Allow for Remote Code Execution
• Oct. 8, 2024 - Three new Ivanti CSA zero-day actively exploited in attacks
• Oct. 8, 2024 - Ivanti fixes three CSA zero-days exploited in the wild (CVE-2024-9379, CVE-2024-9380, CVE-2024-9381)
• Oct. 8, 2024 - Zero-Day Alert: Three Critical Ivanti CSA Vulnerabilities Actively Exploited
• Oct. 8, 2024 - Ivanti warns of three more CSA zero-days exploited in attacks
• Oct. 8, 2024 - Ivanti Patches CSA Appliance Against Vulnerabilities, Including Actively Exploited Flaws

CVE-2024-9379

HIGH CVSS 7.20 EPSS Score 1.30 EPSS Percentile 86.17

CISA Known Exploited Public Exploits Available

Published: Oct. 8, 2024

SQL injection in the admin web console of Ivanti CSA before version 5.0.2 allows a remote authenticated attacker with admin privileges to run arbitrary SQL statements.

Vendor Impacted: Ivanti

Products Impacted: Endpoint Manager Cloud Services Appliance, Cloud Services Appliance (Csa)

Quotes

• We are aware of the exploitation of a limited number of customers on CSA 4.6
• Ivanti recommends reviewing the CSA for modified or newly added administrative users
• We are aware of a limited number of customers running CSA 4.6 patch 518 and prior who have been exploited when CVE-2024-9379, CVE-2024-9380 or CVE-2024-9381 are chained with CVE-2024-8963
• Please also note that a local-in policy that only allows fgfm connections from a specific IP will reduce the attack surface but it won't prevent the vulnerability from being exploited from this IP
• A use of externally-controlled format string vulnerability [CWE-134] in FortiOS fgfmd daemon may allow a remote unauthentified attacker to execute arbitrary code or commands via specially crafted requests
• Please note, CSA 4.6 is end-of-life and the last security fix for this version was released on September 10. Additionally, it is important for customers to know that we have not observed exploitation of these vulnerabilities in any version of CSA 5.0

Headlines

• Oct. 10, 2024 - CISA demands govt patches exploited Fortinet, Ivanti bugs
• Oct. 10, 2024 - U.S. CISA adds Ivanti CSA and Fortinet bugs to its Known Exploited Vulnerabilities catalog
• Oct. 9, 2024 - 3 More Ivanti Cloud Vulns Exploited in the Wild
• Oct. 9, 2024 - CISA Adds Three Actively Exploited Security Vulnerabilities to KEV Catalog, Urges Urgent Patching
• Oct. 9, 2024 - Ivanti: Three CSA Zero-Days Are Being Exploited in Attacks
• Oct. 9, 2024 - Multiple Vulnerabilities in Ivanti Products Could Allow for Remote Code Execution
• Oct. 8, 2024 - Three new Ivanti CSA zero-day actively exploited in attacks
• Oct. 8, 2024 - Ivanti fixes three CSA zero-days exploited in the wild (CVE-2024-9379, CVE-2024-9380, CVE-2024-9381)
• Oct. 8, 2024 - Zero-Day Alert: Three Critical Ivanti CSA Vulnerabilities Actively Exploited
• Oct. 8, 2024 - Ivanti warns of three more CSA zero-days exploited in attacks
• Oct. 8, 2024 - Ivanti Patches CSA Appliance Against Vulnerabilities, Including Actively Exploited Flaws

CVE-2024-9381

HIGH CVSS 7.20 EPSS Score 0.04 EPSS Percentile 11.21

Risk Context N/A

Published: Oct. 8, 2024

Path traversal in Ivanti CSA before version 5.0.2 allows a remote authenticated attacker with admin privileges to bypass restrictions.

Quotes

• We are aware of the exploitation of a limited number of customers on CSA 4.6
• Ivanti recommends reviewing the CSA for modified or newly added administrative users
• We are aware of a limited number of customers running CSA 4.6 patch 518 and prior who have been exploited when CVE-2024-9379, CVE-2024-9380 or CVE-2024-9381 are chained with CVE-2024-8963
• Please also note that a local-in policy that only allows fgfm connections from a specific IP will reduce the attack surface but it won't prevent the vulnerability from being exploited from this IP
• A use of externally-controlled format string vulnerability [CWE-134] in FortiOS fgfmd daemon may allow a remote unauthentified attacker to execute arbitrary code or commands via specially crafted requests
• Please note, CSA 4.6 is end-of-life and the last security fix for this version was released on September 10. Additionally, it is important for customers to know that we have not observed exploitation of these vulnerabilities in any version of CSA 5.0

Headlines

• Oct. 10, 2024 - CISA demands govt patches exploited Fortinet, Ivanti bugs
• Oct. 10, 2024 - U.S. CISA adds Ivanti CSA and Fortinet bugs to its Known Exploited Vulnerabilities catalog
• Oct. 9, 2024 - 3 More Ivanti Cloud Vulns Exploited in the Wild
• Oct. 9, 2024 - Ivanti: Three CSA Zero-Days Are Being Exploited in Attacks
• Oct. 9, 2024 - Multiple Vulnerabilities in Ivanti Products Could Allow for Remote Code Execution
• Oct. 8, 2024 - Three new Ivanti CSA zero-day actively exploited in attacks
• Oct. 8, 2024 - Ivanti fixes three CSA zero-days exploited in the wild (CVE-2024-9379, CVE-2024-9380, CVE-2024-9381)
• Oct. 8, 2024 - Zero-Day Alert: Three Critical Ivanti CSA Vulnerabilities Actively Exploited
• Oct. 8, 2024 - Ivanti warns of three more CSA zero-days exploited in attacks
• Oct. 8, 2024 - Ivanti Patches CSA Appliance Against Vulnerabilities, Including Actively Exploited Flaws

CVE-2024-8190

HIGH CVSS 7.20 EPSS Score 15.12 EPSS Percentile 95.94

CISA Known Exploited Actively Exploited Remote Code Execution Public Exploits Available

Published: Sept. 10, 2024

An OS command injection vulnerability in Ivanti Cloud Services Appliance versions 4.6 Patch 518 and before allows a remote authenticated attacker to obtain remote code execution. The attacker must have admin level privileges to exploit this vulnerability.

Vendor Impacted: Ivanti

Product Impacted: Cloud Services Appliance

Quotes

• Please also note that a local-in policy that only allows fgfm connections from a specific IP will reduce the attack surface but it won't prevent the vulnerability from being exploited from this IP
• Please note, CSA 4.6 is end-of-life and the last security fix for this version was released on September 10. Additionally, it is important for customers to know that we have not observed exploitation of these vulnerabilities in any version of CSA 5.0
• Currently, the DSP updates header buffers with unused DMA handle fds. In the put_args section, if any DMA handle FDs are present in the header buffer, the corresponding map is freed. However, since the header buffer is exposed to users in unsigned PD, users can update invalid FDs. If this invalid FD matches with any FD that is already in use, it could lead to a use-after-free (UAF) vulnerability

Headlines

• Oct. 10, 2024 - CISA demands govt patches exploited Fortinet, Ivanti bugs
• Oct. 9, 2024 - Ivanti: Three CSA Zero-Days Are Being Exploited in Attacks
• Oct. 9, 2024 - U.S. CISA adds Windows and Qualcomm bugs to its Known Exploited Vulnerabilities catalog
• Oct. 8, 2024 - Three new Ivanti CSA zero-day actively exploited in attacks
• Oct. 8, 2024 - Ivanti fixes three CSA zero-days exploited in the wild (CVE-2024-9379, CVE-2024-9380, CVE-2024-9381)
• Oct. 8, 2024 - Zero-Day Alert: Three Critical Ivanti CSA Vulnerabilities Actively Exploited
• Oct. 8, 2024 - Ivanti warns of three more CSA zero-days exploited in attacks