VULNERA Pulse

Synacor — Zimbra Collaboration

CVE-2024-45519 / Added: Oct. 3, 2024

CRITICAL CVSS 9.80 EPSS Score 0.05 EPSS Percentile 22.67

Synacor Zimbra Collaboration contains an unspecified vulnerability in the postjournal service that may allow an unauthenticated user to execute commands.

Headlines

• Oct. 2, 2024 - Critical Zimbra RCE flaw exploited to backdoor servers using emails
• Oct. 2, 2024 - Critical Zimbra RCE flaw actively exploited to take over servers
• Oct. 2, 2024 - Critical Zimbra RCE vulnerability under mass exploitation (CVE-2024-45519)
• Oct. 2, 2024 - Critical Zimbra RCE now mass-exploited, experts say
• Oct. 2, 2024 - Critical Zimbra RCE now mass-exploited, experts say
• Oct. 2, 2024 - Critical Zimbra Postjournal flaw CVE-2024-45519 actively exploited in the wild. Patch it now!
• Oct. 2, 2024 - Researchers Sound Alarm on Active Attacks Exploiting Critical Zimbra Postjournal Flaw
• Oct. 2, 2024 - A Vulnerability in Zimbra Collaboration Could Allow for Remote Code Execution
• Oct. 2, 2024 - PoC Exploit Releases for Zimbra RCE Flaw CVE-2024-45519: Mass Exploitation Detected
• Oct. 1, 2024 - Zimbra RCE Vuln Under Attack Needs Immediate Patching

Back to top ↑

Ivanti — Endpoint Manager (EPM)

CVE-2024-29824 / Added: Oct. 2, 2024

HIGH CVSS 8.80 EPSS Score 2.17 EPSS Percentile 89.57

Ivanti Endpoint Manager (EPM) contains a SQL injection vulnerability in Core server that allows an unauthenticated attacker within the same network to execute arbitrary code.

Headlines

• Oct. 3, 2024 - Critical Ivanti Endpoint Manager flaw exploited (CVE-2024-29824)
• Oct. 3, 2024 - Ivanti Endpoint Manager Flaw Actively Targeted, CISA Warns Agencies to Patch
• Oct. 2, 2024 - US CISA adds Ivanti EPM flaw to its Known Exploited Vulnerabilities catalog
• Oct. 2, 2024 - Critical Ivanti RCE flaw with public exploit now used in attacks
• Oct. 2, 2024 - CVE-2024-29824: Critical Vulnerability in Ivanti Endpoint Manager Actively Exploited, PoC Published
• June 13, 2024 - PoC Exploit Emerges for Critical RCE Bug in Ivanti Endpoint Manager
• May 23, 2024 - Critical SQL Injection flaws impact Ivanti Endpoint Manager (EPM)

Back to top ↑

SAP — Commerce Cloud

CVE-2019-0344 / Added: Sept. 30, 2024

CRITICAL CVSS 9.80 EPSS Score 21.36 EPSS Percentile 96.52

SAP Commerce Cloud (formerly known as Hybris) contains a deserialization of untrusted data vulnerability within the mediaconversion and virtualjdbc extension that allows for code injection.

Headlines

• Oct. 1, 2024 - U.S. CISA adds D-Link DIR-820 Router, DrayTek Multiple Vigor Router, Motion Spell GPAC, SAP Commerce Cloud bugs to its Known Exploited Vulnerabilities catalog
• Oct. 1, 2024 - CISA Adds Four Actively Exploited Vulnerabilities to KEV Catalog

Back to top ↑

DrayTek — Multiple Vigor Routers

CVE-2020-15415 / Added: Sept. 30, 2024

CRITICAL CVSS 9.80 EPSS Score 94.31 EPSS Percentile 99.25

DrayTek Vigor3900, Vigor2960, and Vigor300B devices contain an OS command injection vulnerability in cgi-bin/mainfunction.cgi/cvmcfgupload that allows for remote code execution via shell metacharacters in a filename when the text/x-python-script content type is used.

Headlines

• Oct. 1, 2024 - U.S. CISA adds D-Link DIR-820 Router, DrayTek Multiple Vigor Router, Motion Spell GPAC, SAP Commerce Cloud bugs to its Known Exploited Vulnerabilities catalog
• Oct. 1, 2024 - CISA Adds Four Actively Exploited Vulnerabilities to KEV Catalog
• Feb. 17, 2023 - New Mirai botnet variant V3G4 targets Linux servers, IoT devices
• Feb. 16, 2023 - Mirai Variant V3G4 Targets 13 Vulnerabilities to Infect IoT Devices

Back to top ↑

D-Link — DIR-820 Router

CVE-2023-25280 / Added: Sept. 30, 2024

CRITICAL CVSS 9.80 EPSS Score 2.15 EPSS Percentile 89.52

D-Link DIR-820 routers contain an OS command injection vulnerability that allows a remote, unauthenticated attacker to escalate privileges to root via a crafted payload with the ping_addr parameter to ping.ccp.

Headlines

• Oct. 1, 2024 - U.S. CISA adds D-Link DIR-820 Router, DrayTek Multiple Vigor Router, Motion Spell GPAC, SAP Commerce Cloud bugs to its Known Exploited Vulnerabilities catalog
• Oct. 1, 2024 - CISA Adds Four Actively Exploited Vulnerabilities to KEV Catalog

Back to top ↑

Motion Spell — GPAC

CVE-2021-4043 / Added: Sept. 30, 2024

MEDIUM CVSS 5.50 EPSS Score 0.91 EPSS Percentile 83.11

Motion Spell GPAC contains a null pointer dereference vulnerability that could allow a local attacker to cause a denial-of-service (DoS) condition.

Headlines

• Oct. 3, 2024 - Linux Servers Under Siege: "Perfctl" Malware Evades Detection for Years
• Oct. 3, 2024 - Linux malware “perfctl” behind years-long cryptomining campaign
• Oct. 3, 2024 - New Perfctl Malware Targets Linux Servers for Cryptocurrency Mining and Proxyjacking
• Oct. 3, 2024 - Near-'perfctl' Fileless Malware Targets Millions of Linux Servers
• Oct. 1, 2024 - U.S. CISA adds D-Link DIR-820 Router, DrayTek Multiple Vigor Router, Motion Spell GPAC, SAP Commerce Cloud bugs to its Known Exploited Vulnerabilities catalog
• Oct. 1, 2024 - CISA Adds Four Actively Exploited Vulnerabilities to KEV Catalog
• Sept. 17, 2024 - Exploit Kits, Cryptominers, Proxyjackers: The New Face of Selenium Grid Abuse
• Sept. 12, 2024 - Exposed Selenium Grid Servers Targeted for Crypto Mining and Proxyjacking
• Sept. 12, 2024 - Hackers Proxyjack & Cryptomine Selenium Grid Servers

Back to top ↑

CVE-2024-45519

CRITICAL CVSS 9.80 EPSS Score 0.05 EPSS Percentile 22.67

CISA Known Exploited Actively Exploited Remote Code Execution Public Exploits Available

Published: Oct. 2, 2024

The postjournal service in Zimbra Collaboration (ZCS) before 8.8.15 Patch 46, 9 before 9.0.0 Patch 41, 10 before 10.0.9, and 10.1 before 10.1.1 sometimes allows unauthenticated users to execute commands.

Vendors Impacted: Zimbra, Synacor

Products Impacted: Collaboration, Zimbra Collaboration

Quotes

• Some emails from the same sender used a series of CC'd addresses attempting to build a Web shell on a vulnerable Zimbra server
• The emails spoofing Gmail were sent to bogus addresses in the CC fields in an attempt for Zimbra servers to parse and execute them as commands
• Successful exploitation can lead to unauthorized access, privilege escalation, and potential compromise of the affected system's integrity and confidentiality
• The vulnerability stems from unsanitized user input being passed to popen [function] in the unpatched version [of the postjournal binary], enabling attackers to inject arbitrary commands
• Zimbra, a widely used email and collaboration platform, recently released a critical security update addressing a severe vulnerability in its postjournal service. This vulnerability, identified as CVE-2024-45519, allows unauthenticated attackers to execute arbitrary commands on affected Zimbra installations

Headlines

• Oct. 2, 2024 - Critical Zimbra RCE flaw actively exploited to take over servers
• Oct. 2, 2024 - Critical Zimbra RCE flaw exploited to backdoor servers using emails
• Oct. 2, 2024 - Critical Zimbra RCE vulnerability under mass exploitation (CVE-2024-45519)
• Oct. 2, 2024 - Critical Zimbra RCE now mass-exploited, experts say
• Oct. 2, 2024 - Critical Zimbra Postjournal flaw CVE-2024-45519 actively exploited in the wild. Patch it now!
• Oct. 2, 2024 - Researchers Sound Alarm on Active Attacks Exploiting Critical Zimbra Postjournal Flaw
• Oct. 2, 2024 - A Vulnerability in Zimbra Collaboration Could Allow for Remote Code Execution
• Oct. 2, 2024 - PoC Exploit Releases for Zimbra RCE Flaw CVE-2024-45519: Mass Exploitation Detected
• Oct. 1, 2024 - Zimbra RCE Vuln Under Attack Needs Immediate Patching

CVE-2024-47177

CRITICAL CVSS 9.00 EPSS Score 0.04 EPSS Percentile 10.95

Remote Code Execution Public Exploits Available

Published: Sept. 26, 2024

CUPS is a standards-based, open-source printing system, and cups-filters provides backends, filters, and other software for CUPS 2.x to use on non-Mac OS systems. Any value passed to `FoomaticRIPCommandLine` via a PPD file will be executed as a user controlled command. When combined with other logic bugs as described in CVE_2024-47176, this can lead to remote command execution.

Quotes

• The limited resources required to initiate a successful attack highlights the danger
• Akamai researchers have found. Instead of instructing CUPS to add a malicious printer, the packet instructs it to send an IPP/HTTP request to the target and port specified by the attacker
• Although these bandwidth numbers may not be considered earth-shattering, they would still result in the target's need to handle roughly 2.6 million TCP connections and HTTP requests in either scenario

Headlines

• Oct. 3, 2024 - CUPS vulnerabilities could be abused for DDoS attacks
• Oct. 3, 2024 - CUPS Exploit Turns Common Devices into DDoS Weapons
• Oct. 2, 2024 - Unix Printing Vulnerabilities Enable Easy DDoS Attacks

CVE-2024-29824

HIGH CVSS 8.80 EPSS Score 2.17 EPSS Percentile 89.57

CISA Known Exploited Actively Exploited Remote Code Execution Public Exploits Available

Published: May 31, 2024

An unspecified SQL Injection vulnerability in Core server of Ivanti EPM 2022 SU5 and prior allows an unauthenticated attacker within the same network to execute arbitrary code.

Vendor Impacted: Ivanti

Products Impacted: Endpoint Manager (Epm), Endpoint Manager

Quotes

• Blindly execute commands on vulnerable Ivanti EPM appliances
• An unspecified SQL Injection vulnerability in Core server of Ivanti EPM 2022 SU5 and prior allows an unauthenticated attacker within the same network to execute arbitrary code

Headlines

• Oct. 3, 2024 - Critical Ivanti Endpoint Manager flaw exploited (CVE-2024-29824)
• Oct. 3, 2024 - Ivanti Endpoint Manager Flaw Actively Targeted, CISA Warns Agencies to Patch
• Oct. 2, 2024 - US CISA adds Ivanti EPM flaw to its Known Exploited Vulnerabilities catalog
• Oct. 2, 2024 - Critical Ivanti RCE flaw with public exploit now used in attacks
• Oct. 2, 2024 - CVE-2024-29824: Critical Vulnerability in Ivanti Endpoint Manager Actively Exploited, PoC Published

CVE-2024-47175

HIGH CVSS 8.60 EPSS Score 0.04 EPSS Percentile 14.87

Remote Code Execution

Published: Sept. 26, 2024

CUPS is a standards-based, open-source printing system, and `libppd` can be used for legacy PPD file support. The `libppd` function `ppdCreatePPDFromIPP2` does not sanitize IPP attributes when creating the PPD buffer. When used in combination with other functions such as `cfGetPrinterAttributes5`, can result in user controlled input and ultimately code execution via Foomatic. This vulnerability can be part of an exploit chain leading to remote code execution (RCE), as described in CVE-2024-47176.

Quotes

• The limited resources required to initiate a successful attack highlights the danger
• Akamai researchers have found. Instead of instructing CUPS to add a malicious printer, the packet instructs it to send an IPP/HTTP request to the target and port specified by the attacker
• Although these bandwidth numbers may not be considered earth-shattering, they would still result in the target's need to handle roughly 2.6 million TCP connections and HTTP requests in either scenario

Headlines

• Oct. 3, 2024 - CUPS vulnerabilities could be abused for DDoS attacks
• Oct. 3, 2024 - CUPS Exploit Turns Common Devices into DDoS Weapons
• Oct. 2, 2024 - Unix Printing Vulnerabilities Enable Easy DDoS Attacks
• Oct. 2, 2024 - Say goodbye to Microsoft Windows 11 and hello to Nitrux Linux 3.7.0

CVE-2024-47076

HIGH CVSS 8.60 EPSS Score 0.04 EPSS Percentile 14.87

Remote Code Execution Public Exploits Available

Published: Sept. 26, 2024

CUPS is a standards-based, open-source printing system, and `libcupsfilters` contains the code of the filters of the former `cups-filters` package as library functions to be used for the data format conversion tasks needed in Printer Applications. The `cfGetPrinterAttributes5` function in `libcupsfilters` does not sanitize IPP attributes returned from an IPP server. When these IPP attributes are used, for instance, to generate a PPD file, this can lead to attacker controlled data to be provided to the rest of the CUPS system.

Quotes

• The limited resources required to initiate a successful attack highlights the danger
• Akamai researchers have found. Instead of instructing CUPS to add a malicious printer, the packet instructs it to send an IPP/HTTP request to the target and port specified by the attacker
• Although these bandwidth numbers may not be considered earth-shattering, they would still result in the target's need to handle roughly 2.6 million TCP connections and HTTP requests in either scenario

Headlines

• Oct. 3, 2024 - CUPS vulnerabilities could be abused for DDoS attacks
• Oct. 3, 2024 - CUPS Exploit Turns Common Devices into DDoS Weapons
• Oct. 2, 2024 - Unix Printing Vulnerabilities Enable Easy DDoS Attacks
• Sept. 30, 2024 - Critical RCE Vulnerabilities Found in Common Unix Printing System

CVE-2024-0132

HIGH CVSS 8.30 EPSS Score 0.09 EPSS Percentile 39.65

Actively Exploited Remote Code Execution

Published: Sept. 26, 2024

NVIDIA Container Toolkit 1.16.1 or earlier contains a Time-of-check Time-of-Use (TOCTOU) vulnerability when used with default configuration where a specifically crafted container image may gain access to the host file system. This does not impact use cases where CDI is used. A successful exploit of this vulnerability may lead to code execution, denial of service, escalation of privileges, information disclosure, and data tampering.

Vendors Impacted: Linux, Nvidia

Products Impacted: Nvidia Gpu Operator, Linux Kernel, Nvidia Container Toolkit

Quotes

• NVIDIA Container Toolkit 1.16.1 or earlier contains a Time-of-check Time-of-Use (TOCTOU) vulnerability when used with default configuration where a specifically crafted container image may gain access to the host file system

Headlines

• Oct. 2, 2024 - Issue with NVIDIA Container Toolkit (CVE-2024-0132, CVE-2024-0133)
• Sept. 30, 2024 - NVIDIA Container Toolkit Vulnerability Exposes AI Systems to Risk
• Sept. 30, 2024 - Critical NVIDIA Container Toolkit flaw could allow access to the underlying host
• Sept. 29, 2024 - Critical flaw in NVIDIA Container Toolkit allows full host takeover

CVE-2024-2961

HIGH CVSS 7.30 EPSS Score 0.05 EPSS Percentile 17.78

Actively Exploited Remote Code Execution Public Exploits Available

Published: April 17, 2024

The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.

Quotes

• Worst bug to hit Magento and Adobe Commerce stores in two years
• Sansec projects that more stores will get hacked in the coming months, as 75% of the Adobe Commerce & Magento install base hadn't patched when the automated scanning for secret encryption keys started
• CosmicSting targets a critical bug in the Adobe Commerce and Magento platforms. Bad actors use it to read any of your files, such as passwords and other secrets. The typical attack strategy is to steal your secret crypt key from app/etc/env.php and use that to modify your CMS blocks via the Magento API. Then, attackers inject malicious Javascript to steal your customer’s data

Headlines

• Oct. 3, 2024 - Over 4,000 Adobe Commerce, Magento shops hacked in CosmicSting attacks
• Oct. 3, 2024 - Thousands of Adobe Commerce e-stores hacked by exploiting CosmicSting bug
• Oct. 2, 2024 - Alert: Adobe Commerce and Magento Stores Under Attack from CosmicSting Exploit

CVE-2021-4043

MEDIUM CVSS 5.50 EPSS Score 0.91 EPSS Percentile 83.11

CISA Known Exploited Actively Exploited Remote Code Execution Public Exploits Available

Published: Feb. 4, 2022

NULL Pointer Dereference in GitHub repository gpac/gpac prior to 1.1.0.

Vendors Impacted: Motion Spell, Gpac, Debian

Products Impacted: Debian Linux, Gpac

Quotes

• Perfctl is particularly elusive and persistent, employing several sophisticated techniques
• I only became aware of the malware because my monitoring setup alerted me to 100% CPU utilization
• When a new user logs into the server, it immediately stops all ‘noisy’ activities, lying dormant until the server is idle again
• We've seen blog and forum posts over the past three or four years — maybe even longer — saying, 'something is attacking me, I don't know, I'm trying to kill it

Headlines

• Oct. 3, 2024 - Linux Servers Under Siege: "Perfctl" Malware Evades Detection for Years
• Oct. 3, 2024 - Linux malware “perfctl” behind years-long cryptomining campaign
• Oct. 3, 2024 - New Perfctl Malware Targets Linux Servers for Cryptocurrency Mining and Proxyjacking
• Oct. 3, 2024 - Near-'perfctl' Fileless Malware Targets Millions of Linux Servers
• Oct. 1, 2024 - U.S. CISA adds D-Link DIR-820 Router, DrayTek Multiple Vigor Router, Motion Spell GPAC, SAP Commerce Cloud bugs to its Known Exploited Vulnerabilities catalog
• Oct. 1, 2024 - CISA Adds Four Actively Exploited Vulnerabilities to KEV Catalog

CVE-2024-47176

MEDIUM CVSS 5.30 EPSS Score 0.06 EPSS Percentile 27.66

Remote Code Execution Public Exploits Available

Published: Sept. 26, 2024

CUPS is a standards-based, open-source printing system, and `cups-browsed` contains network printing functionality including, but not limited to, auto-discovering print services and shared printers. `cups-browsed` binds to `INADDR_ANY:631`, causing it to trust any packet from any source, and can cause the `Get-Printer-Attributes` IPP request to an attacker controlled URL. When combined with other vulnerabilities, such as CVE-2024-47076, CVE-2024-47175, and CVE-2024-47177, an attacker can execute arbitrary commands remotely on the target machine without authentication when a malicious printer is printed to.

Quotes

• The limited resources required to initiate a successful attack highlights the danger
• Akamai researchers have found. Instead of instructing CUPS to add a malicious printer, the packet instructs it to send an IPP/HTTP request to the target and port specified by the attacker
• Although these bandwidth numbers may not be considered earth-shattering, they would still result in the target's need to handle roughly 2.6 million TCP connections and HTTP requests in either scenario

Headlines

• Oct. 3, 2024 - CUPS vulnerabilities could be abused for DDoS attacks
• Oct. 3, 2024 - CUPS Exploit Turns Common Devices into DDoS Weapons
• Oct. 2, 2024 - Unix Printing Vulnerabilities Enable Easy DDoS Attacks
• Sept. 30, 2024 - Critical RCE Vulnerabilities Found in Common Unix Printing System