Fortra has patched a critical-severity vulnerability in FileCatalyst Workflow leading to the creation of administrator accounts.

The post Fortra Patches Critical SQL Injection in FileCatalyst Workflow appeared first on SecurityWeek.

A critical security flaw has been uncovered in the Vanna.AI library, exposing SQL databases to potential remote code execution (RCE) attacks through prompt injection techniques. Tracked as CVE-2024-5565 with a CVSS score of 8.1, this Vanna AI vulnerability allows malicious actors to manipulate prompts in Vanna.AI's "ask" function of Vanna.AI, leveraging large language models (LLMs) to execute arbitrary commands. Vanna.AI is a Python-based machine learning library designed to simplify interaction with SQL databases by converting natural language prompts into SQL queries. This functionality, facilitated by LLMs, enables users to query databases simply by asking questions.

Vanna AI Vulnerability Leads to Remote Code Execution (RCE)

The Vanna AI vulnerability was first identified by cybersecurity researchers at JFrog. They found that by injecting malicious prompts into the "ask" function, attackers could bypass security controls and force the library to execute unintended SQL commands. This technique, known as prompt injection, exploits the inherent flexibility of LLMs in interpreting user inputs. According to JFrog, "Prompt injection vulnerabilities like CVE-2024-5565 highlight the risks associated with integrating LLMs into user-facing applications, particularly those involving sensitive data or backend systems. In this case, the flaw in Vanna.AI allows attackers to subvert intended query behavior and potentially gain unauthorized access to databases." The issue was also independently discovered and reported by Tong Liu through the Huntr bug bounty platform, highlighting its significance and widespread impact potential.

Understanding Prompt Injection and Its Implications

Prompt injection exploits the design of LLMs, which are trained on diverse datasets and thus susceptible to misinterpreting prompts that deviate from expected norms. While developers often implement pre-prompting safeguards to guide LLM responses, these measures can be circumvented by carefully crafted malicious inputs. "In the context of Vanna.AI," explains JFrog, "prompt injection occurs when a user-supplied prompt manipulates the SQL query generation process, leading to unintended and potentially malicious database operations. This represents a critical security concern, particularly in applications where SQL queries directly influence backend operations."

Technical Details and Exploitation

The Vanna AI vulnerability arises primarily from how Vanna.AI handles user prompts within its ask function. By injecting specially crafted prompts containing executable code, attackers can influence the generation of SQL queries. This manipulation can extend to executing arbitrary Python code, as demonstrated in scenarios where the library dynamically generates Plotly visualizations based on user queries. "In our analysis," notes JFrog, "we observed that prompt injection in Vanna.AI allows for direct code execution within the context of generated SQL queries. This includes scenarios where the generated code inadvertently includes malicious commands, posing a significant risk to database security." Upon discovery, Vanna.AI developers were promptly notified and have since released mitigation measures to address the CVE-2024-5565 vulnerability. These include updated guidelines on prompt handling and additional security best practices to safeguard against future prompt injection attacks. "In response to CVE-2024-5565," assures JFrog, "Vanna.AI has reinforced its prompt validation mechanisms and introduced stricter input sanitization procedures. These measures are crucial in preventing similar vulnerabilities and ensuring the continued security of applications leveraging LLM technologies."

A newly disclosed vulnerability in Progress MOVEit Transfer has sparked concern among cybersecurity experts due to the lingering memory of high-profile attacks by ransomware gangs using a different vulnerability last year that hit organizations such as the BBC and FBI. The new authentication bypass flaw, officially designated CVE-2024-5806, could potentially allow unauthorized access to sensitive data. MOVEit Transfer, designed for large-scale enterprise use, boasts features compliant with regulations like PCI and HIPAA. It offers various file transfer methods, including SFTP and HTTPS, making it a critical component in many organizations' data management infrastructure. Progress initially kept details of CVE-2024-5806 under wraps, advising customers to patch systems before its disclosure. On June 25th, 2024, Progress officially un-embargoed the vulnerability, revealing that it affects both MOVEit Transfer version 2023.0 and newer, as well as MOVEit Gateway version 2024.0 and newer.

Progress MOVEit Vulnerability Details

WatchTowr Labs was sent details of the vulnerability by a user who identified as 'dav1d_bl41ne' on its IRC channel, an unusual method of vulnerability sharing, the researchers noted. The researchers decided to investigate further, setting up a test environment to replicate the vulnerability. [caption id="attachment_79318" align="alignnone" width="471"] Source: labs.watchtowr.com[/caption] The debugger output from the test environment showed that the server was throwing exceptions and attempting to access files in unexpected ways. Upon further investigation, the researchers discovered that the vulnerability could be exploited by providing a valid file path instead of the SSH public key during authentication. This led to the server attempting to access the file, giving the attacker unauthorized access to the system. The researchers shared the following steps on exploiting the vulnerability:

• Upload a public key to the File Transfer server.
• Rather than supplying a legitimate public key, send a file path to the public key, signing the authentication request with the same public key.
• The key will be accepted by the server with successful login, allowing for the access of target files.

The flaw affects MOVEit Transfer versions 2023.0 and newer, as well as MOVEit Gateway 2024.0 and later. Progress describes it as an "Improper Authentication vulnerability" in the SFTP module that could lead to "Authentication Bypass in limited scenarios." In limited scenarios, CVE-2024-5806 allows for authentication bypass, potentially giving attackers unauthorized access to sensitive files. The vulnerability is particularly concerning because the software is widely used among enterprises, making it a prime target for APT groups, ransomware gangs, and other malicious actors. Progress has shared the following recommendations to prevent exploitation of the flaw:

• Block public inbound RDP access to MOVEit Transfer server(s).
• Limit outbound access on MOVEit Transfer server(s) to only trusted endpoints.

According to a post on X from The Shadowserver Foundation, the foundation has already observed active exploitation attempts using the vulnerability soon after its disclosure. [caption id="attachment_79326" align="alignnone" width="1170"] Source: X.com[/caption]

Implications of the MOVEit Vulnerability

The discovery of this vulnerability soon after major exploitation last year has reignited discussions about the security of file transfer solutions in enterprise environments. The potential for unauthorized access to sensitive files could have far-reaching consequences for the large number of enterprises that rely on MOVEit Transfer. While the full extent of the vulnerability's impact is still being assessed, the incident has sparked more debate about responsible disclosure practices in the cybersecurity community. Some argue that early, private notifications to affected parties are crucial, while others advocate for more transparent, public disclosures to ensure widespread awareness and prompt action. As the situation develops, IT administrators and security professionals are advised to stay vigilant, monitor for any signs of exploitation, and implement recommended security measures to protect their MOVEit Transfer deployments.  

Apple has taken steps to enhance the security of its popular AirPods lineup by addressing a critical Bluetooth vulnerability through a new firmware update. This AirPods firmware update,  identified as Firmware 6A326 and 6F8, is aimed at several models including AirPods, AirPods Pro, AirPods Max, Powerbeats Pro, and Beats Fit Pro. The AirPods vulnerability tracked as CVE-2024-27867 and discovered by Jonas Dreßler, posed a potential risk where attackers within Bluetooth range could spoof a user's device and gain unauthorized access to their AirPods. This issue highlights the importance of timely updates to protect Apple devices from cyberattacks. 

AirPods Firmware Update Fixes Major Bluetooth Vulnerability

Initially, Apple's AirPods firmware update patch notes appeared routine, mentioning "bug fixes and other improvements." However, further details on Apple's security website revealed the update's critical nature, specifically addressing an authentication issue with improved state management related to Bluetooth connections. For affected users, the AirPods firmware update will be applied automatically when AirPods are paired with an iPhone or another compatible device. To verify the update, users can check the firmware version by navigating to Settings > Bluetooth on iOS devices or System Settings > Bluetooth on Macs. This proactive approach highlights the regular updates required by devices regardless of operation systems. By promptly addressing vulnerabilities such as the AirPods vulnerability, Apple aims to create a safer digital environment for its users worldwide.

Fixing Several Apple Product Vulnerabilities

Beyond addressing the AirPods vulnerability, the firmware update also includes general bug fixes and performance improvements. This comprehensive approach ensures not only enhanced security but also a smoother user experience across the AirPods ecosystem. Users are encouraged to stay vigilant and keep their devices updated to the latest firmware version. This practice is crucial for safeguarding against potential security risks and maintaining the integrity of personal data. Apple's dedication to security is further demonstrated through its adherence to industry-standard practices, including not disclosing specific security issues until patches or releases are available and thoroughly tested. This approach ensures that users can trust Apple products to protect their privacy and security effectively. For more detailed information about the update and additional security-related matters, users can visit Apple's official security updates page and review the comprehensive product security documentation available.

A critical security flaw has been reported in Fortra FileCatalyst Workflow, a widely used platform designed for efficient file exchange and collaboration within private cloud environments. This vulnerability, identified as CVE-2024-5276, allows remote attackers to exploit SQL injection to potentially create unauthorized administrative accounts and manipulate the application's database. Fortra FileCatalyst Workflow serves as a pivotal tool for organizations requiring rapid and secure data transfers across large file sizes. It facilitates seamless collaboration in secure, private cloud spaces, making it indispensable for many businesses globally.

Understanding Fortra FileCatalyst Workflow Vulnerability 

[caption id="attachment_79207" align="alignnone" width="1382"] Source: Fortra[/caption] Tenable researchers discovered Fortra FileCatalyst Workflow vulnerability or CVE-2024-5276 on June 18, 2024, marking it as a critical vulnerability due to its potential impact. This flaw affects versions up to and including FileCatalyst Workflow 5.1.6 Build 135. The vulnerability arises from improper input validation within the application's handling of SQL queries, specifically through the 'jobID' parameter in various URL endpoints. Exploitation of this flaw can allow attackers to inject malicious SQL code, thereby gaining unauthorized access to the system. Fortra promptly addressed the issue following Tenable's responsible disclosure. In their security bulletin, Fortra clarified that while the vulnerability allows for the creation of admin users and manipulation of data, it does not facilitate data theft directly. They have released a fix in FileCatalyst Workflow version 5.1.6 Build 139, which patches the vulnerability and is strongly recommended for all users.

Mitigation and Upgrade Steps

Users of affected versions (up to Build 135) are advised to upgrade immediately to the patched version (Build 139) to mitigate the risk of exploitation. For those unable to upgrade immediately, disabling anonymous access on the Workflow system can reduce exposure to potential attacks leveraging CVE-2024-5276. As of the latest reports, there have been no documented cases of CVE-2024-5276 being actively exploited. However, given the severity of the vulnerability and the availability of exploit details, organizations are urged to prioritize updates to safeguard their systems against potential threats. The identification and swift response to CVE-2024-5276 highlight the critical importance of proactive security measures in maintaining the integrity and confidentiality of organizational data. Fortra's proactive approach in releasing a patch highlights the rise of vulnerabilities within internet devices and the security of user data. For more information on CVE-2024-5276 and to download the latest patched version of FileCatalyst Workflow, visit the official Fortra FileCatalyst Workflow website.

CISA on Wednesday warned that three older flaws in GeoServer, Linux kernel, and Roundcube webmail are exploited in the wild.

The post CISA Warns of Exploited GeoServer, Linux Kernel, and Roundcube Vulnerabilities appeared first on SecurityWeek.

30,000 websites at risk: Check yours ASAP! (800 Million Ostriches Can’t Be Wrong.)

The post WordPress Plugin Supply Chain Attack Gets Worse appeared first on Security Boulevard.

Several vulnerabilities patched recently in Siemens Sicam products could be exploited in attacks aimed at the energy sector.

The post Siemens Sicam Vulnerabilities Could Facilitate Attacks on Energy Sector appeared first on SecurityWeek.

Security analysts at Google are developing a framework that they hope will enable large language models (LLMs) to eventually be able to run automated vulnerability research, particularly analyses of malware variants. The analysts with Google’s Project Zero – a group founded a decade ago whose job it is to find zero-day vulnerabilities – have been..

The post Google’s Project Naptime Aims for AI-Based Vulnerability Research appeared first on Security Boulevard.

A security threat has surfaced on dark web forums: a zero-day exploit targeting a use-after-free (UAF) vulnerability in the Linux Kernel, specifically version 6.6.15-amd64. This use-after-free vulnerability, advertised for sale by an actor known as Cas, promises capabilities that include privileged code execution and potential access to sensitive data. According to the post, which has garnered attention from cybersecurity communities, the Linux Kernel vulnerability exploit is being offered for $150,000 in either Monero or Bitcoin. The threat actor Cas has specified that interested buyers must demonstrate proof of sufficient funds before any transaction can proceed, highlighting the illicit nature and high stakes of such transactions.

Use-After-Free Vulnerability Targets Linux Kernel

[caption id="attachment_78815" align="alignnone" width="1553"] Source: Dark Web[/caption] The Linux Kernel vulnerability, if successfully deployed, could allow malicious actors to escalate their privileges locally within affected systems, potentially executing code with root-level permissions. This type of vulnerability poses severe risks to both individual users and organizations relying on Linux-based systems. Selling Oday Use-after free in the Linux Kernel, you can use it to do a Privileged Code Execution (LPE (Local Privilege Escalation), or execute code with root privileges), (Data Leakage )..etc Affected version: 6.6.15-amd64. Environment arch: 64-bit and Price: 150k Monero & BTC", reads the threat actor post. Moderators on these forums have highlighted another individual, known as IntelBroker, who claims to have verified the proof-of-concept (PoC) behind the exploit privately. This endorsement adds credibility to Cas's offer, despite the lack of publicly available evidence.

Previous Instances and Industry Impact

Earlier, cybersecurity firm Rewterz reported a similar instance involving CVE-2024-36886, where a use-after-free flaw in the Linux Kernel (version 4.1) could be exploited by remote attackers to execute arbitrary code. This use-after-free vulnerability, triggered by fragmented TIPC messages, highlights ongoing challenges in securing Linux environments against sophisticated exploits. A use-after-free (UAF) vulnerability occurs when a program continues to access memory that has already been deallocated. This issue arises when dynamic memory allocation, typically managed by functions like free() in languages such as C or C++, is mishandled.  The program may inadvertently reference this freed memory, leading to unpredictable behavior such as crashes or security vulnerabilities. Exploitation of UAF vulnerabilities can allow attackers to manipulate the program's behavior, potentially executing arbitrary code or escalating privilege Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

A new supply chain attack has impacted several plugins hosted on WordPress.org. This WordPress vulnerability, discovered on June 24th, 2024, by the Wordfence Threat Intelligence team, initially centered around the Social Warfare plugin. The plugin was found to have been compromised with malicious code inserted as early as June 22nd, 2024, according to a forum post by the WordPress.org Plugin Review team. Upon identifying the malicious file within Social Warfare, the Wordfence team promptly uploaded it to their internal Threat Intelligence platform for analysis. Subsequently, their investigation revealed that the same malicious code had infected four additional plugins. Despite efforts to notify the WordPress plugins team about these compromised plugins, the response has been limited, although the affected plugins have since been delisted from the official repository.

WordPress Plugin Vulnerability Leads to Supply Chain Attack

According to Wordfence researchers, the listed plugins leading to supply chain attacks include 5 popular names. Among them, Social Warfare versions 4.4.6.4 to 4.4.7.1 were compromised, but a patched version (4.4.7.3) has since been released. Blaze Widget versions 2.2.5 to 2.5.2 and Wrapper Link Element versions 1.0.2 to 1.0.3 were also affected, with no available patched versions. Interestingly, although the malicious code appears removed in Wrapper Link Element version 1.0.0, this version is lower than the infected ones, complicating the update process. Users are advised to uninstall the plugin until a properly tagged version is issued. Similarly impacted were Contact Form 7 Multi-Step Addon versions 1.0.4 to 1.0.5 and Simply Show Hooks version 1.2.1, with no patched versions currently released for either plugin. The injected malware's primary function involves attempting to create unauthorized administrative user accounts on affected websites. These accounts are then leveraged to exfiltrate sensitive data back to servers controlled by the attackers. Additionally, the attackers embedded malicious JavaScript into the footers of compromised websites, potentially impacting SEO by introducing spammy content.

Ongoing Investigation and Recovery

Despite the malicious code's discovery, it was noted for its relative simplicity and lack of heavy obfuscation, featuring comments throughout that made it easier to trace. The attackers appear to have begun their activities as early as June 21st, 2024, and were actively updating plugins as recently as a few hours before detection. The Wordfence team is currently conducting a thorough analysis to develop malware signatures aimed at detecting compromised versions of these plugins. They advise website administrators to utilize the Wordfence Vulnerability Scanner to check for vulnerable plugins and take immediate action—either by updating to patched versions or removing affected plugins altogether. Key indicators of compromise include the IP address 94.156.79.8, used by the attackers' server, and specific unauthorized administrative usernames such as 'Options' and 'PluginAuth'. To mitigate risks, administrators are urged to conduct comprehensive security audits, including checking for unauthorized accounts and conducting thorough malware scans.

A newly discovered vulnerability, CVE-2024-0762, dubbed "UEFIcanhazbufferoverflow," has recently come to light in the Phoenix SecureCore UEFI firmware, impacting various Intel Core desktop and mobile processors. The UEFIcanhazbufferoverflow vulnerability, disclosed by cybersecurity researchers, exposes a critical buffer overflow issue within the Trusted Platform Module (TPM) configuration, potentially allowing malicious actors to execute unauthorized code. Eclypsium, a firm specializing in supply chain security, identified the vulnerability through its automated binary analysis system, Eclypsium Automata. They reported that the flaw could be exploited locally to escalate privileges and gain control over the UEFI firmware during runtime. This exploitation bypasses higher-level security measures, making it particularly concerning for affected devices.

Decoding the UEFIcanhazbufferoverflow Vulnerability and its Impact

The affected Phoenix SecureCore UEFI firmware is utilized across multiple generations of Intel Core processors, including AlderLake, CoffeeLake, CometLake, IceLake, JasperLake, KabyLake, MeteorLake, RaptorLake, RocketLake, and TigerLake. Given the widespread adoption of these processors by various OEMs, the UEFIcanhazbufferoverflow vulnerability has the potential to impact a broad array of PC products in the market. According to Eclypsium researchers, the vulnerability arises due to an insecure variable handling within the TPM configuration, specifically related to the TCG2_CONFIGURATION variable. This oversight could lead to a scenario where a buffer overflow occurs, facilitating the execution of arbitrary code by an attacker. Phoenix Technologies, in response to the disclosure, promptly assigned CVE-2024-0762 to the UEFIcanhazbufferoverflow vulnerability and released patches on May 14, 2024, to mitigate the issue. The severity of the vulnerability is reflected in its CVSS score of 7.5, indicating a high-risk threat.

The Importance of UEFI Architecture Security 

In practical terms, the exploitation of UEFI firmware vulnerabilities like "UEFIcanhazbufferoverflow" highlights the critical role of firmware in device security. The UEFI architecture serves as the foundational software that initializes hardware and manages system runtime operations, making it a prime target for attackers seeking persistent access and control. This incident also highlights the challenges associated with supply chain security, where vulnerabilities in upstream components can have cascading effects across multiple vendors and products. As such, organizations are advised to leverage comprehensive scanning tools to identify affected devices and promptly apply vendor-supplied firmware updates. For enterprises relying on devices with potentially impacted firmware, proactive measures include deploying solutions to continuously monitor and assess device integrity. This approach helps mitigate risks associated with older devices and ensures ongoing protection against active exploitation of firmware-based vulnerabilities.

Hundreds of PC and server models may be affected by CVE-2024-0762, a privilege escalation and code execution flaw in Phoenix SecureCore UEFI firmware.

The post Hundreds of PC, Server Models Possibly Affected by Serious Phoenix UEFI Vulnerability appeared first on SecurityWeek.

Atlassian has released Confluence, Crucible, and Jira updates to address multiple high-severity vulnerabilities.

The post Atlassian Patches High-Severity Vulnerabilities in Confluence, Crucible, Jira appeared first on SecurityWeek.

Google has released a Chrome 126 security update with six fixes, including four for externally reported high-severity flaws.

The post Chrome 126 Update Patches Vulnerability Exploited at Hacking Competition appeared first on SecurityWeek.

Or junk it if EOL: Two nasty vulnerabilities need an update—pronto.

The post ASUS Router User? Patch ASAP! appeared first on Security Boulevard.

Researchers have targeted the MTE security feature in Arm CPUs and showed how attackers could bypass protections.

The post New TikTag Attack Targets Arm CPU Security Feature  appeared first on SecurityWeek.

The Cyber Express, in collaboration with Cyble Research & Intelligence Labs (CRIL), is dedicated to providing the latest and most comprehensive information on security vulnerabilities. Each week, we deliver actionable insights for IT administrators and security professionals, crafted by highly skilled dark web and threat intelligence researchers at Cyble. Cyble has identified several important bugs in its Weekly Vulnerability Report that require urgent attention. The full report covers these vulnerabilities, along with details and discussion around exploits found on the dark web, industrial control system (ICS) vulnerability intelligence, and cybersecurity defenses. Cyble security analysts have also conducted scans of customer environments to alert them of any exposures.  These vulnerabilities, highlighted from June 05, 2024, to June 11, 2024, include critical issues that could be easily exploited. Failure to patch these vulnerabilities could result in unauthorized access, data breaches, and significant operational disruptions.  Cyble researchers found over 1 million internet-facing assets exposed to these vulnerabilities, highlighting the urgency of addressing these security flaws.

Critical Vulnerabilities and Their Impact

Here are details and analysis of five of the most critical vulnerabilities identified by Cyble.

GitHub Access Token (CVE-2024-37051)

Overview: Exposed access tokens have been identified, which could allow unauthorized individuals to access GitHub accounts. This can lead to the manipulation or theft of code, posing a severe threat to software integrity and security.  Impact: Unauthorized access to repositories can result in the leakage of sensitive information, insertion of malicious code, and potential compromise of projects dependent on the affected repositories. 

FortiOS SSL-VPN (CVE-2022-42475)

Overview: A critical heap-based buffer overflow vulnerability in FortiOS SSL-VPN has been actively exploited in cyber-espionage campaigns. This vulnerability allows attackers to execute arbitrary code on the affected systems.  Impact: Successful exploitation can lead to full control over the compromised system, enabling data theft, network breaches, and service disruptions. 

PHP Remote Code Execution (CVE-2024-4577) 

Overview: Multiple versions of PHP have been found vulnerable to remote code execution. This vulnerability has been exploited to deploy ransomware, affecting web servers running the compromised PHP versions.  Impact: Exploitation can result in the complete compromise of web servers, data exfiltration, and file encryption for ransom. 

Netgear Authentication Bypass (CVE-2024-36787)

Overview: A vulnerability in Netgear routers allows attackers to bypass authentication mechanisms, granting unauthorized access to router settings.  Impact: Unauthorized access can modify network settings, intercept data, and further network compromises. 

Veeam Backup Enterprise Manager (CVE-2024-29849)

Overview: A critical vulnerability in Veeam Backup Enterprise Manager allows unauthenticated users to log in, posing a high risk of data theft and manipulation.  Impact: Unauthorized access to backup systems can result in data breaches, loss of critical backup data, and potential operational disruptions. 

Weekly Vulnerability Report: Highlights

CVE-2024-37051 

Impact Analysis: A critical vulnerability in the JetBrains GitHub plugin on the IntelliJ open-source platform affects all IntelliJ-based IDEs, leading to the exposure of GitHub access tokens. TAs can leverage the vulnerability by using exposed tokens to gain unauthorized access to user GitHub accounts and repositories and possibly deploy malicious code or delete the repositories.  Internet Exposure: No  Patch: Available 

CVE-2022-42475 

Impact Analysis: A critical heap-based buffer overflow vulnerability in FortiOS SSL-VPN and FortiProxy SSL-VPN allows remote unauthenticated attackers to execute arbitrary code or commands via specially crafted requests. Reports suggest that Chinese TAs weaponized this vulnerability in cyber-espionage campaigns targeting government institutions for a few months between 2022 and 2023 to deploy malware on vulnerable Fortigate network security appliances.  Internet Exposure: Yes  Patch: Available 

CVE-2024-4577 

Impact Analysis: A critical remote code execution (RCE) vulnerability affecting PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, and 8.3.* before 8.3.8 when using Apache and PHP-CGI on Windows. PHP is a widely used open-source scripting language designed for web development, and the vulnerability can reveal the source code of scripts and enable TAs to run arbitrary PHP code on the server. Recently, researchers observed that the TellYouThePass ransomware gang has been exploiting the vulnerability to deliver webshells and execute the encryptor payload on target systems.  Internet Exposure: Yes  Patch: Available 

CVE-2024-4610 

Impact Analysis: A use-after-free vulnerability in Arm Ltd Bifrost GPU Kernel Driver and Arm Ltd Valhall GPU Kernel Driver allows local non-privileged users to gain access to already freed memory through improper GPU memory processing operations.  Internet Exposure: No  Patch: Available 

CVE-2024-36787 

Impact Analysis: This vulnerability in Netgear WNR614 JNR1010V2 N300-V1.1.0.54_1.0.1 allows attackers to bypass authentication and access the administrative interface, posing a severe threat to network security and sensitive user data.  Internet Exposure: Yes  Patch: Not specified 

CVE-2024-29849 

Impact Analysis: A vulnerability in Veeam Backup Enterprise Manager (VBEM) allows unauthenticated attackers to log in as any user to the enterprise manager web interface. This poses a high risk due to the global use of Veeam products and the availability of publicly available proof-of-concept (PoC).  Internet Exposure: Yes  Patch: Available 

CVE-2019-9082 & CVE-2018-20062 

Impact Analysis: These vulnerabilities impact ThinkPHP, an open-source PHP framework with an MVC structure, leading to remote code execution (RCE). Chinese threat actors have leveraged these vulnerabilities to install a persistent web shell named Dama.  Internet Exposure: No  Patch: Not specified 

CVE-2024-24919 

Impact Analysis: This vulnerability impacts Check Point Remote Access VPN and allows attackers to read information from Internet-connected gateways with remote access VPN or mobile access enabled. It has been exploited in zero-day attacks since April 30, enabling lateral movement through victim networks by stealing Active Directory data.  Internet Exposure: Yes  Patch: Available 

CVE-2024-30080 

Impact Analysis: A critical remote code execution vulnerability in Microsoft’s Message Queuing (MSMQ) can be exploited by unauthenticated attackers via specially crafted malicious MSMQ packets. Microsoft addressed the flaw in its monthly Patch Tuesday update. Internet Exposure: Yes  Patch: Available 

Industrial Control Systems (ICS) Vulnerabilities 

The report also highlights vulnerabilities in Industrial Control Systems (ICS), which are critical to sectors such as healthcare, emergency services, and energy. The majority of these vulnerabilities are categorized as high and critical severity, emphasizing the importance of securing ICS environments. 

Recommended Mitigation Strategies 

To mitigate the risks associated with these vulnerabilities, the following strategies are recommended: 

• Regular Software and Hardware Updates: Ensure all systems and devices are up to date with the latest security patches and firmware updates. 
• Patch Management: Implement a comprehensive patch management process to promptly address and apply patches for known vulnerabilities. 
• Network Segmentation: Segment networks to limit the spread of attacks and reduce the attack surface. 
• Incident Response and Recovery Plans: Develop and regularly update incident response and recovery plans to ensure swift action in the event of a breach. 
• Monitoring and Logging Solutions: Deploy advanced monitoring and logging solutions to detect and respond to suspicious activities in real time. 
• Regular Vulnerability Assessments and Penetration Testing: Conduct regular vulnerability assessments and penetration tests to identify and remediate security weaknesses. 
• Strong Password Policies and Multi-Factor Authentication: Enforce strong password policies and implement multi-factor authentication to enhance access control.

The report also notes the active discussion and sharing of several vulnerabilities on underground forums. These include vulnerabilities affecting popular platforms such as WordPress and macOS, which cybercriminals are exploiting. 

Conclusion 

The findings of the Weekly Vulnerability Intelligence Report highlight the critical need for continuous vigilance and proactive cybersecurity measures. Organizations must prioritize patch management, conduct regular security audits, and maintain incident response plans to protect against emerging threats.  Stay ahead of cyber threats with the Weekly Vulnerability Intelligence Report by Cyble, brought to you by The Cyber Express. Subscribe now for the latest insights powered by Cyble's advanced AI-driven threat intelligence.

Rockwell Automation has patched three high-severity vulnerabilities in its FactoryTalk View SE HMI software.

The post Rockwell Automation Patches High-Severity Vulnerabilities in FactoryTalk View SE appeared first on SecurityWeek.

Protect AI warns of a dozen critical vulnerabilities in open source AI/ML tools reported via its bug bounty program.

The post Easily Exploitable Critical Vulnerabilities Found in Open Source AI/ML Tools appeared first on SecurityWeek.

Analysis and insights on the prevalence and impact of password exposure vulnerabilities in ICS and other OT products.

The post Prevalence and Impact of Password Exposure Vulnerabilities in ICS/OT  appeared first on SecurityWeek.

Check Point has issued an alert regarding a critical zero-day vulnerability identified in its Network Security gateway products. As per the Check Point warning This vulnerability, tracked as CVE-2024-24919 with a CVSS score of 8.6, has been actively exploited by threat actors in the wild. The affected products include CloudGuard Network, Quantum Maestro, Quantum Scalable […]

The post Check Point Warning: VPN Gateway Products’ Zero-Day Attack appeared first on TuxCare.

The post Check Point Warning: VPN Gateway Products’ Zero-Day Attack appeared first on Security Boulevard.

A long-running ransomware campaign that has been targeting Windows and Linux systems since 2019 is the latest example of how closely threat groups track public disclosures of vulnerabilities and proofs-of-concept (PoCs) and how quickly they move in to exploit them. The PHP Group last week disclosed a high-severity flaw – tracked as CVE-2024-4577 and with..

The post Ransomware Group Jumps on PHP Vulnerability appeared first on Security Boulevard.

Google and Mozilla have released patches for 21 and 15 vulnerabilities in Chrome and Firefox, respectively.

The post Chrome 126, Firefox 127 Patch High-Severity Vulnerabilities appeared first on SecurityWeek.

The GNU C Library, commonly known as glibc, is a critical component in many Linux distributions. It provides core functions essential for system operations. However, like any software library, it is not immune to vulnerabilities. Recently, multiple security issues have been identified in glibc, which could result in a denial of service. These vulnerabilities are […]

The post Recent glibc Vulnerabilities and How to Protect Your Linux System appeared first on TuxCare.

The post Recent glibc Vulnerabilities and How to Protect Your Linux System appeared first on Security Boulevard.

A critical vulnerability in the PyTorch distributed RPC framework could be exploited for remote code execution.

The post Critical PyTorch Vulnerability Can Lead to Sensitive AI Data Theft appeared first on SecurityWeek.

A threat actor known as spr1ngtr4p has purportedly advertised a Remote Code Execution (RCE) vulnerability affecting a subdomain of Italy's Ministry of Defence website. This RCE vulnerability was posted on June 7, 2024, on a Russian-language cybercrime forum called XSS and sheds light on the malicious intent of the threat actor.  RCE vulnerabilities, such as the one claimed by spr1ngtr4p, pose significant risks as they allow malicious actors to execute code remotely on targeted systems. The implications of such an exploit can be severe, ranging from the deployment of malware to the complete compromise of affected machines.

The RCE Vulnerability and Possible Cyberattack on the Italian Ministry of Defence

[caption id="attachment_76184" align="alignnone" width="1240"] Source: Dark Web[/caption] The affected organization, as claimed by the threat actor, is the Ministry of Defence of Italy, Ministero Difesa, highlighting the gravity of the situation. The website in question, difesa.it, falls under the purview of this governmental body, making it a matter of national security concern. With Italy being the impacted country, the ramifications extend to the wider European and UK regions, emphasizing the potential for geopolitical implications. The post by the threat actor, shared on the cybercrime forum, offers insights into the nature of the RCE vulnerability. However, it lacks substantial evidence to validate the claims made. The absence of proof raises doubts about the credibility of the assertions and necessitates a thorough investigation into the matter.

No Confirmation of Intrusion

Efforts to ascertain the authenticity of the alleged cyberattack on the Italian Ministry have been initiated, with inquiries directed towards the Ministry of Defence of Italy. As of the time of this report, official confirmation or denial from the ministry is pending, leaving the status of the Italian Ministry of Defence cyberattack unresolved. Despite the alarming nature of the disclosure, there are indications that the Ministry of Defence website remains operational and unaffected by any apparent cyber intrusion. This suggests that either the threat actor has refrained from exploiting the vulnerability or that the website's security measures have effectively thwarted any attempted attacks. Nevertheless, the potential threat posed by the RCE vulnerability cannot be understated, warranting proactive measures to mitigate risks and fortify cyber defenses. Organizations, especially those in the government and law enforcement sectors, must remain vigilant and employ robust security protocols to safeguard against emerging cyber threats. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Source: www.databreachtoday.com – Author: 1 Governance & Risk Management , Patch Management , Vulnerability Assessment & Penetration Testing (VA/PT) Remote Code Execution Exploit Found; Patch Now Available Prajeet Nair (@prajeetspeaks) • June 8, 2024     Image: Shutterstock Server administrators should take immediate action to patch a critical remote code execution vulnerability in PHP for […]

La entrada Critical PHP Vulnerability Threatens Windows Servers – Source: www.databreachtoday.com se publicó primero en CISO2CISO.COM & CYBER SECURITY GROUP.

It took code security firm Kiuwan nearly two years to patch several serious vulnerabilities found in its SAST products.

The post Vulnerabilities Patched in Kiuwan Code Security Products After Long Disclosure Process appeared first on SecurityWeek.

Attention Apache Flink users! The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently added an Apache Flink vulnerability to its Known Exploited Vulnerabilities Catalog, highlighting evidence of its active exploitation. Apache Flink is a popular open-source framework for processing large streams of data. It’s widely used in big data analytics and real-time applications. However, like […]

The post CISA Alert: Urgent Update Needed for Apache Flink Vulnerability appeared first on TuxCare.

The post CISA Alert: Urgent Update Needed for Apache Flink Vulnerability appeared first on Security Boulevard.

SonicWall has shared technical details on a recently addressed high-severity remote code execution flaw in Confluence.

The post Details of Atlassian Confluence RCE Vulnerability Disclosed appeared first on SecurityWeek.

A critical vulnerability in the Progress Telerik Report Server could allow unauthenticated attackers to access restricted functionality.

The post Progress Patches Critical Vulnerability in Telerik Report Server appeared first on SecurityWeek.

Cox recently patched a series of vulnerabilities that could have allowed hackers to remotely take control of millions of modems.

The post Vulnerabilities Exposed Millions of Cox Modems to Remote Hacking appeared first on SecurityWeek.

The post Risk vs. Threat vs. Vulnerability: What is the difference? appeared first on Click Armor.

The post Risk vs. Threat vs. Vulnerability: What is the difference? appeared first on Security Boulevard.

Daft name, serious risk: Kit from ActionTec and Sagemcom remotely ruined and required replacement.

The post ‘Pumpkin Eclipse’ — 600,000+ Rural ISP Routers Bricked Beyond Repair appeared first on Security Boulevard.

The recently disclosed Check Point VPN attacks involve the zero-day vulnerability CVE-2024-24919, which allows hackers to obtain passwords.

The post Check Point VPN Attacks Involve Zero-Day Exploited Since April appeared first on SecurityWeek.

Vulnerabilities in the real-time IoT operating system Eclipse ThreadX before version 6.4 could lead to denial-of-service and code execution.

The post Vulnerabilities in Eclipse ThreadX Could Lead to Code Execution appeared first on SecurityWeek.