Veeam Releases Security Updates to Fix 18 Flaws, Including 5 Critical Issues
Veeam has shipped security updates to address a total of 18 security flaws impacting its software products, including five critical vulnerabilities that could result in remote code execution.
The list of shortcomings is below –
- CVE-2024-40711 (CVSS score: 9.8) – A vulnerability in Veeam Backup & Replication that allows unauthenticated remote code execution.
- CVE-2024-42024 (CVSS score: 9.1) – A vulnerability in Veeam ONE that enables an attacker in possession of the Agent service account credentials to perform remote code execution on the underlying machine
- CVE-2024-42019 (CVSS score: 9.0) – A vulnerability in Veeam ONE that allows an attacker to access the NTLM hash of the Veeam Reporter Service service account
- CVE-2024-38650 (CVSS score: 9.9) – A vulnerability in Veeam Service Provider Console (VPSC) that allows a low privileged attacker to access the NTLM hash of the service account on the server
- CVE-2024-39714 (CVSS score: 9.9) – A vulnerability in VPSC that permits a low-privileged user to upload arbitrary files to the server, resulting in remote code execution on the server
In addition, the September 2024 updates address 13 other high-severity flaws that could permit privilege escalation, multi-factor authentication (MFA) bypass, and execute code with elevated permissions.
Source: The hacker news / Bleeping computer / Veeam security bulletin
Link: https://thehackernews.com/2024/09/veeam-releases-security-updates-to-fix.html
Link: https://www.veeam.com/kb4649
Cisco Fixes Two Critical Flaws in Smart Licensing Utility to Prevent Remote Attacks
Cisco has released security updates for two critical security flaws impacting its Smart Licensing Utility that could allow unauthenticated, remote attackers to elevate their privileges or access sensitive information.
A brief description of the two vulnerabilities is below –
- CVE-2024-20439 (CVSS score: 9.8) – The presence of an undocumented static user credential for an administrative account that an attacker could exploit to log in to an affected system
- CVE-2024-20440 (CVSS score: 9.8) – A vulnerability arising due to an excessively verbose debug log file that an attacker could exploit to access such files by means of a crafted HTTP request and obtain credentials that can be used to access the API
While these shortcomings are not dependent on each other for them to be successful, Cisco notes in its advisory that they “are not exploitable unless Cisco Smart Licensing Utility was started by a user and is actively running.”
Source: The hacker news / Bleeping computer / Securityweek / Infosecurity magazine / CISCO security advisory
Link: https://thehackernews.com/2024/09/cisco-fixes-two-critical-flaws-in-smart.html
Link: https://www.securityweek.com/cisco-patches-critical-vulnerabilities-in-smart-licensing-utility/
Link: https://www.infosecurity-magazine.com/news/cisco-critical-vulnerabilities/
Link: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cslu-7gHMzWmw
Zyxel Patches Critical OS Command Injection Flaw in Access Points and Routers
Zyxel has released software updates to address a critical security flaw impacting certain access point (AP) and security router versions that could result in the execution of unauthorized commands.
Tracked as CVE-2024-7261 (CVSS score: 9.8), the vulnerability has been described as a case of operating system (OS) command injection.
“The improper neutralization of special elements in the parameter ‘host’ in the CGI program of some AP and security router versions could allow an unauthenticated attacker to execute OS commands by sending a crafted cookie to a vulnerable device,” Zyxel said in an advisory.
Source: The hacker news / Bleeping computer / Securityweek / Zyxel security advisory
Link: https://thehackernews.com/2024/09/zyxel-patches-critical-os-command.html
Link: https://www.securityweek.com/zyxel-patches-critical-vulnerabilities-in-networking-devices/
Unpatched AVTECH IP Camera Flaw Exploited by Hackers for Botnet Attacks
A years-old high-severity flaw impacting AVTECH IP cameras has been weaponized by malicious actors as a zero-day to rope them into a botnet.
CVE-2024-7029 (CVSS score: 8.7), the vulnerability in question, is a “command injection vulnerability found in the brightness function of AVTECH closed-circuit television (CCTV) cameras that allows for remote code execution (RCE),” Akamai researchers Kyle Lefton, Larry Cashdollar, and Aline Eliovich said.
Details of the security shortcoming were first made public earlier this month by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), highlighting its low attack complexity and the ability to exploit it remotely.
“Successful exploitation of this vulnerability could allow an attacker to inject and execute commands as the owner of the running process,” the agency noted in an alert published August 1, 2024.
Source: The hacker news / Dark reading
Link: https://thehackernews.com/2024/08/unpatched-avtech-ip-camera-flaw.html
Link: https://www.darkreading.com/ics-ot-security/cctv-zero-day-targeted-by-mirai-botnet-campaign
Apache fixes critical OFBiz remote code execution vulnerability
Apache has fixed a critical security vulnerability in its open-source OFBiz (Open For Business) software, which could allow attackers to execute arbitrary code on vulnerable Linux and Windows servers.
OFBiz is a suite of customer relationship management (CRM) and enterprise resource planning (ERP) business applications that can also be used as a Java-based web framework for developing web applications.
Tracked as CVE-2024-45195 and discovered by Rapid7 security researchers, this remote code execution flaw is caused by a forced browsing weakness that exposes restricted paths to unauthenticated direct request attacks.
“An attacker with no valid credentials can exploit missing view authorization checks in the web application to execute arbitrary code on the server,” security researcher Ryan Emmons explained on Thursday in a report containing proof-of-concept exploit code.
The Apache security team patched the vulnerability in version 18.12.16 by adding authorization checks. OFBiz users are advised to upgrade their installations as soon as possible to block potential attacks.
Source: Bleeping computer
VMware Patches High-Severity Code Execution Flaw in Fusion
Virtualization software technology vendor VMware on Tuesday pushed out a security update for its Fusion hypervisor to address a high-severity vulnerability that exposes uses to code execution exploits.
The root cause of the issue, tracked as CVE-2024-38811 (CVSS 8.8/10), is an insecure environment variable, VMware notes in an advisory. “VMware Fusion contains a code execution vulnerability due to the usage of an insecure environment variable. VMware has evaluated the severity of this issue to be in the ‘Important’ severity range.”
According to VMware, the CVE-2024-38811 defect could be exploited to execute code in the context of Fusion, which could potentially lead to complete system compromise.
“A malicious actor with standard user privileges may exploit this vulnerability to execute code in the context of the Fusion application,” VMware says.
The company has credited Mykola Grymalyuk of RIPEDA Consulting for identifying and reporting the bug. The vulnerability impacts VMware Fusion versions 13.x and was addressed in version 13.6 of the application.
There are no workarounds available for the vulnerability and users are advised to update their Fusion instances as soon as possible, although VMware makes no mention of the bug being exploited in the wild.
Source: Securityweek / Broadcom security advisory
Link: https://www.securityweek.com/vmware-patches-high-severity-code-execution-flaw-in-fusion/
BlackByte blends tried-and-true tradecraft with newly disclosed vulnerabilities to support ongoing attacks
The BlackByte ransomware group continues to leverage tactics, techniques and procedures (TTPs) that have formed the foundation of its tradecraft since its inception, continuously iterating its use of vulnerable drivers to bypass security protections and deploying a self-propagating, wormable ransomware encryptor.
In recent investigations, Talos IR has also observed BlackByte using techniques that depart from their established tradecraft, such as exploiting CVE-2024-37085 – an authentication bypass vulnerability in VMware ESXi – shortly after it was disclosed and using a victim’s authorized remote access mechanism rather than deploying a commercial remote administration tool like AnyDesk.
Talos IR observed a new iteration of the BlackByte encryptor that appends the file extension “blackbytent_h” to encrypted files, drops four vulnerable driver files compared to the previously observed three, and uses victim Active Directory credentials to self-propagate.
Talos also assesses that the BlackByte group is more active than its data leak site may imply, where only 20 to 30 percent of successful attacks result in an extortion post.
Source: CISCO Talos intelligence group
The true cost of cybercrime for your business
As cybercriminals continue to refine their methods, blending traditional strategies with new technologies, the financial toll on individuals and organizations has reached alarming levels. Businesses are also grappling with mounting cybercrime costs from ransomware and DDoS attacks, which can inflict hundreds of thousands of dollars in damage within minutes.
These statistics highlight a growing concern: as cybercrime costs rise and threats become more complex and widespread, they impact organizations of all sizes.
Source: Helpnet security
Link: https://www.helpnetsecurity.com/2024/09/06/the-true-cost-of-cybercrime-for-your-business/
Getting “in tune” with an enterprise: Detecting Intune lateral movement
Organizations continue to implement cloud-based services, a shift that has led to the wider adoption of hybrid identity environments that connect on-premises Active Directory with Microsoft Entra ID (formerly Azure AD). To manage devices in these hybrid identity environments, Microsoft Intune (Intune) has emerged as one of the most popular device management solutions. Since this trusted enterprise platform can easily be integrated with on-premises Active Directory devices and services, it is a prime target for attackers to abuse for conducting lateral movement and code execution.
This research will give a background on Intune, how it is being used within organizations and show how to use this cloud-based platform to deploy custom Windows applications to achieve code execution on user devices. Additionally, this research includes the public release of new Microsoft Sentinel rules to help defenders detect the usage of Intune for lateral movement and defensive hardening guidance for the Intune platform.
Source: IBM Security intelligence
Link: https://securityintelligence.com/x-force/detecting-intune-lateral-movement/