Microsoft Fixes 90 New Flaws, Including Actively Exploited NTLM and Task Scheduler Bugs
Microsoft on Tuesday revealed that two security flaws impacting Windows NT LAN Manager (NTLM) and Task Scheduler have come under active exploitation in the wild.
The security vulnerabilities are among the 90 security bugs the tech giant addressed as part of its Patch Tuesday update for November 2024. Of the 90 flaws, four are rated Critical, 85 are rated Important, and one is rated Moderate in severity. Fifty-two of the patched vulnerabilities are remote code execution flaws.
The fixes are in addition to 31 vulnerabilities Microsoft resolved in its Chromium-based Edge browser since the release of the October 2024 Patch Tuesday update. The two vulnerabilities that have been listed as actively exploited are below –
- CVE-2024-43451 (CVSS score: 6.5) – Windows NTLM Hash Disclosure Spoofing Vulnerability
- CVE-2024-49039 (CVSS score: 8.8) – Windows Task Scheduler Elevation of Privilege Vulnerability
“This vulnerability discloses a user’s NTLMv2 hash to the attacker who could use this to authenticate as the user,” Microsoft said in an advisory for CVE-2024-43451, crediting ClearSky researcher Israel Yeshurun with discovering and reporting the flaw.
It’s worth noting that CVE-2024-43451 is the third flaw after CVE-2024-21410 (patched in February) and CVE-2024-38021 (patched in July) that can be used to reveal a user’s NTLMv2 hash and has been exploited in the wild this year alone.
Source: The hacker news / Bleeping computer / Krebs on security / Dark reading / Securityweek / CISCO Talos intelligence group / SANS internet storm center
Link: https://thehackernews.com/2024/11/microsoft-fixes-90-new-vulnerabilities.html
Link: https://krebsonsecurity.com/2024/11/microsoft-patch-tuesday-november-2024-edition/
Link: https://www.darkreading.com/cloud-security/2-zero-day-bugs-microsoft-nov-update-active-exploit
Link: https://www.securityweek.com/microsoft-confirms-zero-day-exploitation-of-task-scheduler-flaw/
Link: https://blog.talosintelligence.com/november-patch-tuesday-release/
Link: https://isc.sans.edu/diary/Microsoft%20November%202024%20Patch%20Tuesday/31438
High-Severity Flaw in PostgreSQL Allows Hackers to Exploit Environment Variables
Cybersecurity researchers have disclosed a high-severity security flaw in the PostgreSQL open-source database system that could allow unprivileged users to alter environment variables, and potentially lead to code execution or information disclosure.
The vulnerability, tracked as CVE-2024-10979, carries a CVSS score of 8.8.
Environment variables are user-defined values that can allow a program to dynamically fetch various kinds of information, such as access keys and software installation paths, during runtime without having to hard-code them. In certain operating systems, they are initialized during the startup phase.
“Incorrect control of environment variables in PostgreSQL PL/Perl allows an unprivileged database user to change sensitive process environment variables (e.g., PATH),” PostgreSQL said in an advisory released Thursday.
Source: The hacker news
Link: https://thehackernews.com/2024/11/high-severity-flaw-in-postgresql-allows.html
CISA Flags Two Actively Exploited Palo Alto Flaws; New RCE Attack Confirmed
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday warned that two more flaws impacting the Palo Alto Networks Expedition software have come under active exploitation in the wild.
To that end, it has added the vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to apply the necessary updates by December 5, 2024.
The security flaws are listed below –
- CVE-2024-9463 (CVSS score: 9.9) – Palo Alto Networks Expedition OS Command Injection Vulnerability
- CVE-2024-9465 (CVSS score: 9.3) – Palo Alto Networks Expedition SQL Injection Vulnerability
Successful exploitation of the vulnerabilities could allow an unauthenticated attacker to run arbitrary OS commands as root in the Expedition migration tool or reveal its database contents.
Source: The hacker news / Bleeping computer
Link: https://thehackernews.com/2024/11/cisa-flags-critical-palo-alto-network.html
FBI, CISA, and NSA reveal most exploited vulnerabilities of 2023
The FBI, the NSA, and Five Eyes cybersecurity authorities have released a list of the top 15 routinely exploited vulnerabilities throughout last year, most of them first abused as zero-days.
A joint advisory published on Tuesday calls for organizations worldwide to immediately patch these security flaws and deploy patch management systems to minimize their networks’ exposure to potential attacks.
“In 2023, malicious cyber actors exploited more zero-day vulnerabilities to compromise enterprise networks compared to 2022, allowing them to conduct cyber operations against higher-priority targets,” the cybersecurity agencies warned.
Source: Bleeping computer / CISA gov news / Dark reading / Securityweek
Link: https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-317a
Patch Tuesday: Critical Flaws in Adobe Commerce, Photoshop, InDesign, Illustrator
Enterprise software maker Adobe on Tuesday rolled out fixes for a wide swathe of critical security flaws across product lines, including code execution issues in the Adobe Commerce software suite.
As part of its regular Patch Tuesday rollout, Adobe documented a total of 48 security bugs and called urgent attention to critical-severity bugs in the Adobe Commerce and Magento Open Source platforms, the InDesign and Photoshop suites, and the Illustrator and Substance 3D Painter products.
Adobe stressed the importance of fixing the Adobe Commerce bug, which carries a CVSS severity score of 7.8 and exposes e-commerce shops to code execution attacks.
The bug, tagged as CVE-2024-49521, impacts versions 3.2.5 and earlier of the Commerce Services Connector (deployed as Saas) and Adobe strongly urges users to update to version 3.2.6 to secure installations.
Source: Securityweek
SAP Patches High-Severity Vulnerability in Web Dispatcher
nterprise software maker SAP on Tuesday announced the release of eight new and two updated security notes as part of its November 2024 security updates.
Marked as ‘high priority’, the second most severe rating in SAP’s playbook, the most important of these notes resolves a high-severity vulnerability in Web Dispatcher, the appliance that distributes incoming requests to the adequate SAP instances.
In its advisory, SAP describes the security defect, which is tracked as CVE-2024-47590 (CVSS score of 8.8), as a cross-site scripting (XSS) bug.
According to enterprise security firm Onapsis, the flaw can be exploited by unauthenticated attackers by creating a malicious page to execute content in the victim’s browser. The vulnerability can be exploited for both XSS and server-side request forgery (SSRF) attacks, leading to remote code execution on the server.
“This can lead to a full compromise of confidentiality, integrity, and availability. The vulnerability only affects customers who have the Admin UI of SAP Web Dispatcher enabled,” Onapsis explains.
SAP customers are advised to apply the security note to address the issue, but can also mitigate the risk by disabling the Admin UI, either through file deletion or profile parameter changes, or by completely removing the administrative role from all users.
Source: Securityweek
Link: https://www.securityweek.com/sap-patches-high-severity-vulnerability-in-web-dispatcher/
Strela Stealer: Today’s invoice is tomorrow’s phish
As of November 2024, IBM X-Force has tracked ongoing Hive0145 campaigns delivering Strela Stealer malware to victims throughout Europe – primarily Spain, Germany and Ukraine. The phishing emails used in these campaigns are real invoice notifications, which have been stolen through previously exfiltrated email credentials. Strela Stealer is designed to extract user credentials stored in Microsoft Outlook and Mozilla Thunderbird. During the past 18 months, the group tested various techniques to enhance its operation’s effectiveness. Hive0145 is likely to be a financially motivated initial access broker (IAB), active since late 2022 and potentially the sole operator of Strela Stealer. The continuous operational pace of Hive0145’s campaigns highlights an increased risk to potential victims across Europe.
Source: IBM Security intelligence
Link: https://securityintelligence.com/x-force/strela-stealer-todays-invoice-tomorrows-phish/