May 2024 Threat Tracking: Global CVE Disclosures Continue to Heat up

May 2024 made April’s record breaking CVE mountain into a mole-hill. The previous record for most CVEs published in a month grew by 36.9%. In total, a staggering 5061 vulnerabilities were added in May 2024. Considering the potentially high cost of a data breach, security teams need to stay in the loop with current cybersecurity trends, and the latest vulnerabilities. In this month’s threat tracker post, we will review several high profile enterprise software vendors suffering from newly discovered vulnerabilities in bulk and cover some of the latest known exploited vulnerabilities.

But first, we relay some news about one of our own – Christian Kuersteiner, a member of Greenbone’s vulnerability test development team, who’s responsible disclosure means that fewer vulnerabilities exist in the wild for attackers to take advantage of.

Greenbone’s Own Facilitating Responsible Disclosure

In May, Christian Kuersteiner, a software developer on the Greenbone team disclosed a vulnerability he had discovered in the Telerik Report Server. Telerik Report Server is a proprietary centralized Windows-based platform for managing and distributing reports. Rated as CVSS 5.5, the vulnerability could allow an unauthorized attacker to gain access to sensitive admin configuration data [CWE-200], and has since been published as CVE-2024-4837.

We asked Christian to describe what responsible security researchers do upon finding a bug. Here is what he had to say:

“Greenbone’s goal is to keep our customers safe. So naturally, we try to report vulnerabilities we find directly to the vendor with the details so they can provide fixes to their customers before attackers can take advantage. The people from Progress / Telerik and BugCrowd were very fast in responding, acknowledging, and fixing the vulnerability. The vulnerability was fixed, and a public advisory released within one week after reporting.”
Christian Kuersteiner, Security Researcher and Vulnerability Test Developer at Greenbone

In this instance, Christian’s contribution exemplifies how the bug reporting, aka responsible disclosure, process is meant to work. A vendor’s internal disclosure process triggers when a security researcher informs them of a bug. Since honorable software engineers are not the only people who may discover the bug, it could become a doorway for bad actors to gain a foothold on a network to steal data or deploy ransomware. In many cases, the damage extends to the general public as in the recent Change Healthcare breach.

Vendors are advised to follow best practices by posting a security.txt file [RFC-9116] at the root of their company domain, including a SECURITY.md file in public GitHub repositories, and enabling an email address such as security@example.com [RFC-2142] for receiving security related information.

Our story ends here on a positive note. Telerik has quickly released a security update that fixes the vulnerability. Users should update their instance of Report Server to version 2024 Q2 (10.1.24.514) or later to protect against CVE-2024-4837. Finally, CVE-2024-4837 can be detected by Greenbone with both an active check and a version detection test.

Cisco Reports 21 New Vulnerabilities – 10 High Severity; 2 Actively Exploited

May was a rough month for Cisco products with respect to vulnerabilities. A total of 21 new vulnerabilities were disclosed across a variety of Cisco products. Of these, ten were high severity. This follows on intel from late April, when 2 vulnerabilities in Cisco products were added to CISA’s known exploited vulnerabilities (KEV) catalog. Cisco Talos reported that these recent vulnerabilities are part of a nation-state cyber espionage campaign dubbed “ArcaneDoor” targeting perimeter network devices that began in January 2024.

• CVE-2024-20353 (CVSS 8.6 High): A denial of service (DoS) vulnerability in the management and VPN web servers for Cisco Adaptive Security Appliance (ASA) and Cisco Firepower Threat Defense (FTD) software caused by incomplete error checking when parsing an HTTP header, may allow an attacker remotely exploit a vulnerable system. CVE-2024-20353 is known to be actively exploited.
• CVE-2024-20359 (CVSS 6.0 High): A vulnerability in Cisco ASA and Cisco FTD Software allows an authenticated, local attacker to execute arbitrary code with root-level privileges after uploading a malicious file from flash memory and reloading the system to alter its configuration. CVE-2024-20359 is known to be actively exploited.
• CVE-2024-20356 (CVSS 8.7 High): A vulnerability in the web-based management interface of Cisco Integrated Management Controller (IMC) allows an attacker with admin access to the web-based management interface the ability to perform command injection attacks with system level privileges on the affected device. This potentially allows an attacker to perform actions outside the intended scope of the management interface to install malware or a rootkit. Furthermore, while CVE-2024-20356 has not been added to CISA’s KEV catalog yet, proof-of-concept (PoC) exploit code is publicly available.

Greenbone is able to identify impacted versions of Cisco’s ASA [1][2], Cisco FTD Software [3][4] and Cisco IMC [5] as well as other recently disclosed vulnerabilities in Cisco products.

GitLab Community and Enterprise Actively Exploited

First publicly disclosed in January 2024, a weakness in GitLab Community and Enterprise editions tracked as CVE-2023-7028 (CVSS 10 Critical) was tagged as actively exploited by CISA on May 1st, 2024. Remediating known actively exploited critical vulnerabilities should be top priority for enterprise IT security teams. In total, 13 new vulnerabilities affecting GitLab were disclosed in May 2024.

CVE-2023-7028 results from a failure to properly implement access controls [CWE-284] and allows an attacker to trigger password reset emails to be sent to an arbitrary email address. Exploitation allows an attacker to access administrator accounts on GitLab’s Community Edition (CE) and Enterprise Edition (EE), a web-based DevOps lifecycle tool and Git repository manager.

CVE-2023-7028 is present in all major versions of GitLab from 16.1 through to 16.7 that do not have the most recent patches installed. At least one publicly available PoC exploit, and a detailed technical description mean this vulnerability should be categorized as trivial to exploit going forward.

CVE-2024-4835 also stood out from the pile of May vulnerabilities in GitLab. With a CVSS of 8.0, CVE-2024-4835 is a cross-site scripting (XSS) vulnerability VS web-based code editor affecting GitLab in all versions of 15.11 though 16.10.6, 16.11 before 16.11.3, and 17.0 before 17.0.1. By leveraging CVE-2024-4835, an attacker can craft a malicious page to exfiltrate sensitive user information.

35 New Adobe CVEs Stand Out Against The May Landscape

In May, Adobe disclosed a total of 45 vulnerabilities across various products. Out of these, a stunning 32 were classified as high severity with a CVSS score of 7.8 or above. All the high severity vulnerabilities are exploited by tricking a victim into opening a malicious file and may result in arbitrary code execution on behalf of an attacker.

These vulnerabilities are prime candidates for use in social engineering attacks such as malspam, phishing, spear phishing, and drive-by-download campaigns by major cybercrime groups, especially initial access brokers (IAB) to gain unauthorized initial access to victim’s computers and internal networks. Users are urged to update their software to the latest versions to mitigate the risks and more generally to be very cautious of any software not procured from the original vendor, and of opening any documents from untrusted sources.

Here is a summary of affected products:

• Adobe Acrobat Reader: Acrobat Reader received a total of 11 new vulnerabilities. Of these, 9 were classified as high severity, each carrying a CVSS of 7.8. These vulnerabilities affect Adobe Acrobat Reader versions 20.005.30574, 24.002.20736, and earlier.
• Adobe Framemaker: Adobe Framemaker received 8 new vulnerabilities, 5 of which are high severity. The affected versions include Adobe Framemaker 2020.5, 2022.3, and earlier.
• Adobe Animate: Animate saw 7 vulnerabilities disclosed in May, with 5 classified as high severity. The vulnerabilities affect Animate versions 24.0.2, 23.0.5, and earlier.

A Typhoon Of Critical CVEs Hit ArubaOS

In May, HPE Aruba Networking disclosed a total of 28 vulnerabilities for its ArubaOS operating system. A staggering 16 of these were assessed as CVSS 9.8 high severity or above. ArubaOS has only one previously disclosed CVE so far in 2024, which was released in March making this month’s disclosure an anomaly. ArubaOS is considered a leader in WLAN management, security appliances including intrusion detection and prevention systems. As an indication of ArubaOS’s market share, Aruba Networking, a Hewlett-Packard subsidiary, posted revenue of $7.2B USD in Q2-2024.

The affected products include various services and protocols accessed via the PAPI protocol. Among the most affected components of ArubaOS, the command line interface (CLI) service and Central Communications service stood out, both with multiple high-severity vulnerabilities that could potentially offer attackers arbitrary code execution. Users are advised to apply the latest updates and follow the vendor’s resolution guide to mitigate affected products.

Greebone includes vulnerability tests to identify vulnerable ArubaOS instances, allowing IT security teams to identify, prioritize, and remediate these vulnerabilities by installing the security updates.

Apache ActiveMQ 6.x Deemed Insecure By Design

In late 2023, we covered an actively exploited CVSS 9.8 Critical vulnerability in Apache ActiveMQ. ActiveMQ is a message broker service that allows processes in a distributed architecture to share information in a queued list.

In May 2024, ActiveMQ came under fire again. This time its default configuration was assigned CVE-2024-32114 (CVSS 8.5 High), an unauthenticated exposure in the ActiveMQ management API’s Jolokia JMX REST API and Message REST API. The vulnerability allows attackers to freely interact with the broker to produce or consume messages (via the Jolokia JMX REST API) or purge or delete destinations (via the Message REST API).

Greenbone can detect CVE-2024-32114 by identifying vulnerable versions of ActiveMQ. To mitigate, users are recommended to add a security constraint to the default conf/jetty.xml configuration file to require authentication or upgrade to Apache ActiveMQ 6.1.2 where the default configuration has been updated with authentication by default.

According to CISA’s Security By Design principles and the EU’s tough new Cyber Resilience Act, products must be delivered with a secure default configuration as vendors, even open-source software vendors, are asked to take more responsibility for security outcomes imposed by their products.

Ivanti Fixes Multiple Vulnerabilities in Avalanche MDM System

Ivanti has previously been featured in Greenbone’s security advisories. Just last month, our April 2024 Threat Tracking reviewed how The MITRE Corporation suffered a breach via two previously disclosed Ivanti vulnerabilities in Ivanti Connect Secure VPN. Ivanti is now the subject of another critical vulnerability in its Avalanche Mobile Device Management (MDM) system.

Avalanche is designed to help organizations secure and manage their mobile devices, including smartphones, tablets, and other mobile endpoints. Tracked as CVE-2024-29204 with a CVSS of 9.8 Critical, the vulnerability is a heap overflow [CWE-122] in Avalanche’s WLAvalancheService component that could allow an unauthenticated remote attacker to execute arbitrary commands. All versions of Ivanti Avalanche before 6.4.3 are affected, and Greenbone’s Enterprise feed includes a version detection test to identify vulnerable instances.

Summary

May 2024 saw a significant rise in disclosed vulnerabilities, surpassing April’s record by 36.9% with a total of 5061 CVEs. In this month’s summary report, we have highlighted how one of Greenbone’s own developers participated in the responsible disclosure process to ensure vulnerabilities are identified and patched.

This month, high severity vulnerabilities were reported across many enterprise software and hardware products including various Cisco products, GitLab, Adobe’s suite of creative design products, HP’s ArubaOS, Apache ActiveMQ, and Ivanti’s Avalanche MDM system. Organizations must stay vigilant by staying current with vulnerability intelligence and making their best efforts to identify, prioritize, and patch exploitable weaknesses in their IT infrastructure.