Vulnerability disclosures took a summer vacation in July; only 3,135 new CVES were published, down almost 40% from May 2024’s record setting month. Last month we talked about cybersecurity on the edge, referring to the increasing number of attacks against perimeter network devices. That post’s title also hinted that globally, IT may be skirting catastrophic failure. Greenbone’s CMO Elmar Geese compiled a nice assessment of CrowdStrike’s failed update that crashed Windows systems around the world on Friday, July 19th.
Back in 2021, Gartner predicted that rampant cyber attacks would be causing death and mayhem by 2025. The bad news is we are ahead of Gartner’s schedule, but the further bad news is that we didn’t need a cyber attack to get there. In this month’s threat tracking news, we will review some of the top actively exploited vulnerabilities and critical risks introduced in July 2024.
Ransomware Distributed via VMware Vulnerability
This month, two vulnerabilities in VMware’s ESXi hypervisor and vCenter Server products were added to CISA’s Known Exploited Vulnerabilities (KEV) catalog and one, CVE-2024-37085 in ESXi, was observed distributing Akira and Black Basta ransomware. VMware’s virtualization solutions are critical to the global IT ecosystem. In the past, the vendor has claimed over 80 percent of virtualized workloads operate on its technology including all the Fortune 500 and Fortune Global 100 enterprises.
CVE-2024-37085 (CVSS 6.8 Medium) was discovered by Microsoft who revealed that ESXi is wildly insecure by design, granting full administrative access to any user in an Active Directory (AD) domain group named “ESX Admins” by default without proper validation. Just in case you can’t believe what you just read, I’ll clarify: any user in an arbitrary AD group named “ESX Admins” is granted full admin rights on an ESXi instance – by design. We should all be aghast and thunderstruck.
Considering CVE-2024-37085 is being leveraged for ransomware attacks, be reminded that maintaining secured backups of production ESXi hypervisor configurations and virtual machines, and conducting table-top and functional exercises for incident response can help ensure a swift recovery from a ransomware attack. Closing security gaps by scanning for known vulnerabilities and applying remediation can help prevent ransomware attacks from being successful in the first place.
CVE-2022-22948 (CVSS 6.5 Medium), also actively exploited, is another insecure-by-design flaw in VMware products, this time vCenter Server caused by improper default file permissions [CWE-276] allowing the disclosure of sensitive information.
Greenbone can actively detect vulnerable versions of VMware ESXi and vCenter Server with separate vulnerability tests for CVE-2024-37085 [1] and CVE-2022-22948 [2] since it was first disclosed in 2022.
New Batch of Cisco CVEs Includes one Actively Exploited plus two Critical Severity
In July 2024, 12 total vulnerabilities, two of critical and three of high severity, were disclosed in 17 different Cisco products. CVE-2024-20399 in Cisco NX-OS is being actively exploited and was added to CISA’s Known Exploited Vulnerabilities (KEV) catalog. CISA also referenced CVE-2024-20399 in a secure-by-design alert released in July. The alert advises software vendors to inspect their products for OS (operating system) command injection vulnerabilities [CWE-78]. Greenbone includes a remote version check for the actively exploited CVE-2024-20399.
Here is a summary of the most impactful CVEs:
- CVE-2024-20399 (CVSS 6.7 Medium): A command-injection vulnerability in Cisco NX-OS’s Command-Line Interface (CLI) allows authenticated administrative users to execute commands as root on the underlying OS due to unsanitized arguments being passed to certain configuration commands. CVE-2024-20399 can only be exploited by an attacker who already has privileged access to the CLI. Greenbone includes a remote version check for CVE-2024-20399.
- CVE-2024-20419 (CVSS 10 Critical): The authentication system of Cisco Smart Software Manager On-Prem (SSM On-Prem) allows an unauthenticated, remote attacker to change the password of any user, including administrators, via malicious HTTP requests. Greenbone includes a remote version detection test for CVE-2024-20419.
- CVE-2024-20401 (CVSS 10 Critical): A vulnerability in the content scanning and message filtering features of Cisco Secure Email Gateway could allow an unauthenticated, remote attacker to overwrite arbitrary files on the device via e-mail attachments if file analysis and content filters are enabled. CVE-2024-20401 allows attackers to create users with root privileges, modify the device configuration, execute arbitrary code, or disable the device completely. Greenbone is able to detect vulnerable devices so defenders can apply Cisco’s recommended mitigation.
Other CVEs disclosed for flagship Cisco products in July 2024 include:
ServiceNow Actively Exploited for Data Theft and RCE
As July closed, two critical vulnerabilities in ServiceNow – CVE-2024-4879 and CVE-2024-5217, were added to CISA’s KEV list. Both CVEs are rated CVSS 9.8 Critical. ServiceNow was also assigned a third on the same day, July 10th; CVE-2024-5178 (CVSS 6.8 Medium). The trio are being chained together by attackers to achieve unauthenticated Remote Code Execution (RCE). Data from over 100 victims is reportedly being sold on BreachForums; a cybercrime platform for exchanging stolen data.
ServiceNow is a leading IT service management (ITSM) platform featuring incident management, problem management, change management, asset management, and workflow automation, and extending into general business management tools such as human resources, customer service, and security operations. ServiceNow is installed either as a Software as a Service (SaaS) or self-hosted by organizations themselves. Shodan reports roughly 20,000 exposed instances online, and Resecurity has observed attacks against private sector companies and government agencies globally.
Greenbone included vulnerability tests (VTs) [1][2] for all three CVEs before active exploitation was alerted by CISA. Hotfixes are available [3][4][5] from the vendor and self-hosting customers should apply them with urgency.
Critical Vulnerability in Adobe Commerce and Magento eCommerce Platforms
Adobe Commerce and Magento versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8 and earlier are affected by CVE-2024-34102 (CVSS 9.8 Critical), resulting from improper restriction of XML External Entity Reference (‘XXE’) [CWE-611]. An attacker could exploit the weakness without user interaction by sending a malicious XML file to read sensitive data from within the platform.
CVE-2024-34102 is being actively exploited and a basic proof-of-concept exploit code is available on GitHub [1]. Malicious exploit code [2] for the CVE has also been removed from GitHub due to the platform’s policies against malware, but attackers are actively sharing it via dark-web forums and hacker channels on Telegram. Also, the CVE’s Exploit Prediction Scoring System (EPSS) score increased prior to its induction into CISA KEV, giving credit to EPSS as an early warning metric for vulnerability risk.
Magento is an open-source PHP-based eCommerce platform for small to medium-sized businesses. Acquired by Adobe in 2018, Adobe Commerce is essentially the enterprise version of Magento Open Source with additional features for larger businesses. Being an e-commerce platform, there’s risk that attackers may be able to steal payment card information or other sensitive personal information from a website’s customers in addition to inducing costly downtime due to lost sales for the site owner.
Greenbone includes an active check and version detection vulnerability tests (VTs) for identifying vulnerable versions of this high risk vulnerability.
GeoServer Actively Exploited for Remote Code Execution
A CVSS 9.8 Critical CVE was found in GeoServer prior to versions 2.23.6, 2.24.4, and 2.25.2. GeoServer is an open-source application for sharing, editing, and displaying geospatial data. Tracked as CVE-2024-36401, the vulnerability is being actively exploited and can lead to arbitrary Remote Code Execution (RCE). Exploit code is publicly available [1][2] compounding the risk. CERT-EU has issued an alert for all EU institutions, agencies, and member states. Greenbone includes remote detection tests to identify CVE-2024-36401 allowing users of affected GeoServer products to be notified.
The vulnerability, classified as “Dependency on Vulnerable Third-Party Component” [CWE-1395], lies in the GeoTools component – an open-source Java library that serves as the foundation for various geospatial projects and applications, including GeoServer. Therefore, similarly to how Log4Shell impacted an unknown number of applications using the Log4j 2.x library, the same is true for GeoTools. Various OGC (Open Geospatial Consortium) request parameters (including WFS GetFeature, WFS GetPropertyValue, WMS GetMap, WMS GetFeatureInfo, WMS GetLegendGraphic and WPS Execute requests) forfeit RCE since the GeoTools library API unsafely passes property/attribute names to the commons-jxpath library which has the capability to execute arbitrary code [CWE-94].
Users should update to GeoServer versions 2.23.6, 2.24.4, or 2.25.2 which contain a patch for the issue. For those who cannot update, removing the ‘gt-complex-<version>.jar’ file will eliminate the vulnerable code, but may break functionality if the gt-complex module is required.
Summary
July 2024 saw a decline in vulnerability disclosures, yet significant threats emerged. Notably, CVE-2024-37085 in VMware’s ESXi was observed being exploited for ransomware attacks, due to insecure design flaws. Cisco’s new vulnerabilities include CVE-2024-20399, actively exploited for command injection, and two critical flaws in its products. ServiceNow’s CVEs, including CVE-2024-4879 and CVE-2024-5217, are being used to distribute ransomware and steal data. Adobe Commerce’s CVE-2024-34102 and GeoServer’s CVE-2024-36401 also pose severe risks. Organizations must prioritize patching, vulnerability management, and incident response to mitigate these threats.