After experts noticed a rapid increase in cyberattacks on local authorities and government agencies in 2023, the horror stories don’t stop in 2024. The pressure to act is enormous, as the EU’s NIS2 Directive will come into force in October and makes risk and vulnerability management mandatory.

“The threat level is higher than ever,” said Claudia Plattner, President of the German Federal Office for Information Security (BSI), at Bitkom in early March. The question is not whether an attack will be successful, but only when. The BSI’s annual reports, for example the most recent report from 2023, also speak volumes in this regard. However, according to Plattner, it is striking how often local authorities, hospitals and other public institutions are at the centre of attacks. There is “not a problem with measures but with implementation in companies and authorities”, said Plattner. One thing is clear: vulnerability management such as Greenbone’s can provide protection and help to avoid the worst.

US authorities infiltrated by Chinese hackers

In view of the numerous serious security incidents, vulnerability management is becoming more important every year. Almost 70 new security vulnerabilities have been added every day in recent months. Some of them opened the door to attackers deep inside US authorities, as reported in the Greenbone Enterprise Blog:

According to the media, US authorities have been infiltrated by Chinese hacker groups such as the probably state-sponsored “Volt Typhoon” for years via serious security gaps. The fact that Volt Typhoon and similar groups are a major problem was even confirmed by Microsoft itself in a blog back in May 2023. But that’s not all: German media reported that Volt Typhoon is taking advantage of the abundant vulnerabilities in VPN gateways and routers from Fortinet, Ivanti, Netgear, Citrix and Cisco. These are currently considered to be particularly vulnerable.

The fact that the quasi-monopolist in office software, groupware, operating systems and various cloud services also had to admit in 2023 that a master key for large parts of its Microsoft cloud had been stolen destroyed trust in the Redmond software manufacturer in many places. Anyone holding this key no longer needs a backdoor into Microsoft systems. Chinese hackers are also suspected in this case.

Software manufacturers and suppliers

The supply chain for software manufacturers has been under particular scrutiny by manufacturers and users not only since log4j or the European Cyber Resilience Act. The recent example of the attack on the XZ compression algorithm in Linux also shows the vulnerability of manufacturers. In the case of the “#xzbackdoor”, a combination of pure coincidence and the activities of Andres Freund, a German developer of open source software for Microsoft with a strong focus on performance, prevented the worst from happening.

An abyss opened up here: it was only thanks to open source development and a joint effort by the community that it came to light that actors had been operating for years under changing fake names and multiple accounts, with considerable criminal energy and with methods that would otherwise be associated with secret services. With little or no user history, they used sophisticated social engineering, exploited the notorious overload of maintainers and gained the trust of freelance developers. This enabled them to introduce malicious code into software almost unnoticed. In the end, it was only thanks to Freund’s interest in performance that the attack was discovered and the attempt to insert a backdoor into a tool failed.

US officials also see authorities and institutions as being particularly threatened in this case, even if the attack appears to be rather untargeted and designed for mass use. The issue is complex and far from over, let alone fully understood. One thing is certain: the usernames of the accounts used by the attackers were deliberately falsified. We will continue to report on this in the Greenbone blog.

European legislators react

Vulnerability management cannot prevent such attacks, but it provides indispensable services by proactively warning and alerting administrators as soon as such an attack becomes known – usually before an attacker has been able to compromise systems. In view of all the difficulties and dramatic incidents, it is not surprising that legislators have also recognised the magnitude of the problem and are declaring vulnerability management to be standard and best practice in more and more scenarios.

Laws and regulations such as the EU’s new NIS2 directive make the use of vulnerability management mandatory, including in the software supply chain. Even if NIS2 only actually applies to around 180,000 organisations and companies in the critical infrastructure (KRITIS) or “particularly important” or “significant” companies in Europe, the regulations are fundamentally sensible and will be mandatory from October. The EU Commission emphasises that “operators of essential services” must “take appropriate security measures and inform the competent national authorities of serious incidents”. Important providers of digital services such as search engines, cloud computing services and online marketplaces must fulfil the security and notification requirements of the directive.

Mandatory from October: A “minimum set of cyber security measures”

The “Directive on measures for a high common level of cybersecurity across the Union (NIS2)” forces companies in the European Union to “implement a benchmark of minimum cybersecurity measures”, including risk management, training, policies and procedures, also and especially in cooperation with software suppliers. In Germany, the federal states are to define the exact implementation of the NIS2 regulations.

Do you have any questions about NIS2, the Cyber Resilience Act (CRA), vulnerability management in general or the security incidents described? Write to us! We look forward to working with you to find the right compliance solution and give your IT infrastructure the protection it needs in the face of today’s serious attacks.


It doesn’t get any greener? Not at all! We have just completed certification of our environmental management system in accordance with ISO 14001. And we have realised: There is always room for getting “greener” – you just have to be committed and willing to drive this commitment forward in measurable progress.

Greenbone passes ISO 14001 Certification.

The international standard ISO 14001 defines requirements that companies can use to achieve environmental goals and fulfil legal obligations. Because the environmental context is different for every organisation, the standard does not specify absolute values and targets, but it does emphasise integration into quality management, C-level responsibility for environmental management and the elimination of ambiguity regarding environmental targets.

Targets, objectives, key figures: A dry framework for green growth

The current German version of the standard, DIN EN ISO 14001:2015, places particular emphasis on “environmental performance improvement” and its measurement using appropriate indicators. The ecological objectives thus relate to the upstream and downstream environmental impact of products and services as well as the consideration of opportunities and risks in day-to-day business. The whole process is to be set up as part of a continuous improvement process (CIP) so that the effects of each new measure can be monitored and adapted accordingly. With this certification, we are proud to be able to announce another important step towards a company that is not only “green” on the outside, in the company logo, but also on the inside.

Back in autumn 2023, when the “Environmental Management System” was introduced, it was clear to us: we may not be able to save the world, but every step in this direction is important to us! So, step by step, we started by collecting all aspects that could have an impact on the environment. After ranking the factors and prioritising them, eleven areas emerged in which Greenbone can become ecologically effective and active: Starting with electricity consumption, cooling servers, heating offices and dispatching goods, through to waste separation and the energy efficiency of our appliances.

And again and again: measure…

As a company that emphasises the realisation and clear presentation of objectives, Greenbone is already certified according to ISO 9001:2015 (quality management) and ISO 27001:2017 (information security) as well as within the framework of TISAX for the Information Security Management System (ISMS). For ISO 14001, we have concretised our objectives in clearly defined key performance indicators (KPIs) in order to make them available for subsequent measurements. This allows us to readjust existing measures and introduce further improvements. What initially sounds dry is already bearing its first “green” fruits:

  • Our electricity has been supplied entirely from renewable energy sources since the company was founded. Total consumption – including clients and servers – is set to be reduced by a further 3% in the near future.
  • Whenever we purchase new equipment, we pay particular attention to sustainability and energy efficiency.
  • Since 2020, we have only used electric cars as company vehicles.
  • We have switched to digital payroll accounting.
  • The server room is regularly checked for potential savings.
  • We also prioritise environmental protection on a small scale: Waste is only collected centrally and packaging material is reused as a matter of principle.

To make our ecological progress even more sustainable, we keep up to date with regular internal training courses on energy efficiency. In this way, we are helping to make the world even “greener” outside of Greenbone.

For several years in a row, the Californian manufacturer Fortinet has been in the public focus due to serious security problems. Known for its secure firewall, VPN and intrusion detection devices, the cyber security expert was again forced to announce several highly critical security vulnerabilities in February 2024.

Staying informed and applying patches promptly is what companies need to proactively protect themselves against such attacks. Products such as Greenbone’s Enterprise Appliances play a central role in this and are meant to help admins. All the vulnerabilities mentioned in this blog post are covered by tests from the Greenbone Enterprise Feed: active procedures check whether the exploit is possible, and versioning tests will deliver results about the success of patch management.

87,000 passwords: Fortinet wins “Vulnerability of the Year 2022”

In 2019, CVE-2018-13379 (CVSS 9.8) allowed over 87,000 passwords for the Fortinet VPN to be read from the devices. In the following years, this vulnerability was exploited so successfully that in 2022 it was awarded the dubious title of “most exploited vulnerability of 2022”. The US authorities reacted and urged all of their clients to be more aware of the problem: the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA) and the Federal Bureau of Investigation (FBI) all warned that many customers did not apply patches promptly. Again, a lack of foresight turned out to be one of the main reasons. According to the agencies, patching would have prevented many of the successful attacks.

2023: Unwanted guests in critical networks

What makes it worse is the fact that Fortinet devices are mostly used in security-critical areas. Unpatched and equipped with serious vulnerabilities, such devices have become the focus of attackers in recent years, especially state actors. In 2023, for example, Chinese hacker groups successfully infiltrated Dutch military networks via a vulnerability in the FortiOS SSL VPN from December 2022 that had actually already been patched for a while (CVE-2022-42475, CVSS 9.3).

Even though the network was only used for research and development according to the Military Intelligence and Security Service (MIVD), the attacks published at the beginning of February made it clear how easy it is for attackers to penetrate even highly protected networks. Worse still, the corresponding backdoor “Coathanger” allows attackers to gain permanent access to devices once they have been compromised, all thanks to CVE-2022-42475, which allows the execution of arbitrary code.

February 2024: Warnings of further vulnerabilities, maximum severity

Unfortunately, the story does not end here: at the beginning of February 2024, Fortinet had to admit another serious vulnerability. CVE-2024-21762 (CVSS score: 9.6) allows unauthorized attackers to execute arbitrary code via specially adapted requests. A long list of versions of the Fortinet operating system FortiOS and of FortiProxy are affected. The manufacturer advises upgrading or deactivating the SSL VPN and warns of both the severity of the vulnerability and the fact that it is already being massively exploited by attackers.

Fortinet seemed to have some organizational issues, too. CVE-2024-23108 and CVE-2024-23109, published just a few days later, sounded just as bad: they also allow unauthenticated attackers to execute arbitrary code. However, these CVEs have to be taken with a grain of salt. The fact that two CVEs from the same manufacturer received a 10.0 on the severity scale on the same day is probably unique and raised some experts’ eyebrows. Apart from that, the confusing communication from the vendor was not really likely to establish or strengthen trust, much like the strange story of toothbrush-based attacks told by a Fortinet employee, which reached the mass media at the same time.

Fatal combination – vulnerability management can help

As always, Fortinet published patches promptly, but customers also have to install them. Again, the combination of serious security vulnerabilities, a lack of awareness and the absence of patches showed its full impact: only a few days later, the US government pushed out another advisory from CISA, NSA and FBI about Volt Typhoon, a Chinese state hacker group. The US government had evidence that these attackers had been nesting in the critical infrastructure of US authorities for many years via such vulnerabilities; the associated risks should not be underestimated, according to the warning.

The security by design required there also includes the constant monitoring of one’s own servers, computers and installations with vulnerability tests such as those of Greenbone Enterprise Appliances. Those who constantly monitor their networks (not just Fortinet devices) with the vulnerability tests of a modern vulnerability scanner can inform their administrators as quickly as possible if known CVEs in an infrastructure are waiting for patches, reducing the attack surface.

In February 2024, Microsoft issued a security alert for a total of 73 security vulnerabilities. The batch included 6 critical severity vulnerabilities, 52 rated as high severity, and 15 as medium severity vulnerabilities. 30 of them are remote code execution vulnerabilities [T1210] and 16 are privilege escalation [TA0004] exploits. From that group, three stand out as being actively exploited: CVE-2024-21410 (CVSS 9.8 Critical), CVE-2024-21412 (CVSS 8.1 High), and CVE-2024-21351 (CVSS 7.6 High).

15 of the 73 CVEs affected Microsoft WDAC OLE DB provider for SQL, 8 were reported in Microsoft Dynamics, a business productivity cloud service that integrates with Microsoft 365, and the Windows kernel had 6 CVEs reported and patched. The full list of vulnerabilities can be found on the official Microsoft advisory report for February 2024.

CVE-2024-21410 in Microsoft Exchange Actively Exploited

The CVE-2024-21410 (CVSS 9.8 Critical) security flaw is an authentication replay attack [CWE-294] on Microsoft Exchange Servers that use the Net-NTLMv2 protocol. The vulnerability allows attackers with the ability to capture a victim’s Net-NTLMv2 credentials to escalate privileges on the system for unauthenticated access. Since CVE-2024-21410 is a pass-the-hash [CWE-836] vulnerability it is considered low complexity to exploit by any attacker with stolen credentials. As such, CVE-2024-21410 represents a high risk to the confidentiality and integrity of an organization’s internal email communication and other data contained in an Exchange Server instance such as contact lists, shared resources or schedules.

CVE-2024-21410 is listed as actively exploited in CISA’s known exploited vulnerabilities (KEV) catalog. Although no formal attribution has been assigned to the recent attacks, some insiders have noted that the Russian-backed threat actor APT28 is active in exploiting NTLM and is known for attack techniques including Access Token Manipulation [T1134] and Token Impersonation/Theft [T1134.001] for unauthorized access against email servers.

28,500 Microsoft Exchange servers have been identified as vulnerable, while a report from security research firm Shadowserver aggressively estimates that up to 97,000 IPs are potentially affected. Greenbone provides both a local security check (LSC) and remote version checks for identifying Microsoft Exchange servers impacted by CVE-2024-21410.

Here is a description of CVE-2024-21410 and how it is being exploited:

  • CVE-2024-21410 (CVSS 9.8 Critical): An attacker could target an Net-NTLMv2 client such as Outlook from within a compromised endpoint with a credential-leak exploit, via a compromised network position using a tool such as Responder, or via an Adversary in The Middle (AiTM) position by capturing unencrypted network traffic. The leaked credentials can then be relayed against the Exchange server to gain privileges as the victim and to perform operations on the Exchange server on the victim’s behalf. Notably, CVE-2024-21410 does not require the captured Net-NTLMv2 hash to be cracked since it can be replayed directly for exploitation.

What Is NTLM Authentication Protocol?

The NTLM (NT LAN Manager) authentication protocol is a proprietary protocol developed by Microsoft dating back to the Windows NT operating system, which was released in 1993. NTLM was replaced as the default authentication protocol in Windows 2000 by Kerberos. The Net-NTLMv1 and Net-NTLMv2 protocols employ the user’s base password, stored as a hash (called the NTHash), in a challenge-response authentication handshake to verify an authorized user. A detailed description of the algorithms used in Net-NTLMv1 and Net-NTLMv2 can be found on Medium.

Net-NTLMv2 (NT LAN Manager version 2) is an improvement over the older NTLM protocol, offering better security features against certain types of attack. Net-NTLMv2 is still supported by various Microsoft products and services within Windows-based networks. However, due to the potential for simple replay attacks using stolen credentials [CWE-294], NTLM itself has already been assigned a CVE (CVE-2021-31958), and its use presents a serious risk of unauthorized access. Also, considering that Microsoft officially acknowledged the security risks of NTLM in 2021, it should broadly be considered a vulnerable protocol and be replaced with more secure public-key based authentication wherever it is in use.

Some of the key products that still support the use of Net-NTLMv2 include all Windows operating systems, Active Directory (AD), Microsoft Exchange Server, Microsoft SQL Server, Internet Information Services (IIS), the SMB protocol, Remote Desktop Services and other third-party applications.

Mitigating CVE-2024-21410

The 2024 H1 Cumulative Update 14 (CU14) for Exchange Server 2019 has been released by Microsoft allowing operators of the affected versions to patch their vulnerable product. The CU14 update enables Extended Protection for Authentication (EPA) by default which had otherwise required manual setup.

If installing CU14 is not feasible or for administrators of Exchange Server 2016, the Exchange Extended Protection documentation and ExchangeExtendedProtectionManagement.ps1 script can be used to enable EPA for Exchange Servers. Microsoft also points to its own workaround techniques for mitigating pass-the-hash attacks in reference to mitigating the risk of CVE-2024-21410.

Pivoting From CVE-2024-21410 to CVE-2024-21378

It is also probable that attackers who gain unauthorized access to a vulnerable Microsoft Exchange server could continue their exploit chain by leveraging another vulnerability disclosed in the February 2024 group, CVE-2024-21378 (CVSS 8.0 High), to cause high impact to endpoints running the Microsoft Outlook 2016 client or Microsoft Office 365 (2016 Click-to-Run). CVE-2024-21378 is a remote code execution vulnerability that requires user interaction. A prerequisite for exploiting CVE-2024-21378 is authenticated access to a Microsoft Exchange server or another Microsoft LAN service, which allows an attacker to compromise users on the same domain controller via delivery of a malicious file. Furthermore, CVE-2024-21378 can be exploited simply by previewing the malicious file.

Greenbone can identify systems affected by CVE-2024-21378 with local security checks for Microsoft Outlook 2016 and Microsoft Office 365 (2016 Click-to-Run).

CVE-2024-21351 Windows SmartScreen Security Bypass

CVE-2024-21351 (CVSS 7.6 High) is a remote code execution (RCE) vulnerability in the Windows SmartScreen security feature. Exploiting CVE-2024-21351 could expose sensitive data and compromise file integrity and availability. This requires human interaction. The victim must click to open a malicious file delivered by the attacker. CVE-2024-21351 was added to CISA’s catalog of known exploited vulnerabilities (KEV) on February 13, 2024 along with CVE-2024-21412.

CVE-2024-21412 Internet Shortcut Files Security Bypass

CVE-2024-21412 (CVSS 8.1 High) is a vulnerability in the security feature of Internet Shortcut Files that allows an unauthenticated attacker to distribute a specially crafted file intended to circumvent visible security measures. While the attacker cannot compel a user to access content under their control, they must persuade the user to actively click on the file link to initiate the exploit.

Mitigating CVE-2024-21351 and CVE-2024-21412

CVE-2024-21351 and CVE-2024-21412 can be patched by installing Microsoft’s February 2024 cumulative patch. Known as “Patch Tuesday”, Microsoft issues cumulative patches on the second Tuesday of each month. Since Windows 7 is past end-of-life support from Microsoft, patches will not be issued to remediate these vulnerabilities. Affected versions of Microsoft Windows that will receive patches include:

  • Microsoft Windows Server 2022 & 2019
  • Microsoft Windows 11 version 21H2, 22H2 & 23H2 for x64-based Systems
  • Microsoft Windows 10 Versions 1809, 21H2 & 22H2 for 32-bit and x64-based Systems

Six high severity vulnerabilities in Atlassian Confluence have been disclosed over the past few months making it imperative for its users to upgrade with urgency. Of these, the most severe, CVE-2023-22527 has been added to CISA’s KEV (Known Exploited Vulnerabilities). Collectively, the recently disclosed vulnerabilities range in severity from CVSS 7.5 (High) to 10 (Critical). Greenbone vulnerability manager is able to detect all vulnerabilities with active checks and version detection tests including the most critical, CVE-2023-22527.

CVE-2023-22527 can be exploited by an attacker to achieve unauthenticated remote code execution (RCE). Impacted products include Confluence Data Center and Server versions 8.0.x, 8.1.x, 8.2.x, 8.3.x, 8.4.x, and 8.5.0 through 8.5.3 as well as 8.4.5 which no longer receives backported fixes according to Atlassian’s Security Bug Fix Policy. CVE-2023-22527 is tracked internally through Atlassian’s Jira portal as CONFSERVER-93833 and via a published advisory, and was reported as part of Atlassian’s Bug Bounty program by a contributor with the handle m1sn0w.

The remaining five vulnerabilities can be all exploited remotely without user-interaction, having impacts ranging from only Denial of Service (DoS) (CVE-2023-3635) to high impact to Confidentiality, Integrity, and Availability (CIA). The majority, including several high severity RCE vulnerabilities, were introduced in version 7.13.0 of Confluence Data Center and Server. Customers operating affected products on publicly exposed IP addresses are at increased risk of exploitation.

In total, Confluence has been the subject of 9 CISA KEV alerts for active exploitation. 3 of those have come in recent months, since October 2023:

  • January 24th, 2024: CISA added CVE-2023-22527 to its KEV catalog
  • December 5th, 2023: CISA added CVE-2023-22515 to its KEV catalog
  • November 7th, 2023: CISA added CVE-2023-22518 to its KEV catalog

A recent report based on analysis of publicly available Shodan data from the vulnerability and exploit research group VulnCheck, estimated that more than 235,000 internet-facing Confluence honeypots exist on public-facing IP addresses, while the true number of real internet-facing Confluence servers is closer to 4,000.

Summary Of Vulnerabilities in Atlassian Confluence

Here is a brief summary of all recently disclosed vulnerabilities in Atlassian Confluence:

  • CVE-2023-22527 (CVSS 10 Critical): A template injection vulnerability [CWE-284] on older versions of Confluence Data Center and Server allows an unauthenticated attacker to achieve RCE on an affected instance. Most recent supported versions of Confluence Data Center and Server are not affected. After initial disclosure, Atlassian raised the CVSS score of CVE-2023-22527 from 9.1 to the highest possible score of 10.
  • CVE-2024-21673 (CVSS 8.8 High): Allows an authenticated attacker to expose restricted assets [CWE-284] remotely to cause high impact to system Confidentiality, Integrity, and Availability (CIA) without user interaction. The vulnerability was introduced in version 7.13.0 (released August 2021) of Confluence Data Center and Server.
  • CVE-2023-22526 (CVSS 8.8 High): Allows an authenticated attacker to execute arbitrary code remotely to cause high impact to system Confidentiality, Integrity, and Availability (CIA) without user interaction.
  • CVE-2024-21672 (CVSS 8.8 High): Allows an authenticated attacker to execute arbitrary code remotely to cause high impact to system Confidentiality, Integrity, and Availability (CIA) without user interaction. The vulnerability was introduced in version 2.1.0 (released December 2005) of Confluence Data Center and Server, meaning it affects virtually all versions.
  • CVE-2023-3635 (CVSS 7.5 High): A DoS vulnerability in the Okio client Java library component used in Confluence. GzipSource does not handle an exception that might be raised when parsing a malformed gzip buffer, potentially leading to denial of service of the Okio client when handling a crafted GZIP archive via the GzipSource class.
  • CVE-2024-21674 (CVSS 7.5 High): Allows an authenticated attacker to expose restricted assets [CWE-284] remotely to cause high impact to system Confidentiality without user interaction, but no impact to Integrity or Availability. The vulnerability was introduced in version 7.13.0 (released August 2021) of Confluence Data Center and Server.

Mitigation Of Vulnerabilities in Atlassian Confluence

There are no reported workarounds to protect against these vulnerabilities. The most severe, CVE-2023-22527, only impacts older versions of Confluence Data Center and Server. Atlassian’s general recommendation for all other CVEs listed above is to download and upgrade to the newest version of Confluence Data Center and Server. However, if users are unable to do so, Atlassian’s mitigation advice is different for each CVE.

Atlassian has also outlined version-specific mitigations for CVE-2024-21673, CVE-2023-22526, CVE-2023-3635 and CVE-2024-21674. Customers who are unable to upgrade to the most recent version of Confluence Data Center and Server can upgrade to a minor version which has been patched:

  • Customers using Confluence Data Center and Server 7.19: Upgrade to version 7.19.18 or any higher 7.19.x release
  • Customers using Confluence Data Center and Server 8.5: Upgrade to version 8.5.5 or any higher 8.5.x release
  • Customers using Confluence Data Center and Server 8.7: Upgrade to version 8.7.2 or any higher 8.7.x release
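As an added illustration of the version-based checks this post refers to (example code, not Greenbone’s own tests): the following Python maps a Confluence Data Center and Server version to the CVEs listed above that still apply to it and to the upgrade target from the mitigation list. Only the CVEs for which the post gives an introduced-in version or an affected range are modelled, and treating branches without a listed patched release as needing a full upgrade is an assumption.

```python
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# First patched release per branch, from the mitigation list above (x.y branch -> fix).
PATCHED_BRANCH: Dict[Tuple[int, int], Version] = {
    (7, 19): (7, 19, 18), (8, 5): (8, 5, 5), (8, 7): (8, 7, 2),
}
# CVEs with an "introduced in" version given above; a version at or above it is affected
# unless it has reached the patched release of its branch (assumption: branches without a
# listed patched release, e.g. 8.6.x, are treated as unpatched and need a full upgrade).
INTRODUCED: Dict[str, Version] = {
    "CVE-2024-21672": (2, 1, 0),
    "CVE-2024-21673": (7, 13, 0),
    "CVE-2024-21674": (7, 13, 0),
}

def parse_version(text: str) -> Version:
    # "8.5" -> (8, 5, 0); pre-release qualifiers are not expected in this input.
    parts = [int(p) for p in text.strip().split(".")]
    return tuple((parts + [0, 0, 0])[:3])

def affected_by_cve_2023_22527(v: Version) -> bool:
    # Advisory range: 8.0.x through 8.4.x and 8.5.0 through 8.5.3 (8.4.5 lies inside 8.4.x).
    return (8, 0, 0) <= v <= (8, 5, 3)

def assess(version: str) -> Dict[str, object]:
    """Return the listed CVEs a Confluence version is still exposed to and the upgrade to make."""
    v = parse_version(version)
    fixed = PATCHED_BRANCH.get(v[:2])
    behind_patch = fixed is None or v < fixed
    cves: List[str] = []
    if affected_by_cve_2023_22527(v):
        cves.append("CVE-2023-22527")
    cves += [cve for cve, since in INTRODUCED.items() if v >= since and behind_patch]
    action: Optional[str]
    if not cves:
        action = None
    elif fixed:
        action = "upgrade to %d.%d.%d or any later %d.%d.x release" % (fixed + fixed[:2])
    else:
        action = "upgrade to the latest Confluence Data Center and Server release"
    return {"version": version, "cves": cves, "action": action}

if __name__ == "__main__":
    for sample in ("8.5.2", "8.5.5", "7.12.1", "8.6.0"):  # constructed inputs
        print(assess(sample))
```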

Summary

In January 2024, 1 critical severity vulnerability was disclosed impacting Atlassian Confluence Data Center and Server following in the footsteps of 5 more recently disclosed high impact CVEs. The most critical, CVE-2023-22527 is known to be exploited in the wild making it imperative for users of affected products to upgrade with urgency. Public facing instances of Confluence are most at risk with an estimated 4,000 instances as of February 2nd, 2024.

A series of flaws in Ivanti’s Connect Secure VPN is being actively exploited by attackers. Both the German BSI and the US government’s Cybersecurity and Infrastructure Security Agency (CISA) have spread a warning. CISA has even issued an Emergency Directive ordering all Federal Civilian Executive Branch (FCEB) agencies to apply patches immediately.

Thousands of publicly accessible Ivanti systems worldwide are at risk, many of them located in Germany, and the flaws are being actively exploited. Because Ivanti’s devices have been included in Greenbone’s vulnerability tests in the Enterprise Feed for several years, we were able to warn our customers as early as January 10 and have been continuously building tests for the most recent vulnerabilities. Nevertheless, Ivanti customers need to be alert and take action: the patches from Ivanti require a factory reset of the devices.

Remote Code Execution and Authentication Bypass

In December, the American security firm Volexity found two serious security vulnerabilities (CVE-2023-46805 and CVE-2024-21887, both published on January 12, 2024) in devices with Ivanti Connect Secure VPN. Affected products included Ivanti Connect Secure (formerly Ivanti Pulse Secure), Ivanti Policy Secure and Ivanti Neurons for Zero Trust Access (ZTA).

According to Ivanti’s official statement, the vulnerabilities allowed remote attackers to bypass authentication mechanisms, execute their own code without authorization and take control of systems. The manufacturer urgently advises its customers to implement the workarounds and continues to update communication in an article in the forum.

Patches were shipped at the end of January and also included fixes for three other severe vulnerabilities that Ivanti had to warn about in late January and early February (CVE-2024-21893, CVE-2024-21888 and CVE-2024-22024). These three high-risk security issues comprise a server-side request forgery, a privilege escalation and an XML external entity (XXE) vulnerability.

According to the vendor, security patches for all flaws have been delivered on February 1. Users that applied the February patch and who have made a factory reset should not require another one now.

Greenbone customers have been warned, but administrators need to take action

Due to the widespread use of Ivanti devices in Germany, Greenbone has included tests for Ivanti Connect Secure for several years. While other available tests only check the version numbers of the software used, Greenbone’s vulnerability checks use extended functions and thus achieve a significantly higher level of accuracy in reporting.

However, even though our products warn Greenbone customers faster and more accurately about potential vulnerabilities in Ivanti devices, users still need to take action and apply all the measures recommended by the manufacturer. For example, it is quite possible that attackers had already exploited the vulnerabilities before they were published. Therefore, all customers must use the Integrity Checker provided by Ivanti to ensure the integrity of their installation.

The five security vulnerabilities in Ivanti VPN Gateway appliances according to NIST:

  • CVE-2023-46805 (CVSS 8.2 High): The authentication bypass vulnerability [CWE-287] in the web component of Ivanti ICS 9.x, 22.x and Ivanti Policy Secure allows an attacker to access restricted resources by bypassing control checks.
  • CVE-2024-21887 (CVSS 9.1 High): The command injection vulnerability [CWE-77] in the web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows administrators to send specially crafted requests and execute arbitrary commands on the appliance.
  • CVE-2024-21893 (CVSS 8.2 High): A server-side request forgery vulnerability [CWE-918] in the SAML component of Ivanti Connect Secure (9.x, 22.x), Ivanti Policy Secure (9.x, 22.x) and Ivanti Neurons for ZTA allows an attacker to access certain restricted resources without authentication.
  • CVE-2024-21888 (CVSS 8.8 High): A privilege escalation vulnerability [CWE-265] in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows a user to elevate privileges to administrator level.
  • CVE-2024-22024 (CVSS 8.3 High): An XML external entity or XXE vulnerability [CWE-643] in the SAML components of Ivanti Connect Secure (9.x, 22.x), Ivanti Policy Secure (9.x, 22.x) and ZTA gateways which allows an attacker to access certain restricted resources without authentication.

Immediate Actions

The patches were initially released on January 22. Until users can download and install the official patches from Ivanti, they should follow these steps:

Two security vulnerabilities in SharePoint, both from last year, are currently causing trouble for SharePoint administrators. Because attackers are increasingly exploiting a combination of the two vulnerabilities, the Cybersecurity and Infrastructure Security Agency (CISA) is now also issuing a warning. Affected customers of the Greenbone Enterprise Feed have been warned since June 2023.

Tracking-News: Critical Vulnerability in MS SharePoint

Remote Privilege Execution

The two vulnerabilities CVE-2023-29357 and CVE-2023-24955 together allow attackers to remotely gain administrator rights on a company’s SharePoint server. Details of the attack were published back in September 2023 at the Pwn2Own 2023 conference in Vancouver and can be found on the Singapore STAR Labs blog, for example.

Massive attacks have now led CISA to issue a warning about these vulnerabilities and to include CVE-2023-29357 in its catalog of Known Exploited Vulnerabilities. Greenbone, however, has had authenticated version checks for both CVEs since around June 2023 and an active check for CVE-2023-29357 since October 2023. Customers of the enterprise products have been receiving these CVEs as a threat for several months, in both authenticated and unauthenticated scan mode.

Microsoft advises its customers on its website to update to the SharePoint Server 2019 version of June 13, 2023 (KB5002402), which fixes five critical vulnerabilities, including the first CVE mentioned by CISA. Furthermore, all administrators should enable the Antimalware Scan Interface (AMSI) and activate Microsoft Defender on the SharePoint server. Otherwise, attackers could bypass authentication with forged authentication tokens and gain administrator rights.

Recognising and detecting vulnerabilities in the company at an early stage is important, as the many reports of damaging vulnerabilities show. Greenbone products can take on a lot of this work and ensure security, whether as a hardware or virtual appliance or as a cloud service. The Greenbone Enterprise Feed, which feeds all Greenbone security products, receives daily updates and therefore covers a high percentage of risks.

5 Known Juniper Junos Vulnerabilities Being Actively Exploited

CISA has added 5 CVEs relating to Juniper Junos (aka Junos OS), to its Known Exploited Vulnerabilities (KEV) catalog. The full exploit chain involves combining several lower-severity CVEs to achieve pre-authentication remote code execution (RCE). The 5 CVEs range in severity from CVSS 9.8 Critical to CVSS 5.3 Medium. Greenbone is equipped with vulnerability tests to identify affected systems.

Understanding the timeline of events should help network defenders grasp how rapidly cyber threats can escalate. In this case a proof-of-concept (PoC) was published just 8 days after the vendor Juniper released its security advisory. Security researchers observed active exploitation just 12 days after the disclosure. Still, it was not until several months later that CISA acknowledged active exploitation. The Greenbone Enterprise Feed added detection tests [1][2] for all impacted versions of the two affected product lines (EX Series Ethernet Switches and SRX Series Services Gateways) on August 18, 2023, immediately after they were disclosed.

Here is a brief description of each CVE:

  • CVE-2023-36844 (CVSS 5.3 Medium): A PHP External Variable Modification [CWE-473] vulnerability exists in J-Web, a tool used for remote configuration and management of Junos OS. The vulnerability allows an unauthenticated, network-based attacker to modify sensitive PHP environment variables. CVE-2023-36844 allows chaining to other vulnerabilities that lead to unauthenticated RCE.
  • CVE-2023-36845 (CVSS 9.8 Critical): A PHP External Variable Modification vulnerability [CWE-473] in J-Web allows an unauthenticated, network-based attacker to remotely execute code. Using a crafted request that sets the variable PHPRC an attacker is able to modify the PHP execution environment to inject and execute code.
  • CVE-2023-36846 (CVSS 5.3 Medium): A Missing Authentication for Critical Function [CWE-306] vulnerability in Juniper Networks Junos OS allows an unauthenticated, network-based attacker to impact file system integrity with a specific request to user.php via J-Web. Without authentication, an attacker is able to upload arbitrary files [CWE-434] which allows chaining to other vulnerabilities including unauthenticated RCE.
  • CVE-2023-36847 (CVSS 5.3 Medium): A Missing Authentication for Critical Function [CWE-306] vulnerability in Juniper Networks Junos OS allows an unauthenticated, network-based attacker to impact file system integrity. With a malicious request to installAppPackage.php via J-Web an attacker is able to upload arbitrary files [CWE-434] without authentication, which may allow chaining to other vulnerabilities that lead to RCE.
  • CVE-2023-36851 (CVSS 5.3 Medium): A Missing Authentication for Critical Function [CWE-306] vulnerability in Juniper Networks Junos OS allows an unauthenticated, network-based attacker to impact file system integrity. With a specific request to webauth_operation.php that doesn’t require authentication, an attacker is able to upload arbitrary files via J-Web [CWE-434], leading to a loss of integrity for a certain part of the file system and chaining to other vulnerabilities.

Understanding The Attack Trajectory

Several of the CVEs listed above are classified as Missing Authentication for Critical Function [CWE-306] vulnerabilities meaning that various functions of the J-Web device management web application do not implement proper authentication checks.

Here is a summary of how these vulnerabilities were chained together for unauthenticated RCE:

The J-Web application is written in PHP which, as the watchTowr researchers noted, is known for its usability at the cost of security. In the case of CVE-2023-36846, J-Web’s `webauth_operation.php` file implemented a different method for authentication than the rest of the application. This file instead invokes the `sajax_handle_client_request()` function and passes the value `false` as the `doauth` parameter, so no authentication is performed. The aforementioned `sajax_handle_client_request()` function is designed to execute J-Web’s built-in functions by specifying them as a `$_POST` variable, including the `do_upload()` function, which is used to upload files.

CVE-2023-36845 is a vulnerability in the Junos web server that allows system environment variables to be set via the `name` field of an HTTP POST request when a `Content-Type: multipart/form-data` header is used. Two exploits matching the description of CVE-2023-36845 were previously disclosed for the GoAhead IoT web server and tracked as CVE-2017-17562 and CVE-2021-42342, indicating that the Junos web server is likely built on the proprietary GoAhead web server.

Executing the uploaded file is possible by setting the PHPRC environment variable, using it to load an unauthorized PHP configuration `php.ini` file also uploaded via CVE-2023-36846 that contains a malicious `auto_prepend_file` setting directing PHP to execute the first uploaded file every time a page is loaded. Here is the complete example chain
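The two stages described above (an unauthenticated `do_upload()` call to one of the J-Web PHP endpoints, followed by a multipart request whose form field name sets `PHPRC`) leave distinct traces in web-server logs. The following detection logic is an added example written for this article; it is not Greenbone, Juniper or watchTowr code. It assumes a simplified, constructed access-log format (client IP, method, path, status, content type and a comma-separated list of form field names), which is not the format Junos itself writes, and it correlates both stages per client so that a full chain is reported separately from a single suspicious request.

```python
"""Detect the J-Web exploit chain (CVE-2023-36845/36846/36847/36851) in access logs.

Added example for this article, not vendor code. The log format and the sample
lines below are constructed for the example; adapt LOG_RE to your real format.
"""
import re
from dataclasses import dataclass

# J-Web endpoints that, per the advisories, accept requests without authentication.
UNAUTH_UPLOAD_ENDPOINTS = {
    "/webauth_operation.php",
    "/installAppPackage.php",
    "/user.php",
}

# Assumed (constructed) log format:
# <client_ip> <method> <path> <status> "<content-type>" "<field1,field2,...>"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3}) '
    r'"(?P<ctype>[^"]*)" "(?P<fields>[^"]*)"$'
)


@dataclass
class Finding:
    ip: str
    path: str
    reason: str


def scan(lines):
    """Return one Finding per suspicious request, in log order.

    Stage 1: POST to an unauthenticated endpoint naming the sajax do_upload function.
    Stage 2: multipart POST whose form field name is PHPRC (environment variable injection).
    A stage-2 request from a client that already performed stage 1 is marked as a full chain.
    """
    findings = []
    clients_with_upload = set()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line; a real pipeline would count these
        ip, method, path = m["ip"], m["method"], m["path"]
        ctype = m["ctype"].lower()
        names = set(m["fields"].split(",")) if m["fields"] else set()
        if method != "POST":
            continue
        if path in UNAUTH_UPLOAD_ENDPOINTS and "do_upload" in names:
            findings.append(Finding(
                ip, path,
                "unauthenticated file upload via sajax do_upload "
                "(CVE-2023-36846 / CVE-2023-36847 / CVE-2023-36851)"))
            clients_with_upload.add(ip)
        if "multipart/form-data" in ctype and "PHPRC" in names:
            reason = "PHPRC set via multipart field name (CVE-2023-36845)"
            if ip in clients_with_upload:
                reason += "; same client uploaded a file earlier, full chain suspected"
            findings.append(Finding(ip, path, reason))
    return findings


def chained_clients(findings):
    """IP addresses for which both stages of the chain were observed."""
    return sorted({f.ip for f in findings if "full chain" in f.reason})


# Constructed sample log: one benign login, one client running the whole chain,
# and one client that only sends the PHPRC request.
SAMPLE_LOG = """\
10.0.0.5 GET /index.php 200 "" ""
10.0.0.5 POST /login.php 302 "application/x-www-form-urlencoded" "username,password"
198.51.100.7 POST /webauth_operation.php 200 "multipart/form-data" "do_upload,file"
198.51.100.7 POST /webauth_operation.php 200 "multipart/form-data" "do_upload,file"
198.51.100.7 POST /index.php 200 "multipart/form-data" "PHPRC"
203.0.113.9 POST /user.php 200 "multipart/form-data" "PHPRC"
""".splitlines()

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(f"{finding.ip:15} {finding.path:25} {finding.reason}")
    print("clients with full chain:", chained_clients(SAMPLE_LOG and scan(SAMPLE_LOG)))
```

Because J-Web should never receive a multipart field named `PHPRC` in normal use, the stage-2 check alone is a high-confidence signal; the per-client correlation mainly helps prioritise which appliances to treat as compromised and to restore from a trusted image, and the unparsable-line counter a real pipeline would add guards against attackers hiding behind log lines the regex cannot read.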

Mitigation Of Recent Juniper Junos Vulnerabilities

The 5 new CVEs affect Juniper Networks Junos OS on EX Series Ethernet Switches and SRX Series Services Gateways. Specifically, Junos OS version 20.4 and prior, 21.1, 21.2, 21.3, 21.4, 22.1, 22.2, 22.3, 22.4 and 23.2 on the EX and SRX Series appliances are affected.

The best mitigation option is to install the security patches for Junos OS. If you cannot install the officially provided security patches, completely disabling the J-Web interface, or configuring firewalls with an accept list that restricts access to trusted hosts only, can prevent exploitation. In general, strictly limiting access to critical servers and network appliances to only those client IP addresses that require it can also prevent exploitation of similar, still undiscovered, remotely exploitable zero-day vulnerabilities.