Cyble’s weekly vulnerability report for August 21-27 found the highest number of exposed vulnerable assets in nearly three months, since a widespread PHP vulnerability was found in early June.
Cyble researchers found more than 529,000 exposed SonicWall firewalls with the 9.3-rated CVE-2024-40766 improper access control vulnerability, and nearly 412,000 exposed Fortinet devices with the critical CVE-2022-42475 and CVE-2023-27997 heap-based buffer overflow vulnerabilities. While the FortiOS vulnerabilities date from late 2022 and mid-2023, Cyble recently detected a threat actor selling exploit code for the vulnerabilities on an underground forum, raising the urgency for users to patch the vulnerabilities.
In all, the week’s top vulnerabilities totaled just under 1 million vulnerable exposures, the highest number since the 9.8-rated CVE-2024-4577 PHP vulnerability in early June exposed a similar number of assets.
But this week has also demonstrated that a vulnerability needn’t have a high CVSS criticality score or a large number of exposed assets. CVE-2024-39717, an unrestricted file upload vulnerability in Versa Director servers with just 33 vulnerable exposures detected by Cyble and a 7.2 rating, was exploited in attacks by China-linked threat actors on ISPs, MSPs and an unknown number of downstream customers.
In all, Cyble researchers investigated 17 vulnerabilities this week, plus additional ICS vulnerabilities and dark web exploits. The researchers focused on three in particular – in products by SonicWall, Traccar and Fortra – as meriting high-priority attention from security teams.
Additionally, Cyble warned that the 9.8-severity Incorrect Authorization vulnerability in affected versions of Apache OFbiz (CVE-2024-38856) could face “mass exploitation due to its nature, the availability of Proof of Concepts (POC) in the public domain, and the wide internet exposure of the impacted product.”
Here are three high-priority vulnerabilities in greater detail.
This Improper Access Control vulnerability impacts SonicWall SonicOS Management Access, a web-based interface used to configure, manage, and monitor SonicWall network security appliances. It allows administrators to control firewall settings, VPNs, and other security features. This vulnerability allows an unauthenticated attacker to gain unauthorized access to the management interface, which can lead to the manipulation of firewall settings, exposure of sensitive network information, and potentially lead to firewall crashes.
Internet Exposure? Yes
Patch Available? Yes
This critical severity Information Disclosure vulnerability impacting Fortra FileCatalyst Workflow 5.1.6 Build 139 (and earlier), is potentially on the brink of active exploitation, as exploitation of the vulnerability relies on the default credentials for the setup HSQL database (HSQLDB) for FileCatalyst Workflow that is published in a vendor knowledgebase article. The vulnerability grants an unauthenticated attacker remote access to the database, up to and including data manipulation/exfiltration from the database and admin user creation, though their access levels are still sandboxed.
Internet Exposure? Yes
Patch Available? Yes
These two related path traversal vulnerabilities affect Traccar 5. Traccar is a popular open-source GPS tracking system used by people both for personal use and businesses for fleet management. An unauthenticated attacker can exploit these vulnerabilities if the “guest registration” is enabled (the default setting), which could lead to Remote Code Execution (RCE).
Internet Exposure? Yes
Patch Available? Yes
Cyble researchers also observed several other vulnerabilities being discussed in underground forums and channels, raising the profile of these six vulnerabilities among attackers.
To protect against these vulnerabilities and exploits, organizations should implement the following cybersecurity best practices:
1. Implement the Latest Patches
To mitigate vulnerabilities and protect against exploits, regularly update all software and hardware systems with the latest patches from official vendors.
2. Implement a Robust Patch Management Process
Develop a comprehensive patch management strategy that includes inventory management, patch assessment, testing, deployment, and verification. Automate the process where possible to ensure consistency and efficiency.
3. Implement Proper Network Segmentation
Divide your network into distinct segments to isolate critical assets from less secure areas. Use firewalls, VLANs, and access controls to limit access and reduce the attack surface exposed to potential threats.
4. Incident Response and Recovery Plan
Create and maintain an incident response plan that outlines procedures for detecting, responding to, and recovering from security incidents. Regularly test and update the plan to ensure its effectiveness and alignment with current threats.
5. Monitoring and Logging Malicious Activities
Implement comprehensive monitoring and logging solutions to detect and analyze suspicious activities. Use SIEM (Security Information and Event Management) systems to aggregate and correlate logs for real-time threat detection and response.
6. Keep Track of Security Alerts
Subscribe to security advisories and alerts from official vendors, CERTs, and other authoritative sources. Regularly review and assess the impact of these alerts on your systems and take appropriate actions.
7. Visibility into Assets
Maintain an up-to-date inventory of all internal and external assets, including hardware, software, and network components. Use asset management tools and continuous monitoring to ensure comprehensive visibility and control over your IT environment.
8. Strong Password Policy
Change default passwords immediately and enforce a strong password policy across the organization. Implement multi-factor authentication (MFA) to provide an extra layer of security and significantly reduce the risk of unauthorized access.