Key Takeaways

• Cyble researchers investigated 17 vulnerabilities and six dark web exploits in the week of August 21-27.
• The researchers identified three vulnerabilities in particular – in products by SonicWall, Traccar and Fortra – as meriting high-priority attention.
• Cyble vulnerability scanners detected nearly 1 million web-facing assets exposed to the week’s top vulnerabilities and dark web exploits, with SonicWall and Fortinet devices accounting for more than 941,000 exposed vulnerabilities.
• Cyble researchers also warned that a 9.8-severity Incorrect Authorization vulnerability in affected versions of Apache OFbiz is at risk of mass exploitation.

Overview

Cyble’s weekly vulnerability report for August 21-27 found the highest number of exposed vulnerable assets in nearly three months, since a widespread PHP vulnerability was found in early June.

Cyble researchers found more than 529,000 exposed SonicWall firewalls with the 9.3-rated CVE-2024-40766 improper access control vulnerability, and nearly 412,000 exposed Fortinet devices with the critical CVE-2022-42475 and CVE-2023-27997 heap-based buffer overflow vulnerabilities. While the FortiOS vulnerabilities date from late 2022 and mid-2023, Cyble recently detected a threat actor selling exploit code for the vulnerabilities on an underground forum, raising the urgency for users to patch the vulnerabilities.

In all, the week’s top vulnerabilities totaled just under 1 million vulnerable exposures, the highest number since the 9.8-rated CVE-2024-4577 PHP vulnerability in early June exposed a similar number of assets.

But this week has also demonstrated that a vulnerability needn’t have a high CVSS criticality score or a large number of exposed assets. CVE-2024-39717, an unrestricted file upload vulnerability in Versa Director servers with just 33 vulnerable exposures detected by Cyble and a 7.2 rating, was exploited in attacks by China-linked threat actors on ISPs, MSPs and an unknown number of downstream customers.

In all, Cyble researchers investigated 17 vulnerabilities this week, plus additional ICS vulnerabilities and dark web exploits. The researchers focused on three in particular – in products by SonicWall, Traccar and Fortra – as meriting high-priority attention from security teams.

Additionally, Cyble warned that the 9.8-severity Incorrect Authorization vulnerability in affected versions of Apache OFbiz (CVE-2024-38856) could face “mass exploitation due to its nature, the availability of Proof of Concepts (POC) in the public domain, and the wide internet exposure of the impacted product.”

The Week’s Top Vulnerabilities: SonicWall, Traccar and Fortra

Here are three high-priority vulnerabilities in greater detail.

CVE-2024-40766: SonicWall SonicOS Management Access

This Improper Access Control vulnerability impacts SonicWall SonicOS Management Access, a web-based interface used to configure, manage, and monitor SonicWall network security appliances. It allows administrators to control firewall settings, VPNs, and other security features. This vulnerability allows an unauthenticated attacker to gain unauthorized access to the management interface, which can lead to the manipulation of firewall settings, exposure of sensitive network information, and potentially lead to firewall crashes.

Internet Exposure? Yes

Patch Available? Yes

CVE-2024-6633: Fortra FileCatalyst Workflow

This critical severity Information Disclosure vulnerability impacting Fortra FileCatalyst Workflow 5.1.6 Build 139 (and earlier), is potentially on the brink of active exploitation, as exploitation of the vulnerability relies on the default credentials for the setup HSQL database (HSQLDB) for FileCatalyst Workflow that is published in a vendor knowledgebase article. The vulnerability grants an unauthenticated attacker remote access to the database, up to and including data manipulation/exfiltration from the database and admin user creation, though their access levels are still sandboxed.

Internet Exposure? Yes

Patch Available? Yes

CVE-2024-31214 & CVE-2024-24809: Traccar 5

These two related path traversal vulnerabilities affect Traccar 5. Traccar is a popular open-source GPS tracking system used by people both for personal use and businesses for fleet management. An unauthenticated attacker can exploit these vulnerabilities if the “guest registration” is enabled (the default setting), which could lead to Remote Code Execution (RCE).

Internet Exposure? Yes

Patch Available? Yes

Vulnerabilities and Exploits Discussed in the Underground

Cyble researchers also observed several other vulnerabilities being discussed in underground forums and channels, raising the profile of these six vulnerabilities among attackers.

• A Telegram channel administrator shared a POC for CVE-2024-28000, a critical incorrect privilege assignment vulnerability in LiteSpeed Technologies’ LiteSpeed plugin that allows privilege escalation.
• A threat actor on an underground forum was selling exploit code for two heap-based buffer overflow vulnerabilities, CVE-2022-42475 and CVE-2023-27997, impacting FortiOS. The same TA also discussed a hardcoded credential vulnerability, CVE-2024-28987, impacting SolarWinds Web Help Desk (WHD) software. This vulnerability allows remote, unauthenticated users to access internal functionality and modify data.
• Another TA shared an alleged PoC for CVE-2024-3183, a vulnerability found in FreeIPA. When a Kerberos TGS-REQ is encrypted using the client’s session key, it can allow an attacker to run brute force attacks to find character strings able to decrypt tickets when combined to a principal salt.
• Cyble observed another TA offering exploit code for CVE-2024-38063, a critical Windows TCP/IP remote code execution vulnerability discussed in last week’s report.

Our Recommendations

To protect against these vulnerabilities and exploits, organizations should implement the following cybersecurity best practices:

1. Implement the Latest Patches

To mitigate vulnerabilities and protect against exploits, regularly update all software and hardware systems with the latest patches from official vendors.

2. Implement a Robust Patch Management Process

Develop a comprehensive patch management strategy that includes inventory management, patch assessment, testing, deployment, and verification. Automate the process where possible to ensure consistency and efficiency.

3. Implement Proper Network Segmentation

Divide your network into distinct segments to isolate critical assets from less secure areas. Use firewalls, VLANs, and access controls to limit access and reduce the attack surface exposed to potential threats.

4. Incident Response and Recovery Plan

Create and maintain an incident response plan that outlines procedures for detecting, responding to, and recovering from security incidents. Regularly test and update the plan to ensure its effectiveness and alignment with current threats.

5. Monitoring and Logging Malicious Activities

Implement comprehensive monitoring and logging solutions to detect and analyze suspicious activities. Use SIEM (Security Information and Event Management) systems to aggregate and correlate logs for real-time threat detection and response.

6. Keep Track of Security Alerts

Subscribe to security advisories and alerts from official vendors, CERTs, and other authoritative sources. Regularly review and assess the impact of these alerts on your systems and take appropriate actions.

7. Visibility into Assets

Maintain an up-to-date inventory of all internal and external assets, including hardware, software, and network components. Use asset management tools and continuous monitoring to ensure comprehensive visibility and control over your IT environment.

8. Strong Password Policy

Change default passwords immediately and enforce a strong password policy across the organization. Implement multi-factor authentication (MFA) to provide an extra layer of security and significantly reduce the risk of unauthorized access.

Related