Key Takeaways

• This week, the U.S. Cyber Security and Infrastructure Agency (CISA) incorporated seven vulnerabilities to its Known Exploited Vulnerability (KEV) catalog based on evidence of active exploitation.  
• The team at Cyble Research and Intelligence Labs analyzed multiple high- and critical-severity CVEs impacting products and software used worldwide. One such vulnerability is CVE-2024-38812, which impacts the VMware vCenter Server and can be remotely exploited without any user interaction. 
• CRIL also assessed a high probability of certain vulnerabilities that attackers can use in malicious campaigns, including data breaches and supply chain attacks. Namely, CVE-2024-29847, which impacts Ivanti Endpoint Manager, CVE-2024-45694, an arbitrary code exaction vulnerability impacting D-Link wireless routers, and CVE-2024-45409, which impacts GitLab CE/EE instance.
• CRIL’s dark web monitoring sensors observed 15 instances on underground forums and Telegram channels, where vulnerability and Proof of Concepts (POC) discussions were taking place. Some of the notable ones are: CVE-2024-8504, CVE-2024-8503, CVE-2024-29847, CVE-2024-38014, VMware Workstation client, TOTOLINK routers and TP Link Archer C6U/C6 routers.

Overview

This Weekly Vulnerability Intelligence Report explores vulnerability updates between September 11 and September 17. The Cyble Research and Intelligence Labs team investigated 24 vulnerabilities this week, among other disclosed vulnerabilities, to present critical, high, and medium degree insights.

The Week’s Top Vulnerabilities

CVE-2024-45409: Improper Verification of Cryptographic Signature in GitLab Community Edition (CE) and Enterprise Edition (EE)

The critical SAML authentication bypass vulnerability impacting self-managed installations of the GitLab Community Edition (CE) and Enterprise Edition (EE). Security Assertion Markup Language (SAML) is a single sign-on (SSO) authentication protocol that allows users to log in across different services using the same credentials. An unauthenticated attacker with access to any signed SAML document (by the IdP) can thus forge a SAML Response/Assertion with arbitrary contents. This would allow the attacker to log in as an arbitrary user within the vulnerable system. 

CVSS Score: 10

Internet Exposure: No 

Patch Available: Yes 

CVE-2024-38812: Heap-based Buffer Overflow in VMware vCenter Server

The critical heap-overflow vulnerability impacts the VMware vCenter Server, a centralized management platform for VMware vSphere environments that provides a single interface to manage and monitor multiple ESXi hosts and the virtual machines running on them. A malicious actor with network access to the vCenter Server may trigger this vulnerability by sending a specially crafted network packet, potentially leading to remote code execution. 

CVSS Score: 9.8

Internet Exposure: Yes

Patch Available: Yes 

CVE-2024-29847: Deserialization of Untrusted Data in Ivanti Endpoint Manager

The critical vulnerability impacts Ivanti Endpoint Manager is a comprehensive solution designed for managing and securing endpoints across various operating systems and devices. It integrates Unified Endpoint Management (UEM) capabilities, allowing IT teams to oversee a diverse range of devices from a single platform. Deserialization of untrusted data in the agent portal of Ivanti EPM before 2022 SU6 or the 2024 September update allows a remote unauthenticated attacker to achieve remote code execution. 

CVSS Score: 9.8

Internet Exposure: Yes 

Patch Available: Yes 

CVE-2024-6671, CVE-2024-6670: SQL Injection in Progress WhatsUp Gold

The criticalSQL Injection vulnerabilities impact Progress WhatsUp Gold, a comprehensive network monitoring software designed to provide visibility and control over network devices, servers, applications, and virtual environments. It allows IT teams to monitor performance metrics and ensure the health of their infrastructure, whether deployed on-premises or in the cloud. The exploitation of the vulnerabilities allows an unauthenticated attacker to retrieve the user’s encrypted password. 

Recently, researchers disclosed that attackers are leveraging publicly available exploit code to exploit critical vulnerabilities.  

CVSS Score: 9.8 respectively

Internet Exposure: Yes 

Patch Available: Yes 

CVE-2024-45694: Stack-based Buffer Overflow in D-Link Routers

Impact Analysis: The critical stack-based buffer overflow vulnerability impacts the web service of certain models of D-Link wireless routers. Unauthenticated, remote attackers can exploit this vulnerability to execute arbitrary code on the device. 

CVSS Score: 9.8

Internet Exposure: No

Patch Available: Yes

CVE-2024-6678: Authentication Bypass by Spoofing in GitLab Community Edition (CE) and Enterprise Edition (EE)

Impact Analysis: The high severity vulnerability impacts GitLab Community Edition (CE) and Enterprise Edition (EE), affecting all versions starting from 8.14 prior to 17.1.7, starting from 17.2 prior to 17.2.5, and starting from 17.3 prior to 17.3.2. The exploitation of the vulnerability allows an attacker to trigger a pipeline as an arbitrary user under certain circumstances, leading to the disruption of automated workflows of targeted organizations. 

CVSS Score: 8.8

Internet Exposure: No 

Patch Available: Yes 

Vulnerabilities and Exploits Discussed in the Underground

CRIL observed multiple instances of vulnerability discussions and the promulgation of proof-of-concepts (POCs) in underground forums and channels.

• On a Telegram channel named ‘Proxy Bar,’ the administrator shared POCs for several critical and high-severity vulnerabilities, including CVE-2024-8504 (OS Command Injection), CVE-2024-8503 (SQL injection), CVE-2024-40711 (RCE in Veeam Backup and Replication software) and CVE-2024-38080 (Privilege Escalation in Windows Hyper-V).
• On the Telegram channel CyberDilara, the administrator shared a POC for CVE-2024-38014, A high severity vulnerability in the Windows Installer that allows for elevation of privileges.
• Hackers Factory also shared a POC for CVE-2024-28000, a critical privilege escalation vulnerability affecting the LiteSpeed Cache plugin for WordPress, which allows unauthorized users to gain Administrator-level access to a WordPress site.
• TA tikila claimed to have three a 0-day vulnerabilities affecting VMware Workstation, TOTOLINK routers, and TP-Link Archer C6U/C6 routers.

Cyble’s Recommendations

• Stay Up-to-Date with Patches

Make it a priority to update all your systems with the latest vendor patches. Vulnerabilities get exploited quickly, and having a schedule for regular updates ensures you’re not left exposed. Apply critical patches as soon as they’re released—don’t delay.

• Streamline Your Patch Management

Building a solid patch management process is key. It starts with knowing what’s in your system, followed by assessing, testing, and deploying patches in an orderly fashion. Automating this process can save time and prevent human error.

• Segment Networks for Better Protection

Don’t put all your eggs in one basket. Segregating your network can safeguard your most critical assets by limiting their exposure. Use firewalls, VLANs, and tight access controls to ensure only authorized users have access.

• Have a Response Plan Ready

When incidents happen—and they will—having a well-rehearsed incident response plan is a lifesaver. It should clearly define how you’ll detect, react to, and recover from threats. Regularly test and update this plan to ensure it’s aligned with the latest risks.

• Monitor and Log Activities 

You can’t fix what you can’t see. Monitoring and logging malicious activity is crucial. Use SIEM solutions to collect and analyze logs in real-time, helping you catch threats before they escalate.

• Stay Informed on Security Alerts

Stay ahead of threats by subscribing to security alerts from vendors and authorities. Make sure to evaluate the impact of these alerts on your organization and act swiftly.

• Test for Vulnerabilities

Conduct regular Vulnerability Assessments and Penetration Testing (VAPT) to expose weak points in your defenses. Pair these exercises with audits to confirm you’re following security protocols.

• Know Your Assets

Keeping a current inventory of internal and external assets, like hardware and software, is essential. Asset management tools can help maintain visibility, so you stay on top of everything in your network.

• Strengthen Password Security

Weak passwords are an open door for hackers. Start by changing default passwords immediately and enforcing a strong password policy across your organization. Coupling that with multi-factor authentication (MFA) adds an extra layer of protection, making it harder for unauthorized users to gain access.

Related