Key Takeaways

• Cyble researchers investigated 19 vulnerabilities in the week ended Oct.1 and flagged eight of them as high priority.
• Cyble also observed 10 exploits discussed on dark web and cybercrime forums, including an OpenSSH vulnerability with 8 million exposures and claimed zero days in Apple and Android.
• Threat actors are also discussing vulnerabilities in products from SolarWinds, Microsoft, Zimbra, WordPress, and Fortinet on underground forums.
• Cyble urges security teams to fix these vulnerabilities and to implement nine additional best practices.

Overview

Cyble Research & Intelligence Labs (CRIL) investigated 19 vulnerabilities from Sept. 25 to Oct. 1 and flagged eight of them in four products for security teams to prioritize.

CRIL researchers also observed 10 exploits discussed on dark web and cybercrime forums, one of which – an OpenSSH vulnerability – is present in more than 8 million web-facing hosts detected by Cyble sensors. Vulnerabilities in products from SolarWinds, Microsoft, Apple, Zimbra, WordPress and Fortinet are also under active discussion on cybercrime forums – including claimed zero days in Apple and Android messaging.

Here are the vulnerabilities and dark web exploits of greatest concern to security teams this week, followed by Cyble’s recommendations.

The Week’s Top IT Vulnerabilities

CVE-2024-41925 & CVE-2024-45367: ONS-S8 Spectra Aggregation Switch

Impact Analysis: Both of these critical vulnerabilities impact the ONS-S8 Spectra Aggregation Switch, a network management device developed by Optigo Networks for deploying passive optical networking (PON) in intelligent buildings.

CVE-2024-41925is classified as a PHP Remote File Inclusion (RFI) problem stemming from incorrect validation or sanitation of user-supplied file paths, while CVE-2024-45367 is a weak authentication problem arising from improper password verification enforcement on the authentication mechanism.

CISA released a warning for both vulnerabilities, citing low attack complexity and the product’s use in critical infrastructure.

Internet Exposure? No

Patch Available? Versions 1.3.7 and earlier are affected. Optigo recommends additional controls such as a unique management VLAN and either a dedicated NIC, firewall with allow list or a secure VPN connection.

CVE-2024-0132: NVIDIA Container Toolkit

Impact Analysis: This high-severity Time-of-check Time-of-Use (TOCTOU) vulnerability impacts the NVIDIA Container Toolkit, a suite of tools designed to facilitate the development and deployment of GPU-accelerated applications within containerized environments. The vulnerability allows an attacker to perform container escape attacks and gain full access to the host system, which may lead to code execution, denial of service, escalation of privileges, information disclosure, and data tampering.

Internet Exposure? No

Patch Available? Yes

CVE-2024-34102: Adobe Commerce

Impact Analysis: This 9.8-severity Improper Restriction of XML External Entity Reference (‘XXE’) vulnerability impacts Adobe Commerce, formerly known as Magento, a comprehensive eCommerce platform that provides businesses with the tools to create and manage both B2B and B2C online stores. An attacker could exploit this vulnerability by sending a crafted XML document that references external entities, resulting in arbitrary code execution. Researchers recently observed multiple Adobe Commerce and Magento stores compromised by actors leveraging the vulnerability, and the vulnerability is also being discussed on cybercrime forums (see the Underground section below).

Internet Exposure? Yes

Patch Available? Yes

CVE-2024-47076, CVE-2024-47175, CVE-2024-47176, CVE-2024-47177: CUPS Vulnerabilities

Impact Analysis: These recently disclosed vulnerabilities – CVE-2024-47076 (libcupsfilters), CVE-2024-47175 (libppd), CVE-2024-47176 (cups-browsed) and CVE-2024-47177 (cups-filters) – impact CUPS (Common UNIX Printing System), a modular printing system designed for Unix-like operating systems. It enables computers to function as print servers, allowing them to accept print jobs from client machines, process these jobs, and send them to the appropriate printers.

Under certain conditions, attackers can chain the set of vulnerabilities in multiple components of the CUPS open-source printing system to execute arbitrary code remotely on vulnerable machines.

Internet Exposure? No

Patch Available? See the CVE listings for details:

• CVE-2024-47076
• CVE-2024-47175
• CVE-2024-47176
• CVE-2024-47177

Vulnerabilities and Exploits on Underground Forums

Cyble researchers observed a high number of vulnerabilities and exploits discussed in Telegram channels and cybercrime forums. Because these vulnerabilities are under active discussion by threat actors, they merit close attention by security teams.

CVE-2024-28987: A critical vulnerability in SolarWinds Web Help Desk (WHD) software caused by hardcoded developer login credentials.

CVE-2024-38200: A critical vulnerability affecting multiple versions of Microsoft Office that arises from improper handling of certain document properties within Microsoft Office applications. It could potentially expose sensitive information such as NTLM hashes.

CVE-2023-32413: A security vulnerability identified as a race condition that affects various Apple operating systems. It arises from improper synchronization when multiple processes access shared resources concurrently, which can lead to unexpected behavior in the system.

CVE-2024-43917: A critical SQL Injection vulnerability affecting the TI WooCommerce Wishlist plugin for WordPress, specifically in versions up to 2.8.2.

CVE-2024-45519: A critical Remote Code Execution (RCE) vulnerability was discovered in the postjournal service of the Zimbra Collaboration Suite, a widely used email and collaboration platform. Cyble researchers also issued a separate report on the Zimbra vulnerability, and CISA added it to the agency’s Known Exploited Vulnerabilities catalog.

CVE-2024-8275: A critical SQL injection vulnerability in the Events Calendar Plugin for WordPress, affecting all versions up to and including 6.6.4. The vulnerability arises from insufficient input validation in specific functions.

CVE-2024-6387: A threat actor (TA) offered a list of IP addresses that are potentially affected by this vulnerability, which is also known as RegreSSHion. It is a critical remote code execution (RCE) vulnerability in OpenSSH, a widely used suite of secure networking utilities. Cyble’s Odin vulnerability search service shows more than 8 million web-facing hosts exposed to this vulnerability.

CVE-2024-34102: A TA offered to sell a critical security vulnerability affecting Adobe Commerce and Magento, specifically versions 2.4.6 and earlier. The vulnerability stems from improper handling of nested deserialization, which allows remote attackers to execute arbitrary code through crafted XML documents that exploit XML External Entities (XXE) during the deserialization process.

FortiClient: A TA on BreachForums advertised exploits weaponizing vulnerabilities present in Fortinet’s FortiClient EMS 7.4/7.3, which results in SQL Injection and Remote Code Execution. The TA is selling the exploits for USD $30,000.

Apple and Android Zero Day: A TA on BreachForums is advertising a 0-day exploit present in Apple’s iMessage and Android’s text messaging. The vulnerability results in Remote Code Execution (RCE). The TA is selling the binary for the exploit for USD $800,000.

Cyble Recommendations

To protect against these vulnerabilities and exploits, organizations should implement the following best practices:

1. Implement the Latest Patches

To mitigate vulnerabilities and protect against exploits, regularly update all software and hardware systems with the latest patches from official vendors.

2. Implement a Robust Patch Management Process

Develop a comprehensive patch management strategy that includes inventory management, patch assessment, testing, deployment, and verification. Automate the process where possible to ensure consistency and efficiency.

3. Implement Proper Network Segmentation

Divide your network into distinct segments to isolate critical assets from less secure areas. Use firewalls, VLANs, and access controls to limit access and reduce the attack surface exposed to potential threats.

4. Incident Response and Recovery Plan

Create and maintain an incident response plan that outlines procedures for detecting, responding to, and recovering from security incidents. Regularly test and update the plan to ensure its effectiveness and alignment with current threats.

5. Monitoring and Logging Malicious Activities

Implement comprehensive monitoring and logging solutions to detect and analyze suspicious activities. Use SIEM (Security Information and Event Management) systems to aggregate and correlate logs for real-time threat detection and response.

6. Keep Track of Security Alerts

Subscribe to security advisories and alerts from official vendors, CERTs, and other authoritative sources. Regularly review and assess the impact of these alerts on your systems and take appropriate actions.

7. Penetration Testing and Auditing

Conduct regular vulnerability assessment and penetration testing (VAPT) exercises to identify and remediate vulnerabilities in your systems. Complement these exercises with periodic security audits to ensure compliance with security policies and standards.

8. Visibility into Assets

Maintain an up-to-date inventory of all internal and external assets, including hardware, software, and network components. Use asset management tools and continuous monitoring to ensure comprehensive visibility and control over your IT environment.

9. Strong Password Policy

Change default passwords immediately and enforce a strong password policy across the organization. Implement multi-factor authentication (MFA) to provide an extra layer of security and significantly reduce the risk of unauthorized access.

Related