Overview

The Cyble Research & Intelligence Labs (CRIL) has released its Weekly Vulnerability Insights Report, highlighting a series of critical vulnerabilities reported between November 27, 2024, and December 3, 2024.

This week’s findings focus on various vulnerabilities that pose risks to organizations, ranging from open-source applications to widely used enterprise software. The analysis includes vulnerabilities that have been actively exploited or are likely to be exploited in the near future, with some already accompanied by proof-of-concept (PoC) exploit code.

One of the most noteworthy vulnerabilities identified in this week’s report is CVE-2024-11680, which impacts ProjectSend, an open-source file-sharing application. This vulnerability is categorized as a critical vulnerability in CISA’s Known Exploited Vulnerabilities (KEV) catalog. The Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2024-11680 along with two other vulnerabilities to its catalog.

Throughout this week, CRIL has extensively analyzed vulnerabilities in products from major vendors like Progress Software, Veeam, Microsoft, and QNAP, as well as open-source software like 7-Zip.

CISA’s KEV Catalog: Active Exploitation and Critical Vulnerabilities

As part of its efforts to inform the public about vulnerabilities that are actively exploited, CISA has added three vulnerabilities to its Known Exploited Vulnerabilities Catalog between November 27 and December 3, 2024.

Among these is CVE-2024-11680, a critical flaw in ProjectSend that involves improper authentication, allowing attackers to bypass security and potentially gain unauthorized access. This vulnerability has been assigned a CVSSv3 score of 9.8, making it a high-priority issue for organizations using the software.

Additionally, CVE-2024-11667, a path traversal vulnerability in Zyxel firewalls, also made it to the KEV catalog. Although not as critical as CVE-2024-11680, this vulnerability is still high-risk, affecting multiple models of Zyxel Firewalls with a CVSSv3 score of 7.5. This issue could allow attackers to access sensitive files on vulnerable systems.

Furthermore, CVE-2023-45727, an XML External Entity (XXE) vulnerability in North Grid’s Proself software, was included as well. Exploitation of this vulnerability can allow attackers to launch XXE attacks remotely, exposing systems to potential data breaches.

Major Vulnerabilities Identified

Several other vulnerabilities have been identified as critical threats in this week’s report. Among them:

1. CVE-2024-8785 – A Remote Code Execution (RCE) vulnerability in WhatsUp Gold, a network monitoring software by Progress Software Corporation. This vulnerability allows unauthenticated remote attackers to exploit the NmAPI.exe service to manipulate the Windows registry, potentially resulting in system compromise. With the availability of PoC exploit code, the risk of this vulnerability being weaponized is particularly high.
2. CVE-2024-42448 and CVE-2024-42449 – Both vulnerabilities affect the Veeam Service Provider Console (VSPC), a cloud-based platform used for managing and monitoring data protection services. These vulnerabilities could allow for Remote Code Execution (RCE) and the exposure of sensitive information like NTLM hashes. Veeam has released patches, but organizations are urged to patch their systems immediately to prevent exploitation.
3. CVE-2024-11477 – An RCE vulnerability in the popular file archiver 7-Zip. This flaw arises from Zstandard Decompression in versions prior to 24.07 and could be exploited in email-based phishing campaigns that use malicious compressed files as delivery mechanisms. Given the high use of 7-Zip in both personal and organizational settings, this vulnerability is a major concern.
4. CVE-2024-49019 – A high-severity elevation of privilege vulnerability in Microsoft’s Active Directory Certificate Services. This flaw allows attackers to gain elevated permissions by exploiting misconfigurations in certificate templates. CVE-2024-49019 affects millions of Windows-based systems, and with exploit codes already circulating, it poses a significant risk.
5. CVE-2024-38077 – A critical vulnerability affecting the Windows Remote Desktop Licensing Service, which allows Remote Code Execution (RCE). This vulnerability is particularly dangerous as it impacts multiple versions of Windows, making it a prime target for attackers.

Online Threats on Underground Forums

One of the more concerning findings in the Weekly Vulnerability Report is the presence of active discussions and exploit sharing on underground forums and Telegram channels. These forums are often frequented by cybercriminals who share PoC exploit codes for various vulnerabilities. This week, researchers from CRIL tracked several discussions related to the following vulnerabilities:

• CVE-2024-44285 – A use-after-free vulnerability found in Apple’s operating systems, including iOS, iPadOS, and watchOS. Exploiting this flaw could lead to unexpected termination of the system or even kernel memory corruption.
• CVE-2024-11320 – An arbitrary code execution (RCE) vulnerability affecting Pandora FMS. This vulnerability can be exploited via the LDAP authentication mechanism, potentially giving attackers full access to vulnerable systems.
• CVE-2024-44308 – A critical vulnerability in JavaScriptCore, part of the WebKit engine used by Apple’s Safari browser. This flaw could lead to RCE when users visit malicious websites.
• CVE-2024-0012 – An authentication bypass vulnerability in Palo Alto Networks’ PAN-OS, affecting several versions of the software. This flaw allows attackers to bypass authentication and gain administrative privileges, providing them with full control over affected devices.

Recommendations and Mitigations

Following these vulnerabilities, CRIL offers several key recommendations to help organizations mitigate potential security risks:

1. Organizations should ensure they are applying the latest patches released by vendors to address vulnerabilities like CVE-2024-11680 and others identified in this report. Patching critical vulnerabilities immediately can prevent attacks from exploiting these weaknesses.
2. A comprehensive patch management process is essential. This includes testing, deployment, and verification of patches to ensure that systems remain secure.
3. Critical systems should be isolated from less secure areas of the network to reduce exposure to potential attacks. Using firewalls and access control measures can help limit the impact of a breach.
4. Organizations should implement monitoring systems such as SIEM (Security Information and Event Management) to detect suspicious activities across their networks.
5. Regular training on security best practices, particularly for dealing with phishing emails and malicious attachments, can help reduce the risk of exploitation through social engineering.

Conclusion

The Weekly Vulnerability Report from Cyble Research & Intelligence Labs provides essential insights into the vulnerabilities impacting critical systems and software. With high-risk vulnerabilities such as CVE-2024-11680, CVE-2024-8785, and CVE-2024-49019 in play, it is crucial for organizations to stay proactive in applying patches, monitoring for potential attacks, and reinforcing their overall security posture.

With PoC exploit code already circulating for many of these vulnerabilities, the window of opportunity for attackers to exploit these flaws is rapidly closing, making immediate action imperative. By following the best practices and recommendations provided in this report, organizations can better protect themselves.

Related