Zeroday Vulnerabilities Prevailed in 2024 Analysis-Part II

This is the continuation of our coverage of zero-day vulnerabilities in 2024. Let's delve deeper into the remaining zero-day vulnerabilities of 2024 and provide a comprehensive analysis of each.

Ivanti Zero-Day Vulnerabilities

1. CVE-2023-46805: Authentication Bypass Vulnerability

Description: This vulnerability affects the web component of Ivanti Connect Secure (versions 9.x, 22.x) and Ivanti Policy Secure. It allows a remote attacker to bypass authentication controls, thereby gaining unauthorized access to restricted resources. This flaw arises from inadequate validation in the authentication process, which attackers can exploit by crafting specific requests.

Impact:

  • Unauthorized Access: Attackers can gain unauthorized entry into systems, accessing sensitive information and critical functions.
  • Data Breaches: Potential exposure of confidential data, including personal and organizational information, could occur.
  • Operational Disruption: Unauthorized access may lead to the manipulation or disruption of services, impacting normal business operations.

Severity: With a CVSS score of 8.2, this vulnerability is rated as high severity, indicating a significant risk of exploitation and potential damage.

Exploitation: Attackers can exploit this vulnerability by sending specially crafted requests to the affected systems, bypassing the authentication mechanism and gaining unauthorized access. This can be done remotely without requiring any prior authentication or user interaction, making it highly dangerous.

2. CVE-2024-21887: Command Injection Vulnerability

Description: This critical vulnerability affects the web components of Ivanti Connect Secure (versions 9.x, 22.x) and Ivanti Policy Secure. It allows an authenticated administrator to execute arbitrary commands on the appliance by sending specially crafted requests. The flaw exists due to insufficient input validation in command handling, which attackers can exploit to run unauthorized commands.

Impact:

  • Remote Command Execution: Attackers can execute commands remotely, potentially gaining control over the system.
  • Data Theft: The ability to exfiltrate sensitive data and information.
  • System Manipulation: Potential to alter system configurations and disrupt operations.

Severity: With a CVSS score of 9.1, this vulnerability is classified as critical, reflecting its ease of exploitation and severe impact on the affected systems.

Exploitation: Attackers can exploit this vulnerability by sending specially crafted requests that include malicious commands. These commands are executed on the system, allowing attackers to gain control and perform unauthorized actions. This can lead to data theft, system manipulation, and further exploitation of the network.

3. CVE-2024-21893: Server-Side Request Forgery (SSRF) Vulnerability

Description: This vulnerability affects the SAML component of Ivanti Connect Secure (versions 9.x, 22.x), Ivanti Policy Secure (versions 9.x, 22.x), and Ivanti Neurons for ZTA. It allows attackers to perform SSRF attacks by crafting malicious requests to access restricted internal resources without authentication. The flaw stems from insufficient validation of user-supplied input in the SAML component, enabling attackers to manipulate request headers and parameters.

Impact:

  • Internal Resource Access: Unauthorized access to internal services and resources, potentially leading to further exploitation.
  • Data Exfiltration: Potential for sensitive data extraction and exposure.
  • Network Reconnaissance: Attackers can gather information about the internal network structure and services, facilitating more targeted attacks.

Severity: This vulnerability is of high severity, highlighting the significant risk posed by unauthorized access and data exposure.

Exploitation: Attackers can exploit this vulnerability by sending specially crafted requests that manipulate the SAML component. These requests can access internal resources without authentication, allowing attackers to gather information, exfiltrate data, and perform further attacks on the network.

4. CVE-2024-21888: Privilege Escalation Vulnerability

Description: This vulnerability affects the web components of Ivanti Connect Secure (versions 9.x, 22.x) and Ivanti Policy Secure (versions 9.x, 22.x). It allows a user to elevate their privileges to that of an administrator by exploiting specific flaws in the authentication and authorization mechanisms.

Impact:

  • Elevated Privileges: Attackers can gain higher-level access, allowing them to perform administrative actions and manipulate system settings.
  • System Control: The potential to control and manipulate the system fully, leading to significant operational disruptions.
  • Increased Damage: Higher-level access increases the potential for data theft, system disruption, and further exploitation.

Severity: Rated as high severity, this vulnerability poses a substantial threat due to the ease of privilege escalation and the significant impact on system security.

Exploitation: Attackers can exploit this vulnerability by leveraging flaws in the authentication and authorization mechanisms to elevate their privileges. Once they gain higher-level access, they can perform administrative actions, manipulate system settings, and further compromise the system.

5. CVE-2024-22024: XML External Entity (XXE) Vulnerability

Description: This vulnerability affects the SAML component of Ivanti Connect Secure (versions 9.x, 22.x), Ivanti Policy Secure (versions 9.x, 22.x), and ZTA gateways. It allows attackers to exploit XXE flaws to access restricted resources without authentication. The issue arises from improper handling of XML input in the SAML component, enabling attackers to inject malicious XML data and trigger unintended behaviors.

Impact:

  • Sensitive File Access: Attackers can read sensitive files on the server, leading to potential data breaches.
  • Network Reconnaissance: Gathering information about internal network configurations and services, facilitating further exploitation.
  • Data Exfiltration: Potential extraction and exposure of sensitive data, increasing the risk of data breaches.

Severity: Classified as high severity, this vulnerability underscores the significant risk posed by unauthorized access and data exposure.

Exploitation: Attackers can exploit this vulnerability by injecting malicious XML data into the SAML component. This can trigger unintended behaviors, such as accessing sensitive files, gathering information about the internal network, and exfiltrating data.
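
The XXE weakness described above comes down to how the SAML XML is parsed: if the parser honours a DTD embedded in the incoming message, entity declarations chosen by the sender are expanded into the document. The Python example below is added here for illustration and is not Ivanti's code; it models a hypothetical SAML response handler and shows that the standard-library parser expands a sender-declared internal entity, while refusing any message that carries a DTD before parsing closes that path. Both sample messages are constructed, and the signature elements a real SAML response would carry are omitted.

```python
import re
import xml.etree.ElementTree as ET

# Hypothetical SAML response handler (constructed for this example).
SAML_NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# A DOCTYPE or ENTITY declaration anywhere in the raw bytes. Legitimate SAML
# messages never carry a DTD, so its presence alone is grounds for rejection.
_DTD_RE = re.compile(rb"<!\s*(DOCTYPE|ENTITY)\b", re.IGNORECASE)


class UnsafeXML(ValueError):
    """Raised when an incoming message fails the pre-parse checks."""


def extract_name_id_unsafe(raw: bytes) -> str:
    # Parses whatever arrives. The standard-library parser (expat) expands
    # internal entities declared in the message's own DTD, so sender-controlled
    # entity content ends up in the parsed document. This is the pattern XXE
    # payloads build on; it is shown only to contrast with the hardened form.
    root = ET.fromstring(raw)
    return root.findtext(".//saml:NameID", default="", namespaces=SAML_NS)


def extract_name_id_hardened(raw: bytes) -> str:
    # 1. Refuse any message that carries DTD machinery before the parser sees it.
    if _DTD_RE.search(raw):
        raise UnsafeXML("DTD or entity declaration present in SAML message")
    root = ET.fromstring(raw)
    # 2. Insist on the expected document type rather than searching blindly.
    if root.tag != "{urn:oasis:names:tc:SAML:2.0:protocol}Response":
        raise UnsafeXML(f"unexpected root element {root.tag!r}")
    name_id = root.findtext(".//saml:NameID", default="", namespaces=SAML_NS).strip()
    if not name_id:
        raise UnsafeXML("missing NameID")
    return name_id


# Constructed sample messages (not real traffic).
BENIGN_RESPONSE = (
    b'<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    b'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    b"<saml:Assertion><saml:Subject>"
    b"<saml:NameID>alice@example.com</saml:NameID>"
    b"</saml:Subject></saml:Assertion></samlp:Response>"
)

# The same message with a sender-supplied DTD declaring an internal entity.
DTD_RESPONSE = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE Response [<!ENTITY injected "entity-expanded-content">]>'
    b'<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    b'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    b"<saml:Assertion><saml:Subject>"
    b"<saml:NameID>&injected;</saml:NameID>"
    b"</saml:Subject></saml:Assertion></samlp:Response>"
)


def demo() -> dict:
    results = {
        "benign": extract_name_id_hardened(BENIGN_RESPONSE),
        "unsafe_parser_expands": extract_name_id_unsafe(DTD_RESPONSE),
    }
    try:
        extract_name_id_hardened(DTD_RESPONSE)
        results["hardened_rejects"] = False
    except UnsafeXML:
        results["hardened_rejects"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The pre-parse check is a front gate, not a substitute for signature verification of the assertion; it simply guarantees that no sender-controlled DTD ever reaches the parser, which is the condition an XXE payload depends on.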

CyberPanel Zero-Day Vulnerabilities

1. CVE-2024-51567: Authentication Bypass Vulnerability

Description: This critical vulnerability allows attackers to bypass authentication mechanisms and gain unauthorized access to the system. It results from inadequate validation of authentication credentials, enabling attackers to exploit the system by sending specially crafted requests.

Impact:

  • Unauthorized access to sensitive data.
  • Potential data breaches.
  • Operational disruptions and manipulation of system functions.

Severity: Rated at 10/10 on the CVSS scale, indicating an extremely critical threat due to the ease of exploitation and potential impact.

Exploitation: Attackers can send specially crafted requests that bypass authentication checks, granting them access to restricted areas of the system without the need for valid credentials.

2. CVE-2024-51568: Command Injection Vulnerability

Description: This vulnerability allows authenticated administrators to execute arbitrary commands on the system. The flaw lies in the inadequate validation of user inputs, which can be manipulated to run unauthorized commands.

Impact:

  • Remote command execution.
  • Data theft and unauthorized data manipulation.
  • Potential for full system compromise.

Severity: With a CVSS score of 9.1, this vulnerability is classified as critical due to the high risk and potential for significant damage.

Exploitation: Attackers can send specially crafted requests that contain malicious commands. These commands are executed on the system, allowing attackers to control the system and perform unauthorized actions.

3. CVE-2024-51378: Remote Code Execution (RCE) Vulnerability

Description: This vulnerability allows unauthenticated attackers to execute remote code on the system. It is a result of inadequate input validation in the getresetstatus endpoint.

Impact:

  • Complete system takeover.
  • Unauthorized access and control.
  • Potential deployment of ransomware or other malicious software.

Severity: Rated at 9.8 on the CVSS scale, indicating a critical threat.

Exploitation: Attackers can exploit this vulnerability by sending specially crafted requests to the getresetstatus endpoint, enabling them to execute arbitrary code remotely.

GeoVision Zero-Day Vulnerabilities

1. CVE-2024-11120: Command Injection Vulnerability

Description: This pre-authentication vulnerability allows attackers to execute arbitrary commands on vulnerable GeoVision devices without requiring authentication. The flaw arises from insufficient input validation.

Impact:

  • Remote command execution.
  • Full system control and manipulation.
  • Potential for launching Distributed Denial of Service (DDoS) or cryptomining attacks.

Severity: Rated at 9.8 on the CVSS scale, highlighting the critical nature of this threat.

Exploitation: Attackers can inject and execute arbitrary system commands by sending specially crafted requests, gaining control over the device and its functions.

2. CVE-2024-11121: Data Exfiltration Vulnerability

Description: This vulnerability allows attackers to access and exfiltrate sensitive data from GeoVision devices. The flaw lies in the improper handling of data access controls.

Impact:

  • Unauthorized access to sensitive information.
  • Potential data breaches and exposure of confidential data.

Severity: With a CVSS score of 9.0, this vulnerability represents a high threat level due to the ease of exploitation and the potential for significant data loss.

Exploitation: Attackers can exploit this vulnerability to access and extract sensitive data by sending specially crafted requests that bypass existing access controls.

Hitron Zero-Day Vulnerabilities

1. CVE-2024-22768 to CVE-2024-22772: Command Injection Vulnerability

Severity: Medium (CVSS v3 score: 7.4)

Affected Models: Hitron DVR models including HVR-4781, HVR-8781, LGUVR-4H, LGUVR-8H, and LGUVR-16H.

Description: These vulnerabilities arise from improper input validation in the management interface of the DVRs. Attackers can exploit these vulnerabilities to execute OS command injections.

Exploitation: Attackers can exploit these vulnerabilities using default admin credentials. Active exploitation has been observed in the wild.

Impact: Successful exploitation allows attackers to gain control over the device, execute arbitrary commands, and potentially take over the DVR system.
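
The command injection flaws described for Ivanti Connect Secure (CVE-2024-21887), CyberPanel (CVE-2024-51568), GeoVision (CVE-2024-11120) and the Hitron DVRs above share one root cause: a request parameter reaches an OS shell as part of a command string. The Python example below is added here for illustration and is not code from any of those vendors; it models a hypothetical management-interface "ping a host" handler and shows the vulnerable string-building pattern next to a hardened version that validates the input against an allow-list and passes it as an argument vector. The handler, the regular expression and the sample inputs are all constructed for the example.

```python
import re
import subprocess

# Hypothetical management-interface handler (constructed for this example):
# an administrator asks the appliance to ping a host of their choosing.


def build_ping_vulnerable(host: str) -> str:
    # The request parameter is spliced into one command string destined for
    # subprocess.run(..., shell=True). Every shell metacharacter in `host`
    # (';', '|', '`', '$(...)') is interpreted by the shell, so the caller can
    # append commands of their own. Returned as a string, never executed here.
    return f"ping -c 1 {host}"


# Allow-list for the one value this handler accepts: DNS names or IPv4
# literals. Nothing the shell treats specially can pass.
_HOST_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,251}[A-Za-z0-9])?$")


def build_ping_hardened(host: str) -> list:
    # 1. Validate against the allow-list and reject anything else.
    if not _HOST_RE.fullmatch(host):
        raise ValueError(f"rejected host argument: {host!r}")
    # 2. Hand the program an argument vector. With no shell in the path, the
    #    value is always exactly one argv entry, whatever it contains.
    return ["ping", "-c", "1", host]


def looks_like_injection(value: str) -> bool:
    # Cheap indicator for logging or alerting: metacharacters that have no
    # business in a hostname parameter.
    return re.search(r"[;|&`$<>(){}\n]", value) is not None


def run_ping(host: str) -> subprocess.CompletedProcess:
    # The only place a process is started; shell=True is never used.
    return subprocess.run(build_ping_hardened(host),
                          capture_output=True, text=True, check=False)


if __name__ == "__main__":
    for candidate in ("example.com", "203.0.113.5", "example.com; other-command"):
        try:
            print(build_ping_hardened(candidate))
        except ValueError as exc:
            print(exc, "| injection indicator:", looks_like_injection(candidate))
```

Validation and the argument vector are both needed: the allow-list keeps unexpected values out of the command entirely, and the argv form guarantees that even a value the allow-list mishandles can never become a second command, because no shell parses it.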

2. CVE-2024-23842: XSS Vulnerability

Severity: Medium (CVSS v3 score: 7.4)

Affected Model: Hitron CODA-4582.

Description: This vulnerability allows a remote attacker within Wi-Fi proximity to conduct a DOM-based stored cross-site scripting (XSS) attack.

Exploitation: Attackers can exploit this vulnerability by delivering a malicious payload via a POST request to the management interface.

Impact: Attackers can launch denial of service (DoS) attacks or steal sensitive information.

Citrix Zero-Day Vulnerabilities

1. CVE-2024-8534: Memory Corruption Vulnerability

Severity: High (CVSS v3 score: 8.1)

Affected Product: Citrix NetScaler.

Description: This is a memory safety vulnerability that can lead to memory corruption.

Exploitation: Attackers can exploit this vulnerability to cause denial of service (DoS), making the device crash or become unresponsive.

Impact: Exploitation can result in denial of service (DoS), causing the device to crash or become unresponsive.

2. CVE-2024-8535: Race Condition Vulnerability

Severity: Medium (CVSS v3 score: 7.4)

Affected Product: Citrix NetScaler.

Description: A race condition vulnerability that allows authenticated users to access unintended capabilities.

Exploitation: Attackers can exploit this vulnerability by initiating actions that trigger the race condition.

Impact: This could lead to unauthorized access and potential privilege escalation.

3. CVE-2024-6286: Privilege Escalation Vulnerability

Severity: High (CVSS v3 score: 8.0)

Affected Product: Citrix Workspace app for Windows.

Description: A local privilege escalation vulnerability.

Exploitation: A low-privileged user can exploit this vulnerability to gain SYSTEM privileges.

Impact: A low-privileged user can exploit this vulnerability to gain SYSTEM privileges, which could lead to complete system compromise.

4. CVE-2024-8068 and CVE-2024-8069: Remote Code Execution and Privilege Escalation

Severity: Critical (CVSS v3 score: 9.8)

Affected Product: Citrix Recording Manager.

Description: These vulnerabilities allow for unauthenticated remote code execution (RCE) and privilege escalation.

Exploitation: Attackers can exploit these vulnerabilities without authentication to execute arbitrary code and escalate privileges.

Impact: Exploitation can lead to a complete takeover of the system, allowing attackers to execute arbitrary code and escalate privileges.

Oracle Zero-Day Vulnerabilities

1. CVE-2024-21287: Remote File Disclosure

Description: This vulnerability, identified in Oracle Agile Product Lifecycle Management (PLM) Framework version 9.3.6, allows remote file disclosure without requiring authentication.

Exploitation: An attacker can exploit this vulnerability over a network without needing a username or password.

Impact: The impact of this vulnerability is significant as it compromises sensitive information and can lead to data breaches.

Severity: The CVSS score of 7.5 indicates a high severity, and Oracle has released patches to address this issue.

Mozilla Zero-Day Vulnerabilities

1. CVE-2024-9680: Use-After-Free Vulnerability

Description: Discovered by ESET researchers on October 8, 2024, this use-after-free vulnerability in Firefox’s animation timeline feature allows for remote code execution.

Impact: This type of vulnerability lets attackers execute arbitrary code on a user’s system, potentially leading to full control of the device.

Severity: The critical CVSS score of 9.8 indicates a severe threat.

Samsung Exynos Zero-Day Vulnerability

1. CVE-2024-44068: Use-After-Free Vulnerability

Description:
In 2024, a critical zero-day vulnerability identified as CVE-2024-44068 was discovered in multiple Samsung Exynos processors, including the Exynos 9820, 9825, 980, 990, 850, and W920 series. This vulnerability originates from a Use-After-Free (UAF) condition in the m2m_scaler driver, which handles essential media processing tasks like JPEG decoding and image scaling.

Impact:
The severity of this vulnerability is high. It allows attackers to execute arbitrary code with elevated privileges, potentially leading to complete system compromise. The exploitation of the m2m_scaler driver’s improper memory management can give attackers control over the device, making it a significant threat.

Severity:
The vulnerability has been assigned a CVSS score of 8.1, indicating a high-severity issue. This score reflects the potential for attackers to achieve kernel-level privileges and execute malicious code, posing a serious risk to affected devices.

Exploitation:
Attackers can exploit this vulnerability by manipulating IOCTL calls, which are used for input/output control operations. The flaw occurs when the driver incorrectly handles page reference counting for PFNMAP pages, resulting in I/O virtual pages potentially mapping to freed physical pages. This allows attackers to execute arbitrary code within a privileged camera server process, disguising their activities by renaming processes to appear legitimate.

Mitigation:
To address this issue, Samsung released a security patch in their October 2024 Security Maintenance Release (SMR-Oct-2024). Users of affected devices are strongly advised to update their firmware immediately to protect against potential exploitation.

Qualcomm Zero-Day Vulnerability

1. CVE-2024-43047: Use-After-Free Vulnerability

Description:
In 2024, a critical zero-day vulnerability identified as CVE-2024-43047 was discovered affecting several Qualcomm chipsets, including the Snapdragon 8 Gen 1. This vulnerability arises from a Use-After-Free (UAF) condition in Qualcomm’s Digital Signal Processor (DSP) service, which is responsible for handling various multimedia processing tasks. The flaw allows attackers to exploit memory management errors, leading to unauthorized access and control over the device.

Impact:
The impact of this vulnerability is severe. Exploiting this flaw allows attackers to execute arbitrary code with elevated privileges, potentially leading to a complete system compromise. Attackers can gain deep access to the device, enabling them to spy on users, steal sensitive information, and even control the device remotely. The ability to exploit this vulnerability without user interaction makes it particularly dangerous.

Severity:
The vulnerability has been assigned a CVSS score of 7.8, indicating a high-severity issue. This score reflects the substantial risk posed by the flaw, given the potential for attackers to gain kernel-level access and execute malicious code that can severely compromise affected devices.

Exploitation:
The vulnerability was actively exploited in a spyware campaign known as NoviSpy. This campaign targeted journalists, activists, and government dissidents, leveraging the vulnerability to install spyware on their devices. Attackers utilized a zero-click attack mechanism, exploiting features like Voice-over-Wi-Fi (VoWiFi) and Voice-over-LTE (VoLTE) to execute the attack without user interaction. Forensic tools, such as those from Cellebrite, were reportedly used to unlock devices and install the spyware covertly.

Mitigation:
Qualcomm responded to this threat by releasing a security patch in their September 2024 Security Maintenance Release. Users of affected devices are strongly advised to update their firmware immediately to protect against potential exploitation.

ScienceLogic SL1 Zero-Day Vulnerability

1. CVE-2024-9537: Remote Code Execution

Description:
The vulnerability stems from an unspecified third-party component packaged with SL1. This flaw allows attackers to achieve remote code execution (RCE) on affected systems, potentially giving them unauthorized access to sensitive data.

Impact:
The impact of this vulnerability is severe, with a CVSS score of 9.8, indicating a critical threat. Attackers exploiting this vulnerability can gain deep access to the system, compromising the integrity and confidentiality of the data managed by SL1.

Severity:
With a CVSS score of 9.8, this vulnerability is considered critical. It poses a significant risk to organizations using ScienceLogic SL1, as it allows attackers to execute arbitrary code remotely.

Exploitation:
The vulnerability was actively exploited in the wild, with reports indicating that it was used in a cyberattack on Rackspace, a cloud computing provider. The attackers leveraged the flaw to gain unauthorized access to Rackspace's internal performance monitoring systems.

Mitigation:
ScienceLogic has released patches for affected versions of SL1, including versions 12.1.3+, 12.2.3+, and 12.3+, as well as updates for older versions like 10.1.x, 10.2.x, 11.1.x, 11.2.x, and 11.3.x. Organizations using SL1 are strongly advised to apply these patches immediately to mitigate the risk of exploitation.

Kingsoft WPS Zero-Day Vulnerabilities

CVE-2024-7262 and CVE-2024-7263

Description:
In 2024, two critical zero-day vulnerabilities, identified as CVE-2024-7262 and CVE-2024-7263, were discovered in Kingsoft WPS Office for Windows. These vulnerabilities were exploited by the South Korea-aligned cyber espionage group APT-C-60.

  • CVE-2024-7262: This vulnerability is a remote code execution (RCE) flaw caused by improper validation and sanitization of custom protocol handlers (ksoqing://). Attackers exploited this vulnerability by embedding malicious hyperlinks in documents. When a user clicks on these hyperlinks, arbitrary code is executed, allowing attackers to take control of the system.
  • CVE-2024-7263: This is another RCE vulnerability found in the promecefpluginhost.exe plugin. It arises from improper path validation, which allows attackers to execute arbitrary code by bypassing security checks.

Impact:
The impact of these vulnerabilities is severe, as they allow attackers to gain unauthorized access to affected systems, execute arbitrary code, and potentially install backdoors like SpyGlace. This can lead to data theft, surveillance, and a full system compromise.

Severity:
Both vulnerabilities have been assigned high-severity ratings due to their significant impact and ease of exploitation. CVE-2024-7262 has a CVSS score of 9.8, reflecting its critical nature. CVE-2024-7263 also has a high severity rating, posing a serious threat to affected systems.

Exploitation:
The vulnerabilities were actively exploited by the APT-C-60 group to target users in East Asia. The attackers used malicious spreadsheet documents (MHTML files) containing hidden hyperlinks. When users clicked on these links, the embedded malicious code was executed. The group utilized these vulnerabilities to deploy the SpyGlace backdoor, which facilitated surveillance and data exfiltration.

Mitigation Strategies

To mitigate these vulnerabilities, organizations should:

  1. Apply Patches and Updates: Ensure that all affected systems are updated to the latest versions that include patches for these vulnerabilities. Regularly check for updates and apply them promptly to address security flaws.
  2. Implement Strong Authentication: Use multi-factor authentication (MFA) to enhance security and reduce the risk of unauthorized access. Ensure that authentication mechanisms are robust and regularly reviewed to maintain effectiveness.
  3. Regular Security Assessments: Conduct regular security assessments, including penetration testing and vulnerability scanning, to identify and remediate vulnerabilities. Implement continuous monitoring to detect potential threats and respond promptly.
  4. Monitor Network Activity: Continuously monitor network traffic for unusual activities that may indicate exploitation attempts. Use intrusion detection and prevention systems to alert and respond to suspicious activities, enhancing overall network security.
  5. Follow Security Advisories: Stay informed about security advisories from the affected vendors, such as CyberPanel and GeoVision, and follow their guidance for mitigating these vulnerabilities. Establish a process for promptly addressing security alerts and advisories to ensure a proactive approach to security management.
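
As an added example for items 3 and 4 above (not part of the original post and not a vendor tool), the Python script below applies two simple detection rules to constructed web-server access-log lines: requests to the getresetstatus endpoint named in the CyberPanel section, and request targets containing shell metacharacters, raw or URL-encoded, which is the indicator that matters for the command injection flaws covered on this page. The /api/ path prefix, the IP addresses and the timestamps are assumptions made for the sample.

```python
import re
from collections import Counter

# Common Log Format (what most web servers emit by default): client IP, ident,
# user, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Watch-list of endpoints named in advisories; only the one this post names.
WATCHED_ENDPOINTS = ("getresetstatus",)

# Shell metacharacters in a request target, raw or URL-encoded. '&' is left
# out because it is the ordinary query-string separator.
SHELL_META_RE = re.compile(r"[;|`$]|%3b|%7c|%60|%24", re.IGNORECASE)


def parse_line(line: str):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry: dict) -> list:
    reasons = []
    if any(ep in entry["target"].lower() for ep in WATCHED_ENDPOINTS):
        reasons.append("watched-endpoint")
    if SHELL_META_RE.search(entry["target"]):
        reasons.append("shell-metachar")
    return reasons


def scan(log_text: str) -> list:
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line.strip())
        if entry is None:
            continue  # unparseable line: skipped here, worth counting in production
        reasons = classify(entry)
        if reasons:
            findings.append({"ip": entry["ip"], "ts": entry["ts"],
                             "target": entry["target"], "status": entry["status"],
                             "reasons": reasons})
    return findings


def by_source(findings: list) -> dict:
    # Hits per client address, to surface the sources worth looking at first.
    return dict(Counter(f["ip"] for f in findings))


# Constructed sample log (documentation address ranges, not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [12/Nov/2024:10:01:02 +0000] "GET /login HTTP/1.1" 200 512
203.0.113.10 - - [12/Nov/2024:10:01:05 +0000] "POST /login HTTP/1.1" 302 0
198.51.100.7 - - [12/Nov/2024:10:02:11 +0000] "GET /api/getresetstatus?token=abc HTTP/1.1" 200 88
198.51.100.7 - - [12/Nov/2024:10:02:12 +0000] "GET /api/getresetstatus?token=abc%3Bextra HTTP/1.1" 200 140
203.0.113.10 - - [12/Nov/2024:10:03:00 +0000] "GET /dashboard?tab=users&page=2 HTTP/1.1" 200 2048
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["ts"], f["ip"], f["target"], ",".join(f["reasons"]))
    print(by_source(scan(SAMPLE_LOG)))
```

The two rules are deliberately narrow so that they can run over high-volume logs without tuning; the watched-endpoint rule alone will also flag legitimate traffic, so the status code and the per-source count are kept in each finding to help an analyst separate routine use from probing.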

This brings us to the end of this security coverage. Thanks for visiting TheCyberThrone.
