Google has released an emergency security update for its Chrome browser. The update includes a patch released four days earlier for a vulnerability which Google say is already being exploited.

The easiest way to update Chrome is to allow it to update automatically, but you can end up lagging behind if you never close the browser or if something goes wrong—such as an extension stopping you from updating the browser.

Click Settings > About Chrome. If there is an update available, Chrome will notify you and start downloading it. Then all you have to do is relaunch the browser in order for the update to complete, and for you to be safe from those vulnerabilities.

Technical details on the vulnerabilities

If you have already updated to version 124.0.6367.201/.202 for Mac and Windows or 124.0.6367.201 for Linux, this will provide protection against the first vulnerability. The patch Google issued four days ago covered this actively exploited vulnerability.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The actively exploited CVE patched in this update is:

CVE-2024-4671 a use after free in Visuals in Google Chrome prior to 124.0.6367.201 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page.

Use after free (UAF) is a type of vulnerability that is the result of the incorrect use of dynamic memory during a program’s operation. If, after freeing a memory location, a program does not clear the pointer to that memory, an attacker can use the error to manipulate the program. Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code. In this case, by exploiting the vulnerability, the attacker can escape the sandbox that should contain any threats to the browser.

Exploitation is possible by getting the target to open a specific, specially crafted webpage, so the vulnerability is suitable for exploitation as a drive-by attack.

CVE-2024-4761: An out of bounds write in V8 in Google Chrome prior to 124.0.6367.207 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page.

An out-of-bounds write or read flaw makes it possible to manipulate parts of the memory which are allocated to more critical functions. This could allow an attacker to write code to a part of the memory where it will be executed with permissions that the program and user should not have.

V8 is Google’s open-source high-performance JavaScript and WebAssembly engine and is part of the Chromium project. Among others it runs the JavaScript code included in webpages.

Again, exploitation is possible by getting the target to open a specific, especially crafted webpage, which makes the vulnerability suitable for exploitation as a drive-by attack.

---

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

The April 2024 Patch Tuesday update includes patches for 149 Microsoft vulnerabilities and republishes 6 non-Microsoft CVEs. Three of those 149 vulnerabilities are listed as critical, and one is listed as actively exploited by Microsoft. Another vulnerability is claimed to be a zero-day by researchers that have found it to be used in the wild.

Let’s first have a look at the two zero-days. The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The CVEs for these two vulnerabilities are:

CVE-2024-26234 (CVSS score 6.7 out of 10): a proxy driver spoofing vulnerability that Microsoft listed as “Exploitation detected” hours after it initially listed it as non-exploited.

In fact, the patch is a revocation of a Microsoft Windows Hardware Compatibility Publisher signature that was used to sign a file which contained a backdoor using an embedded proxy server to monitor and intercept network traffic on an infected Windows machine. Apparently, the software, designed to remote-control phones, was used to make them act like online bots, collectively liking posts, following people on social media, and posting comments.

CVE-2024-29988 (CVSS score 8.8 out of 10): a SmartScreen prompt security feature bypass vulnerability. Microsoft still has this listed as “Exploitation More Likely” and acknowledges the fact that functional exploit code is available. Which means that the exploit code works in most situations where the vulnerability exists.

One reason for the contradiction could be that the exploitation requires some form of user interaction. It requires an attacker to get the victim to click on a link or open a file. If the victim falls for that, the bug allows the attacker to bypass the SmartScreen security feature in Windows that’s supposed to alert users to any untrusted websites or other threats.

Researchers said that attackers are using the weakness to send targets exploits in a zipped file which bypasses the Mark of the Web (MotW) warnings, a warning message users should see when trying to open a file downloaded from the internet.

A few applications that deserve some of your attention if you’re using them are SQL Server (38 vulnerabilities), and Windows Remote Access Connection Manager (9).

Other vendors

Other vendors have synchronized their periodic updates with Microsoft. Here are few major ones that you may find in your environment.

The Android Security Bulletin for April 2024 contains details of security vulnerabilities for patch level 2024-04-05 or later.

Google also updated Chrome to patch a zero-day vulnerability.

SAP has released its April 2024 Patch Day updates.

---

We don’t just report on vulnerabilities—we identify them, and prioritize action.

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using ThreatDown Vulnerability and Patch Management.

Google has released an update to Chrome which includes seven security fixes. Version 123.0.6312.86/.87 of Chrome for Windows and Mac and 123.0.6312.86 for Linux will roll out over the coming days/weeks.

The easiest way to update Chrome is to allow it to update automatically, which basically uses the same method as outlined below but does not require your attention. But you can end up lagging behind if you never close the browser or if something goes wrong—such as an extension stopping you from updating the browser.

So, it doesn’t hurt to check now and then. And now would be a good time, given the severity of the vulnerability in this patch. My preferred method is to have Chrome open the page chrome://settings/help which you can also find by clicking Settings > About Chrome.

If there is an update available, Chrome will notify you and start downloading it. Then all you have to do is relaunch the browser in order for the update to complete, and for you to be safe from those vulnerabilities.

After the update, the version should be 123.0.6312.86, or later

Technical details

Google never gives out a lot of information about vulnerabilities, for obvious reasons. Access to bug details and links may be kept restricted until a majority of users are updated with a fix.

There is one critical vulnerability that looks like it might be of interest to cybercriminals.

CVE-2024-2883: Use after free (UAF) vulnerability in Angle in Google Chrome prior to 123.0.6312.86 could allow a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Angle is a browser component that deals with WebGL (short for Web Graphics Library) content. WebGL is a JavaScript API for rendering interactive 2D and 3D graphics within any compatible web browser without the use of plug-ins.

UAF is a type of vulnerability that is the result of the incorrect use of dynamic memory during a program’s operation. If, after freeing a memory location, a program does not clear the pointer to that memory, an attacker can use the error to manipulate the program. Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code. In this case, when the vulnerability is exploited, it can lead to heap corruption.

Heap corruption occurs when a program modifies the contents of a memory location outside of the memory allocated to the program. The outcome can be relatively benign and cause a memory leak, or it may be fatal and cause a memory fault, usually in the program that causes the corruption.

Chromium vulnerabilities are considered critical if they “allow an attacker to read or write arbitrary resources (including but not limited to the file system, registry, network, etc.) on the underlying platform, with the user’s full privileges.”

So, to sum this up, in this case an attacker could create a specially crafted HTML page–which can be put online as a website–that exploits the vulnerability, potentially leading to a compromised system.

My suggestion: don’t wait for the update, get it now.

---

We don’t just report on vulnerabilities—we identify them, and prioritize action.

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using ThreatDown Vulnerability and Patch Management.

Mozilla released version 124.0.1 of the Firefox browser to Release channel users (the default channel that most non-developers run) on March 22, 2024. The new version fixes two critical security vulnerabilities. One of the vulnerabilities affects Firefox on desktop only, and doesn’t affect mobile versions of Firefox.

Windows users that have automatic updates enabled should have the new version available as soon or shortly after they open the browser.

Version number should read 124.0.1 or higher

Other users can update their browser by following these instructions:

• Click the menu button (3 horizontal stripes) at the right side of the Firefox toolbar, go to Help, and select About Firefox. The About Mozilla Firefox window will open.
• Firefox will check for updates automatically. If an update is available, it will be downloaded.
• You will be prompted when the download is complete, then click Restart to update Firefox.

To change the way in which Firefox installs updates, you can:

• Click the menu button (3 horizontal stripes) and select Settings.
• In the General panel, go to the Firefox Updates section.
• Here you can adjust the settings to your liking.

The vulnerabilities

The vulnerabilities were found during the Pwn2Own Vancouver 2024 hacking competition. The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The CVEs patched in this update are:

CVE-2024-29943: an attacker was able to perform an out-of-bounds read or write on a JavaScript object by fooling range-based bounds check elimination. This vulnerability affects Firefox < 124.0.1.

An out-of-bounds read or write can occur when a program has access outside the bounds of an allocated area of memory, potentially leading to a crash or arbitrary code execution or disclosure of information. This can happen when the size of the data is larger than the size of the allocated memory area, when the data is written to an incorrect location within the memory area, or when the program incorrectly calculates the size or location of the data.

CVE-2024-29944: An attacker was able to inject an event handler into a privileged object that would allow arbitrary JavaScript execution in the parent process. Note: This vulnerability affects Desktop Firefox only, it does not affect mobile versions of Firefox. This vulnerability affects Firefox < 124.0.1 and Firefox ESR < 115.9.1.

Firefox ESR (Extended Support Release) is offered for organizations, including schools, universities, businesses, and others who need extended support for mass deployments.

An event handler is a program function that is executed by the application or operating system when an event is executed on the application.

Programming languages are built on the concept of classes and objects to organize programs into simple, reusable pieces of code. A privileged object is a function or piece of code with elevated permissions.

Together, the two vulnerabilities allowed the researcher to achieve a sandbox escape of Firefox. The sandbox is employed to protect against malicious content entering the system through the browser.

---

We don’t just report on vulnerabilities—we identify them, and prioritize action.

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using ThreatDown Vulnerability and Patch Management.

Ivanti has issued patches for two vulnerabilities. One was discovered in the Ivanti Standalone Sentry, which impacts all supported versions 9.17.0, 9.18.0, and 9.19.0. Older versions are also at risk. The other vulnerability impacts all supported versions of Ivanti Neurons for ITSM—2023.3, 2023.2 and 2023.1, as well as unsupported versions which will need an upgrade before patching.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The CVEs patched in these updates are:

CVE-2023-41724 (CVSS score 9.6 out of 10), which allows an unauthenticated threat actor to execute arbitrary commands on the underlying operating system of the appliance within the same physical or logical network.

This vulnerability was reported to Ivanti by the NATO Cyber Security Centre. Ivanti says it’s not aware of any customers being exploited by this vulnerability at the time of disclosure. The attack option is limited because an attacker without a valid Transport Layer Security (TLS) client certificate enrolled through Ivanti Endpoint Manager Mobile (EPMM) cannot directly exploit this issue on the internet.

Ivanti says its customers can access the patch (9.17.1, 9.18.1 and 9.19.1) via the standard download portal.

CVE-2023-46808 (CVSS score 9.9 out of 10) which allows an authenticated remote user to perform file writes to ITSM server. Successful exploitation can be used to write files to sensitive directories which may allow attackers to execute commands in the context of a web application’s user.

The patch has been applied to all Ivanti Neurons for ITSM Cloud landscapes. On-premise customers are advised to act immediately to ensure they are fully protected. Ivanti says it is not aware of any customers being exploited by this vulnerability prior to public disclosure.

The patch is available on the Ivanti Neurons for ITSM downloads page for each respective 2023.X version. This will require upgrading to 2023.X to apply the patch.

The vulnerabilities have a 2023 CVE because of a reservation made towards the end of 2023, when they were first found and reported. It is Ivanti’s policy that when a CVE is not under active exploitation to disclose the vulnerability when a fix is available, so that customers have the tools they need to protect their environment.

Get patching!

---

We don’t just report on vulnerabilities—we identify them, and prioritize action.

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using ThreatDown Vulnerability and Patch Management.

The March 2024 Patch Tuesday update includes patches for 61 Microsoft vulnerabilities. Only two of the vulnerabilities are rated critical and both of these are found in Windows Hyper-V.

Hyper-V is a hardware virtualization product that allows you to run multiple operating systems as virtual machines (VMs) on Windows. A virtual machine is a computer program that emulates a physical computer. A physical “host” computer can run multiple separate “guest” VMs that are isolated from each other, and from the host. The physical resources of the host are allocated to the VMs by a software layer called the hypervisor, which acts an intermediary between the host and guests.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The Hyper-V CVEs patched in this round of updates are:

CVE-2024-21407 is a Windows Hyper-V Remote Code Execution (RCE) vulnerability with a CVSS score of 8.1 out of 10. Microsoft says exploitation is less likely since this vulnerability would require an authenticated attacker on a guest to send specially crafted file operation requests to hardware resources on the VM which could result in remote code execution on the host server.

This means the attacker would need a good deal of information about the specific environment, and to take additional actions prior to exploitation to prepare the target environment.

CVE-2024-21408 is a Windows Hyper-V Denial of Service (DOS) vulnerability with a CVSS score of 5.5 out of 10. This means an attacker could target a host machine from a guest and cause it to crash or stop functioning. However, Microsoft did not provide any additional details on how this DOS could occur.

The attention for Hyper-V is remarkable since only a week earlier, VMware released security updates to fix critical sandbox escape vulnerabilities in VMware ESXi, Workstation, Fusion, and Cloud Foundation. VMware ESXi and Hyper-V are both designed to handle large-scale virtualization deployments.

Another vulnerability worth mentioning is CVE-2024-21334, which has a CVSS score of 9.8 out of 10. It’s an Open Management Infrastructure (OMI) RCE vulnerability that affects System Center Operations Manager (SCOM). SCOM is a set of tools in Microsoft’s System Center for infrastructure monitoring and application performance management. A remote, unauthenticated attacker could exploit this vulnerability by accessing the OMI instance from the internet and sending specially crafted requests to trigger a use-after-free vulnerability.

OMI is an open source technology for environment management software products for Linux and Unix-based systems. The OMI project was set up to implement standards-based management so that every device in the world can be managed in a clear, consistent, and coherent way.

Use-after-free vulnerabilities are the result of the incorrect use of dynamic memory during a program’s operation. If, after freeing a memory location, a program does not clear the pointer to that memory, an attacker can exploit the error to manipulate the program. Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code.

Microsoft states that if the Linux machines do not need network listening, OMI incoming ports can be disabled. In other cases, customers running affected versions of SCOM (System Center Operations Manager 2019 and 2022) should update to OMI version 1.8.1-0.

Other vendors

Other vendors have synchronized their periodic updates with Microsoft. Here are few major ones that you may find in your environment.

Adobe has released security updates to address vulnerabilities in several products:

• Adobe Experience Manager
• Adobe Premiere Pro
• Adobe ColdFusion
• Adobe Bridge
• Adobe Lightroom
• Adobe Animate

The Android Security Bulletin for February contains details of security vulnerabilities for patch level 2024-03-05 or later.

Apple has released a security update for iOS and iPadOS to patch two zero-day vulnerabilities

SAP has released its March 2024 Patch Day updates.

---

We don’t just report on vulnerabilities—we identify them, and prioritize action.

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using ThreatDown Vulnerability and Patch Management.

VMWare has issued secuity fixes for its VMware ESXi, Workstation, Fusion, and Cloud Foundation products. It has even taken the unusual step of issuing updates for versions of the affected software that have reached thier end-of-life, meaning they would normally no longer be supported.

This flaws affect customers who have deployed VMware Workstation, VMware Fusion, and/or VMware ESXi by itself or as part of VMware vSphere or VMware Cloud Foundation.

A virtual machine (VM) is a computer program that emulates a physical computer. A physical “host” computer can run multiple separate “guest” VMs that are isolated from each other, and from the host. The physical resources of the host are allocated to the VMs by a software layer called the hypervisor, which acts an intermediary between the host and the VM (the guest system).

VMWare’s decision to offer fixes for end-of-life software is because the vulnerabilities patched in these updates are escape flaws that allow a computer program to breack of the confines of a VM and affect the host operating system. Specifically, an attacker with privileged access, such as root or administrator, on a guest VM can access the hypervisor on the host.

Besides instructions about how to update the affected products, the advisory lists possible workarounds that would block an attacker from exploiting the vulnerabilities. Since three of the vulnerabilities affect the USB controller, applying the workarounds will effectively block the use of virtual or emulated USB devices. For guest operating systems that do not support using a PS/2 mouse and keyboard, such as macOS, this means they will effectively be unable to use a mouse and keyboard.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The CVEs patched in these updates are:

CVE-2024-22252 and CVE-2024-22253 are use-after-free vulnerabilities in the XHCI and UHCI USB controllers of VMware ESXi, Workstation, and Fusion. A malicious actor with local administrative privileges on a virtual machine can exploit the issues to execute code as the virtual machine’s VMX process running on the host. On ESXi, the exploitation of either is contained within the VMX sandbox, but on Workstation and Fusion this may lead to code execution on the machine where Workstation or Fusion is installed.

The VMX process is a process that runs in the kernel of the VM and is responsible for handling input/output (I/O) to devices that are not critical to performance. The VMX is also responsible for communicating with user interfaces, snapshot managers, and remote consoles.

Use-after-free vulnerabilities are the result of the incorrect use of dynamic memory during a program’s operation. If, after freeing a memory location, a program does not clear the pointer to that memory, an attacker can exploit the error to manipulate the program. Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code.

CVE-2024-22254 is an out-of-bounds write vulnerability in VMWare ESXi. A malicious actor with privileges within the VMX process can trigger an out-of-bounds write leading to an escape of the sandbox.

A sandbox environment is another name for an isolated VM in which potentially unsafe software code can execute without affecting network resources or local applications.

An out-of-bounds write can occur when a program writes outside the bounds of an allocated area of memory, potentially leading to a crash or arbitrary code execution. This can happen when the size of the data being written to memory is larger than the size of the allocated memory area, when the data is written to an incorrect location within the memory area, or when the program incorrectly calculates the size or location of the data to be written

CVE-2024-22255 is an information disclosure vulnerability in the UHCI USB controller of VMware ESXi, Workstation, and Fusion. A malicious actor with administrative access to a VM may be able to exploit this issue to leak memory from the VMX process.

---

We don’t just report on vulnerabilities—we identify them, and prioritize action.

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using ThreatDown Vulnerability and Patch Management.

JetBrains issued a warning on March 4, 2024 about two serious vulnerabilities in TeamCity server. The flaws can be used by a remote, unauthenticated attacker with HTTP(S) access to a TeamCity on-premises server to bypass authentication checks and gain administrative control of the TeamCity server.

TeamCity is a build management and continuous integration and deployment server from JetBrains that allows developers to commit code changes into a shared repository several times a day. Each commit is followed by an automated build to ensure that the new changes integrate well into the existing code base and as such can be used to detect problems early.

Compromising a TeamCity server allows an attacker full control over all TeamCity projects, builds, agents and artifacts. Which, depending on the use-case of your projects, could make for a suitable attack vector leading to a supply chain attack.

The two vulnerabilities are CVE-2024-27198, an authentication bypass vulnerability with a CVSS score of 9.8, and CVE-2024-27199, a path traversal issue with a CVSS score of 7.3. The Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2024-27198 to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. This means that Federal Civilian Executive Branch (FCEB) agencies need to remediate this vulnerability by March 28, 2024 in order to protect their devices against active threats.

These two vulnerabilities allow an attacker to create new administrator accounts on the TeamCity server which have full control over all TeamCity projects, builds, agents and artifacts.

Exploitation code is readily available online and has already been integrated in offensive security tools like the MetaSploit framework.

So, it doesn’t come as a surprise that researchers are now reporting abuse of the vulnerabilities.

Bleeping Computer reports that attackers have already compromised more than 1,440 instances, while a scan for vulnerable instances by Shadowserver showed that the US and Germany are the most affected countries.

If running JetBrains TeamCity on-prem – make sure to patch for latest CVE-2024-27198 (remote auth bypass) & CVE-2024-27199 vulns NOW!

We started seeing exploitation activity for CVE-2024-27198 around Mar 4th 22:00 UTC. 16 IPs seen scanning so far.https://t.co/zZ0iU5MD8S

— Shadowserver (@Shadowserver) March 5, 2024

The vulnerabilities affect all TeamCity on-premises versions through 2023.11.3 and were fixed in version 2023.11.4. Customers of TeamCity Cloud have already had their servers patched, and according to JetBrains they weren’t attacked.

To update your server, download the latest version (2023.11.4) or use the automatic update option within TeamCity. 

JetBrains has also made a security patch plugin available for customers who are unable to upgrade to version 2023.11.4. There are two security patch plugins, one for TeamCity 2018.2 and newer and one for TeamCity 2018.1 and older. See the TeamCity plugin installation instructions for information on installing the plugin.

If your server is publicly accessible over the internet, and you are unable to immediately mitigate the issue you should probably make your server inaccessible until you can.

---

We don’t just report on vulnerabilities—we identify them, and prioritize action.

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using ThreatDown Vulnerability and Patch Management.

On February 20, Joomla! posted details about four vulnerabilities it had fixed in its Content Management System (CMS), and one in the Joomla! Framework that affects the CMS.

Joomla! is an open-source CMS that’s been around since 2005, and has been one of the most popular CMS platforms by market share for much of that time. Many companies, from small outfits to large enterprises, use a CMS in some form to manage their websites. There are lots of advantages to using a popular CMS, but if you do you should keep an eye out for updates. And this looks like an important one.

Just last month, a vulnerability patched in February 2023 was added to CISA’s catalog of known exploited vulnerabilities, suggesting a lack of patching urgency by some Joomla! owners. Let’s see if we can avoid duplicating that scenario.

To make this happen, Joomla! CMS users should upgrade to version 3.10.15-elts, 4.4.3 or 5.0.3. The latest releases that include the fixes are available for download. Links can be found on the release news page. The latest versions can always be found on the latest release tab. The extended long term support (elts) versions can be found on the dedicated elts site.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. We’ll list them below,  but the descriptions of the vulnerabilities require some explaining.

• CVE-2024-21722: The multi-factor authentication (MFA) management features did not properly terminate existing user sessions when a user’s MFA methods have been modified. This suggest that logged-in users could stay logged in if an administrator changed their MFA method. This is a problem if you are changing the MFA method because you suspect there has been unauthorized access.
• CVE-2024-21723: Inadequate parsing of URLs could result into an open redirect. An open redirect vulnerability occurs when an application allows a user to control how an HTTP redirect behaves. Phishers love open redirects on legitimate sites because the URLs look like they go to the legitimate site, when in fact they redirect to another site.
• CVE-2024-21724: Inadequate input validation for media selection fields lead to Cross-site scripting (XSS) vulnerabilities in various extensions. XSS is a type of vulnerability that allows an attacker to inject malicious code into a site’s content. Input validation should stop that injection.
• CVE-2024-21725: Inadequate escaping of mail addresses lead to XSS vulnerabilities in various components. According to Joomla! this is the vulnerability with the highest exploitation probability. A website user could input data in the email address field that would cause a XSS vulnerability because it was not properly escaped. Email addresses need to be escaped because otherwise they could be interpreted as HTML code.
• CVE-2024-21726: Inadequate content filtering leads to XSS vulnerabilities in various components. This is the vulnerability in the Joomla! Framework. Apparently there has been an oversight in the filtering code which can cause XSS vulnerabilities in several components. Researchers found that attackers can exploit this issue to gain remote code execution by tricking an administrator into clicking on a malicious link.

These researchers also urged users to update their CMS:

“”While we won’t be disclosing technical details at this time, we want to emphasize the importance of prompt action to mitigate this risk.”

Secure your CMS

There are a few obvious and easy-to-remember rules to keep in mind if you want to use a CMS without compromising your security. They are as follows:

• Choose a CMS from an organization that actively looks for and fixes security vulnerabilities.
• If it has a mailing list for informing users about patches, join it.
• Enable automatic updates if the CMS supports them.
• Use the fewest number of plugins you can, and do your due diligence on the ones you use.
• Keep track of the changes made to your site and its source code.
• Secure accounts with two-factor authentication (2FA).
• Give users the minimum access rights they need to do their job.
• Limit file uploads to exclude code and executable files, and monitor them closely.
• Use a Web Application Firewall (WAF).

If your CMS is hosted on your own servers, be aware of the dangers that this setup brings and keep it separated from other parts of your network.

---

We don’t just report on vulnerabilities—we identify them, and prioritize action.

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using ThreatDown Vulnerability and Patch Management.

ConnectWise is warning self-hosted and on-premise customers that they need to take immediate action to remediate a critical vulnerability in its ScreenConnect remote desktop software. This software is typically used in data-centers and for remote assistance. Together ConnectWise’s partners manage millions of endpoints (clients).

A Shadowserver scan revealed approximately 3,800 vulnerable ConnectWise ScreenConnect instances on Wednesday, most of them in the US.

~3800 vulnerable ConnectWise ScreenConnect instances (authentication bypass using an alternate path or channel (CVSS 10) & path traversal (CVSS 8.4)) https://t.co/tPi9ALNVab

IP data in:https://t.co/qxv0Gv5ELc

~93% instances of ScreenConnect seen on 2024-02-20 still vulnerable: https://t.co/CRpEHutjFS pic.twitter.com/hiwPqnouby

— Shadowserver (@Shadowserver) February 21, 2024

The Cybersecurity and Infrastructure Security Agency (CISA) has added the vulnerability to its Known Exploited Vulnerabilities Catalog. ConnectWise has shared three IP addresses that were recently used by threat actors:

• 155.133.5.15
• 155.133.5.14
• 118.69.65.60

These IP addresses are all blocked by ThreatDown and Malwarebytes solutions.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The flaw added to the CISA Catalog is CVE-2024-1709, an authentication bypass vulnerability with a CVSS score of 10 that could allow an attacker administrative access to a compromised instance. With administrative access it is trivial to create and upload a malicious ScreenConnect extension to gain Remote Code Execution (RCE).

Affected versions are ScreenConnect 23.9.7 and prior. Cloud partners don’t need to take any actions. ScreenConnect servers hosted in on screenconnect.com and hostedrmm.com have been updated to remediate the issue. 

Partners that are self-hosted or on-premise need to update their servers to version 23.9.8 immediately to apply a patch. ConnectWise will also provide updated versions of releases 22.4 through 23.9.7 for the critical issue, but strongly recommends that partners update to ScreenConnect version 23.9.8.

For instructions on updating to the newest release, please reference this doc: Upgrade an on-premise installation – ConnectWise.

---

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

As it turns out, there was another actively exploited vulnerability included in Microsoft’s patch Tuesday updates for February.

When Microsoft said in its update guide for CVE-2024-21410 that the vulnerability was likely to be exploited by attackers, they weren’t kidding. Soon after they changed the status to “Exploitation Detected”.

Today, I was alerted to the fact after spotting a warning by the German Federal Office for Information Security (BSI) about the same vulnerability, Something the BSI does not do lightly.

The Exchange vulnerability is listed in the Common Vulnerabilities and Exposures (CVE) database as CVE-2024-21410, an elevation of privilege vulnerability with a CVSS score of 9.8 out of 10.

Microsoft’s description of the vulnerability is a bit more revealing:

“An attacker could target an NTLM client such as Outlook with an NTLM credentials-leaking type vulnerability. The leaked credentials can then be relayed against the Exchange server to gain privileges as the victim client and to perform operations on the Exchange server on the victim’s behalf.”

In a Windows network, NTLM (New Technology LAN Manager) is a suite of Microsoft security protocols intended to provide authentication, integrity, and confidentiality to users. An attacker being able to impersonate a legitimate user could prove to be catastrophic.

Microsoft Exchange Servers, and mail servers in general, are central communication nodes in every organization and as such they are attractive targets for cybercriminals. Being able to perform a pass-the-hash attack would provide an attacker with a paved way into the heart of the network.

As part of the update, Microsoft has enabled Extended Protection for Authentication (EPA) by default with the Exchange Server 2019 Cumulative Update 14 (CU14). Without the protection enabled, an attacker can target Exchange Server to relay leaked NTLM credentials from other targets (for example Outlook).

If you are running Exchange Server 2019 CU13 or earlier and you have previously run the script that enables NTLM credentials Relay Protections then you are protected from this vulnerability. However, Microsoft strongly suggests installing the latest cumulative update.

Last year, Microsoft introduced Extended Protection support as an optional feature for Exchange Server 2016 CU23.

If you are unsure whether your organization has configured Extended Protection, you can use the latest version of the Exchange Server Health Checker script. The script will provide you with an overview of the Extended Protection status of your server.

---

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

Microsoft has issued patches for 73 security vulnerabilities in its February 2024 Patch Tuesday. Among these vulnerabilities are two zero-days that are reportedly being used in the wild.

The two zero-day vulnerabilities have already been added to the Cybersecurity & Infrastructure Security Agency’s catalog of  Known Exploited Vulnerabilities, based on evidence of active exploitation. This means that Federal Civilian Executive Branch (FCEB) agencies need to remediate these vulnerabilities by March 5, 2024, in order to protect their devices.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The zero-days patched in this round of updates are:

CVE-2024-21351 (CVSS score 7.6 out of 10): a Windows SmartScreen security feature bypass vulnerability. The vulnerability allows a malicious actor to inject code into SmartScreen and potentially gain code execution, which could potentially lead to some data exposure, lack of system availability, or both. An authorized attacker must send the user a malicious file and convince the user to open it.

CVE-2024-21412 (CVSS score 8.1 out of 10): an Internet Shortcut Files security feature bypass vulnerability. An unauthenticated attacker could send the targeted user a specially crafted file that is designed to bypass displayed security checks. However, the attacker would have no way to force a user to view the attacker-controlled content. Instead, the attacker would have to convince them to take action by clicking on the file link.

The bypassed security feature in both cases is the Mark of the Web (MOTW), the technology that ensures Windows pops a warning message when trying to open a file downloaded from the Internet. When a file is downloaded, Windows adds a ZoneId in the form of an Alternate Data Stream to the file which is responsible for the warning message(s).

Another vulnerability worth keeping an eye on is CVE-2024-21413 (CVSS score 9.8 out of 10): a Microsoft Outlook remote code execution (RCE) vulnerability. Successful exploitation of this vulnerability would allow an attacker to bypass the Office Protected View and to gain high privileges, which include read, write, and delete functionality. Microsoft notes that the Preview Pane is an attack vector. The update guide for this vulnerability lists a number of required updates before protection is achieved.

Other vendors

Other vendors have synchronized their periodic updates with Microsoft. Here are few major ones that you may find in your environment.

Adobe has released security updates to address vulnerabilities in several products:

• Adobe Commerce and Magento
• Adobe Substance 3D Painter
• Adobe Acrobat and Reader
• Adobe FrameMaker Publishing Server
• Adobe Audition 
• Adobe Substance 3D Designer

The Android Security Bulletin for February contains details of security vulnerabilities for patch level 2024-02-05 or later.

Ivanti has urged customers to patch yet another critical vulnerability.

SAP has released its February 2024 Patch Day updates.

---

We don’t just report on vulnerabilities—we identify them, and prioritize action.

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using ThreatDown Vulnerability and Patch Management.

The Cybersecurity & Infrastructure Security Agency (CISA) has added a vulnerability in Roundcube Webmail to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. This means that Federal Civilian Executive Branch (FCEB) agencies need to remediate this vulnerability by March 4, 2024, in order to protect their devices against active threats. We urge other Roundcube Webmail users to take this seriously too.

Roundcube is a web-based IMAP email client. Internet Message Access Protocol (IMAP) is used for receiving email. It allows users to access their emails from multiple different devices, and it’s why when you read an email on your laptop it’s marked as “read” on your phone too. Reportedly, there are over 132,000 Roundcube servers accessible over the internet. Most of them situated in the US and China.

The affected versions are Roundcube versions before 1.4.14, 1.5.x before 1.5.4, and 1.6.x before 1.6.3. An update to patch the vulnerability with version 1.6.3 has been available since September 15, 2023. The current version, 1.6.6 at the time of writing, does not have the vulnerability either.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The CVE patched in these updates is:

CVE-2023-43770, which is a persistent cross-site scripting (XSS) bug that lets attackers access restricted information.

XSS vulnerabilities occur when input coming into web applications is not validated and/or output to the browser is not properly escaped before being displayed. Persistent, or stored XSS, is a type of vulnerability which occurs when the untrusted or unverified user input is stored on a target server.

This means that a persistent XSS attack is possible when the attacker exploits a vulnerable website or web application to inject malicious code, and this code is stored on a server so it will later automatically be served to other users who visit the web page.

In this case it appears that attackers can send plain text emails to Roundcube users with XSS links in them, but Roundcube does not sanitize the links, and, of course, stores the email, creating persistence.

---

We don’t just report on vulnerabilities—we identify them, and prioritize action.

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using ThreatDown Vulnerability and Patch Management.

In a new blog post, Ivanti says that it has found another vulnerability and urges customers to “immediately take action to ensure you are fully protected”.

This vulnerability only affects a limited number of supported versions–Ivanti Connect Secure (version 9.1R14.4, 9.1R17.2, 9.1R18.3, 22.4R2.2 and 22.5R1.1), Ivanti Policy Secure version 22.5R1.1 and ZTA version 22.6R1.3.

Please read between the lines that there could be unsupported versions which will never see a patch for this vulnerability.

A patch is available now for Ivanti Connect Secure (versions 9.1R14.5, 9.1R17.3, 9.1R18.4, 22.4R2.3, 22.5R1.2, 22.5R2.3 and 22.6R2.2), Ivanti Policy Secure (versions 9.1R17.3, 9.1R18.4 and 22.5R1.2) and ZTA gateways (versions 22.5R1.6, 22.6R1.5 and 22.6R1.7).

Customers can access the patch via the standard download portal (login required). The instructions are somewhat complicated, to say the least. Due to all the different versions that are available, it is imperative to carefully read the instructions.

Customers can read this KB article for detailed instructions on how to apply the mitigation and apply the patch as each version becomes available. Please ensure you are following the KB article to receive updates. If you have questions or require further support, please log a case and/or request a call in the Success Portal.

Important to note:

• Customers who applied the patch released on January 31 or February 1, and completed a factory reset of their appliance, do not need to factory reset their appliances again.
• And once customers applied this newly released patch, they do not need to apply the mitigation or the patches released on January 31 and February 1. 

The vulnerability

The vulnerability, listed as CVE-2024-22024 with a CVSS score of 8.3 out of 10, allows an attacker to access certain restricted resources without authentication.

An XML external entity injection (XXE) is a web security vulnerability that allows an attacker to interfere with an application’s processing of XML data. It often allows an attacker to view files on the application server filesystem, and/or to interact with any back-end or external systems that the application itself can access.

Ivanti found the XXE vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x), Ivanti Policy Secure (9.x, 22.x) and ZTA gateways.

Since Ivanti claims that the vulnerability came up during internal code reviews, it is unlikely that an exploit already exists, but this type of vulnerability is usually easy to exploit, so chances are, this will not take long.

Although we have seen a pretty convincing claim that they did not find it themselves:

According to Ivanti they are unaware of any evidence of customers being exploited by CVE-2024-22024.

Only a week ago all, FCEB agencies received intructions to disconnect vulnerable Ivanti products before the weekend. This because besides the Ivanti vulnerabilities actively exploited in massive numbers we wrote about on January 11, 2024, alerts went off about two new high severity flaws on January 31, 2024.

All in all, since January 10, five vulnerabilities have been reported in Ivanti products. And at least three of them are subject to active exploitation.

---

We don’t just report on vulnerabilities—we identify them, and prioritize action.

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using ThreatDown Vulnerability and Patch Management.