Trending vulnerability digest September 2024

Three vulnerabilities (CVE-2024-38014, CVE-2024-38217, CVE-2024-43461) were discovered in Microsoft solutions, two with high severity and one with medium. One of the vulnerabilities can result in the maximum elevation of system privileges (SYSTEM). After gaining full control of the system, attackers can follow through on their attack goals. Exploitation of the other two vulnerabilities allows attackers to execute arbitrary code (remote code execution, RCE), but requires the victim to first visit a malicious page or open a malicious file. All three vulnerabilities in Microsoft products affect users of outdated versions of Windows.

The exploitation of critical vulnerabilities in Veeam and VMware can allow remote, unauthenticated attackers to execute arbitrary code on the server. By using RCE, attackers can gain complete control over the system or its individual components, inject malware, disrupt host operations, or steal confidential data. 

A medium severity cross-site scripting vulnerability in the Roundcube email web client allows remote, unauthenticated attackers to execute arbitrary JavaScript code in a user's browser, but first requires users to carry out a target action.

Lastly, the exploitation of a critical SQL injection vulnerability in a WordPress plugin lets unauthenticated attackers execute arbitrary SQL queries, potentially leading to the breach or modification of sensitive data or service disruptions.

According to The Verge, the following Microsoft vulnerabilities can affect approximately one billion devices. Any users with outdated versions of Windows are potentially at risk.

Windows Installer Elevation of Privilege Vulnerability

CVE-2024-38014 (CVSS 7.8, high severity)

The vulnerability in the Windows Installer component comes from flaws in access control. When exploited, a local attacker without any privileges can obtain SYSTEM level privileges. After gaining full control of the system, they can then follow through on the attack target, as a high level of privileges allows them to operate as a local administrator and install malware, modify or delete important files, and gain access to confidential data.

Potential number of victims: all Windows users (including Windows Server) who haven't installed the latest security updates.

Signs of exploitation: Microsoft notes cases of the vulnerability's exploitation. CISA also added the vulnerability to its Known Exploited Vulnerabilities Catalog.

Publicly available exploits: unavailable in open sources.

Windows Mark of the Web Security Feature Bypass Vulnerability

CVE-2024-38217 (CVSS 5.4, medium severity)

If a user opens a malicious file, attackers can exploit this vulnerability to bypass the SmartScreen security feature in Windows to interfere with the Mark of the Web (MotW) functionality. The Mark of the Web marks files downloaded from untrusted sources to ensure that additional security measures (Windows Defender SmartScreen checks and Protected Mode in Microsoft Office) are activated when opened.

Successful exploitation of this vulnerability could allow attackers to distribute malware disguised as legitimate installers. As a result, users may open dangerous files without realizing the risks because Windows security features are not activated. Exploitation requires the user to perform certain actions. 

Potential number of victims: all Windows users (including Windows Server) who haven't installed the latest security updates.

Signs of exploitation: Microsoft notes cases of the vulnerability's exploitation. CISA also added the vulnerability to its Known Exploited Vulnerabilities Catalog. Elastic Security Labs discovered that attackers have been exploiting the vulnerability since at least 2018.

Publicly available exploits: the PoC was published with open access.

Windows MSHTML Platform Spoofing Vulnerability

CVE-2024-43461 (CVSS 8.8, high severity)

Successful exploitation of this vulnerability lets attackers hide the true extension of files downloaded in Internet Explorer. This helps attackers trick users by sending them malicious attachments disguised as legitimate files that can lead to the theft of their personal data or money, system failures, and the risk of further attacks on the device and network. Exploitation of the vulnerability requires the user to carry out certain actions, as the victim must visit a malicious page or open a malicious file.

Potential number of victims: all Windows users (including Windows Server) who haven't installed the latest security updates.

Signs of exploitation: Microsoft notes cases of the vulnerability's exploitation. CISA also added the vulnerability to its Known Exploited Vulnerabilities Catalog. ZDI reported exploitation of the vulnerability in zero-day attacks by Void Banshee to deploy an infostealer.

Publicly available exploits: the PoC was published with open access.

Remediation methods: security updates can be downloaded from official Microsoft pages about each vulnerability: CVE-2024-38014, CVE-2024-38217, CVE-2024-43461.

Remote code execution vulnerability in Veeam Backup & Replication

CVE-2024-40711 (CVSS 9.9, critical severity)

The vulnerability is caused by an error in the deserialization¹ of untrusted data. Exploitation of the vulnerability allows remote, unauthenticated attackers to execute arbitrary code on the server. Ultimately, attackers can gain control of the server and steal confidential data, download malware, and compromise the infrastructure.

Number of potential victims: all Veeam Backup Enterprise Manager users with versions 12.1.2.172 and below.

Signs of exploitation: Vulnera reports the use of the vulnerability in attacks by the Cuba ransomware gang and FIN7

Publicly available exploits: available on GitHub.

Remediation methods: security updates can be downloaded from the official Veeam page about CVE-2024-40711.

VMware vCenter and VMware Cloud Foundation remote code execution vulnerability

CVE-2024-38812 (CVSS 9.8, critical severity)

This vulnerability is caused by a buffer overflow error in the DCE Remote Procedure Call (RPC) protocol. Exploitation allows remote, unauthenticated attackers to execute arbitrary code on the server by sending a specially formed network packet. As a result, the attacker can gain complete control of the system to follow through on attack goals.

Number of potential victims: all users of vCenter Server 7.0–7.0 U3s and 8.0–8.0 U3b, and users of VMware Cloud Foundation version 4 and 5. According to Shadowserver, there are over 1,900 vCenter hosts online.

Signs of exploitation: Broadcom does not confirm any successful exploitations of the vulnerability, but AttackerKB confirms the opposite. 

Publicly available exploits: available in open sources.

Remediation methods: update the software in accordance with the recommendations.

Roundcube Webmail email client vulnerability 

CVE-2024-37383 (CVSS 6.1, medium severity)

This vulnerability in the SVG Handler component of the mail client is due to the lack of validation for SVG animation attribute values. Exploitation allows remote, unauthenticated attackers to execute arbitrary JavaScript code in the user's browser. When successfully exploited, the attacker can potentially gain access to a user's account, hijack sessions, steal sensitive data, or carry out unauthorized actions on behalf of the victim. Exploitation of the vulnerability requires the victim to first open a malicious email.

Number of potential victims: according to Shadowserver there are over 882,000 Roundcube Webmail hosts operating online.

Signs of exploitation: no confirmed cases of exploitation.

Publicly available exploits: not available in open sources.

Remediation methods: update Roundcube Webmail versions 1.5 and lower to version 1.5.7 or higher, and version 1.6 to version 1.6.7 or higher.

SQL injection vulnerability in The Events Calendar plugin for WordPress

CVE-2024-8275 (CVSS 9.8, critical severity)

The vulnerability is caused by the insufficient escaping of input data in the tribe_has_next_event() function. Exploitation allows unauthenticated attackers to execute arbitrary SQL queries. Attackers can potentially access, modify, or delete sensitive data in a website's database, resulting in a data breach, unauthorized data manipulation, or service disruption. The vulnerable tribe_has_next_event() function isn't used by the plugin itself, so the vulnerability can only be exploited on websites where a call for this function was added manually.

Number of potential victims: over 700,000 sites use this plugin.

Signs of exploitation: no cases of exploitation confirmed in practice.

Publicly available exploits: available in open sources.

Methods of remediation: 

• If the vulnerable feature is used on a website, it should be removed or disabled before updating to a fixed version.
• Update The Events Calendar plugin to version 6.6.4.1 or higher.

Using popular solutions containing trending vulnerabilities can jeopardize any company. These security flaws are the most dangerous and require immediate remediation. In the MaxPatrol VM vulnerability management system, information about trending vulnerabilities is received within 12 hours of their detection to help eliminate the most dangerous threats quickly and protect company infrastructure. 

This digest provides examples of vulnerabilities that attackers have been exploiting recently. Information about them and publicly available exploits is accurate as of September 31, 2024.