CISA Adds Progress WhatsUp Gold and MSHTML Vulnerabilities to Known Exploited Vulnerabilities Catalog

Key Takeaways


CISA has added vulnerabilities affecting the Microsoft Windows MSHTML Platform (CVE-2024-43461) and Progress WhatsUp Gold network monitoring solution (CVE-2024-6670) to its Known Exploited Vulnerabilities catalog.

Proofs of Concept and observed exploits of these vulnerabilities mean that users should update affected products as soon as possible.

Progress WhatsUp Gold was observed under exploit within hours after a Proof of Concept emerged, suggesting an urgent need to patch this 9.8-severity vulnerability.

Cyble researchers have detected 381 internet-exposed Progress WhatsUp Gold instances; patching these instances is critical.

Microsoft has patched two high-severity vulnerabilities chained together in Windows MSHTML platform spoofing attacks.

Overview

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added vulnerabilities affecting the Microsoft Windows MSHTML Platform and Progress WhatsUp Gold network monitoring solution to its Known Exploited Vulnerabilities catalog (KEV) after proofs of concept (PoCs) emerged, and security researchers observed active exploits of the vulnerabilities.

We’ll examine the vulnerabilities, the next steps for affected products, and the best practices that all organizations should follow.

CVE-2024-6670: Progress WhatsUp Gold

CVE-2024-6670 is a critical 9.8 severity SQL Injection vulnerability affecting versions of Progress WhatsUp Gold released before 2024.0.0.

The vulnerability in affected versions of the network monitoring software allows an unauthenticated attacker to retrieve the user’s encrypted password if the application is configured with only a single user.

Exploits began within hours after a Proof of Concept for the vulnerability was made available publicly on GitHub, even though a patch had been available for the vulnerability since mid-August, suggesting that some users were slow to update affected versions.

Trend Micro researchers detected remote code execution (RCE) attacks against WhatsUp Gold that exploited the Active Monitor PowerShell Script, leveraging CVE-2024-6670 and CVE-2024-6671, a companion vulnerability also rated 9.8.

Both vulnerabilities are patched starting with version 2024.0.0.

The Cyble ODIN scanner detected 381 internet-exposed Progress WhatsUp Gold instances, as shown in the figure below. Progress WhatsUp Gold users are urged to upgrade as soon as possible and to check their environments for indicators of compromise.

CVE-2024-43461: Microsoft Windows MSHTML

CVE-2024-43461 is a high-severity (CVSS: 8.8) vulnerability in the Microsoft Windows MSHTML platform (the Internet Explorer browser engine). It is a UI misrepresentation flaw that allows attackers to spoof web pages. This vulnerability was exploited in conjunction with CVE-2024-38112.

Microsoft has announced the retirement of Internet Explorer 11 and deprecated Microsoft Edge Legacy. However, MSHTML, EdgeHTML, and related scripting platforms remain supported. MSHTML is used in Internet Explorer mode in Microsoft Edge and in other applications via the WebBrowser control. WebView and some UWP apps use EdgeHTML. Updates for vulnerabilities in MSHTML and the scripting platforms are included in the IE Cumulative Updates, but EdgeHTML and Chakra updates are not.

CVE-2024-43461 was exploited in conjunction with CVE-2024-38112 before July 2024. A fix for CVE-2024-38112, released in July 2024, disrupted this attack chain. To ensure complete protection, customers should install both the July 2024 and September 2024 security updates.

Affected Windows products include:


Windows Server 2012

Windows Server 2012 R2

Windows Server 2008 R2

Windows Server 2008

Windows Server 2016

Windows 10

Windows Server 2022

Windows 11

Conclusion

The recent addition of these vulnerabilities to the CISA KEV database underscores their active exploitation. These vulnerabilities can lead to severe security breaches, including unauthorized access to sensitive information and effective spoofing of web pages. Owners of affected products are urged to update their systems with the latest patch released by the official vendor.

Cyble Recommendations

Cyble urges the following best practices:


Ensure that you install the latest security updates for all affected systems and regularly check for and apply updates to stay protected against known vulnerabilities.

Implement robust monitoring to detect any unusual activity that could indicate the exploitation of these vulnerabilities. This includes monitoring network traffic, system logs, and user behavior.

Review and strengthen your security configurations, including access controls and permissions. Ensure that applications are not unnecessarily exposed to the internet and that strong authentication mechanisms are in place.

Perform regular vulnerability assessments and penetration testing to identify and address potential security weaknesses before they can be exploited.

Develop a comprehensive patch management strategy that includes inventory management, patch assessment, testing, deployment, and verification.

Implement proper network segmentation to avoid exposure of critical assets over the internet.

Maintain an up-to-date inventory of all internal and external assets, including hardware, software, and network components.

The post CISA Adds Progress WhatsUp Gold and MSHTML Vulnerabilities to Known Exploited Vulnerabilities Catalog appeared first on Cyble.

Blog – Cyble

Apple Abandons Spyware Suit to Avoid Sharing Cyber Secrets

Despite more US sanctions against spyware operators, Apple decided the cost in terms of disclosures about its own anti-spyware efforts was too great.

darkreading

AT&T to pay $13 million FCC settlement for 2023 data breach

The Record from Recorded Future News

The Mystery of Hezbollah’s Deadly Exploding Pagers

At least eight people have been killed and more than 2,700 people have been injured in Lebanon by exploding pagers. Experts say the blasts point toward a supply chain compromise, not a cyberattack.

Security Latest

VMware Patches Remote Code Execution Flaw Found in Chinese Hacking Contest

VMware warned that an attacker with network access could send a specially crafted packet to execute remote code. CVSS severity score 9.8/10.

The post VMware Patches Remote Code Execution Flaw Found in Chinese Hacking Contest appeared first on SecurityWeek.

SecurityWeek

80% of Critical National Infrastructure Companies Experienced an Email Security Breach in Last Year

The scale of the potential disruption from a successful attack on CNI is all too tempting for cyber attackers.

Security | TechRepublic

US Hits Intellexa Spyware Maker With More Sanctions

The US has imposed further sanctions on Intellexa, the maker of the Predator spyware, targeting individuals and entities associated with the company due to its opaque corporate structure designed to evade accountability.

Cyware News – Latest Cyber News

Intezer Raises $33M to Extend AI-Powered SOC Platform

Intezer is looking to tap into the booming market for AI-powered tooling to address the severe shortage of skilled cybersecurity professionals.

The post Intezer Raises $33M to Extend AI-Powered SOC Platform appeared first on SecurityWeek.

SecurityWeek

CERT India reports vulnerabilities in multiple QNAP products

Earlier today, CERT India (CERT-In) released an advisory announcing multiple vulnerabilities in various QNAP products. QNAP is best known for the Network-Attached Storage (NAS) systems that firms use in their enterprise environments. This batch of vulnerabilities primarily affects the QTS and QuTS hero operating systems, both key parts of QNAP’s offerings.

The high-severity advisory describes critical flaws that could allow attackers to elevate privileges on a compromised device, execute code remotely, and even access sensitive data without authorization. The advisory goes on to detail the specific QNAP products affected, the range and type of vulnerabilities, and the steps affected users can take to secure themselves.

Affected QNAP Products

The vulnerabilities impact the following versions of QNAP’s QTS and QuTS hero systems:


QTS 5.1.0.2823 and prior versions.

QuTS hero h5.1.0.2823 and prior.

QTS 4.5.4.2790 and prior.

QuTS hero h4.5.4.2790 and prior.

QuTS hero h5.2.0.2782 and prior.

The affected versions are deployed across many enterprise environments, so system administrators should act swiftly to follow CERT-In’s guidance and apply the latest patches.

Vulnerability Overview

These vulnerabilities can be exploited remotely to carry out a wide range of malicious activities. Given how many organizations run the affected versions, it is imperative that they be patched immediately; otherwise, exploitation could lead to the following consequences:


Exposure of Sensitive Information: Attackers might be able to remotely extract confidential data stored on affected NAS devices.

Bypassing Authorization Checks: These flaws potentially allow attackers to successfully bypass the authentication processes put in place by users.

Escalation of Privileges: Unauthorized users could escalate their privileges within the system to further expand the scope of their activities.

Execution of Arbitrary Code: These vulnerabilities can potentially enable arbitrary code execution, causing significant damage since it would make it possible to inject malicious commands, potentially affecting the entire environment/system.

Detailed Description of Vulnerabilities

These vulnerabilities stem from several classes of weakness detailed in CERT-In’s advisory. A brief summary is provided below:


Boundary Errors: Flaws in boundary handling can allow attackers to manipulate the memory space.

Improper Input Validation: Inadequate validation of input allows attackers to introduce harmful data into the system.

OS Command Injection Vulnerability: This flaw allows malicious users to inject harmful commands into the operating system.

Improper Restriction of Authentication Attempts: Attackers can bypass rate-limiting measures or brute force their way into systems.

Heap-based Buffer Overflow: Memory corruption through buffer overflow can crash systems or open them up to exploitation.

Together, these weaknesses can allow attackers to corrupt memory, inject commands remotely, or brute-force their way into QNAP systems, greatly heightening the threat to data and operational stability.

CVEs tracked in the advisory

For easier tracking and reporting, CERT-In’s advisory has also listed the relevant Common Vulnerabilities and Exposures (CVEs) associated with the aforementioned flaws:


CVE-2023-34974

CVE-2023-34979

CVE-2023-39298

CVE-2024-21906

CVE-2024-32763

CVE-2024-32771

CVE-2024-38641

Each CVE corresponds to a particular weakness that attackers could exploit in different ways, such as injecting commands or gaining higher-level privileges. System administrators should review the specifics of these CVEs to gain a more thorough understanding of how these vulnerabilities might affect their systems.

Potential Impact

If successfully exploited, these vulnerabilities can result in severe consequences, such as:


Data Breaches: Exposure of sensitive information could lead to significant reputational damage, especially for businesses that handle sensitive client data.

Service Downtime: Arbitrary code execution could lead to system crashes, disrupting business operations.

Unauthorized Access: Privilege escalation may allow attackers to gain admin rights, giving them complete control over the NAS systems.

Financial and Legal Ramifications: Depending on the type of information compromised, organizations could face financial losses, legal challenges, and regulatory penalties.

Next steps to secure systems and mitigate the impact of these vulnerabilities

To help mitigate the risk, QNAP rapidly patched the affected systems and published detailed instructions, linked below. We highly recommend that system administrators download and install these patches as soon as possible, before these vulnerabilities are exploited to compromise their organization’s systems.


QNAP Security Advisory QSA-24-28

QNAP Security Advisory QSA-24-32

QNAP Security Advisory QSA-24-33

Conclusion

Despite QNAP’s timely response in identifying and patching affected systems, vulnerabilities this severe, with potentially devastating consequences, highlight the need for cybersecurity personnel to take a proactive stance on system and platform security. If immediate corrective action is not taken, malicious actors may gain unauthorized access to critical systems, confidential data may be breached, and entire systems may be compromised.

Employees are the first line of defense against cyber threats. Thus, fostering a culture of cyber-awareness and educating the workforce is a time-tested method to increase cyber-resilience by creating a habit of timely patch management, conducting frequent system audits, and implementing security best practices.

The post CERT India reports vulnerabilities in multiple QNAP products appeared first on Cyble.

Blog – Cyble