IT Vulnerability Report: Cleo, Windows Flaws Under Attack – Source:cyble.com

Cyble Research and Intelligence Labs (CRIL) researchers investigated 16 IT vulnerabilities and 11 dark web exploits in the week ended Dec. 10, including actively exploited vulnerabilities in Cleo managed file transfer (MFT) software and Microsoft Windows.

Other vulnerabilities analyzed by Cyble affect WordPress and Ivanti Cloud Services Appliances (CSA), while dark web exploits include claims of an exploitable zero-day vulnerability in Palo Alto Networks devices.

Here are the vulnerabilities highlighted by Cyble’s vulnerability intelligence unit as meriting high-priority attention by security teams.

The Top IT Vulnerabilities

CVE-2024-50623 hasn’t been rated by NVD yet, but researchers have discovered that this high-severity vulnerability in Cleo managed file transfer (MFT) software solutions is being actively exploited in remote code execution (RCE) data theft and corporate network attacks, and CISA added the vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog on Dec. 13. The vulnerability affects Cleo Harmony, Cleo VLTrader, and Cleo LexiCom MFT products used for secure and efficient data exchange between organizations. The flaw leads to unrestricted file upload and download, which could lead to RCE attacks.

CVE-2024-49138 is another high-severity vulnerability awaiting NVD analysis, but this one was added to CISA’s KEV Catalog as soon as Microsoft released a patch for it in its December 2024 Patch Tuesday updates. The flaw in the Windows Common Log File System (CLFS) Driver has been exploited in the wild and can enable attackers to gain SYSTEM privileges.

CVE-2024-38193 is a high-severity elevation of privilege vulnerability affecting Windows Ancillary Function Driver for WinSock, commonly referred to as afd.sys. The critical system driver in the Windows operating system plays a vital role in managing network communications and handles the Winsock API, which is essential for TCP/IP networking. The vulnerability was observed to be actively exploited by North Korean hackers to install a rootkit on targets in August 2024. With a recently released public proof of-concept (PoC) code available, there could be a new wave of exploitation attempts.

CVE-2024-49041 is a medium-severity spoofing vulnerability identified in Microsoft Edge (Chromium-based). The vulnerability arises from the user interface performing incorrect actions in response to user requests, which can lead to spoofing attacks. This means that an attacker could potentially manipulate the UI to mislead users into taking actions that they did not intend.

CVE-2024-11205 is an 8.5-severity vulnerability affecting WPForms, a widely used WordPress plugin designed for creating various types of online forms quickly and easily. The flaw can lead to unauthorized data modification due to a missing capability check on the ‘wpforms_is_admin_page’ function in versions starting from 1.8.4 up to and including 1.9.2.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to refund payments and cancel subscriptions.

CVE-2024-11639 is a 10.0-severity critical authentication bypass vulnerability in Ivanti Cloud Services Appliance (CSA), an internet appliance that serves as a secure gateway for enterprise users to access internal network resources. The flaw lies in the admin web console of Ivanti CSA before 5.0.3, allowing a remote, unauthenticated attacker to gain administrative access.

CVE-2024-11680 is a 9.8-severity improper authentication vulnerability affecting ProjectSend, an open-source file-sharing application designed for secure and private file management, particularly aimed at facilitating interactions between businesses and their clients. Remote, unauthenticated attackers can exploit this flaw by sending crafted HTTP requests to options.php, enabling unauthorized modification of the application’s configuration. Successful exploitation allows attackers to create accounts, upload webshells, and embed malicious JavaScript. Threat Actors were observed discussing exploits of the vulnerability on the dark web (see next section).

Vulnerabilities and Exploits on Underground Forums

CRIL researchers observed multiple Telegram channels and cybercrime forums where threat actors (TAs) shared or discussed exploits weaponizing vulnerabilities. Cyble also observed a TA offering an exploit chain for an undisclosed vulnerability present in Palo Alto Networks devices. The TA quoted a price of USD $5K for the exploit. The other vulnerabilities discussed by TAs include:

CVE-2024-51378: A critical security vulnerability in CyberPanel versions prior to 1c0c6cb that allows remote attackers to bypass authentication, enabling them to execute arbitrary commands on the server.

CVE-2024-11680: A critical authentication vulnerability affecting ProjectSend versions prior to r1720. Remote, unauthenticated attackers can exploit the flaw by sending crafted HTTP requests to the options.php endpoint.

CVE-2024-38144: A critical security vulnerability in Microsoft Windows, specifically related to the Kernel Streaming WOW Thunk Service Driver, that allows for Elevation of Privilege attacks.

CVE-2024-10914: A critical command injection vulnerability in legacy D-Link NAS devices that allows unauthenticated attackers to inject arbitrary OS commands via HTTP GET requests, exploiting the cgi_user_add function in the account_mgr.cgi script.

CVE-2024-50483: A critical vulnerability affecting the Meetup plugin for WordPress versions up to and including 0.1 that is characterized as Authorization Bypass Through User-Controlled Key, which allows unauthenticated attackers to gain access to user accounts by exploiting improper verification processes during authentication.

CVE-2024-42327: A critical SQL injection vulnerability affecting Zabbix server versions 6.0.0 to 6.0.31, 6.4.0 to 6.4.16, and 7.0.

CVE-2023-6553: A TA shared a list of about 100,000 websites vulnerable to this critical Remote Code Execution vulnerability identified in the Backup Migration plugin for WordPress. The vulnerability affects all versions up to 1.3.7.

CVE-2024-35286, an SQL injection vulnerability, and CVE-2024-41713, a path traversal vulnerability, impact the NuPoint Unified Messaging (NPM) component and are critical vulnerabilities that could be exploited in sequence.

CVE 2024-11477: A critical vulnerability affecting versions of 7-Zip prior to 24.07 that allows for remote code execution due to an integer underflow in its Zstandard decompression feature. A TA quoted a price of USD $8K for the exploit.

Cyble Recommendations

To protect against these vulnerabilities and exploits, organizations should implement the following best practices:

• To mitigate vulnerabilities and protect against exploits, regularly update all software and hardware systems with the latest patches from official vendors.
• Develop a comprehensive patch management strategy that includes inventory management, patch assessment, testing, deployment, and verification. Automate the process where possible to ensure consistency and efficiency.
• Divide your network into distinct segments to isolate critical assets from less secure areas. Use firewalls, VLANs, and access controls to limit access and reduce the attack surface exposed to potential threats.
• Create and maintain an incident response plan that outlines procedures for detecting, responding to, and recovering from security incidents, including ransomware-resistant backups. Regularly test and update the plan to ensure its effectiveness and alignment with current threats.
• Implement comprehensive monitoring and logging solutions to detect and analyze suspicious activities. Use SIEM (Security Information and Event Management) systems to aggregate and correlate logs for real-time threat detection and response.
• Subscribe to security advisories and alerts from official vendors, CERTs, and other authoritative sources. Regularly review and assess the impact of these alerts on your systems and take appropriate actions.
• Conduct regular vulnerability assessment and penetration testing (VAPT) exercises to identify and remediate vulnerabilities in your systems. Complement these exercises with periodic security audits to ensure compliance with security policies and standards.

Conclusion

These vulnerabilities highlight the urgent need for security teams to prioritize patching exploitable vulnerabilities in important products, as well as vulnerabilities that could be weaponized as entry points for wider attacks. With increasing discussion of these exploits on dark web forums, organizations must stay vigilant and proactive.

Implementing strong security practices is essential to protecting sensitive data and maintaining system integrity. A comprehensive threat intelligence solution like Cyble can monitor for threats and leaks specific to your environment, allowing you to respond quickly to events and prevent them from becoming wider incidents.

Related