Security vulnerabilities are a common occurrence in managing any business’s organizational security. The prompt patching and remediation of any new vulnerabilities are critical to reducing the outside attack surface. Netizen’s Security Operations Center (SOC) has compiled five vulnerabilities from February that should be immediately patched or addressed if present in your environment. Detailed writeups below:
CVE-2024-0597
The SEO Plugin by Squirrly SEO for WordPress, identified as CVE-2024-0597, is vulnerable to Stored Cross-Site Scripting (XSS) due to insufficient input sanitization and output escaping, affecting all versions up to and including 12.3.15. This vulnerability allows authenticated attackers, who have administrator-level permissions, to inject arbitrary web scripts into pages. These scripts can execute whenever a user accesses an injected page, compromising the integrity and confidentiality of the user’s session. This issue particularly affects multi-site installations and installations where the unfiltered_html capability has been disabled. The National Vulnerability Database (NVD) assigns a CVSS base score of 4.8 (Medium severity), indicating a moderate level of risk, with a vector of CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N, implying that the attack can be conducted remotely with low attack complexity, requires high privileges, and involves some user interaction. Wordfence, the assigning CNA, slightly differs in assessment with a base score of 4.4 and a vector indicating a higher attack complexity. The technical cause of this vulnerability is primarily due to the improper neutralization of input during web page generation, classified under CWE-79. Notably, patches and detailed advisories have been released to address this vulnerability, as referenced by Wordfence advisory and the WordPress plugin changeset. It is crucial for administrators of affected WordPress installations to apply the recommended updates or mitigation steps promptly to protect against potential exploitation. Official sources, including the Wordfence advisory and the WordPress plugin repository, provide comprehensive guidance and solutions for mitigating this vulnerability.
CVE-2024-21410
The vulnerability identified as CVE-2024-21410, with a CVSS score of 9.8, signifies a critical privilege escalation flaw affecting Microsoft Exchange Server. This vulnerability allows an attacker to exploit leaked NTLM credentials from a client, such as Outlook, to relay against the Exchange server, thereby gaining the same privileges as the victim and performing operations on their behalf. This issue is particularly alarming because it is exploitable remotely with low attack complexity (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating that no user interaction is required and it poses a high threat to confidentiality, integrity, and availability. The technical root cause lies in the handling of NTLM credentials, which can be relayed to compromise the server. Despite Microsoft’s prompt release of fixes during its Patch Tuesday updates, there has been active exploitation in the wild, emphasizing the urgency of applying these patches. The vulnerability is listed in CISA’s Known Exploited Vulnerabilities Catalog, mandating immediate mitigation actions per vendor instructions by March 7, 2024. Affected configurations include certain cumulative updates for Exchange Server 2016 and 2019. Given the criticality of this flaw, underscored by its inclusion in active exploitation catalogs and its potential for significant impact, organizations are advised to prioritize the application of Microsoft’s provided patches, specifically the enabling of Extended Protection for Authentication (EPA) as a mitigation measure. Detailed guidance and mitigation steps are available on Microsoft’s official security advisory page, and adherence to these recommendations is crucial for maintaining the security posture against such sophisticated threats.
CVE-2024-21413
CVE-2024-21413 has been identified as a critical remote code execution vulnerability in Microsoft Outlook, with a CVSS score of 9.8, indicating a severe level of threat. The vulnerability is exploitable remotely with low attack complexity (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), requiring no user interaction, and has a wide impact on confidentiality, integrity, and availability. This flaw allows attackers to execute arbitrary code on a victim’s system by exploiting the incorrect parsing of “file://” hyperlinks in Outlook emails. By crafting a malicious email that includes a specially crafted “file://” hyperlink, attackers could potentially execute remote code under the context of the targeted user. This vulnerability affects various versions of Microsoft Outlook, including Microsoft 365 Apps, Office 2016, Office 2019, and Office Long Term Servicing Channel 2021, highlighting its widespread potential impact. Microsoft has acknowledged the vulnerability and provided a patch to address the issue, emphasizing the importance of applying the update to mitigate the risk. The discovery of this vulnerability underscores the critical nature of maintaining up-to-date software to protect against potential cyber threats. Given the severity and the potential for exploitation in phishing attacks or other malicious campaigns, organizations and individuals are urged to apply the provided patches promptly to safeguard their systems against potential exploitation. For more details, see Microsoft Security Update Guide.
CVE-2024-21762
CVE-2024-21762 has been identified as a critical vulnerability within Fortinet’s FortiOS and FortiProxy, affecting versions ranging widely from 6.0.0 through 7.4.2 in FortiOS, and 1.0.0 through 7.4.2 in FortiProxy, due to an out-of-bounds write issue. This flaw allows attackers to execute unauthorized code or commands by sending specifically crafted requests to the affected systems. With a CVSS score of 9.8, this vulnerability is classified as critical, demonstrating that it can be exploited remotely with low complexity and requires no privileges or user interaction. The impact is significant as it compromises the confidentiality, integrity, and availability of the system (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). Fortinet has acknowledged the potential exploitation of this vulnerability in the wild and has released patches for various versions of FortiOS and FortiProxy to address this issue. Given its severity and the fact that it is listed in CISA’s Known Exploited Vulnerabilities Catalog, immediate action is required. Fortinet and cybersecurity agencies have highlighted the urgency of applying these mitigations to prevent potential exploits by malicious actors, including state-sponsored threat groups known for targeting critical infrastructure through vulnerabilities in systems like FortiOS. The vast range of affected versions underscores the wide potential impact of CVE-2024-21762 across numerous deployments of Fortinet’s products. Organizations are advised to upgrade to the fixed versions provided by Fortinet as soon as possible or to disable SSL VPN functionality if immediate patching is not feasible. Given the history of Fortinet vulnerabilities being exploited by various threat actors, the remediation of CVE-2024-21762 iscrucial for protecting against unauthorized access and potential compromise. For further action and details, refer to Fortinet’s official advisories on their FortiGuard Labs page.
CVE-2024-22245
CVE-2024-22245 details vulnerabilities within the deprecated VMware Enhanced Authentication Plug-in (EAP) that pose significant security risks, including arbitrary authentication relay and session hijack. These vulnerabilities could be exploited by a malicious actor who manages to deceive a domain user into requesting and relaying service tickets for arbitrary Active Directory Service Principal Names (SPNs), assuming the user has EAP installed in their web browser. The criticality of these vulnerabilities is underscored by a CVSS score of 9.6, provided by VMware, with the vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H. This score indicates that the vulnerabilities are critical, with the potential for high impacts on confidentiality, integrity, and availability, despite requiring some level of user interaction (UI:R). The attack can be conducted remotely (AV:N) with low attack complexity (AC:L), does not require privileges (PR:N), and has a scope change (S:C), amplifying its severity. VMware has acknowledged these vulnerabilities and likely provided advisories and solutions for affected users, as indicated by the VMware security advisory reference (VMSA-2024-0003). Given the nature of these vulnerabilities, users of the deprecated EAP are strongly advised to follow VMware’s guidance to mitigate the associated risks, which could include updating or removing the affected plug-in. For more information, visit VMware Security Advisories.
How Can Netizen Help?
Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.
We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.
Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.
Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans.
Questions or concerns? Feel free to reach out to us any time –
https://www.netizen.net/contact
