Security vulnerabilities are a common occurrence in managing any business’s organizational security. The prompt patching and remediation of any new vulnerabilities are critical to reducing the outside attack surface. Netizen’s Security Operations Center (SOC) has compiled five critical vulnerabilities from October that should be immediately patched or addressed if present in your environment. Detailed writeups below:
CVE-2024-30088
CVE-2024-30088 is a high-severity vulnerability in the Windows Kernel that allows for privilege escalation. Specifically, it can enable attackers with local access to elevate their privileges to gain higher-level access within the Windows environment. The vulnerability’s exploitation relies on a local attack vector, requiring attackers to already have some level of access to the targeted system. However, its impact on confidentiality, integrity, and availability is substantial, as successful exploitation could grant control over critical system components.
This vulnerability has drawn attention due to its use by advanced persistent threat (APT) groups, such as Iran’s APT34, also known as OilRig, who have reportedly leveraged it in targeted espionage campaigns against governmental and other sensitive entities. The issue has a CVSS v3 base score of 7.0 (CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H), highlighting its potential to significantly impact systems despite the higher complexity of exploitation.
Microsoft addressed this vulnerability in the June 2024 Patch Tuesday release. Organizations using Windows are strongly encouraged to ensure these updates are applied promptly to prevent exploitation by both APTs and other potential attackers. Further information on mitigating this threat can be found through Microsoft’s security update guide and other cybersecurity advisories.
CVE-2024-47575
CVE-2024-47575 is a critical vulnerability in Fortinet’s FortiManager, affecting versions across multiple releases: FortiManager 7.6.0, 7.4.0 to 7.4.4, 7.2.0 to 7.2.7, 7.0.0 to 7.0.12, and 6.4.0 to 6.4.14, as well as FortiManager Cloud versions 7.4.1 to 7.4.4, 7.2.1 to 7.2.7, 7.0.1 to 7.0.13, and 6.4.1 to 6.4.7. The vulnerability stems from missing authentication for a critical function, allowing attackers to execute arbitrary commands or code by sending specially crafted requests to affected systems.
This issue has a CVSS v3 base score of 9.8, reflecting the severity of the potential impact. Exploitation does not require user interaction or elevated privileges, meaning attackers can remotely compromise systems with ease, which makes it particularly dangerous. The vulnerability has been actively exploited in zero-day attacks since June 2024, with reports indicating its use by nation-state actors for espionage purposes. Threat actors are leveraging this flaw to target managed service providers (MSPs) and other critical infrastructure, seeking unauthorized access and control over FortiManager systems.
Fortinet has confirmed the existence of the vulnerability and released a security advisory urging all affected users to apply the latest patches to safeguard against potential exploitation. Security experts strongly recommend immediate updates to FortiManager deployments to mitigate risk, as well as monitoring for any unusual activity indicative of ongoing exploitation attempts.
CVE-2024-20481
CVE-2024-20481 affects the Remote Access VPN (RAVPN) service in Cisco’s Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software, allowing a remote, unauthenticated attacker to perform a denial of service (DoS) attack on vulnerable systems. This vulnerability results from resource exhaustion due to excessive VPN authentication requests sent to the affected devices. The consequence of a successful attack is a service disruption to the RAVPN service, potentially requiring a system restart to restore functionality.
This vulnerability has a CVSS v3 base score of 5.8, classifying it as medium severity. While other device functions outside of VPN services remain unaffected, the attack can still disrupt remote access capabilities, which are essential for many organizations. Cisco has advised that attackers leveraging password spray techniques in brute-force campaigns have targeted this vulnerability, as outlined by Cisco Talos and other security researchers.
To protect against this issue, Cisco recommends applying available patches and monitoring for unusual login attempts that may signal an attack. Network administrators are encouraged to deploy rate-limiting measures where possible and ensure VPN services are not exposed unnecessarily to the internet.
CVE-2024-43532
CVE-2024-43532 affects the Windows Remote Registry Service and is classified as a high-severity elevation of privilege vulnerability. The flaw allows a remote attacker with limited privileges to escalate access, potentially enabling actions such as modifying system configurations and accessing sensitive data.
With a CVSS v3 score of 8.8, this vulnerability arises from improper handling of permissions in the Remote Registry Service, which can lead to privilege escalation when exploited. Attackers leveraging this vulnerability can perform unauthorized registry edits, impacting system security and stability. This issue does not require user interaction, increasing the risk in environments where the Remote Registry Service is enabled.
To mitigate this risk, Microsoft recommends applying the available patch. Disabling the Remote Registry Service where it is not essential and monitoring for unusual access requests to the registry can also help reduce exposure. For organizations with strict security requirements, enhanced network segmentation and access controls are advised to limit potential exploitation pathways.
CVE-2024-38812
CVE-2024-38812 is a critical vulnerability affecting VMware’s vCenter Server. This flaw, related to a heap-overflow vulnerability in the implementation of the Distributed Computing Environment / Remote Procedure Calls (DCERPC) protocol, could allow a malicious actor with network access to vCenter Server to execute arbitrary code remotely. Exploitation is possible through a specially crafted network packet sent to the vCenter Server, potentially resulting in a complete system compromise.
This vulnerability has been assigned a CVSS v3 score of 9.8 due to its ease of exploitation, requiring no prior authentication, and its significant impact, including data exposure, system control, and service disruptions.
To address this issue, VMware has released patches to secure affected vCenter Server versions. However, the vulnerability’s critical nature and recent reports about difficulties in properly fixing the flaw underscore the need for organizations to verify patch applications and monitor for unusual network traffic targeting vCenter Servers. For environments where patching may be delayed, restricting network access to vCenter and implementing segmentation controls can help mitigate potential attacks.
How Can Netizen Help?
Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.
We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.
Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.
Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans.
Questions or concerns? Feel free to reach out to us any time –
https://www.netizen.net/contact
