Stay Safe

Cybersecurity Alerts

For your safety, we provide a curated list of crucial cybersecurity alerts to help safeguard your organization.

CVE-2024-3596 BlastRADIUS

Published: July 9th, 2024

Category: RADIUS

Severity: critical

Source: cve.org

Description

Updated: July 11th, 2024

There is a critical new vulnerability known as the "BlastRADIUS" attack which could soon impact networks worldwide.  

In networks where RADIUS is used for secure authentication, this threat allows hackers to bypass normal authentication methods so they can masquerade as a privileged user. This gives them total access to your entire network and the data it holds. Many corporate networks and even ISPs use RADIUS in their authentication flows, which makes this a very significant issue.

BlastRADIUS gives the threat actor admin privileges on RADIUS devices without stealing credentials or cracking any passwords. While a public proof-of-concept (PoC) has not yet been released, a private PoC has been confirmed by researchers, and we expect threat actors to begin leveraging this exploit soon.

Quick Points: 

  • Vulnerability ID: CVE-2024-3596 
  • Severity: Critical
  • Patch Status: See below for best practices and how to avoid this kind of attack. 

Immediate Action:  

Upgrading RADIUS clients alone is not sufficient: every server using RADIUS must be upgraded to address this exploit. Additional actions:

  • Network administrators are advised to: 
    • Upgrade to RADIUS over TLS (RADSEC) 
    • Switch to multihop RADIUS deployments
    • Isolate RADIUS traffic using tunneling or VLANs 
  • Microsoft has released steps and best practices in KB5040268 on how to secure your network against this attack as well.

CVE-2024-39929: Exim Mail Server Vulnerability

Published: July 4th, 2024

Category: Exim

Severity: critical

Source: Mitre

Description

Updated: July 9th, 2024

There is an emerging Exim mail server vulnerability. If you are running an Exim mail server, an attacker could deliver a ransomware payload straight to a user's mailbox with no filtering! This puts users at risk of receiving malicious attachments; opening them could lead to severe system disruption, including complete server compromise. The Exim vulnerability is exploited by bypassing extension-blocking protections: attackers manipulate header filenames to evade the extension-based security measures meant to block malicious attachments.

QUICK POINTS 

  • Exim Mail Server Vulnerability is Critical  
  • All Exim versions 4.97.1 and earlier are at risk
  • Mailboxes with extension-blocking protection mechanisms are the target
  • Successful exploitation by an attacker could lead to a full-scale system compromise 

IMMEDIATE ACTION 

To safeguard your infrastructure, please take the action steps outlined below: 

  • The #1 thing you can do at this time is to upgrade Exim to version 4.98!
  • Remind your employees to always remain vigilant and on guard when clicking attachments or links in emails. Be extra careful when the email is not from a trusted sender!
  • If you cannot upgrade Exim to 4.98 immediately, we advise that you restrict Exim server remote access to help prevent exploit attempts. 

CVE-2024-6387 OpenSSH Vulnerability

Published: July 1st, 2024

Category: OpenSSH

Severity: high

Source: Red Hat Inc.

Description

Updated: July 14th, 2024

There is an OpenSSH regression flaw that can give attackers complete access to your network and data if exploited. Known as RegreSSHion, this high-severity threat allows hackers to fully compromise systems by exploiting an unauthenticated remote execution weakness where OpenSSH fails to enforce proper input validation. It is estimated that up to 75% of networks have at least some machines running a vulnerable version of OpenSSH.

RegreSSHion exploits a race condition (a flaw in the timing of concurrent operations) in OpenSSH that lets unauthenticated attackers run dangerous code remotely. This gives threat actors access to your previously secure network.

SUPPLY CHAIN ALERT: OpenSSH servers are not the only software affected. Many other software and hardware products use OpenSSH in the background. Check and validate your vendors to guard against being impacted through them.

QUICK POINTS 

  • More than 14 million OpenSSH servers are exposed to the internet with a major risk of remote code execution attack that grants full admin control to attackers
  • 40+ Cisco Products Are Also Vulnerable to RegreSSHion Vulnerability
  • Push Available Patches ASAP & Continually Update OpenSSH and Cisco Products
  • The difficulty for attackers to exploit this vulnerability is high. It mainly takes time and many repeat attempts 

IMMEDIATE ACTION 

  • Update OpenSSH software immediately by patching today. (versions 4.4/4.4p1 and earlier & 8.5p1 up to but not including 9.8/9.8p1 are at risk if unpatched)
  • Review your vendors immediately for OpenSSH usage. For Cisco products, apply the available Cisco patches and ensure that continuous updates are applied as they become available. NAS devices and anything else that relies on remote access services are also prime targets for this attack.
  • Restrict SSH agent forwarding to trusted hosts and necessary scenarios only, and use network-based controls to limit direct network/internet access to SSH so that only trusted client hosts can connect.
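The version ranges listed above are easy to misapply across a fleet, so here is an added example (not from the alert's author or from OpenSSH) that classifies SSH server banners against exactly those ranges; the banners are constructed, and the host names are placeholders.

```python
"""Classify OpenSSH banners against the version ranges this alert gives for
CVE-2024-6387 (RegreSSHion): 4.4/4.4p1 and earlier, and 8.5p1 up to but not
including 9.8/9.8p1. Added example, not from the alert's author or OpenSSH."""
import re

# "OpenSSH_9.6p1 Ubuntu-3ubuntu13" -> major 9, minor 6, portable release 1
BANNER_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)(?:p(\d+))?")

def parse_openssh_version(banner: str):
    """Return (major, minor, portable) from an SSH identification string or
    `ssh -V` output, or None when the server is not OpenSSH. A missing pN is 0."""
    m = BANNER_RE.search(banner)
    if not m:
        return None
    major, minor, portable = m.groups()
    return int(major), int(minor), int(portable or 0)

def is_affected_version(version) -> bool:
    """Apply the alert's ranges on (major, minor): <= 4.4, or 8.5 <= v < 9.8."""
    major_minor = tuple(version[:2])
    return major_minor <= (4, 4) or (8, 5) <= major_minor < (9, 8)

def triage_banners(banners):
    """Map host -> 'affected' | 'not-affected' | 'not-openssh' from banners alone.
    Distributions backport fixes without bumping the version string, so treat
    'affected' as 'verify against the vendor advisory', not as confirmed."""
    verdicts = {}
    for host, banner in banners.items():
        version = parse_openssh_version(banner)
        if version is None:
            verdicts[host] = "not-openssh"
        else:
            verdicts[host] = "affected" if is_affected_version(version) else "not-affected"
    return verdicts

# Constructed sample banners (not captured from real hosts).
SAMPLE_BANNERS = {
    "bastion": "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13",
    "legacy-nas": "SSH-2.0-OpenSSH_4.3",
    "build-box": "SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u3",
    "patched": "SSH-2.0-OpenSSH_9.8p1",
    "switch": "SSH-2.0-dropbear_2020.81",
}

if __name__ == "__main__":
    for host, verdict in triage_banners(SAMPLE_BANNERS).items():
        print(f"{host}: {verdict}")
```

Note that 8.4p1 is reported as not affected: the regression enters at 8.5p1, so a banner check that only looks for "old" versions would get this wrong.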

CVE-2024-2973

Published: June 27th, 2024

Category: Juniper

Severity: critical

Description

Updated: June 28th, 2024

Juniper Networks has released an out-of-cycle patch for an authentication bypass flaw (CVE-2024-2973) in Junos OS. This vulnerability allows unauthenticated remote attackers to bypass authentication controls and gain access to affected systems. Juniper reports that routers or conductors running in high-availability redundant configurations, where service continuity is critical, are the affected configurations.

The Juniper products Session Smart Router (SSR), Session Smart Conductor, and WAN Assurance Router are listed as impacted by this exploit. Security updates have been made available for all of them; patch immediately, as no other workarounds are available for this vulnerability. Patching should be a top priority, as Juniper devices have been targeted in cyberattacks in the past.

QUICK POINTS

  • Session Smart Router & Conductor:
    • All versions before 5.6.15
    • From 6.0 before 6.1.9-lts
    • From 5.2 before 6.2.5-sts
  • WAN Assurance Router:
    • 6.0 versions before 6.1.9-lts
    • 6.2 versions before 6.2.5-sts

IMMEDIATE ACTION 

Due to the severity of this vulnerability, it is critical that you notify your customers who use Juniper devices and apply the necessary patches: 5.6.15, 6.1.9-lts, or 6.2.5-sts.

There are no “workarounds” for this vulnerability, so action is limited to updating devices to the necessary versions.

JavaScript Supply Chain Attack

Published: June 26th, 2024

Category: JavaScript

Severity: critical

Source: sansec.io

Description

A JavaScript supply chain attack has targeted tens of millions of websites via the Polyfill.io service, which was recently purchased by Chinese threat actors. This has turned numerous legitimate websites into threatening and risky links.

What this means for you: 

Websites using Polyfill.io might be compromised by malicious code. This could lead to unauthorized access or other security issues on your website. Legitimate websites that use this script could also be a dangerous click. We've seen impacts on websites such as Hulu, Intuit, Nintendo, JSTOR, and even the World Economic Forum.
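The first step for a site owner is finding every page that still loads the service. Added example, not from the alert's author or from sansec.io: a scanner that pulls external script and stylesheet references out of HTML and reports those hosted on polyfill.io (including protocol-relative URLs); the sample HTML is constructed.

```python
"""Find <script src> and <link href> references to polyfill.io in HTML so the
dependency can be removed or replaced. Added example; SAMPLE_HTML is constructed
and is not taken from any real site."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

class ExternalResourceCollector(HTMLParser):
    """Collect (tag, url) for every script src and link href in a document."""
    def __init__(self):
        super().__init__()
        self.resources = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script" and attrs.get("src"):
            self.resources.append(("script", attrs["src"]))
        elif tag == "link" and attrs.get("href"):
            self.resources.append(("link", attrs["href"]))

def find_polyfill_references(html: str):
    """Return (tag, url) for each resource whose host is polyfill.io or a
    subdomain of it. Absolute and protocol-relative (//host/path) URLs are
    handled; relative URLs are same-origin and therefore skipped."""
    parser = ExternalResourceCollector()
    parser.feed(html)
    hits = []
    for tag, url in parser.resources:
        host = urlsplit(url).hostname  # None for relative URLs
        if host and (host == "polyfill.io" or host.endswith(".polyfill.io")):
            hits.append((tag, url))
    return hits

# Constructed page: two polyfill.io loads, one first-party script, one other CDN.
SAMPLE_HTML = """<!doctype html><html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=es6"></script>
<script src="//polyfill.io/v3/polyfill.min.js"></script>
<script src="/static/app.js"></script>
<link rel="stylesheet" href="https://fonts.example/css">
</head><body></body></html>"""

if __name__ == "__main__":
    for tag, url in find_polyfill_references(SAMPLE_HTML):
        print(f"<{tag}> loads {url}")
```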

CVE-2024-37080

Published: June 18th, 2024

Category: vCenter

Severity: critical

Source: VMware

Description

vCenter Server contains a heap-overflow vulnerability in the implementation of the DCERPC protocol. A malicious actor with network access to vCenter Server may trigger this vulnerability by sending a specially crafted network packet potentially leading to remote code execution.

CVE-2024-38507

Published: June 18th, 2024

Category: JetBrains

Severity: low

Source: Mitre

Description

In JetBrains Hub before 2024.2.34646, stored XSS via the project description was possible.

Microsoft Email Spoofing Vulnerability

Published: June 18th, 2024

Category: Outlook

Severity: medium

Source: Techcrunch

Description

There is a significant vulnerability allowing attackers to spoof emails from Microsoft employees, which can be leveraged for sophisticated phishing attacks. This bug can deceive recipients into believing they are receiving legitimate communications from Microsoft and affects all Outlook accounts.

A cybersecurity researcher using the alias Slonser reports that he has discovered an exploit allowing him to impersonate any of the 400 million Outlook accounts, including Microsoft employee email addresses. While technical details of how the exploit works have not been released, sources have confirmed it to be successful.

Slonser has reported this exploit to Microsoft multiple times, but so far this attack vector has not been patched, as Microsoft states it is unable to replicate the issue. Such an attack underscores the importance of your organization taking proper anti-spoofing precautions via DMARC, DKIM, and SPF settings. However, until Microsoft addresses this ongoing vulnerability, we advise treating all emails from Microsoft to Outlook accounts as potentially suspicious, since email authentication policies will likely not protect effectively against this emerging threat.

This vulnerability not only poses a significant risk of phishing attacks but also serves as a sophisticated vector for supply chain attacks. We strongly recommend reviewing and tightening your security protocols, ensuring all supply chain partners are also taking necessary precautions, and staying vigilant against any unusual email activity or Microsoft-related communications. 

Quick Points: 

  • Vulnerability: Email spoofing attacks appearing as Microsoft employees 
  • Affected Service: Microsoft Outlook Accounts 
  • Microsoft has been notified but no fix has been released

Immediate Action: 

  • Implement DMARC, DKIM, and SPF configurations to enhance email security.
  • Monitor email logs for unusual activities.
  • Confirm users are properly trained on best practices around common phishing techniques.

Look for These Report Findings: 

  • DMARC Record Does Not Exist
  • DKIM Selectors Do Not Exist
  • SPF Record Does Not Exist 
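The three findings above correspond to three DNS names that can be checked mechanically. Added example, not the alert author's tooling: a check that produces those findings from a domain's TXT records, plus a DMARC policy caveat; DNS is replaced by a dict of constructed records so it runs offline, and the DKIM selector names are deployment-specific inputs, not defaults.

```python
"""Produce the email-authentication findings named in this alert (SPF, DKIM,
DMARC) from a domain's DNS TXT records. Added example, not the alert author's
tooling. DNS lookups are replaced by a dict of constructed records so it runs
offline; in production, query the same names with a real resolver."""

def email_auth_findings(domain, txt_records, dkim_selectors):
    """Return a list of findings for `domain`.

    txt_records maps a DNS name to the TXT strings published at it.
    dkim_selectors are the selector names your mail provider uses; they are
    deployment-specific and must be supplied, there is no universal default."""
    findings = []

    # SPF lives in a TXT record at the domain apex and must start with v=spf1.
    spf = [r for r in txt_records.get(domain, []) if r.lower().startswith("v=spf1")]
    if not spf:
        findings.append("SPF Record Does Not Exist")
    elif len(spf) > 1:
        findings.append("Multiple SPF records (receivers treat this as a permerror)")

    # DKIM public keys live at <selector>._domainkey.<domain>.
    present = [s for s in dkim_selectors
               if any("p=" in r for r in txt_records.get(f"{s}._domainkey.{domain}", []))]
    if not present:
        findings.append("DKIM Selectors Do Not Exist")

    # DMARC lives at _dmarc.<domain>; the p= tag tells receivers what to do on failure.
    dmarc = [r for r in txt_records.get(f"_dmarc.{domain}", []) if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        findings.append("DMARC Record Does Not Exist")
    else:
        tags = dict(part.strip().split("=", 1) for part in dmarc[0].split(";") if "=" in part)
        if tags.get("p", "none").strip().lower() == "none":
            findings.append("DMARC policy is p=none (monitoring only; failing mail is still delivered)")
    return findings

# Constructed records for fictitious domains; the DKIM key value is a placeholder.
SAMPLE_TXT = {
    "example.com": ["v=spf1 include:_spf.mailprovider.example -all"],
    "selector1._domainkey.example.com": ["v=DKIM1; k=rsa; p=PLACEHOLDER_PUBLIC_KEY"],
    "_dmarc.example.com": ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"],
    "example.net": ["site-verification=constructed-token"],
}

if __name__ == "__main__":
    for d in ("example.com", "example.net"):
        print(d, email_auth_findings(d, SAMPLE_TXT, ["selector1", "selector2"]))
```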

CVE-2024-4032

Published: June 17th, 2024

Severity: medium

Source: Mitre

Description

The “ipaddress” module contained incorrect information about whether certain IPv4 and IPv6 addresses were designated as “globally reachable” or “private”. This affected the is_private and is_global properties of the ipaddress.IPv4Address, ipaddress.IPv4Network, ipaddress.IPv6Address, and ipaddress.IPv6Network classes, where values wouldn’t be returned in accordance with the latest information from the IANA Special-Purpose Address Registries. CPython 3.12.4 and 3.13.0a6 contain updated information from these registries and thus have the intended behavior.
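Because the stdlib's answer depends on the interpreter version, a practitioner may want a classification that comes straight from the IANA registries and a way to audit the running interpreter against it. Added example, not CPython code: the registry table is a hand-picked subset of the IANA Special-Purpose Address Registries (the page does not list which entries changed), and `is_global` is compared against the registry's "globally reachable" column.

```python
"""Classify addresses as 'globally reachable' directly from the IANA IPv4 and
IPv6 Special-Purpose Address Registries, independent of the interpreter's
ipaddress module, and audit that module against the table (CVE-2024-4032).
Added example, not CPython code; the table is a hand-picked subset of the
registries, not the complete list."""
import ipaddress

# (network, globally reachable) as published in the IANA registries. A more
# specific entry overrides its parent, e.g. 192.0.0.9/32 inside 192.0.0.0/24.
SPECIAL_PURPOSE = [
    ("0.0.0.0/8", False), ("10.0.0.0/8", False), ("100.64.0.0/10", False),
    ("127.0.0.0/8", False), ("169.254.0.0/16", False), ("172.16.0.0/12", False),
    ("192.0.0.0/24", False), ("192.0.0.9/32", True), ("192.0.0.10/32", True),
    ("192.0.2.0/24", False), ("192.88.99.0/24", False), ("192.168.0.0/16", False),
    ("198.18.0.0/15", False), ("198.51.100.0/24", False), ("203.0.113.0/24", False),
    ("240.0.0.0/4", False), ("255.255.255.255/32", False),
    ("::/128", False), ("::1/128", False), ("::ffff:0:0/96", False),
    ("64:ff9b::/96", True), ("64:ff9b:1::/48", False), ("100::/64", False),
    ("2001::/23", False), ("2001:1::1/128", True), ("2001:1::2/128", True),
    ("2001:3::/32", True), ("2001:4:112::/48", True), ("2001:20::/28", False),
    ("2001:db8::/32", False), ("fc00::/7", False), ("fe80::/10", False),
]
_TABLE = [(ipaddress.ip_network(n), reachable) for n, reachable in SPECIAL_PURPOSE]

def is_globally_reachable(addr: str) -> bool:
    """Longest-prefix match against the registry table; unlisted space is global."""
    ip = ipaddress.ip_address(addr)
    matches = [(net.prefixlen, reachable) for net, reachable in _TABLE
               if net.version == ip.version and ip in net]
    if not matches:
        return True
    return max(matches, key=lambda m: m[0])[1]

def audit_interpreter(addresses):
    """Return (address, stdlib_is_global, registry_value) for each address where
    the running interpreter's is_global disagrees with the registry table.
    An empty list means this interpreter agrees for the addresses you care about."""
    return [(a, ipaddress.ip_address(a).is_global, is_globally_reachable(a))
            for a in addresses
            if ipaddress.ip_address(a).is_global != is_globally_reachable(a)]

if __name__ == "__main__":
    # Addresses whose classification is easy to get wrong without the registry.
    probe = ["192.0.0.9", "192.0.0.1", "100.64.1.1", "64:ff9b:1::1",
             "2001:4:112::1", "::ffff:8.8.8.8", "8.8.8.8"]
    for addr, stdlib, registry in audit_interpreter(probe):
        print(f"{addr}: is_global={stdlib} but registry says {registry}")
```

Running the audit on an interpreter older than 3.12.4 lists the addresses it misclassifies; on a fixed interpreter the probe list above should come back empty.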

Cylance Confirms Data Breach

Published: June 10th, 2024

Category: Cylance

Severity: medium

Description

Cylance, a major supplier of antivirus software, confirmed a data breach on June 11th, 2024. 

The compromised data includes the following:

  • 34 million Cylance customer and employee emails 
  • Personally identifiable information of customers, employees and partners 
  • Marketing data. 

This means you should be on the lookout for more targeted phishing emails in the coming months, especially ones that seem to come from trusted vendors.

The breach at Cylance was linked to a third-party platform known as Snowflake. Attackers got into Snowflake and from there compromised its customers, which may number as many as 165 major organizations. The compromise at Snowflake has been linked to potential (and confirmed) breaches at Ticketmaster, Santander Bank, Anheuser-Busch, Allstate, Advanced Auto Parts, Neiman Marcus, Progressive, and State Farm.

CVE-2024-4577

Published: June 9th, 2024

Category: PHP

Severity: critical

Source: NVD

Description

In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, and 8.3.* before 8.3.8, when using Apache and PHP-CGI on Windows, if the system is set up to use certain code pages, Windows may use "Best-Fit" behavior to replace characters in the command line given to Win32 API functions. The PHP CGI module may misinterpret those characters as PHP options, which may allow a malicious user to pass options to the PHP binary being run, and thus reveal the source code of scripts, run arbitrary PHP code on the server, etc.

CVE-2024-29972, CVE-2024-29973, CVE-2024-29974

Published: June 3rd, 2024

Category: Zyxel

Severity: critical

Source: zyxel

Description

Updated: June 5th, 2024

Zyxel has issued an emergency patch for a set of critical vulnerabilities affecting end-of-life NAS devices. This is extremely dangerous for organizations with legacy Zyxel devices, because the flaw allows attackers to gain access to your data and your network, the perfect entry point for ransomware threats.

The vulnerabilities identified in Zyxel NAS devices allow attackers to inject and execute code on a target system remotely, as well as escalate account privileges. Once the exploit is performed, threat actors have direct access to data and can move laterally throughout your network. The flaws impact NAS326 running firmware versions 5.21(AAZF.16)C0 and earlier, and NAS542 running firmware versions 5.21(ABAG.13)C0 and older.

Although these devices are end-of-life, the threat they pose through continued use in some environments can be catastrophic. This flaw is already being leveraged by hacker groups in botnet attacks, and a proof-of-concept (PoC) of the attack is publicly available, making exploitation even more likely.

QUICK POINTS 

  • Vulnerability IDs: CVE-2024-29972, CVE-2024-29973, CVE-2024-29974 (CVSS score: 9.8)
  • Severity: Critical 
  • Patch Status: Zyxel has released patches (see below) as well as further remediation steps you can take. 

IMMEDIATE ACTION 

  • Identify all Zyxel NAS326 and NAS542 devices within your managed environments. 
  • Apply the emergency patch as per Zyxel's instructions. 
  • Replace affected devices as soon as possible with a model that is actively updated and supported.
  • Continue to scan your environment for end-of-life devices and remove them accordingly. 

CVE-2024-3661

Published: May 6th, 2024

Category: VPN

Severity: high

Description

Updated: July 1st, 2024

A new critical vulnerability affecting virtually all VPN systems has been identified as the TunnelVision technique. It can expose traffic even under VPN protection, which is crucial for MSPs managing secure client data and communications. Using this vulnerability, hackers can easily steal data, set up man-in-the-middle attacks, or even enable expensive ransomware attacks once network access is established.

The TunnelVision technique exploits CVE-2024-3661, a DHCP design flaw: DHCP messages carrying static routes (option 121) are not authenticated, so they can be altered or forged. This type of leakage has been demonstrated across various systems, highlighting a fundamental flaw in VPN security architecture that could lead to sensitive data exposure.
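To see what an option 121 payload actually carries, and to review the routes a DHCP server hands out before trusting them, here is an added example (not from the alert's author): a decoder for the RFC 3442 classless static route format plus a check that flags routes falling outside an allowlist of the site's own networks. The payload and the allowlisted networks are constructed.

```python
"""Decode a DHCP option 121 payload (RFC 3442 classless static routes) and flag
routes that would steer traffic away from a VPN's default route, the mechanism
TunnelVision (CVE-2024-3661) relies on. Added example; the sample payload is
constructed, not captured from a real network."""
import ipaddress

def parse_option_121(payload: bytes):
    """Return [(IPv4Network destination, IPv4Address router), ...].

    Each route is: 1 byte prefix length, ceil(prefix/8) significant destination
    octets (none for a /0 default route), then a 4-byte router address."""
    routes, i = [], 0
    while i < len(payload):
        plen = payload[i]
        i += 1
        if plen > 32:
            raise ValueError(f"invalid prefix length {plen}")
        nsig = (plen + 7) // 8
        if i + nsig + 4 > len(payload):
            raise ValueError("truncated route entry")
        dest = payload[i:i + nsig] + b"\x00" * (4 - nsig)
        router = ipaddress.IPv4Address(payload[i + nsig:i + nsig + 4])
        i += nsig + 4
        routes.append((ipaddress.IPv4Network((dest, plen), strict=False), router))
    return routes

def suspicious_routes(routes, expected_local):
    """Return (destination, router, address_count) for every route that is not
    inside an allowlisted local network. Such a route is more specific than the
    VPN's 0.0.0.0/0, so the OS sends that traffic to the LAN gateway in the
    clear instead of through the tunnel."""
    allowed = [ipaddress.IPv4Network(n) for n in expected_local]
    return [(str(net), str(router), net.num_addresses)
            for net, router in routes
            if not any(net.subnet_of(a) for a in allowed)]

# Constructed sample: one legitimate site route plus two /1 routes that together
# cover the whole address space while each being "more specific" than a default.
SAMPLE_OPTION_121 = bytes.fromhex(
    "10 0a14 c0a80101"   # 10.20.0.0/16 via 192.168.1.1
    "01 00 c0a80101"     # 0.0.0.0/1    via 192.168.1.1
    "01 80 c0a80101"     # 128.0.0.0/1  via 192.168.1.1
)

if __name__ == "__main__":
    decoded = parse_option_121(SAMPLE_OPTION_121)
    for dest, router, count in suspicious_routes(decoded, ["10.20.0.0/16"]):
        print(f"option 121 diverts {dest} ({count} addresses) to {router}")
```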

QUICK POINTS: 

  • This vulnerability is not dependent on VPN provider or implementation and most VPN systems based on IP routing are affected. 
  • All major operating systems seem to be impacted including Windows, macOS, Android, iOS, and Linux. 
  • Threat actors can leverage an attack simply by being on the same network as the victim.  

WHAT THIS MEANS FOR YOU:

Given how widespread and readily available this TunnelVision attack vector is, all organizations using VPNs need to have the security settings around these connections checked.

IMMEDIATE ACTION: 

  1. Review and audit your VPN settings and configurations to ensure robust leak protection measures are in place. Confirm that all VPN software is up to date and patched.
  2. Consider VPN solutions that offer advanced leak prevention, particularly for IPv6 and WebRTC.   
  3. Keep your network management teams informed and updated on best practices for VPN security. 
