Recent bundles

Cleo Product Security Update - CVE-2024-55956

Patch Version 5.8.0.24 Made Available to Address Previously Reported Critical Vulnerability (CVE-2024-55956)

Cleo strongly advises all customers to immediately upgrade instances of Harmony, VLTrader, and LexiCom to the latest released patch (version 5.8.0.24) to address this vulnerability.

The vulnerability affects only the following products:

  • Cleo Harmony® (prior to version 5.8.0.24)
  • Cleo VLTrader® (prior to version 5.8.0.24)
  • Cleo LexiCom® (prior to version 5.8.0.24)

This security patch (version 5.8.0.24) addresses the previously identified critical vulnerability (CVE-2024-55956) in Cleo Harmony, VLTrader, and LexiCom that could allow an unauthenticated user to import and execute arbitrary bash or PowerShell commands on the host system by leveraging the default settings of the Autorun directory.

Please visit Unauthenticated Malicious Hosts Vulnerability to take immediate action.

Cleo Product Security Advisory - CVE-2024-50623

Cleo has identified an unrestricted file upload and download vulnerability (CVE-2024-50623) that could lead to remote code execution.

The vulnerability affects the following products:

  • Cleo Harmony® (prior to version 5.8.0.21)
  • Cleo VLTrader® (prior to version 5.8.0.21)
  • Cleo LexiCom® (prior to version 5.8.0.21)

Cleo strongly advises all customers to immediately upgrade instances of Harmony, VLTrader, and LexiCom to the latest released patch (version 5.8.0.21) to address additional discovered potential attack vectors of the vulnerability. 

Please visit Unrestricted File Upload and Download Vulnerability Mitigation to take immediate action.

Unfortunately, some of the links are restricted to customers with a support contract.

CVE-2024-12632 is now rejected and a duplicate of CVE-2024-55956.


Related vulnerabilities: CVE-2024-55956, CVE-2024-12632, CVE-2024-50623

China’s global ambitions continue to grow, and its military strength, technology research and economic powers are giving it an opportunity to challenge the global order of power — particularly the standing of the U.S. China is expected to soon have the military capabilities to take Taiwan by force. In April 2024, Adm. John Aquilino of the U.S. Indo-Pacific Command cautioned China will be capable of invading Taiwan by 2027. Its building of bases and airstrips on contested reefs in the Spratly Islands near the Philippines continues to cause military tensions. On the technology research side, China has invested an estimated US $15 billion — more than three times that of any other country — in quantum computing and is expected to invest as much as US $1.4 trillion in artificial intelligence (AI) in the next six years. And throughout the world, China uses its economic might — via loans and trade initiatives — to increase its influence in places such as Africa and Pacific Island nations.

Figure 1: A map of the contested Spratly Islands, a clutch of reefs, shoals and islands in the South China Sea claimed by Brunei, China, Malaysia, Philippines, Taiwan and Vietnam.

Cyber capabilities play a key role in achieving China’s strategic goals, including ensuring partners stay aligned with China and shaping public narratives. This has raised alarms from other governments, which have called for increased vigilance and tightened security. The country’s offensive cyber capabilities have been used for espionage, intellectual property theft and prepositioning of footholds within the critical infrastructure of its adversaries. U.S. intelligence assesses these stealthy malware infections are intended to accomplish disruptive or destructive attacks in the event of a conflict. These campaigns have targeted government and civilian infrastructure at scale. U.S. FBI Director Christopher Wray said China “has a bigger hacking program than every other major nation combined. In fact, if each one of the FBI’s cyber agents and intelligence analysts focused exclusively on the China threat, China’s hackers would still outnumber FBI cyber personnel by at least 50 to 1.”

Espionage traditionally has been shrouded in secrecy, but this is changing. In the past 18 months, governments have disclosed suspected Chinese state-sponsored cyber activities to build public security awareness. The transparency drive correspondingly has driven a change in the advanced persistent threat (APT) landscape. As a result, Chinese state-sponsored cyber threat actors have adapted to global geopolitical developments in 2024 by updating their tactics, techniques and procedures (TTPs) and tool sets to avoid their campaigns being linked to Beijing. Threat actors with a China nexus are emphasizing stealth now more than ever by weaponizing network edge devices, using living-off-the-land (LOTL) techniques and setting up operational relay box (ORB) networks.

This post is derived from Intel 471’s Cyber Geopolitical Intelligence, a service that offers insights and analysis of political activity and significant regional events, including China, Iran and Russia, and how those events impact the cyber threat landscape. This post will discuss some of the state sponsored campaigns linked to China and what techniques will likely continue to trend. For more information, please contact Intel 471.

Zero-Day Exploits

Chinese APT groups will move away from traditional initial access methods such as social engineering to exploit zero-day vulnerabilities against network edge devices for mass exploitation. Edge devices and services such as firewalls and virtual private network (VPN) gateways increasingly have become popular targets. These devices are internet facing and provide critical services to remote users, but they also are not easily monitored by network administrators due to the lack of endpoint detection and response (EDR) solutions installed. This provides a “rapid route to privileged local or network credentials on a server with broad access to the internal network” of a target organization, according to research from WithSecure.

Edge-related common vulnerabilities and exposures (CVEs) added to the Known Exploited Vulnerabilities catalog of the U.S. Cybersecurity and Infrastructure Security Agency (CISA) increased from two per month in 2022 to 4.75 in 2024. Conversely, non-edge entries dropped from 5.36 in 2023 to three in 2024. Additionally, an estimated 85% of known zero-days exploited by Chinese nation-state groups since 2021 were against public-facing appliances, which supports a growing trend that attackers are singling out edge devices for mass exploitation.

The Chinese threat group Volt Typhoon (aka Vanguard Panda, Bronze Silhouette, Dev-0391, UNC3236, Voltzite, Insidious Taurus), discovered in mid-2021, often relies on exploiting zero-day vulnerabilities. The group targets critical infrastructure, such as communications, energy, transport and utilities, including water and wastewater facilities. The group’s “choice of targets and pattern of behavior is not consistent with traditional cyber espionage or intelligence-gathering activities,” according to a U.S. advisory. Volt Typhoon targets public-facing appliances — routers, VPNs and firewalls — in campaigns the U.S. assesses with high confidence are intended to preposition the group on devices so that it can disrupt them if needed. The U.S. government announced in January 2024 it had disrupted a botnet assembled by Volt Typhoon and used to attack critical infrastructure. The botnet was assembled using the KV malware, which infected hundreds of small office/home office (SOHO) routers — most of which were out of support and no longer receiving security updates.

Several of the largest cyberattacks in 2023 related to vulnerabilities in edge devices or enterprise appliances. On May 23, 2023, Barracuda disclosed CVE-2023-2868, a zero-day vulnerability in its Email Security Gateway (ESG). As early as Oct. 10, 2022, a threat actor group sent emails to potential victims with malicious files intended to exploit ESG. Mandiant identified the group as UNC4841, a cyber espionage group that acts in support of China.

In early 2021, a group known as Silk Typhoon (under Microsoft’s current threat actor naming scheme) exploited a series of zero-day vulnerabilities, including CVE-2021-26855 in the on-premises version of Microsoft’s Exchange email server. The attack could be launched remotely against an Exchange server on port 443. Tens of thousands of Exchange servers were exploited using the vulnerabilities — collectively known as the ProxyLogon flaws — in the days before Microsoft deployed patches.

How does China source these zero-day vulnerabilities? Increasingly, domestically. Chinese security researchers are talented and prolific. Chinese teams in the 2010s saw success at international Capture the Flag and hacking competitions such as DEF CON and Pwn2Own. But in 2017, Beijing started to pressure private sector security researchers to prevent them from sharing knowledge at overseas cybersecurity events. Authoritative Chinese information security experts also asserted that knowledge of undisclosed software vulnerabilities “should remain in China.” In the ensuing years, the Chinese Communist Party (CCP) incorporated the use of security flaws into its national military-civil fusion strategy that aims to acquire foreign intellectual property, key research and high-value information.

China now uses bug-bounty programs, hacking competitions, universities and private entities to collect information on zero-day vulnerabilities in popular software and products. By mandating that security researchers disclose zero-day vulnerabilities to state authorities first, Beijing provides an operational window for nation-state cyber perpetrators to exploit these vulnerabilities for cyber espionage and intelligence gathering. One example of this arrangement played out in 2022. Microsoft reported an Exchange vulnerability tracked as CVE-2021-42321 that was exploited in the wild three days after the security flaw was revealed at the Tianfu Cup, an annual hacking competition held in Chengdu, Sichuan.

Living Off the Land

Rather than develop highly sophisticated custom malware, nation-state groups increasingly will use LOTL techniques to maintain persistence and undetected access on information technology (IT) networks. LOTL techniques use legitimate tools, features and functions available in a target environment to traverse networks and hide within normal network activity, reducing the likelihood of the attacker’s presence being flagged as suspicious. In 2023, the Chinese APT groups Flax Typhoon (aka RedJuliett, Ethereal Panda) and Volt Typhoon leveraged legitimate tools and utilities that were built into the Windows operating system to target key sectors in the U.S., Taiwan and elsewhere. Some of the tools they used included wmic, ntdsutil, netsh and PowerShell.

In August 2023, the China-linked cyber espionage group BlackTech used LOTL techniques such as NetCat shells and modifying the victim registry to enable remote desktop protocol (RDP). In July 2024, the Chinese-speaking APT group Ghost Emperor resurfaced after an extended period of inactivity with new obfuscation techniques, including the use of living-off-the-land binaries (LOLBins) such as reg.exe and expand.exe within the batch file that initiated the infection chain on the compromised machine to achieve stealth.

Compromised Infrastructure

Chinese ORB networks will continue to develop and mature at pace, reducing APT groups’ dependency on conventional actor-controlled infrastructure. ORB networks are global infrastructures of virtual private servers (VPSs) and compromised smart devices and routers. The extensive networks of proxy devices allow their administrators to scale up and create a “constantly evolving mesh network” to conceal espionage operations. While ORB networks have existed for years, Chinese ORBs in particular have increased in popularity and sophistication in recent years. Each of China’s ORBs is maintained by either private companies or state-sponsored entities and facilitates multiple threat clusters at any given time.

The Mulberry Typhoon (aka APT5, Bronze Fleetwood, Keyhole Panda, Manganese, Poisoned Flight, TABCTENG, TEMP.Bottle) and Nylon Typhoon (aka ke3chang, APT15, Vixen Panda, Nickel) groups used the SPACEHOP network to conduct network reconnaissance scanning and exploit vulnerabilities. The Violet Typhoon (aka APT31) group and several other actors with a China nexus used the FLORAHOX ORB network to proxy traffic from a source and relay it through a Tor network and numerous compromised router nodes to obfuscate the source of the traffic for cyber espionage attacks.

Assessment

Global geopolitical developments will continue to heavily influence the Chinese APT threat landscape in terms of targeting, tool sets and TTPs. The acceleration of improvements in the cybersecurity posture of numerous key targeted countries has compelled Chinese state-sponsored intelligence forces to become more innovative with their attack strategies.

The use of ORB networks and the exploitation of network edge devices emphasize the scalability of their attacks, and all three techniques (zero-day exploitation of edge devices, LOTL and ORB networks) focus on secrecy. Adopting these techniques would have required a cumulation of upgraded skills, malware and tools that could only be achieved by continuous reconnaissance of target networks and technologies as well as meticulous testing of tools against them over extended periods. Therefore, these changes highly likely reflect a considered, fundamental and permanent shift in Chinese nation-state cyber operations.

In the next six to 12 months, governments and industry regulators worldwide will increase oversight of vital sectors such as energy, public administration, military and defense, technology, manufacturing, telecommunications and media, health care and financial services. Not only will Chinese nation-state threat actors almost certainly continue to pursue these high-value targets, it also is probable they will scale up their operations to conduct global campaigns and target as many entities in each region or sector as possible to maximize their gains at every exploitation.

Hunt Packages

Intel 471 provides threat hunting capabilities for Chinese APT activity through our threat hunting platform HUNTER471. The following is a non-exhaustive list of hunt packages we have created related to the tactics used by Chinese nation-state threat actors.

These pre-written threat hunt queries can be used to query logs stored in security information and event management (SIEM) or EDR systems to detect potential malicious activity. The queries are compatible with a variety of security tools and products, such as CarbonBlack Cloud - Investigate, CarbonBlack Response, CrowdStrike, CrowdStrike LogScale, Elastic, Microsoft Defender, Microsoft Sentinel, Palo Alto Cortex XDR, QRadar Query, SentinelOne, Splunk and Trend Micro Vision One. Register for the Community Edition of HUNTER471, which contains sample hunt packages at no cost.

Figure 2: A screenshot of hunt packages available in HUNTER471 related to finding behaviors associated with the threat actor group Volt Typhoon.

WMIC Windows Internal Discovery and Enumeration

This package will identify the potential malicious use of Windows Management Instrumentation (WMI) for local enumeration and discovery of a host.

Obfuscated PowerShell Execution String - Potential Malware Execution

Many adversaries use obfuscated commands involving different techniques to implement and use Base64 strings. This package identifies popular characteristics deployed by many actors utilizing this technique.

Enabling Remote Desktop Protocol (RDP) - Possible SmokedHam Activity (Commandline Arguments)

This content is designed to detect when command-line arguments are executed to modify the registry key that enables or disables RDP (HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server or HKLM\SYSTEM\ControlSet00*\Control\Terminal Server). False positives may occur depending on the environment, as these registry keys can also be modified by administrators.

Dump Active Directory Database with NTDSUtil - Potential Credential Dumping

This content is designed to identify when NTDSutil.exe is used to create a full backup of Active Directory.

Netsh Port Forwarding Command

This use case is meant to identify the netsh port forwarding command-line parameters "interface portproxy add."

Restricted Admin Mode Login - Possible Lateral Movement

This hunt package is meant to capture the surrounding activity when a user successfully logs in (Event Code 4624) using RDP with restricted admin mode enabled.
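One way to turn the package descriptions above into runnable detection logic, as an added example written for this page (the editor's own Python, not HUNTER471 content or Intel 471 code): each rule pairs a process-image pattern with a command-line pattern, mirroring the wmic, obfuscated PowerShell, RDP registry, ntdsutil and netsh portproxy packages, and a separate helper covers the restricted-admin RDP logon (event 4624). The field names `image`, `cmdline`, `event_id`, `logon_type` and `restricted_admin_mode` are assumptions about an already-parsed event; real SIEM or EDR schemas name them differently. The sample events are constructed test data, and the Base64 prefix handling only covers `-e`, `-enc` and `-EncodedCommand`, not every abbreviation PowerShell accepts.

```python
import base64
import re

# Constructed sample process-creation events in Sysmon/EDR style ("image" =
# process path, "cmdline" = command line). Editor's own test data, not real
# telemetry; the last two events are benign controls that must not match.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\wbem\wmic.exe",
     "cmdline": "wmic process get name,executablepath,commandline"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc "
                + base64.b64encode("whoami /all".encode("utf-16-le")).decode()},
    {"image": r"C:\Windows\System32\reg.exe",
     "cmdline": r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server"'
                r" /v fDenyTSConnections /t REG_DWORD /d 0 /f"},
    {"image": r"C:\Windows\System32\ntdsutil.exe",
     "cmdline": 'ntdsutil.exe "ac i ntds" "ifm" "create full C:\\temp\\ntds" q q'},
    {"image": r"C:\Windows\System32\netsh.exe",
     "cmdline": "netsh interface portproxy add v4tov4 listenport=3389"
                " listenaddress=0.0.0.0 connectport=3389 connectaddress=10.0.0.5"},
    {"image": r"C:\Windows\System32\reg.exe",
     "cmdline": r'reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion"'},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\scripts\backup.ps1"},
]

# (rule name taken from the hunt package list, process image regex, command-line regex)
RULES = [
    ("WMIC Windows Internal Discovery and Enumeration",
     r"\\wmic(?:\.exe)?$", r"\b(?:get|list)\b"),
    ("Obfuscated PowerShell Execution String",
     r"\\(?:powershell|pwsh)(?:\.exe)?$",
     r"-e(?:nc(?:odedcommand)?)?\s+[A-Za-z0-9+/]{20,}={0,2}|FromBase64String"),
    ("Enabling Remote Desktop Protocol (RDP)",
     r"\\reg(?:\.exe)?$", r"\badd\b.*\\Control\\Terminal Server"),  # key from the package text
    ("Dump Active Directory Database with NTDSUtil",
     r"\\ntdsutil(?:\.exe)?$", r"\bifm\b|\bcreate\s+full\b"),
    ("Netsh Port Forwarding Command",
     r"\\netsh(?:\.exe)?$", r"\binterface\s+portproxy\s+add\b"),
]

ENCODED_RE = re.compile(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/]{20,}={0,2})",
                        re.IGNORECASE)


def decode_encoded_command(cmdline):
    """Decode a PowerShell -EncodedCommand payload (Base64 of UTF-16LE text).
    Returns None when there is no such argument or it does not decode cleanly,
    so the analyst sees the plain command instead of an opaque Base64 blob."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def hunt(events):
    """Apply every rule to every event; one hit dict per (event, rule) match,
    in event order. PowerShell hits carry the decoded payload when available."""
    hits = []
    for ev in events:
        for name, image_pat, cmd_pat in RULES:
            if (re.search(image_pat, ev["image"], re.IGNORECASE)
                    and re.search(cmd_pat, ev["cmdline"], re.IGNORECASE)):
                hit = {"rule": name, "cmdline": ev["cmdline"]}
                if name.startswith("Obfuscated PowerShell"):
                    hit["decoded"] = decode_encoded_command(ev["cmdline"])
                hits.append(hit)
    return hits


def is_restricted_admin_rdp_logon(event):
    """Security event 4624, Logon Type 10 (RemoteInteractive) with the
    'Restricted Admin Mode' field set to Yes. Field names are assumptions
    about a parsed event dict (constructed for this example)."""
    return (event.get("event_id") == 4624
            and event.get("logon_type") == 10
            and str(event.get("restricted_admin_mode", "")).lower() == "yes")


# Constructed logon events: one restricted-admin RDP logon, one ordinary one.
SAMPLE_LOGONS = [
    {"event_id": 4624, "logon_type": 10, "restricted_admin_mode": "Yes", "user": "svc-admin"},
    {"event_id": 4624, "logon_type": 10, "restricted_admin_mode": "No", "user": "jdoe"},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(f"[{hit['rule']}] {hit['cmdline']}")
        if hit.get("decoded"):
            print(f"    decoded payload: {hit['decoded']}")
    for ev in SAMPLE_LOGONS:
        if is_restricted_admin_rdp_logon(ev):
            print(f"[Restricted Admin Mode Login] user={ev['user']}")
```

Run as a script it prints one line per hit for the five suspicious events and nothing for the two benign ones. The rules match on both the process image and the command line so that a `reg query` or a `-File` PowerShell invocation does not trip them; as the RDP package note above says, administrators legitimately change the Terminal Server key, so treat these as hunt leads to triage rather than alerts.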


Related vulnerabilities: CVE-2023-2868, CVE-2021-26855, CVE-2021-42321

Zabbix
2024-12-04T05:44:04 by Alexandre Dulaunoy

  • cve-2024-22116 9.9 (v3.1) Remote code execution within ping script Zabbix
  • cve-2024-36466 8.8 (v3.1) Unauthenticated Zabbix frontend takeover when SSO is b… Zabbix
  • cve-2024-36467 7.5 (v3.1) Authentication privilege escalation via user groups du… Zabbix
  • cve-2024-42330 9.1 (v3.1) JS - Internal strings in HTTP headers Zabbix
  • cve-2024-42327 9.9 (v3.1) SQL injection in user.get API Zabbix


Related vulnerabilities: CVE-2024-36466, CVE-2024-42327, CVE-2024-22116, CVE-2024-36467, CVE-2024-42330

CVE-2024-5921

CVE-2024-5921 affects various versions of Palo Alto’s GlobalProtect App on Windows, macOS and Linux, and stems from insufficient certificate validation.

It enables attackers to connect the GlobalProtect app to arbitrary servers, the company confirmed, and noted that this may result in attackers installing malicious root certificates on the endpoint and subsequently installing malicious software signed by these certificates.

“Both the Windows and macOS versions of the GlobalProtect VPN client are vulnerable to remote code execution (RCE) and privilege escalation via the automatic update mechanism. While the update process requires MSI files to be signed, attackers can exploit the PanGPS service to install a maliciously trusted root certificate, enabling RCE and privilege escalation. The updates are executed with the privilege level of the service component (SYSTEM on Windows and root on macOS),” AmberWolf researchers Richard Warren and David Cash explained.

“By default, users can specify arbitrary endpoints in the VPN client’s UI component (PanGPA). This behaviour can be exploited in social engineering attacks, where attackers trick users into connecting to rogue VPN servers. These servers can capture login credentials and compromise systems through malicious client updates.”

“This issue is fixed in GlobalProtect app 6.2.6 and all later GlobalProtect app 6.2 versions on Windows,” Palo Alto says. The company has also introduced an additional configuration parameter (FULLCHAINCERTVERIFY) that should be enabled to enforce stricter certificate validation against the system’s trusted certificate store.

There are currently no fixes for macOS or Linux versions of the app, according to PAN’s security advisory.

There is a workaround/mitigation available, though, and it consists of enabling FIPS-CC mode for the GlobalProtect app on the endpoints (and enabling FIPS-CC mode on the GlobalProtect portal/gateway).

AmberWolf researchers say that host-based firewall rules can also be implemented to prevent users connecting to malicious VPN servers.

CVE-2024-29014

CVE-2024-29014 affects SonicWall’s NetExtender VPN client for Windows versions 10.2.339 and earlier, and allows attackers to execute code with SYSTEM privileges when an End Point Control (EPC) Client update is processed. The vulnerability stems from insufficient signature validation.

There are several exploitation scenarios that could lead to this. For example, a user can be tricked into connecting their NetExtender client to a malicious VPN server and install a fake (malicious) EPC Client update.

“When the SMA Connect Agent is installed, attackers can exploit a custom URI handler to force the NetExtender client to connect to their server. Users only need to visit a malicious website and accept a browser prompt, or open a malicious document for the attack to succeed,” AmberWolf researchers explained, describing another approach.

SonicWall patched the vulnerability earlier this year in NetExtender Windows (32 and 64 bit) 10.2.341 and later versions, and urged users to upgrade.

“If an immediate upgrade is not feasible, consider using a client firewall to restrict access to known, legitimate VPN endpoints to prevent users from inadvertently connecting to malicious servers,” AmberWolf advised.


Related vulnerabilities: CVE-2024-5921, CVE-2024-29014

Keycloak release 26.0.6 includes fixes for five vulnerabilities

  • GitHub Issue #35213 CVE-2024-10451 Sensitive Data Exposure in Keycloak Build Process
  • GitHub Issue #35214 CVE-2024-10270 Potential Denial of Service
  • GitHub Issue #35215 CVE-2024-10492 Keycloak path traversal
  • GitHub Issue #35216 CVE-2024-9666 Keycloak proxy header handling Denial-of-Service (DoS) vulnerability
  • GitHub Issue #35217 CVE-2024-10039 Bypassing mTLS validation

  • For more details: https://github.com/keycloak/keycloak/releases/tag/26.0.6


Related vulnerabilities: CVE-2024-9666, CVE-2024-10039, CVE-2024-10492, CVE-2024-10270, CVE-2024-10451

Apple Fixes Two Exploited Vulnerabilities on Intel-based Mac Systems

  • CVE-2024-44308 - The issue was addressed with improved checks. This issue is fixed in Safari 18.1.1, iOS 17.7.2 and iPadOS 17.7.2, macOS Sequoia 15.1.1, iOS 18.1.1 and iPadOS 18.1.1, visionOS 2.1.1. Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited on Intel-based Mac systems.

  • CVE-2024-44309 - A cookie management issue was addressed with improved state management. This issue is fixed in Safari 18.1.1, iOS 17.7.2 and iPadOS 17.7.2, macOS Sequoia 15.1.1, iOS 18.1.1 and iPadOS 18.1.1, visionOS 2.1.1. Processing maliciously crafted web content may lead to a cross site scripting attack. Apple is aware of a report that this issue may have been actively exploited on Intel-based Mac systems.

Vulnerabilities discovered by Clément Lecigne and Benoît Sevens of Google's Threat Analysis Group


Related vulnerabilities: CVE-2024-44308, CVE-2024-44309

Based on “Pots and Pans, AKA an SSLVPN - Palo Alto PAN-OS CVE-2024-0012 and CVE-2024-9474”: This is a pair of bugs, described as ‘Authentication Bypass in the Management Web Interface’ and a ‘Privilege Escalation’ respectively, strongly suggesting they are used as a chain to gain superuser access, a pattern that we’ve seen before with Palo Alto appliances. Before we’ve even dived into the code, we’ve already ascertained that we’re looking for a chain of vulnerabilities to achieve that coveted pre-authenticated Remote Code Execution.

The following CVEs were assigned:

  • CVE-2024-9474 - A privilege escalation vulnerability in Palo Alto Networks PAN-OS software allows a PAN-OS administrator with access to the management web interface to perform actions on the firewall with root privileges. Cloud NGFW and Prisma Access are not impacted by this vulnerability.

  • CVE-2024-0012 - An authentication bypass in Palo Alto Networks PAN-OS software enables an unauthenticated attacker with network access to the management web interface to gain PAN-OS administrator privileges to perform administrative actions, tamper with the configuration, or exploit other authenticated privilege escalation vulnerabilities like CVE-2024-9474 (https://security.paloaltonetworks.com/CVE-2024-9474). The risk of this issue is greatly reduced if you secure access to the management web interface by restricting access to only trusted internal IP addresses according to our recommended best practice deployment guidelines (https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431). This issue is applicable only to PAN-OS 10.2, PAN-OS 11.0, PAN-OS 11.1, and PAN-OS 11.2 software. Cloud NGFW and Prisma Access are not impacted by this vulnerability.


Related vulnerabilities: CVE-2024-0012, CVE-2024-9474

FG-IR-24-115 Arbitrary file read in administrative interface CVE-2024-32117

An improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability [CWE-22]...

FortiAnalyzer 7.4.2, 7.4.1, 7.4.0, 7.2.5, 7.2.4 ... FortiAnalyzer-BigData 7.4.0, 7.2.7, 7.2.6, 7.2.5, 7.2.4 ... FortiManager 7.4.2, 7.4.1, 7.4.0, 7.2.5, 7.2.4 ...

Published: Nov 12, 2024

GUI

Medium Severity

FG-IR-24-032 FortiOS - Improper authentication in fgfmd CVE-2024-26011

An improper authentication vulnerability [CWE-287] in FortiManager, FortiOS, FortiPAM, FortiPortal,...

FortiManager 7.4.2, 7.4.1, 7.4.0, 7.2.4, 7.2.3 ... FortiOS 7.4.3, 7.4.2, 7.4.1, 7.4.0, 7.2.7 ... FortiPAM 1.2.0, 1.1.2, 1.1.1, 1.1.0, 1.0.3 ... FortiPortal 6.0.14, 6.0.13, 6.0.12, 6.0.11, 6.0.10 ... FortiProxy 7.4.2, 7.4.1, 7.4.0, 7.2.9, 7.2.8 ... FortiSwitchManager 7.2.3, 7.2.2, 7.2.1, 7.2.0, 7.0.3 ...

Published: Nov 12, 2024

Medium Severity

FG-IR-23-475 FortiOS - SSLVPN session hijacking using SAML authentication CVE-2023-50176

A session fixation vulnerability [CWE-384] in FortiOS may allow an unauthenticated attacker to hijack user...

FortiOS 7.4.3, 7.4.2, 7.4.1, 7.4.0, 7.2.7 ...

Published: Nov 12, 2024

SSL-VPN

High Severity

FG-IR-24-125 Heap buffer overflow in httpd CVE-2024-33505

A heap-based buffer overflow vulnerability [CWE-122] in FortiManager and FortiAnalyzer httpd daemon may...

FortiAnalyzer 7.4.2, 7.4.1, 7.4.0, 7.2.5, 7.2.4 ... FortiAnalyzer Cloud 7.4.2, 7.4.1, 7.2.6, 7.2.5, 7.2.4 ... FortiManager 7.4.2, 7.4.1, 7.4.0, 7.2.5, 7.2.4 ... FortiManager Cloud 7.4.2, 7.4.1, 7.2.6, 7.2.5, 7.2.4 ...

Published: Nov 12, 2024

GUI

Medium Severity

FG-IR-23-267 Lack of capacity to filter logs by administrator access CVE-2023-44255

An Exposure of personal information to an unauthorized actor [CWE-359] in FortiManager, FortiAnalyzer &...

FortiAnalyzer 7.4.2, 7.4.1, 7.4.0, 7.2.8, 7.2.7 ... FortiAnalyzer-BigData 7.4.0, 7.2.8, 7.2.7, 7.2.6, 7.2.5 ... FortiManager 7.4.2, 7.4.1, 7.4.0, 7.2.8, 7.2.7 ...

Published: Nov 12, 2024

GUI

Low Severity

FG-IR-24-116 OS command injection in CLI command CVE-2024-32118

An improper neutralization of special elements used in an OS command ('OS Command Injection')...

FortiAnalyzer 7.4.2, 7.4.1, 7.4.0, 7.2.5, 7.2.4 ... FortiAnalyzer-BigData 7.4.0, 7.2.7, 7.2.6, 7.2.5, 7.2.4 ... FortiManager 7.4.2, 7.4.1, 7.4.0, 7.2.5, 7.2.4 ...

Published: Nov 12, 2024

CLI

Medium Severity

FG-IR-24-099 Path traversal vulnerability in CLI commands CVE-2024-32116

Multiple relative path traversal vulnerabilities [CWE-23] in FortiManager, FortiAnalyzer &...

FortiAnalyzer 7.4.2, 7.4.1, 7.4.0, 7.2.5, 7.2.4 ... FortiAnalyzer-BigData 7.4.0, 7.2.7, 7.2.6, 7.2.5, 7.2.4 ... FortiManager 7.4.2, 7.4.1, 7.4.0, 7.2.5, 7.2.4 ...

Published: Nov 12, 2024

CLI

Medium Severity

FG-IR-24-179 Path traversal vulnerability leading to file creation CVE-2024-35274

An improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability [CWE-22]...

FortiAnalyzer 7.4.2, 7.4.1, 7.4.0, 7.2.8, 7.2.7 ... FortiAnalyzer-BigData 7.4.0, 7.2.8, 7.2.7, 7.2.6, 7.2.5 ... FortiManager 7.4.2, 7.4.1, 7.4.0, 7.2.8, 7.2.7 ...

Published: Nov 12, 2024

CLI

Low Severity

FG-IR-23-396 Readonly users could run some sensitive operations CVE-2024-23666

A client-side enforcement of server-side security vulnerability [CWE-602] in FortiAnalyzer may allow an...

FortiAnalyzer 7.4.1, 7.4.0, 7.2.4, 7.2.3, 7.2.2 ... FortiAnalyzer-BigData 7.4.0, 7.2.6, 7.2.5, 7.2.4, 7.2.3 ... FortiManager 7.4.1, 7.4.0, 7.2.4, 7.2.3, 7.2.2 ...

Published: Nov 12, 2024

High Severity

FG-IR-24-033 SSLVPN WEB UI Text injection CVE-2024-33510

An improper neutralization of special elements in output used by a downstream component ('Injection')...

FortiOS 7.4.3, 7.4.2, 7.4.1, 7.4.0, 7.2.8 ... FortiProxy 7.4.3, 7.4.2, 7.4.1, 7.4.0, 7.2.9 ...

Published: Nov 12, 2024

GUI

Low Severity

FG-IR-24-098 Stack buffer overflow in CLI command CVE-2024-31496

A stack-based buffer overflow vulnerability [CWE-121] in FortiManager, FortiAnalyzer and...

FortiAnalyzer 7.4.2, 7.4.1, 7.4.0, 7.2.5, 7.2.4 ... FortiAnalyzer-BigData 7.4.0, 7.2.7, 7.2.6, 7.2.5, 7.2.4 ... FortiManager 7.4.2, 7.4.1, 7.4.0, 7.2.5, 7.2.4 ...

Published: Nov 12, 2024


Related vulnerabilities: CVE-2024-35274, CVE-2024-23666, CVE-2024-33510, CVE-2024-32118, CVE-2024-33505, CVE-2024-32117, CVE-2024-32116, CVE-2024-31496, CVE-2023-44255, CVE-2024-26011, CVE-2023-50176

Ivanti has released updates for Ivanti Endpoint Manager which addresses high and critical severity vulnerabilities.

Ivanti is not aware of any customers being exploited by these vulnerabilities at the time of disclosure.

Security Advisory EPM November 2024 for EPM 2024 and EPM 2022 SU6

Primary Product

Endpoint Manager

Created Date

12 Nov 2024 15:00:14

Last Modified Date

12 Nov 2024 21:33:24

Summary 

Ivanti has released updates for Ivanti Endpoint Manager which addresses high and critical severity vulnerabilities.  

We are not aware of any customers being exploited by these vulnerabilities at the time of disclosure. 

Vulnerability Details:

| CVE Number | Description | CVSS Score (Severity) | CVSS Vector | CWE |
|---|---|---|---|---|
| CVE-2024-34787 | Path traversal in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a local unauthenticated attacker to achieve code execution. User interaction is required. | 7.8 (High) | CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CWE-22 |
| CVE-2024-50322 | Path traversal in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a local unauthenticated attacker to achieve code execution. User interaction is required. | 7.8 (High) | CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CWE-22 |
| CVE-2024-32839 | SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution. | 7.2 (High) | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H | CWE-89 |
| CVE-2024-32841 | SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution. | 7.2 (High) | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H | CWE-89 |
| CVE-2024-32844 | SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution. | 7.2 (High) | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H | CWE-89 |
| CVE-2024-32847 | SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution. | 7.2 (High) | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H | CWE-89 |
| CVE-2024-34780 | SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution. | 7.2 (High) | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H | CWE-89 |
| CVE-2024-37376 | SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution. | 7.2 (High) | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H | CWE-89 |
| CVE-2024-34781 | SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution. | 7.2 (High) | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H | CWE-89 |
| CVE-2024-34782 | SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution. | 7.2 (High) | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H | CWE-89 |
| CVE-2024-34784 | SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution. | 7.2 (High) | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H | CWE-89 |
| CVE-2024-50323 | SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a local unauthenticated attacker to achieve code execution. User interaction is required. | 7.8 (High) | CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CWE-89 |
| CVE-2024-50324 | Path traversal in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution. | 7.2 (High) | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H | CWE-22 |
| CVE-2024-50326 | SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution. | 7.2 (High) | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H | CWE-89 |
| CVE-2024-50327 | SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution. | 7.2 (High) | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H | CWE-89 |
| CVE-2024-50328 | SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution. | 7.2 (High) | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H | CWE-89 |
| CVE-2024-50329 | Path traversal in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote unauthenticated attacker to achieve remote code execution. User interaction is required. | 8.8 (High) | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CWE-22 |
| CVE-2024-50330 | SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote unauthenticated attacker to achieve remote code execution. | 9.8 (Critical) | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | CWE-89 |

Affected Versions

| Product Name | Affected Version(s) | Resolved Version(s) | Patch Availability |
|---|---|---|---|
| Ivanti Endpoint Manager (EPM) | 2024 September security update and prior; 2022 SU6 September security update and prior | 2024 November Security Update; 2022 SU6 November Security Update | |


Related vulnerabilities: CVE-2024-50323, CVE-2024-34787, CVE-2024-32844, CVE-2024-50324, CVE-2024-34780, CVE-2024-50326, CVE-2024-50328, CVE-2024-32847, CVE-2024-50329, CVE-2024-50330, CVE-2024-34781, CVE-2024-34784, CVE-2024-34782, CVE-2024-32839, CVE-2024-50327, CVE-2024-32841, CVE-2024-50322, CVE-2024-37376
