Cybersafe Solutions Security Advisory Bulletin March 15, 2024

In this week's Security Advisory:

• Fortinet Releases Security Patches for Critical Vulnerabilities
• Cisco Issues Patch for Vulnerabilities Detected in Secure Client
• Microsoft Patch Tuesday Addresses Several Vulnerabilities
• QNAP Patches Critical Flaws Impacting NAS Devices
• AnyCubic Releases Security Patch for Zero-Day Vulnerability in Kobra 2
• Security Updates Released for Adobe Products and Google Chrome Desktop Browser

Fortinet Releases Security Patches for Critical Vulnerabilities

Fortinet has issued several security patches to address vulnerabilities detected in its products.  Currently, there are five (5) vulnerabilities being tracked with two (2) as 'critical' and three (3) as 'high' in terms of severity.

CVE-2023-42789 (CVSS score: 9.8) is a critical out-of-bounds write flaw, while CVE-2023-42790 (CVSS score: 8.1) represents a buffer overflow vulnerability. When combined, these vulnerabilities can enable an attacker to execute arbitrary commands via specially crafted HTTP requests within the FortiOS and FortiProxy environments.

CVE-2023-48788 (CVSS score: 9.8) exposes a critical vulnerability within FortiClientEMS. This flaw can allow remote attackers to execute commands on an administrative host due to inadequate input validation.  Consequently, threat actors can manipulate SQL queries to carry out unauthorized actions, such as generating unwanted log entries.

The following versions are affected:

•     FortiClientEMS 7.2.0 through 7.2.2
•     FortiClientEMS 7.0.0 through 7.0.10
•     FortiClientEMS 6.4 all versions
•     FortiClientEMS 6.2 all versions
•     FortiClientEMS 6.0 all versions
•     FortiOS version 7.4.0 through 7.4.1
•     FortiOS version 7.2.0 through 7.2.6
•     FortiOS version 7.0.0 through 7.0.13
•     FortiOS version 6.4.0 through 6.4.14
•     FortiOS version 6.2.0 through 6.2.15
•     FortiProxy version 7.4.0 through 7.4.2
•     FortiProxy version 7.2.0 through 7.2.8
•     FortiProxy version 7.0.0 through 7.0.14
•     FortiProxy version 2.0.0 through 2.0.13
•     FortiManager version 7.4.0
•     FortiManager version 7.2.0 through 7.2.3
•     FortiManager version 7.0.0 through 7.0.10
•     FortiManager version 6.4.0 through 6.4.13
•     FortiManager 6.2 all versions

More Reading/Information

• https://www.crn.com/news/security/2024/fortinet-discloses-two-critical-vulnerabilities-three-high-severity-flaws?itc=refresh
• https://www.cisa.gov/news-events/alerts/2024/03/12/fortinet-releases-security-updates-multiple-products
• https://www.fortiguard.com/psirt/FG-IR-23-390
• https://www.fortiguard.com/psirt/FG-IR-23-328
• https://www.fortiguard.com/psirt/FG-IR-24-013
• https://www.fortiguard.com/psirt/FG-IR-23-103
• https://www.fortiguard.com/psirt/FG-IR-24-007

Cisco Issues Patch for Vulnerabilities Detected in Secure Client

Cisco has released a patch addressing two (2) high-severity vulnerabilities discovered in the Secure Client VPN application. CVE-2024-20337, rated with a CVSS score of 8.2 out of 10, involves a flaw in the SAML authentication process. This flaw enables remote threat actors to execute arbitrary script code within the browser by exploiting inadequate validation of user input. Additionally, adversaries can exploit this vulnerability to pilfer the SAML token, subsequently establishing a remote access VPN session with the privileges of the targeted user. CVE-2024-20338, rated with a CVSS score of 7.3 out of 10, is a vulnerability within Secure Client for Linux. This flaw enables a threat actor with local access to the host to execute arbitrary code with root privileges. The exploit involves placing a malicious library script file within a system directory in the file system and initiating a process restart by an administrator.

Affected Versions:

• 4.10.04065 and later
• 5.0
• 5.1
• Secure Client for Linux Prior to 5.1.2.42

More Reading/Information

• https://www.securityweek.com/cisco-patches-high-severity-vulnerabilities-in-vpn-product/
• https://www.helpnetsecurity.com/2024/03/08/cve-2024-20337/
• https://www.techradar.com/pro/security/cisco-tells-secure-client-users-to-patch-immediately-or-risk-vpn-security-flaw
• https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-secure-client-crlf-W43V4G7

Microsoft Patch Tuesday Addresses Several Vulnerabilities

In the March 2024 patch Tuesday release, Microsoft tackled a total of sixty (60) vulnerabilities, two (2) of which were classified as 'critical.' Notably, both critical vulnerabilities are related to Windows HyperV. One of them, CVE-2024-21407 (CVSS score 8.1), poses a risk of remote code execution, enabling authenticated threat actors on a virtual machine to execute malicious code by sending a specifically crafted file.  The other, CVE-2024-21408 (CVSS score 5.5), involves an issue within the virtual machine that could potentially result in denial of service attacks.

More Reading/Information

• https://www.bleepingcomputer.com/news/microsoft/microsoft-march-2024-patch-tuesday-fixes-60-flaws-18-rce-bugs/
• https://www.securityweek.com/patch-tuesday-microsoft-flags-major-bugs-in-hyperv-exchange-server/
• https://www.helpnetsecurity.com/2024/03/12/march-2024-patch-tuesday/

QNAP Patches Critical Flaws Impacting NAS Devices

QNAP released updates to fix three (3) critical vulnerabilities affecting several QNAP operating system versions and applications on its NAS devices, including QTS, QuTS hero, QuTScloud, and myQNAPcloud.

The most severe of these is CVE-2024-21899, which has a CVSS score of 9.8 out of 10, enabling a threat actor to remotely compromise system security without authentication.

The other vulnerabilities, CVE-2024-21900 and CVE-2024-21901, possess lower CVSS scores of 4.3 and 4.7 respectively, as they require an authenticated user for exploitation. CVE-2024-21900 permits an authenticated attacker to inject arbitrary commands into a system via a network, while CVE-2024-21901 is a SQL injection vulnerability allowing a threat actor to deploy malicious code and compromising database integrity.

Affected versions:

• QTS 5.1.x
• QTS 4.5.x
• QuTS hero h5.1.x
• QuTS hero h4.5.x
• QuTScloud c5.x
• myQNAPcloud 1.0.x

More Reading/Information

• https://www.bleepingcomputer.com/news/security/qnap-warns-of-critical-auth-bypass-flaw-in-its-nas-devices/
• https://www.securityweek.com/critical-vulnerability-allows-access-to-qnap-nas-devices/
• https://duo.com/decipher/qnap-fixes-critical-flaws-impacting-nas-devices
• https://www.scmagazine.com/news/qnap-fixes-three-bugs-on-nas-devices-one-critical-authentication-flaw

AnyCubic Releases Security Patch for Zero-Day Vulnerability in Kobra 2

AnyCubic has issued an update to the Kobra 2 firmware addressing a recently discovered zero-day vulnerability impacting 3D printers. Security researchers demonstrated a proof of concept revealing the potential for threat actors to gain control over the printer via the cloud's MQTT server using any valid credential.  Although an official CVSS score for the vulnerability is pending, AnyCubic has implemented several measures to mitigate the issue, including strengthening security verifications for file downloads and enhancing security protocols for MQTT server connections.

More Reading/Information

• https://thehackernews.com/2024/03/cisco-issues-patch-for-high-severity.html
• https://www.securityweek.com/cisco-patches-high-severity-vulnerabilities-in-vpn-product/
• https://www.bleepingcomputer.com/news/security/anycubic-3d-printers-hacked-worldwide-to-expose-security-flaw/

Security Updates Released for Adobe Products and Google Chrome Desktop Browser

There were security updates released by Adobe and Google Chrome Desktop Browser to address several vulnerabilities in each product.

Adobe had over fifty-eight (58) vulnerabilities, with eight (8) vulnerabilities given a severity rating of 'critical'.  These vulnerabilities affect Adobe Experience Manager, Premiere Pro, ColdFusion, Bridge, Lightroom, and Animate.

Google released a security update to fix three (3) vulnerabilities in its Chrome Desktop Browser for Windows, Mac, and Linux.  CVE-2024-2400 is being tracked as a high-severity flaw that allows a threat actor to create a custom made HTML page and cause the browser to crash through heap corruption.  This can be accomplished by freeing the memory allocation of a program but not clearing the pointer to the memory resulting in an error.

More Reading/Information

• https://helpx.adobe.com/security/security-bulletin.html
• https://chromereleases.googleblog.com/
• https://cybersecuritynews.com/chrome-use-after-free-flaw-crash/
• https://krebsonsecurity.com/2024/03/patch-tuesday-march-2024-edition/

Recommendations

Please review your environment to ensure the above-mentioned issues are patched in a timely manner.  It is security best practice to regularly update and/or patch software to the latest versions.  The vulnerabilities above highlight the security benefits of limiting deployed software to "vendor-supported versions" only.  This dramatically increases the likelihood that new vulnerabilities have a patch issued for them.  Likewise, Cybersafe strongly encourages maintaining an inventory of current software in your environment, which helps ensure and inform your patch and vulnerability management program.