In this week's Security Advisory
- Critical Rust Vulnerability can Lead to Command Injection Attacks
- Security Patch Released for Four Vulnerabilities in Ivanti's Connect Secure (CS) and Policy Secure (PS) Products
- Microsoft Patch Tuesday Addresses Several Vulnerabilities
- Critical Zero-Day Vulnerability in D-Link NAS devices can Lead to Code Injection
- Security Updates Released for Adobe Products
Critical Rust Vulnerability can Lead to Command Injection Attacks
Recent threat intelligence has uncovered a critical vulnerability within the Rust standard library. This flaw, tracked as CVE-2024-24576 with a CVSS score of 10 out of 10, poses a significant risk by enabling the execution of unintended malicious shell commands. The exploitability of this high-severity vulnerability hinges on an attacker's ability to manipulate the command arguments within a batch file.
The main issue of this flaw comes from the inadequate handling of argument escaping when the Command API within the Rust standard library is used to execute batch files with the bat and cmd extensions on Windows. Currently, all Rust Versions Prior to 1.77.2 are affected.
Affected Versions:
- All Versions Prior to 1.77.2 on Windows
More Reading/Information
- https://www.bleepingcomputer.com/news/security/critical-rust-flaw-enables-windows-command-injection-attacks/
- https://www.theregister.com/2024/04/10/rust_critical_vulnerability_windows/
- https://gbhackers.com/rust-flaw-let-attackers-inject-commands/
Security Patch Released for Four Vulnerabilities in Ivanti's Connect Secure (CS) and Policy Secure (PS) Products
Ivanti has recently become aware of four newly identified vulnerabilities affecting its Connect Secure (CS - previously known as Pulse Secure) and Policy Secure (PS) products. These vulnerabilities, designated as CVE-2024-21894 and CVE-2024-22053, both carry a CVSS score of 8.2 out of 10, and they enable threat actors to send tailored packets to disrupt services, leading to potential Denial of Service (DoS) attacks. During service disruptions, threat actors may exploit these vulnerabilities to execute additional malicious commands or gain unauthorized access to memory contents.
The third vulnerability, CVE-2024-22052, with a CVSS score of 7.5 out of 10, is attributed to a flaw in which a null pointer is dereferenced, resulting in runtime errors or crashes when attempting to access nonexistent data. This vulnerability can allow adversaries to execute another form of DoS attack as the null runtime errors will cause services to be stopped.
Lastly, the vulnerability tracked as CVE-2024-22023, with a CVSS score of 5.3 out of 10, occurs when an attacker continually sends XML requests, inundating the system and depleting computer resources to the point where traffic comes to a standstill.
**Of Note, the four newly identified vulnerabilities are not related to previously disclosed vulnerabilities in Ivanti's PulseSecure devices.
Impacts All Affected Versions:
- 9.x
- 22.x
More Reading/Information
- https://cert.europa.eu/publications/security-advisories/2024-033/
- https://www.bleepingcomputer.com/news/security/new-ivanti-rce-flaw-may-impact-16-000-exposed-vpn-gateways/
- https://www.ivanti.com/blog/security-update-for-ivanti-connect-secure-and-policy-secure
- https://gbhackers.com/ivanti-connect-secure-remote-code-execution-flaws/
Microsoft Patch Tuesday Addresses Several Vulnerabilities
In the April 2024 patch Tuesday release, Microsoft fixed a total of one-hundred-forty-nine (149) vulnerabilities, three (3) of which were classified as 'critical.' These critical issues affect 'Microsoft Defender for IoT,' a security solution designed to identify and mitigate potential threats to IoT devices within the environment.
Among the critical vulnerabilities, CVE-2024-29053 and CVE-2024-21323 both received a CVSS score of 8.8 out of 10. CVE-2024-29053 enables threat actors to exploit the file upload feature, allowing them to upload malicious files to designated directories within a server. CVE-2024-21323 can be exploited by attackers uploading a tar file, allowing subsequent update packages from the attacker to remain unsigned. Additionally, this vulnerability allows overwriting of existing files with those provided by the attacker.
**Of note, there are currently two vulnerabilities exploited in the wild.
CVE-2024-29988 has a CVSS rating of 8.8 out of 10, enabling attackers to circumvent safeguards of the Microsoft SmartScreen UI prompt designed to caution users about files sourced from the internet. This is also known as a Mark-of-the-web bypass.
CVE-2024-26234 holds a CVSS rating of 6.7 out of 10 and involves a malicious Microsoft driver that contains legitimate signatures. This can allow an attacker to masquerade a malicious application as a legitimate windows binary.
More Reading/Information
- https://www.bleepingcomputer.com/news/microsoft/microsoft-april-2024-patch-tuesday-fixes-150-security-flaws-67-rces/
- https://msrc.microsoft.com/update-guide/releaseNote/2024-Apr
- https://krebsonsecurity.com/2024/04/aprils-patch-tuesday-brings-record-number-of-fixes/
- https://learn.microsoft.com/en-us/azure/defender-for-iot/organizations/overview
- https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-two-windows-zero-days-exploited-in-malware-attacks/#google_vignette
Critical Zero-Day Vulnerability in D-Link NAS devices can Lead to Code Injection
D-Link US has issued a critical advisory regarding vulnerabilities in their EoL (End of Life) NAS (Network Attached Storage) devices. The zero-day vulnerability, identified as CVE-2024-3273 and rated 7.3 out of 10 on the CVSS scale, enables attackers to exploit an internal HTTP request handler function to execute malicious commands on the system. This vulnerability also contains a backdoor accessible via a preconfigured account credential, granting entry without requiring any password. Recent threat intelligence suggests that this vulnerability is actively being exploited in the wild. At this time, D-Link has announced that all affected devices from this vulnerability are End of Life and therefore security patches will not be provided.
Affected Devices:
- DNS-320L
- DNS-325
- DNS-327L
- DNS-340L
More Reading/Information
- https://nvd.nist.gov/vuln/detail/CVE-2024-3273
- https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10383
- https://www.bleepingcomputer.com/news/security/critical-rce-bug-in-92-000-d-link-nas-devices-now-exploited-in-attacks/
- https://www.helpnetsecurity.com/2024/04/08/cve-2024-3273/
Security Updates Released for Adobe Products
Security updates were released for several Adobe products in their monthly security bulletin. Adobe had over twenty-four (24) vulnerabilities, with five (5) vulnerabilities given a severity rating of "critical". These vulnerabilities affect Adobe After Effects, Photoshop, Commerce, InDesign, Experience Manager, Media Encoder, Bridge, Illustrator and Animate.
More Reading/Information
- https://helpx.adobe.com/security/security-bulletin.html
- https://krebsonsecurity.com/2024/04/aprils-patch-tuesday-brings-record-number-of-fixes/
Recommendations
Please review your environment to ensure the above-mentioned issues are patched in a timely manner. It is security best practice to regularly update and/or patch software to the latest versions. The vulnerabilities above highlight the security benefits of limiting deployed software to "vendor-supported versions" only. This dramatically increases the likelihood that new vulnerabilities have a patch issued for them. Likewise, Cybersafe strongly encourages maintaining an inventory of current software in your environment, which helps ensure and inform your patch and vulnerability management program.
