In this week's Security Advisory:
- Critical PuTTY Client Vulnerability can Expose Private SSH Keys
- Fortinet Releases Patches for Vulnerabilities Detected in FortiOS, FortiProxy, FortiClientMac and FortiClientLinux
- Multiple Vulnerabilities Discovered in Ivanti Avalanche
- Security Patch Released in Google Chrome Desktop Browser and Mozilla Products
Critical PuTTY Client Vulnerability can Expose Private SSH Keys
PuTTY has issued a critical advisory concerning a vulnerability in the client responsible for generating ECDSA private keys used in SSH authentication. Tracked as CVE-2024-31497, this flaw has not yet received a CVSS rating. CVE-2024-31497 may allow an attacker to recover a user's private SSH key, thereby allowing access across any server the key is able to authenticate to. Of note, the only affected key type is ECDSA NIST-P521.
Affected Versions:
- PuTTY - 0.68 through 0.80
- FileZilla - 3.24.1 through 3.66.5
- WinSCP - 5.9.5 through 6.3.2
- TortoiseGit - 2.4.0.2 through 2.15.0
- TortoiseSVN - 1.10.0 through 1.14.6
More Reading/Information
- https://cybersecuritynews.com/putty-client-vulnerability/
- https://www.bleepingcomputer.com/news/security/putty-ssh-client-flaw-allows-recovery-of-cryptographic-private-keys/
- https://www.helpnetsecurity.com/2024/04/16/cve-2024-31497/
- https://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-p521-bias.html
Fortinet Releases Patches for Vulnerabilities Detected in FortiOS, FortiProxy, FortiClientMac and FortiClientLinux
Fortinet has issued security updates for FortiOS, FortiProxy, FortiClientMac, and FortiClientLinux to address several vulnerabilities. The most critical issue, identified as CVE-2023-45590 with a CVSS score of 9.6, is vulnerable to code injection and can allow an unauthenticated attacker to execute malicious commands within FortiClientLinux. Other vulnerabilities that are rated 'high', include CVE-2023-41677 (CVSS 7.5), impacting FortiOS and FortiProxy, which could lead to administrator cookies being stolen upon visiting a malicious site. Additionally, CVE-2023-45588 and CVE-2024-31492 (both CVSS 7.8) affect the FortiClientMac installer, enabling attackers to execute malicious commands within a configuration file during installation.
More Reading/Information
- https://www.scmagazine.com/news/fortinet-patches-forticlientlinux-critical-rce-vulnerability
- https://www.securityweek.com/fortinet-patches-critical-rce-vulnerability-in-forticlientlinux/
- https://www.crn.com/news/security/2024/fortinet-discloses-vulnerabilities-in-fortios-fortiproxy-forticlient-linux-and-mac
- https://www.fortiguard.com/psirt/FG-IR-23-087
- https://www.fortiguard.com/psirt/FG-IR-23-493
- https://www.fortiguard.com/psirt/FG-IR-23-345
Multiple Vulnerabilities Discovered in Ivanti Avalanche
Ivanti has released an advisory detailing twenty-seven (27) vulnerabilities within Ivanti Avalanche, an enterprise mobile device management solution. Of the vulnerabilities found, two (2) received a severity rating of "Critical." These vulnerabilities are present in the WLAvalancheService and WLInfoRailService components. CVE-2024-24996 and CVE-2024-29204 are critical flaws that have been given a CVSS rating of 9.8 out of a possible 10 and can allow an unauthenticated attacker to execute arbitrary commands. These vulnerabilities impact Ivanti Avalanche on-premise products.
Affected Versions:
- Ivanti Avalanche (on-premise) version prior to 6.4.3
More Reading/Information
- https://www.scmagazine.com/brief/over-two-dozen-ivanti-avalanche-vulnerabilities-addressed
- https://forums.ivanti.com/s/article/Avalanche-6-4-3-Security-Hardening-and-CVEs-addressed?language=en_US
- https://www.techradar.com/pro/security/another-ivanti-service-has-been-forced-to-patch-multiple-security-flaws
- https://www.bleepingcomputer.com/news/security/ivanti-warns-of-critical-flaws-in-its-avalanche-mdm-solution/
Security Patch Released in Google Chrome Desktop Browser and Mozilla Products
Security updates were released by Google and Mozilla to address several vulnerabilities in each product.
Google released a security update to fix twenty-three (23) vulnerabilities in its Chrome Desktop Browser in Windows, Mac, and Linux with three (3) receiving a severity rating of "high".
Mozilla released security updates to address vulnerabilities in several of its products that could lead to arbitrary code execution. There was a total of twenty-four (24) vulnerabilities affecting Firefox, and Firefox ESR with thirteen (13) receiving a severity rating of 'high'. These affect Firefox versions prior to 125, and Firefox ESR versions prior to 115.10.
More Reading/Information
- https://chromereleases.googleblog.com/2024/04/stable-channel-update-for-desktop_16.html
- https://www.mozilla.org/en-US/security/advisories/
- https://www.mozilla.org/en-US/security/advisories/mfsa2024-19/
- https://www.mozilla.org/en-US/security/advisories/mfsa2024-18/
Recommendations
Please review your environment to ensure the above-mentioned issues are patched in a timely manner. It is security best practice to regularly update and/or patch software to the latest versions. The vulnerabilities above highlight the security benefits of limiting deployed software to "vendor-supported versions" only. This dramatically increases the likelihood that new vulnerabilities have a patch issued for them. Likewise, Cybersafe strongly encourages maintaining an inventory of current software in your environment, which helps ensure and inform your patch and vulnerability management program.
