Cybersafe Solutions Security Advisory Bulletin April 26, 2024

In this week's Security Advisory:

• Vulnerabilities (CVE-2024-20295 & CVE-2024-20356) in Cisco Integrated Management Controller Could Lead to Command Injection
• CrushFTP Patches Critical Zero-Day Flaw Actively Exploited in the Wild
• Critical Vulnerabilities in WordPress Plugin 'Forminator' Could Lead to Malicious Code Execution
• Security Updates Released for Google Chrome Desktop Browser and Oracle Products

Vulnerabilities (CVE-2024-20295 & CVE-2024-20356) in Cisco Integrated Management Controller Could Lead to Command Injection

Cisco has issued an advisory to address two significant vulnerabilities in its Integrated Management Controller (IMC) that could result in arbitrary code execution with root user privileges. CVE-2024-20295 (CVSS score: 8.8 out of 10) and CVE-2024-20356 (CVSS score: 8.7 out of 10) can allow an authenticated, local attacker to exploit improper input validations through command injections within the controller's command-line interface, enabling them to execute customized commands and elevate their privileges to root access. Of note, proof-of-concepts (POC) for these vulnerabilities have been publicly disclosed and exploitation have been observed in the wild.

More Reading/Information

• https://www.bleepingcomputer.com/news/security/cisco-discloses-root-escalation-flaw-with-public-exploit-code/
• https://sec.cloudapps.cisco.com/security/center/publicationListing.x
• https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cimc-cmd-inj-mUx4c5AJ
• https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cimc-cmd-inj-bLuPcb
• https://cybersecuritynews.com/poc-exploit-cisco-imc/

CrushFTP Patches Critical Zero-Day Flaw Actively Exploited in the Wild

A zero-day vulnerability was discovered in CrushFTP that could allow an unauthenticated attacker to obtain sensitive system data outside of the virtual file system sandbox. While this vulnerability requires a CrushFTP host to be publicly exposed to the internet, the flaw allows an attacker to bypass authentication and remotely execute malicious code that can exfiltrate client data. The vulnerability is being tracked as CVE-2024-4040 with a critical CVSS rating of 9.8 out of a possible 10.

Of note, exploitation of this flaw has been observed in the wild.

Affected Versions:

• V10 - All versions prior to 10.7.1
• V11 - All versions prior to 11.1.0

More Reading/Information

• https://www.bleepingcomputer.com/news/security/crushftp-warns-users-to-patch-exploited-zero-day-immediately/#google_vignette
• https://www.helpnetsecurity.com/2024/04/23/cve-2024-4040/
• https://www.scmagazine.com/brief/intrusions-exploiting-critical-crushftp-zero-day-underway
• https://www.crushftp.com/crush11wiki/Wiki.jsp?page=Update
• https://www.crushftp.com/crush10wiki/Wiki.jsp?page=Update

Critical Vulnerabilities in WordPress Plugin 'Forminator' Could Lead to Malicious Code Execution

There were three (3) vulnerabilities discovered in the WordPress plugin, Forminator, which could result in a threat actor executing arbitrary commands and gaining access to unauthorized information. Forminator is a popular form builder tool used by developers to create widgets, polls, surveys and payment forms on their websites. Among the identified issues, CVE-2024-28890 (CVSS score: 9.8 out of 10) is a flaw that can allow an attacker to upload malicious files and execute code to acquire sensitive data.

CVE-2024-31077 (CVSS score: 7.1 out of 10) allows arbitrary commands to execute due to improper input validation in SQL queries. CVE-2024-31857 (CVSS score: 6.1 out of 10) is a cross-site script vulnerability that can allow an attacker to alter site contents of a user's webpage.

Affected Versions:

• CVE-2024-28890
  • Versions Prior to 1.29.0
• CVE-2024-31077
  • Versions Prior to 1.29.3
• CVE-2024-31857
  • Versions Prior to 1.15.4

More Reading/Information

• https://www.bleepingcomputer.com/news/security/critical-forminator-plugin-flaw-impacts-over-300k-wordpress-sites/
• https://wordpress.org/plugins/forminator/
• https://www.techradar.com/pro/security/a-critical-security-flaw-could-affect-thousands-of-wordpress-sites
• https://cybersecuritynews.com/forminator-wordpress-plugin/

Security Updates Released for Google Chrome Desktop Browser and Oracle Products

Google Chrome released a security update to fix four (4) vulnerabilities, with one (1) vulnerability given a severity rating of "Critical". These vulnerabilities affect Windows, Mac and Linux.

Oracle released 441 patches in their quarterly update, which fixed vulnerabilities in several of their products. The most severe can lead to remote code execution, which can allow a threat actor to install programs, view, change, or delete information, and potentially gain control of an affected system. It is recommended to update all affected products to their latest version. The full list of affected Oracle products can be found here: https://www.oracle.com/security-alerts/cpuapr2024.html 

More Reading/Information

• https://www.oracle.com/security-alerts/cpuapr2024.html
• https://chromereleases.googleblog.com/2024/04/stable-channel-update-for-desktop_24.html
• https://www.securityweek.com/google-patches-critical-chrome-vulnerability/
• https://www.oodaloop.com/cyber/2024/04/24/google-patches-critical-chrome-vulnerability/

Recommendations

Please review your environment to ensure the above-mentioned issues are patched in a timely manner.  It is security best practice to regularly update and/or patch software to the latest versions.  The vulnerabilities above highlight the security benefits of limiting deployed software to "vendor-supported versions" only.  This dramatically increases the likelihood that new vulnerabilities have a patch issued for them.  Likewise, Cybersafe strongly encourages maintaining an inventory of current software in your environment, which helps ensure and inform your patch and vulnerability management program.