Exposures, Exposed! Weekly Round-up June 17-23
Feeling tangled in a web of digital darkness? Illuminate your journey with "Exposures, Exposed!" - your one-stop guide to dispelling the shadows! Our weekly intel, straight from our security experts, sheds light on the latest online threats and equips you with the know-how to stay secure.
Here’s what we’ve got for you this week:
VMware Patches Critical vCenter Server Flaws
VMware released patches for severe vCenter Server vulnerabilities that could allow remote code execution. Two critical vulnerabilities (CVE-2024-37079 & CVE-2024-37080) impact the DCERPC protocol. Attackers with network access could exploit them to execute malicious code.
A separate vulnerability (CVE-2024-37081) concerns Sudo misconfiguration, potentially allowing local privilege escalation.
The Takeaway: VMware is not aware of active exploits but recommends patching vCenter Server versions 7.0 and 8.0 immediately. Patches are available in versions 8.0 U2d, 8.0 U1e, and 7.0 U3r. Look for advisories on the Broadcom Support Portal.
Atlassian Releases Security Updates for Confluence, Crucible, Jira
Atlassian released software updates to address critical security vulnerabilities in Confluence, Crucible, and Jira products.
Confluence Data Center and Server updates fix six security flaws, including a broken access control issue (CVE-2024-22257) that could allow attackers to see unauthorized data. Additionally, three related server-side request forgery vulnerabilities (CVE-2024-22243, CVE-2024-22262, CVE-2024-22259) and two out-of-bounds write bugs (CVE-2024-22278, CVE-2024-22279) were patched. These vulnerabilities could allow attackers to potentially steal data or crash affected systems.
Crucible Data Center and Server versions 4.8.15 and higher address a deserialization vulnerability (CVE-2024-22276) that could be exploited for denial-of-service attacks.
Atlassian also patched an information disclosure vulnerability (CVE-2024-21685) in Jira Data Center and Server and Jira Service Management Data Center and Server products.
The Takeaway: While there are no reports of these vulnerabilities being actively exploited, Atlassian recommends updating Confluence, Crucible, and Jira to the latest versions.
Mailcow Vulnerabilities Expose Servers to Attacks
Two security vulnerabilities in Mailcow, an open-source mail server software, could allow attackers to take control of vulnerable servers. The more severe flaw (CVE-2024-31204) is a scripting vulnerability that could be exploited to inject malicious code into the Mailcow admin panel. This could allow attackers to steal data or compromise user accounts.
The other vulnerability (CVE-2024-30270) allows attackers to overwrite files on the server, potentially granting them full control of the system.
However, both vulnerabilities require a Mailcow administrator to view a malicious email while logged into the admin panel. Simply receiving the email is not enough.
The Takeaway: Mailcow administrators should update their software immediately to version 2024-04 or later to protect their servers from these vulnerabilities.
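The precondition above (an administrator merely viewing a crafted message in the admin panel) is the signature of a stored script-injection bug: untrusted mail headers reach the page without being escaped. The following is an added illustration, written for this round-up and not code from the Mailcow project, showing the vulnerable rendering pattern beside the hardened one on a constructed message. The header values, the row-rendering helpers and the tag-checking regex are all assumptions made for the example.

```python
import html
import re

# Constructed sample message (hypothetical, not a real Mailcow message):
# the Subject header carries HTML with an event-handler attribute,
# the kind of content an admin panel must never render verbatim.
SAMPLE_HEADERS = {
    "From": "attacker@example.invalid",
    "Subject": '<img src=x onerror="alert(1)">Quarantine report',
}

# Matches the name of every opening or closing tag in an HTML fragment.
TAG_RE = re.compile(r"<\s*/?\s*([a-zA-Z][\w-]*)")
# Tags the admin panel's own template legitimately emits for one table row.
ALLOWED_TAGS = {"tr", "td"}


def render_row_unsafe(headers: dict) -> str:
    """Vulnerable pattern: header values are spliced straight into HTML,
    so markup inside a header becomes part of the page."""
    return f"<tr><td>{headers['From']}</td><td>{headers['Subject']}</td></tr>"


def render_row_safe(headers: dict) -> str:
    """Hardened pattern: every untrusted value is HTML-escaped (quotes too)
    before it reaches the page, so markup in a header renders as text."""
    cells = "".join(
        f"<td>{html.escape(str(value), quote=True)}</td>"
        for value in (headers["From"], headers["Subject"])
    )
    return f"<tr>{cells}</tr>"


def only_expected_tags(fragment: str) -> bool:
    """Review/test helper: True when the rendered fragment contains no tags
    other than the template's own <tr>/<td>, i.e. nothing from the mail
    headers survived as live markup."""
    return all(tag.lower() in ALLOWED_TAGS for tag in TAG_RE.findall(fragment))


if __name__ == "__main__":
    print("unsafe:", render_row_unsafe(SAMPLE_HEADERS))
    print("safe:  ", render_row_safe(SAMPLE_HEADERS))
    print("unsafe clean?", only_expected_tags(render_row_unsafe(SAMPLE_HEADERS)))
    print("safe clean?  ", only_expected_tags(render_row_safe(SAMPLE_HEADERS)))
```

The check in `only_expected_tags` is deliberately structural (what tags ended up in the output) rather than a blocklist of suspicious strings, because an escaped header still contains the literal text `onerror=`; what matters is that it is no longer a tag.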
Rockwell Automation Patches Critical FactoryTalk View SE Flaws
Rockwell Automation addressed critical security vulnerabilities in its FactoryTalk View Site Edition (SE) HMI software. Three vulnerabilities, all discovered internally, were patched with the release of version 14.
Two vulnerabilities (CVE-2024-37368 & CVE-2024-37367) involve a lack of proper authentication, allowing unauthorized users to potentially view HMI projects remotely. The third vulnerability (CVE-2024-37369) allows low-privilege users to escalate privileges within the system.
CISA published advisories to inform organizations about these vulnerabilities.
Rockwell Automation also addressed a separate vulnerability impacting some ControlLogix, GuardLogix, and CompactLogix controllers. This flaw allows attackers to exploit the mDNS port and potentially disable affected controllers.
The Takeaway: Update FactoryTalk View SE to version 14 and implement network segmentation to protect Rockwell Automation controllers from internet threats.
Asus Patches Critical Vulnerabilities in Routers
Asus released security updates to address critical vulnerabilities in several router models. Two high-severity flaws were patched: CVE-2024-3080 allows attackers to remotely access vulnerable routers (RT-AC68U, RT-AC86U, RT-AX57, RT-AX88U, XT8, XT8_V2), while CVE-2024-3079 grants attackers with admin access the ability to execute commands.
Taiwan's cybersecurity agency recommends applying a patch for a separate critical command execution vulnerability (CVE-2024-3912) identified in January. This flaw affects a wider range of Asus routers, including both current and end-of-life models.
The Takeaway: Update your Asus router to the latest firmware to address critical security vulnerabilities.
Intel Processors Vulnerable in UEFI Firmware Flaw
A high-severity vulnerability (CVE-2024-0762) has been discovered in Phoenix Technologies' SecureCore UEFI firmware, impacting hundreds of PC and server models with Intel processors.
The flaw, dubbed "UEFIcanhazbufferoverflow," allows local attackers to escalate privileges and execute malicious code within the UEFI firmware. This could grant attackers complete control over the device.
The vulnerability affects SecureCore UEFI firmware used on various Intel processor families, including Alder Lake, Coffee Lake, and Tiger Lake. Manufacturers like Lenovo, Acer, Dell, and HP use these processors in their devices.
Phoenix Technologies patched the vulnerability in May, and device manufacturers have begun deploying fixes. Lenovo has started releasing patches, but some fixes may not be available until later in the summer.
The Takeaway: Check with your device manufacturer for updates to address the critical UEFI firmware vulnerability affecting Intel-based devices.
ZKTeco Biometric System Vulnerable to Multiple Attacks
Kaspersky identified critical vulnerabilities in ZKTeco's biometric access system that could allow attackers to bypass authentication, steal data, and even deploy backdoors.
Attackers could exploit these flaws to gain unauthorized access, steal biometric data like fingerprints, and manipulate devices remotely.
The vulnerabilities include SQL injection (allowing unauthorized access), command injection (executing malicious code), and buffer overflows (crashing the system).
Kaspersky warns that stolen biometric data could be used for social engineering attacks and stolen credentials could grant access to restricted areas.
Firmware version ZAM170-NF-1.8.25-7354-Ver1.0.0 is confirmed vulnerable, and a patch has not yet been confirmed.
The Takeaway: Isolate biometric readers, use strong passwords, minimize QR code usage, and update ZKTeco biometric systems to mitigate these vulnerabilities.
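Of the three bug classes listed for the ZKTeco devices, SQL injection is the one most directly tied to "unauthorized access": a lookup that splices an identifier into query text lets a crafted value change the query's meaning. As an added example (not ZKTeco's code; the table, the in-memory SQLite database and the lookup functions are all constructed for illustration), here is that vulnerable lookup beside the parameterised form, so the difference can be seen on the same input.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for a device's user table
    (hypothetical schema, not the real ZKTeco layout)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (user_id TEXT PRIMARY KEY, name TEXT, badge TEXT)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("1001", "Alice", "badge-a"), ("1002", "Bob", "badge-b")],
    )
    conn.commit()
    return conn


def lookup_unsafe(conn: sqlite3.Connection, user_id: str) -> list:
    """Vulnerable pattern: the caller-supplied identifier is formatted into
    the SQL text, so quote characters in it become part of the query."""
    sql = f"SELECT user_id, name FROM users WHERE user_id = '{user_id}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, user_id: str) -> list:
    """Hardened pattern: parameter binding keeps the value out of the SQL
    grammar; the driver sends it as data, never as query text."""
    return conn.execute(
        "SELECT user_id, name FROM users WHERE user_id = ?", (user_id,)
    ).fetchall()


def is_well_formed_id(user_id: str) -> bool:
    """Defence in depth: identifiers in this constructed schema are all
    digits, so reject anything else before it reaches the database."""
    return user_id.isdigit() and 1 <= len(user_id) <= 16


if __name__ == "__main__":
    db = build_db()
    crafted = "1001' OR '1'='1"  # constructed input with a quote in it
    print("unsafe, normal id:", lookup_unsafe(db, "1001"))
    print("unsafe, crafted:  ", lookup_unsafe(db, crafted))   # every row
    print("safe, crafted:    ", lookup_safe(db, crafted))     # no rows
    print("well-formed?      ", is_well_formed_id(crafted))   # False
```

The parameterised lookup returns nothing for the crafted value because no `user_id` literally equals that string; the validation helper adds a second, independent layer so malformed identifiers are refused before a query is built at all.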
That’s all for this week – have any exposures to add to our list? Let us know!