Exposures, Exposed! Weekly Round-up March 10 – March 16

In realms unseen, secrets sleep,

A chilling wind, of exploits deep.

Welcome then, to "Exposures, Exposed!"

No solace here for blissful ignorance,

But truths unveiled in morbid elegance.

Our ravens fly weekly across the web,

To bring to light and make shadows ebb.

Here's what we’ve got for you this week:

Patch Now: Critical Hyper-V Flaws, Exchange Server Update

Microsoft's March Patch Tuesday fixes addressed vulnerabilities in Hyper-V, Exchange Server, and Open Management Infrastructure (OMI). While no zero-days were disclosed, critical flaws in Hyper-V and an important update for Exchange Server demand prompt attention.

• Hyper-V faces remote code execution and denial-of-service threats - The two critical vulnerabilities patched this month target Microsoft's Hyper-V hypervisor. One allows potential remote code execution by authenticated attackers on guest VMs (CVE-2024-21407). The other is a denial-of-service vulnerability (CVE-2024-21408) requiring only basic privileges. While Microsoft considers exploitation unlikely for both, patching is crucial. 

• Exchange Server update mitigates remote code execution risk - An important update (CVE-2024-26198) addresses a remote code execution vulnerability in Exchange Server. Attackers can exploit this by tricking users into opening a malicious file. Due to Exchange Server's continued popularity with attackers, patching is essential.

• Open Management Infrastructure flaws require attention - OMI, used for Linux and Unix management, has two vulnerabilities addressed this month. A remote code execution flaw (CVE-2024-21334) carries the highest CVSS rating (9.8) and affects System Center Operations Manager. An elevation-of-privilege vulnerability (CVE-2024-21330) also requires patching.

• Staged rollout to address secure boot vulnerability - Admins should be aware of a multi-stage rollout to address a Secure Boot security feature bypass vulnerability (CVE-2023-24932). This April, updates will add boot manager mitigations, and by October, enforcement will begin, potentially causing issues with bootable media. Careful planning and log monitoring are necessary.

The Takeaway: Patch Hyper-V, Exchange Server, and OMI vulnerabilities immediately. Prepare for the upcoming Secure Boot mitigation rollout to avoid future problems.

Fortinet Warns of Critical Flaws in Network Security Products

Fortinet disclosed five security weaknesses in its firewalls and management software, prompting a warning from CISA. These critical and high-severity vulnerabilities affect Fortinet's FortiClient EMS, FortiManager, FortiOS, and FortiProxy. Attackers could exploit these weaknesses to seize control of vulnerable systems, potentially stealing data or disrupting operations.

While Fortinet is unsure if these vulnerabilities have been exploited yet, the severity is high. Two critical flaws (CVE-2023-48788 and CVE-2023-42789/CVE-2023-42790) target FortiClientEMS and FortiOS/Proxy, respectively. These could allow remote attackers or those with captive portal access to execute malicious code. 

FortiManager, FortiClientEMS, and FortiOS/Proxy SSLVPN also have high-severity vulnerabilities (CVE-2023-47534, CVE-2023-36554, CVE-2024-23112). Details are limited, but a "high" rating signifies significant risk.

The Takeaway: System administrators should patch all affected Fortinet products (FortiClient EMS, FortiManager, FortiOS, and FortiProxy) immediately to address these critical security vulnerabilities.

TeamCity Flaw Actively Exploited, Patch Now

JetBrains urgently warns users to patch critical vulnerabilities (CVE-2024-27198 & CVE-2024-27199) in TeamCity, a build management server. Exploits are circulating, allowing attackers to bypass authentication and potentially steal code or disrupt operations.

These flaws impact all TeamCity On-Premises versions before 2023.11.4. Patch 2023.11.4, released March 4th, fixes the issues. Attackers can exploit these vulnerabilities (CVSS scores: 9.8 & 7.3) to gain administrative control or perform limited admin actions.

Reports indicate active exploitation, potentially triggered by a technical write-up with exploit code released shortly before the patch. Attackers may be creating fake accounts to maintain access even after patching.

The Takeaway: Immediately patch TeamCity servers (On-Premises versions before 2023.11.4) or disconnect them from the internet. If patching is delayed and the server was internet-facing before March 4th, assume compromise and investigate further.

Patch SAP Now: Critical Flaws in Business Products

SAP addressed critical security vulnerabilities in essential business products during their March Patch Day. These flaws, including a code injection vulnerability (CVE-2024-22127) in NetWeaver AS Java, demand immediate patching to prevent potential data breaches or disruptions.

The most severe vulnerability impacts the Chromium browser used within SAP Business Client. Unpatched systems are exposed to 29 security defects, including critical and high-severity issues. 

Another critical flaw exists in the lodash library used by SAP Build Apps. Attackers can exploit this to execute unauthorized commands on vulnerable systems. Updating Build Apps to version 4.9.145 or later mitigates this risk.

A third critical flaw (CVE-2024-22127) affects NetWeaver AS Java. An incomplete list of allowed file types exposed the system to code injection attacks. 

The Takeaway: Immediately update SAP Business Client, Build Apps (version 4.9.145 or later), and the Administrator Log Viewer plugin in NetWeaver AS Java. Patch other vulnerabilities based on severity and risk tolerance.

Cisco Patches Critical Flaws in Network Routers

Cisco released critical security patches for vulnerabilities in its IOS RX software, used in various network routers. These flaws could allow attackers to take control of devices or disrupt network operations.

The most critical issue (CVE-2024-20320) impacts the SSH function and could grant attackers full access to routers. Other vulnerabilities can cause denial-of-service (DoS) attacks on network cards or PPPoE connections.

The Takeaway: Immediately patch Cisco IOS RX software on 8000 series routers, NCS 540/5700 series routers, and ASR 9000 series routers with BNG functionality. Update other IOS RX devices based on the severity of the vulnerabilities.

ChatGPT Plugins Exposed User Accounts (Fixed)

Security flaws in ChatGPT plugins left user accounts vulnerable to takeover by attackers. These vulnerabilities have now been addressed.

Researchers discovered three main issues: malicious plugin installations, compromised developer framework authentication, and open authorization manipulation within plugins. These flaws could have allowed attackers to steal user credentials or gain unauthorized access to accounts.

The Takeaway: Users should no longer be at risk from these vulnerabilities, but maintaining good security practices is important. Be cautious when installing plugins and avoid clicking on suspicious links.

That’s all for this week – have any exposures to add to our list? Let us know!