Exposures, Exposed! Weekly Round-up November 25 – December 1
Welcome to the post-Thanksgiving edition of “Exposures, Exposed”! As we gather to reflect on what we’re thankful for, let’s not forget to stay vigilant against the latest cyber breaches, vulnerabilities, and exposures. This week, our experts have uncovered critical threats that could spoil your cybersecurity feast. Dig in to get the inside scoop on what’s putting your defenses at risk!
MITRE Updates Top 25 Dangerous Software Vulnerabilities List
MITRE has released an updated version of its Common Weakness Enumeration (CWE) Top 25 Most Dangerous Software Weaknesses list, reflecting current trends in cyber threats.
The list identifies the most common and impactful weaknesses that threat actors exploit to take control of systems, steal data, and cause disruptions. Cross-site scripting (XSS) vulnerabilities now hold the top spot, surpassing out-of-bounds write flaws, which dropped to second place.
SQL injection issues remain in third place, while cross-site request forgery (CSRF), path traversal, and out-of-bounds read flaws moved up in the rankings. Missing authorization, previously in eleventh place, is now in the top 10. Unrestricted file uploads stayed in tenth position.
New entries on the list include exposure of sensitive information and uncontrolled resource consumption, which have climbed significantly in rank.
The Takeaway: CISA encourages organizations to prioritize these vulnerabilities in their development and procurement strategies. Learn more here.
Critical Flaws in Advantech Access Points Threaten Infrastructure
Researchers have identified 20 vulnerabilities in Advantech's EKI-6333AC-2G industrial wireless access points, which could enable unauthenticated remote code execution with root privileges. These flaws could allow attackers to compromise confidentiality, integrity, and availability, disrupting critical infrastructure processes like manufacturing and logistics.
Two attack vectors were outlined: one involving LAN/WAN exploitation through malicious requests and another leveraging physical proximity to attack via the wireless spectrum. Successful exploitation could lead to persistent backdoor access, denial of service, or lateral movement within affected networks.
Advantech has released firmware updates, including version 1.6.5 for EKI-6333AC-2G and related devices, to address these vulnerabilities. Nozomi Networks urges immediate implementation of these patches to protect against unauthorized access and ensure operational security.
The Takeaway: Update Advantech devices to the latest firmware to prevent exploitation. Learn more here.
Palo Alto Firewalls Exploited Despite Declining Internet Exposure
The number of internet-exposed Palo Alto Networks firewalls has declined significantly, but Shadowserver Foundation reports approximately 2,000 devices have already been compromised. Two vulnerabilities, CVE-2024-0012 and CVE-2024-9474, were exploited in the attacks. The critical CVE-2024-0012 flaw allows attackers to bypass authentication and gain administrator privileges, while CVE-2024-9474 enables root access.
Palo Alto Networks released patches for affected PAN-OS versions on November 18. Impacted devices include PA-, VM-, and CN-series firewalls, as well as Panorama products. Restricting access to management interfaces to trusted internal IPs is the recommended mitigation.
Despite updates, threat actors have been seen transferring tools and exfiltrating data from compromised systems. WatchTowr has published technical details and proof-of-concept code, increasing the likelihood of further exploitation. Palo Alto Networks is assisting affected customers but disputes Shadowserver’s reported number of compromised devices.
The Takeaway: Apply PAN-OS patches immediately and secure firewall management interfaces. Learn more here.
Critical Array Networks Flaw Added to CISA Catalog
A critical vulnerability in Array Networks AG and vxAG secure access gateways, tracked as CVE-2023-28461, has been added to the Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities catalog. Federal agencies are required to remediate the issue by December 16.
The flaw allows threat actors to execute arbitrary code or compromise the file system using a vulnerable URL, according to Array Networks. Trend Micro reported that the vulnerability has been exploited by the Chinese cyberespionage group Earth Kasha, also known as MirrorFace, alongside flaws in Fortinet FortiOS/FortiProxy and Proself. VulnCheck noted that Chinese hacking operations accounted for 25% of intrusions leveraging the 15 most exploited security flaws in the past year, impacting over 440,000 devices globally.
The Takeaway: Federal agencies and organizations should prioritize patching CVE-2023-28461 before the December 16 deadline. Learn more here.
Critical Vulnerability Found in 7-Zip File Utility
A high-severity vulnerability in 7-Zip, tracked as CVE-2024-11477, allows remote attackers to execute malicious code using specially crafted archives. The flaw, with a CVSS score of 7.8, stems from improper validation in the Zstandard decompression implementation, leading to an integer underflow and memory write issues.
Attackers can exploit this vulnerability by convincing users to open malicious archives, potentially distributed via email or shared files. Successful exploitation grants attackers the same access rights as logged-in users, with the possibility of full system compromise.
7-Zip addressed the issue in version 24.07, released on November 20, 2024. Since 7-Zip lacks an automatic update feature, users must manually download the latest version. Experts warn that the vulnerability is easy to exploit, emphasizing the importance of immediate patching.
The Takeaway: Update to 7-Zip version 24.07 to mitigate this vulnerability. Learn more here.
VMware Releases Patches for Five High-Severity Vulnerabilities
VMware has issued security patches for five vulnerabilities in its Aria Operations product, warning that attackers could exploit these flaws for privilege escalation or cross-site scripting (XSS) attacks. The vulnerabilities, affecting VMware Aria Operations 8.x and VMware Cloud Foundation 4.x and 5.x, include two local privilege escalation flaws (CVE-2024-38830 and CVE-2024-38831) and three stored XSS vulnerabilities (CVE-2024-38832, CVE-2024-38833, and CVE-2024-38834).
The privilege escalation issues, each with a CVSS score of 7.8, enable attackers to gain root access through administrative privileges or malicious commands. The XSS flaws, with CVSS scores ranging from 6.5 to 7.1, allow script injection through features such as views, email templates, and cloud provider editing.
VMware recommends that users apply the updates immediately, as no workarounds are available. The company’s products remain a frequent target for advanced hacking groups.
The Takeaway: Update VMware Aria Operations and related products to address these vulnerabilities. Learn more here.
Critical Vulnerabilities Found in mySCADA myPRO HMI Systems
Several critical vulnerabilities in mySCADA’s myPRO HMI/SCADA product could allow remote, unauthenticated attackers to take full control of affected systems. The issues include OS command injection, path traversal, and improper or missing authentication. These flaws impact myPRO Manager and Runtime components, which are used to visualize and control industrial processes on Windows, macOS, Linux, and embedded devices.
Four vulnerabilities are classified as critical, and one is rated as high severity. Successful exploitation could enable attackers to execute arbitrary OS commands, access files, and gain administrative control. mySCADA addressed these issues with updates to myPRO Manager 1.3 and myPRO Runtime 9.2.1.
While no active exploitation has been reported, CISA recommends applying patches immediately, as the vulnerable service listens on all network interfaces by default.
The Takeaway: Update myPRO to the latest patched versions to secure systems. Learn more here.
That’s all for this week – have any exposures to add to our list? Let us know!