Exposures, Exposed! Weekly Round-up October 14 – October 20
Welcome back to Exposures, Exposed!, XM Cyber’s weekly round-up of exposure news you can use. We scour the cyber universe to bring you the past week’s most impactful exposures from around the globe. Cyber threats never rest… and neither do our researchers. Here are our top picks for this week:
Here’s what we’ve got for you this week:
CISA Adds Critical SolarWinds Flaw to Vulnerability Catalog
The Cybersecurity and Infrastructure Security Agency (CISA) has included a significant vulnerability affecting SolarWinds Web Help Desk (WHD) software in its Known Exploited Vulnerabilities (KEV) catalog as of October 15. This flaw, identified as CVE-2024-28987 with a CVSS score of 9.1, allows remote unauthenticated users to access internal network functionality and modify sensitive data.
Federal agencies have been mandated to address this vulnerability by November 5, although experts suggest that commercial enterprises should also prioritize remediation. Cybersecurity professionals emphasize that help desk systems contain critical information, making them attractive targets for attackers. They highlight the flaw’s ease of exploitation and the potential for data manipulation once inside a network.
Experts warn that hardcoded credentials pose serious risks, with significant implications for both federal and private sectors.
The Takeaway: Organizations should prioritize fixing the SolarWinds vulnerability to protect sensitive information and maintain trust. Learn more here.
Microsoft Addresses Critical Vulnerabilities in Power Platform
Microsoft has announced patches for serious information disclosure and privilege escalation vulnerabilities affecting Power Platform, Dataverse, and the Imagine Cup website. Each vulnerability has been assigned a critical severity rating, with corresponding high CVSS scores indicating significant risks.
In Power Platform, Microsoft fixed CVE-2024-38190, a missing authorization vulnerability that could allow unauthorized access to sensitive information. In Dataverse, the company addressed CVE-2024-38139, an improper authentication issue that could enable authenticated attackers to elevate their privileges. Additionally, CVE-2024-38204 was patched on the Imagine Cup website, resolving an improper access control vulnerability.
Microsoft stated that the vulnerabilities have been fully mitigated server-side, meaning users of the affected services do not need to take further action. The company has not found evidence of these issues being exploited before the patches were applied.
The Takeaway: Users should remain informed about security updates and vulnerabilities but do not need to take immediate action regarding these recent patches. Learn more here.
Grafana Discovers Critical Vulnerability Leading to Remote Code Execution
Grafana, an open-source data analytics and visualization platform, has identified a critical vulnerability that could allow for remote code execution. The flaw, tracked as CVE-2024-9264, carries a CVSS v4 score of 9.4 and was introduced in version 11, released in May 2024.
This vulnerability arises from an experimental feature known as SQL Expressions, which fails to properly sanitize SQL queries directed to the DuckDB command line interface. As a result, users with "viewer" permission or higher could exploit this flaw for command injection and local file inclusion.
While SQL Expressions is enabled by default, exploitation is possible only if the DuckDB binary is installed in the Grafana process's environment. Grafana has released six new versions to address the vulnerability, urging users to patch their systems promptly. Users can also mitigate the risk by removing the DuckDB binary.
The Takeaway: Grafana users should install the latest security patch or remove the DuckDB binary to protect their systems. Learn more here.
Jetpack Plugin Releases Security Update for Critical Vulnerability
The maintainers of the Jetpack WordPress plugin have issued a security update to address a critical vulnerability that may allow users to access submitted forms from other users’ sites. This flaw, discovered during an internal security audit, has existed since version 3.9.9, released in 2016 (!).
Recommended by LinkedIn
The vulnerability is associated with the Contact Form feature and can potentially be exploited by any user with "viewer" permission or higher. Jetpack, which is used on approximately 27 million WordPress sites, has collaborated with the WordPress.org Security Team to automatically update installed plugins to secure versions.
While there is no evidence of exploitation, the potential risk remains due to the public disclosure of the flaw. Jetpack has previously addressed similar critical vulnerabilities in June 2023.
The Takeaway: Users should ensure their Jetpack plugin is updated to the latest version to mitigate potential security risks. Learn more here.
Critical Vulnerability Discovered in Kubernetes Image Builder
A critical security flaw has been identified in the Kubernetes Image Builder that could allow attackers to gain root access under certain conditions. The vulnerability, tracked as CVE-2024-9486 with a CVSS score of 9.8, has been addressed in version 0.1.38. The issue involves default credentials being enabled during the image build process. Additionally, virtual machine images built using the Proxmox provider do not disable these default credentials, leaving nodes vulnerable.
Affected users are advised to disable the builder account on impacted virtual machines and to rebuild images using the fixed version of Image Builder. The latest update also resolves a related issue, CVE-2024-9594, with a lower severity score of 6.3.
The Takeaway: Users should upgrade to Kubernetes Image Builder version 0.1.38 and implement recommended mitigations to secure their systems. Learn more here.
Critical Vulnerabilities Found in Popular Netgear WiFi Extenders
Security researchers have identified critical vulnerabilities in several Netgear WiFi extender models, potentially allowing attackers to execute malicious commands. The flaws, tracked as CVE-2024-35518 and CVE-2024-35519, affect the Netgear EX6120, EX6100, and EX3700 extenders running outdated firmware.
The most severe issue, CVE-2024-35518, impacts the EX6120 AC1200 Dual Band WiFi Range Extender, enabling remote command injection via specific parameters. A related flaw, CVE-2024-35519, also allows command injection on multiple extender models. Both vulnerabilities have been assigned a CVSS score of 8.4, indicating high severity.
Netgear has released firmware updates to address these vulnerabilities, urging users to upgrade immediately to the latest versions. Users can find updates on the Netgear support website or through their device management interface.
The Takeaway: Users should update their Netgear extenders to the latest firmware versions to protect against identified vulnerabilities. Learn more here.
That’s all for this week – have any exposures to add to our list? Let us know!
Read our latest blog "How Digital Twins are Revolutionizing Threat Management":
hishool at hishool
1mo@