The Cyber Insider: Week 1/29 – 2/4

Vinayak Agrawal
February 1, 2024
The Cyber Insider: Week 1/29 – 2/4

Ivanti Zero-Day: CVE-2024-21888 and CVE-2024-21893

Ivanti has issued urgent fixes for two high-severity vulnerabilities detected in its Connect Secure and Policy Secure products.

CVE-2024-21888 (CVSS score: 8.8) allows unauthorized users to escalate their privileges to that of an administrator through a flaw in the web component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x). While no evidence of customer impact has been found yet, Ivanti is urging proactive measures to mitigate potential risks.

On the other hand, CVE-2024-21893 (CVSS score: 8.2) exposes a server-side request forgery vulnerability in the SAML component of the same products, along with Ivanti Neurons for ZTA, enabling attackers to access restricted resources without proper authentication. Ivanti has confirmed targeted exploitation of this vulnerability and has identified a limited number of impacted customers.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a fresh advisory highlighting the exploitation of these vulnerabilities to capture credentials and deploy web shells, emphasizing the critical importance of applying the provided patches and implementing necessary security measures promptly.

Mitigation

  • Customers are advised to factory reset their appliances before applying the patches.
  • Temporarily, users are recommended to import the "mitigation.release.20240126.5.xml" file.
  • Fixes released for Connect Secure versions 9.1R14.4, 9.1R17.2, 9.1R18.3, 22.4R2.2 and 22.5R1.1, and ZTA version 22.6R1.3.

References
https://thehackernews.com/2024/01/alert-ivanti-discloses-2-new-zero-day.html
https://www.cisa.gov/news-events/alerts/2024/01/30/new-mitigations-defend-against-exploitation-ivanti-connect-secure-and-policy-secure-gateways
https://forums.ivanti.com/s/article/KB-CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US

Critical Vulnerability in GNU C Library Grants Root Access on Linux Systems

A newly disclosed security flaw in the GNU C library (glibc), tracked as CVE-2023-6246, poses a severe risk to Linux systems, allowing malicious local attackers to obtain full root access. 

The vulnerability, a heap-based buffer overflow in the __vsyslog_internal() function used for system logging, was inadvertently introduced in glibc 2.37 released in August 2022.

Saeed Abbasi, product manager of the Threat Research Unit at Qualys, emphasized that CVE-2023-6246 impacts major Linux distributions like Debian, Ubuntu, and Fedora. Exploiting this flaw enables unprivileged users to escalate their privileges, posing a significant threat to system security.

Cybersecurity experts caution that while the vulnerability requires specific conditions to exploit, such as unusually long inputs to logging functions, its impact is substantial due to the widespread use of glibc

Further analysis by Qualys revealed two additional flaws, CVE-2023-6779 and CVE-2023-6780, in the __vsyslog_internal() function, along with a memory corruption bug in the qsort() function affecting all glibc versions since 1992.

References
https://www.qualys.com/2024/01/30/cve-2023-6246/syslog.txt
https://thehackernews.com/2024/01/new-glibc-flaw-grants-attackers-root.html
https://blog.qualys.com/vulnerabilities-threat-research/2024/01/30/qualys-tru-discovers-important-vulnerabilities-in-gnu-c-librarys-syslog

GitLab Releases Fixes for Critical File Write Vulnerability in Community and Enterprise Editions

GitLab has issued urgent fixes to address a critical security flaw, tracked as CVE-2024-0402 (CVSS 9.9), affecting both its Community Edition (CE) and Enterprise Edition (EE), enables authenticated users to write files to arbitrary locations on the GitLab server while creating a workspace.

According to GitLab's advisory released on January 25, 2024, the issue impacts all versions from 16.0 to 16.5.8, 16.6 to 16.6.6, 16.7 to 16.7.4, and 16.8 to 16.8.1. Patches for CVE-2024-0402 have been backported to these versions to ensure comprehensive protection.

This latest update follows recent fixes aimed at resolving two critical shortcomings, including one vulnerability (CVE-2023-7028) that could be exploited to take over accounts without any user interaction, emphasizing the continuous commitment to enhancing security measures.

Additionally, GitLab has addressed four medium-severity flaws, including vulnerabilities leading to regular expression denial-of-service (ReDoS), HTML injection, and disclosure of a user's public email address via the tags RSS feed.

Mitigation

  • Users are strongly advised to upgrade their installations to the patched versions at the earliest opportunity.

References
https://thehackernews.com/2024/01/urgent-upgrade-gitlab-critical.html
https://about.gitlab.com/releases/2024/01/25/critical-security-release-gitlab-16-8-1-released/

Juniper Networks Releases Urgent Updates to Address High-Severity Vulnerabilities in SRX and EX Series

Juniper Networks has issued out-of-band updates to mitigate high-severity vulnerabilities affecting SRX Series and EX Series, which could potentially allow threat actors to take control of vulnerable systems. 

Tracked as CVE-2024-21619 and CVE-2024-21620, these vulnerabilities are found within the J-Web component and impact all versions of Junos OS.

The vulnerabilities are categorized as follows:

  • CVE-2024-21619 (CVSS score: 5.3): A missing authentication vulnerability leading to potential exposure of sensitive configuration information.
  • CVE-2024-21620 (CVSS score: 8.8): A cross-site scripting (XSS) vulnerability enabling the execution of arbitrary commands with the target's permissions via a specially crafted request.

Mitigation

  • Temporarily, Juniper Networks recommends disabling J-Web or restricting access to trusted hosts.
  • CVE-2024-21619 is addressed in version 20.4R3-S9, 21.2R3-S7, 21.3R3-S5, 21.4R3-S6, 22.1R3-S5, 22.2R3-S3, 22.3R3-S2, 22.4R3, 23.2R1-S2, 23.2R2, 23.4R1, and all subsequent releases
  • CVE-2024-21620 is addressed in version 20.4R3-S10, 21.2R3-S8, 21.4R3-S6, 22.1R3-S5, 22.2R3-S3, 22.3R3-S2, 22.4R3-S1, 23.2R2, 23.4R2, and all subsequent releases

References
https://thehackernews.com/2024/01/juniper-networks-releases-urgent-junos.html
https://supportportal.juniper.net/s/article/2024-01-Out-of-Cycle-Security-Bulletin-Junos-OS-SRX-Series-and-EX-Series-Multiple-vulnerabilities-in-J-Web-have-been-addressed?language=en_US
https://labs.watchtowr.com/the-second-wednesday-of-the-first-month-of-every-quarter-juniper-0day-revisited/

Jenkins Resolves Critical Remote Code Execution Vulnerability: Urgent Update Required

Tracked as CVE-2024-23897, is capable of leading to remote code execution (RCE). This flaw, characterized as an arbitrary file read vulnerability through the built-in CLI, could allow threat actors to access sensitive files on the Jenkins controller file system.

Jenkins utilizes the args4j library for parsing command arguments, enabling a feature that replaces @ followed by a file path with the file's contents (expandAtFiles). Exploiting this feature, attackers could read arbitrary files, potentially leading to various attacks, including RCE via different vectors such as Resource Root URLs, "Remember me" cookie, and stored XSS attacks.

SonarSource security researcher Yaniv Nizry discovered and reported the flaw, prompting Jenkins to release fixes in versions 2.442 and LTS 2.426.3 by disabling the vulnerable feature.

Provided the binary secrets can be extracted, Jenkins says it could open the door to various attacks -

  • Remote code execution via Resource Root URLs
  • Remote code execution via "Remember me" cookie
  • Remote code execution via stored cross-site scripting (XSS) attacks through build logs
  • Remote code execution via CSRF protection bypass
  • Decrypt secrets stored in Jenkins
  • Delete any item in Jenkins
  • Download a Java heap dump

The proof-of-concept exploits are already available on GitHub thus, users must update their installations promptly to mitigate potential risks.

Mitigation

  • Until the patch can be applied, users are advised to disable CLI access as a short-term workaround.

References
https://github.com/h4x0r-dz/CVE-2024-23897https://www.sonarsource.com/blog/excessive-expansion-uncovering-critical-security-vulnerabilities-in-jenkins/
https://thehackernews.com/2024/01/critical-jenkins-vulnerability-exposes.html

Vinayak Agrawal
Vinayak Agrawal
Security Analyst Intern, ArmorCode Inc.
February 1, 2024
Vinayak Agrawal
February 1, 2024
Subscribe for Updates
RSS Feed Logo
By clicking “Accept All Cookies”, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information.