VulnRecap 2/26/24 – VMWare, Apple, ScreenConnect Face Risks

Maine Basan
Critical vulnerabilities have been discovered across multiple systems, including Microsoft Exchange Servers, the Bricks Builder Theme for WordPress, VMware, ScreenConnect, Joomla, and Apple Shortcuts. Urgent patching and prompt updates can protect systems from unauthorized access, data breaches, and potential exploitation by threat actors.
Organizations must prioritize implementing effective security measures and conducting frequent audits. To secure sensitive data, cybersecurity specialists, software vendors, and end users should encourage collaborative efforts against malicious activities. Recurring exploits have targeted similar companies, so monitor the recent vulnerability news to remain up to date on the latest threats.
Type of vulnerability: Critical severity privilege escalation vulnerability.
The problem: CVE-2024-21410 allows remote attackers to carry out NTLM relay attacks on Microsoft Exchange Servers, providing them with privileged access. Exploitation provides illegal access to sensitive material, such as email communications, which may jeopardize company confidentiality. Up to 97,000 servers are exposed, potentially allowing unwanted access to sensitive data and exploitation for subsequent network intrusions.
The fix: System administrators are encouraged to install Exchange Server 2019 Cumulative Update 14 (CU14), issued in February 2024, which enables NTLM credential relay protection by default. The Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2024-21410 to its Known Exploited Vulnerabilities catalog and set a March 7, 2024 deadline for applying patches or mitigations.
Type of vulnerability: Critical remote code execution (RCE) flaw.
The problem: CVE-2024-25600 lets hackers execute malicious PHP code on affected websites running the Bricks Builder Theme. Attackers were seen attempting to disable security plug-ins. With over 25,000 active installations, the issue poses a significant threat to website integrity and user data. Exploitation could result in illegal access or data theft, and potentially jeopardize the entire website’s security.
The fix: On February 13, the Bricks team released version 1.9.6.1, which addresses the issue. Users are strongly recommended to quickly upgrade their Bricks Builder Theme installations to this current version to reduce the risk of exploitation. Furthermore, to improve website security and resilience against future vulnerabilities, implement security plug-ins and keep the themes and plug-ins updated on a regular basis.
Type of vulnerability: Security vulnerabilities affecting the deprecated VMware EAP.
The problem: CVE-2024-22245 and CVE-2024-22250 leave Windows domains vulnerable to authentication relay and session hijack attacks. Attackers can abuse these issues to relay Kerberos service tickets and take over privileged Enhanced Authentication Plug-in (EAP) sessions, potentially gaining unauthorized access to sensitive systems and data. Despite VMware deprecating the plug-in three years ago, systems that still have it installed remain at risk.
The fix: System administrators must remove both the in-browser plug-in/client (VMware Enhanced Authentication Plug-in 6.7.0) and the Windows service (VMware Plug-in Service). VMware's advisory provides PowerShell commands to uninstall the components or to disable the service.
Administrators may also want to employ alternative authentication methods recommended by VMware. This includes using Active Directory over LDAPS, Microsoft Active Directory Federation Services (ADFS), Okta, or Microsoft Entra ID (formerly Azure AD) to reduce the risk posed by the deprecated EAP.
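As an added illustration of the audit-then-remove procedure described above (this is not VMware's own script from its advisory), the following PowerShell inventories the deprecated EAP components on a Windows host and, only when explicitly asked, disables the service and uninstalls the plug-in. It assumes the installed product names begin with the display names used above ("VMware Enhanced Authentication Plug-in" and "VMware Plug-in Service") and that the Windows service's display name contains "VMware Plug-in Service"; verify both against the advisory before running it with -Remove.

```powershell
# Added example, not VMware's KB script: find and optionally remove the
# deprecated Enhanced Authentication Plug-in and its Windows service.
# Assumptions: product names start with the display names quoted in the
# advisory, and the service DisplayName contains "VMware Plug-in Service".
# Run from an elevated PowerShell session. Without -Remove it only reports.
[CmdletBinding()]
param(
    [switch]$Remove
)

$productPrefixes = @('VMware Enhanced Authentication Plug-in', 'VMware Plug-in Service')

# Win32_Product is slow and triggers MSI consistency checks; fine for a one-off
# host audit, but prefer the Uninstall registry keys for fleet-wide inventory.
$products = Get-CimInstance -ClassName Win32_Product |
    Where-Object { $name = $_.Name; $productPrefixes | Where-Object { $name -like "$_*" } }

$services = Get-Service -DisplayName '*VMware Plug-in Service*' -ErrorAction SilentlyContinue

if (-not $products -and -not $services) {
    Write-Host 'No VMware EAP components found on this host.'
    return
}

foreach ($p in $products) {
    Write-Host ("Found product: {0} {1}" -f $p.Name, $p.Version)
}
foreach ($s in $services) {
    Write-Host ("Found service: {0} ({1}) Status={2} StartType={3}" -f `
        $s.DisplayName, $s.Name, $s.Status, $s.StartType)
}

if ($Remove) {
    # Stop and disable the service first so the uninstall does not race it.
    foreach ($s in $services) {
        if ($s.Status -eq 'Running') { Stop-Service -Name $s.Name -Force }
        Set-Service -Name $s.Name -StartupType Disabled
        Write-Host ("Disabled service {0}" -f $s.Name)
    }
    # Win32_Product exposes an Uninstall method; ReturnValue 0 means success.
    foreach ($p in $products) {
        $result = Invoke-CimMethod -InputObject $p -MethodName Uninstall
        Write-Host ("Uninstall {0}: ReturnValue={1}" -f $p.Name, $result.ReturnValue)
    }
} else {
    Write-Host 'Audit only. Re-run with -Remove to disable the service and uninstall the plug-in.'
}
```

Run it once without -Remove across the hosts where administrators use the vSphere Client to confirm which machines still carry the plug-in, then a second time with -Remove on the affected ones; a non-zero ReturnValue from the uninstall step indicates the MSI removal failed and needs manual follow-up.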
Type of vulnerability: Mail address escaping, XSS, and remote code execution.
The problem: Joomla vulnerabilities include inadequate session termination (CVE-2024-21722), open redirect (CVE-2024-21723), XSS in media selection (CVE-2024-21724), mail address escaping (CVE-2024-21725), and remote code execution via XSS (CVE-2024-21726). Attackers use these issues to execute arbitrary code, modify sessions, and launch XSS attacks. These pose serious threats to site integrity and user data.
CVE-2024-21725 is most likely to be exploited. CVE-2024-21726, while moderate, allows remote code execution via XSS, which requires user input and may lead to broader attacks if administrators open fraudulent links.
The fix: Joomla has provided updates for versions 5.0.3 and 4.4.3, which address the highlighted vulnerabilities. Users need to promptly upgrade their Joomla installations to reduce the risk of exploitation. While precise technical information has not been revealed to prevent broad attacks, immediate action is required to protect websites from prospective threats.
Type of vulnerability: Authentication bypass and path traversal flaws.
The problem: ConnectWise ScreenConnect's authentication bypass (CVE-2024-1709) and path traversal (CVE-2024-1708) issues pose severe security risks, allowing a full system compromise. Attackers use these flaws to circumvent login procedures, obtaining unauthorized access and potentially compromising sensitive data. The path traversal bug lets attackers reach outside the intended directory boundaries and access key system files.
Exploitation causes data breaches, system instability, and service disruptions, affecting organizational security and continuity. Furthermore, threat actors use the authentication bypass issue to spread LockBit ransomware on infiltrated networks, specifically targeting vulnerable ScreenConnect servers. Despite law enforcement efforts, LockBit attacks continue to target important infrastructure such as municipal governments and healthcare providers.
The fix: Urgently update on-premises servers to version 23.9.8. ConnectWise states that cloud-hosted instances are already secured. Implement detection guidelines to monitor for unauthorized access. Federal authorities recommend securing affected systems by February 29.
Type of vulnerability: Security vulnerability in Apple’s Shortcuts.
The problem: CVE-2024-23204 enables attackers to create malicious Shortcuts files that can evade Apple’s Transparency, Consent, and Control (TCC) security system. It allows illegal access to sensitive data on macOS and iOS devices without user approval.
Attackers can covertly extract personal information and system data, jeopardizing user privacy and perhaps leading to identity theft or other criminal activity. Bitdefender’s investigation shows that data can be exfiltrated using encrypted image files, highlighting the severity of potential misuse and the need for mitigation.
The fix: Apple has rolled out security updates for macOS Sonoma 14.3, iOS 17.3, and iPadOS 17.3. Users should upgrade the Shortcuts software as soon as possible. The increasing incidence of Apple security vulnerabilities emphasizes the importance of frequent upgrades and exercising vigilance when using shortcuts from untrustworthy sources.
Type of vulnerability: System vulnerabilities in initial access, privilege escalation, and credential access.
The problem: LockBit ransomware, formerly known as “ABCD” ransomware, has gained traction in recent months as a separate threat in the extortion tool market. LockBit is a malicious application that encrypts computers and demands a ransom payment for access.
Authorities shut down LockBit's infrastructure on February 20, but the gang restarted operations within days, citing an unpatched PHP server as the entry point law enforcement used. The takedown exposed vital data, including decryption keys and affiliate information, jeopardizing victims' security and potentially revealing sensitive data.
The fix: Organizations may take a variety of preventive measures to reduce cybersecurity risks, such as increasing password complexity, segmenting networks, frequently updating software, enabling multifactor authentication, and raising awareness about phishing threats. CISA released a list of mitigations against LockBit’s activity. Enhanced law enforcement efforts continue against LockBit ransomware operators, including offering incentives for any lead information.