VulnRecap 2/5/24 – Azure, Apple, Ivanti, & Mastodon at Risk
We Keep you Connected
VulnRecap 2/5/24 – Azure, Apple, Ivanti, & Mastodon at Risk
Critical multi-platform vulnerabilities impacting diverse systems dominated the past week’s cybersecurity headlines. Juniper Networks released updates for the high-severity flaws in SRX and EX Series. A coding vulnerability in Microsoft’s Azure Pipelines affected 70,000 open-source projects. Linux distros faced a heap-based buffer overflow issue. Jenkins CLI exposedflaws in build systems, and Mastodon encountered a critical origin validation error.
With the recent surge in critical vulnerabilities, organizations should regularly update and patch software, and perform routine vulnerability assessments and penetration testing. Vendor risk management and collaboration within the industry further enhance your system’s resiliency. Keep reading for further details on this week’s vulnerabilities. Type of vulnerability: Missing authentication flaw and cross-site scripting (XSS) vulnerability. The problem: Juniper Networks’ SRX and EX Series include high-severity weaknesses, particularly CVE-2024-21619 (CVSS score: 5.3), a missing authentication vulnerability that exposes sensitive information, and CVE-2024-21620 (CVSS score: 8.8), a cross-site scripting bug that allows arbitrary command execution. Both affect J-Web and all Junos OS versions. Exploiting these issues could provide a threat actor control over systems.
The Known ExploitedVulnerabilities list also added the previously disclosed issues CVE-2023-36846 and CVE-2023-36851, emphasizing the importance of immediate fix. The fix: Juniper Networks has published out-of-cycle fixes for CVE-2024-21619 and CVE-2024-21620 — apply fixes to the identified versions. As a temporary remedy, disable J-Web or limit access to trusted hosts. Type of vulnerability: Code vulnerability in Microsoft’s Azure Pipelines. The problem: Legit Security researchers discovered a vulnerability in Azure Pipelines that affects approximately 70,000 open-source projects. Exploiting this issue enables hackers to introduce malicious code during testing, potentially exposing sensitive data. It’s triggered by contributions to build system projects and tricks the system into running test code in a live environment. This gets a severity score of 7.3 out of 10. The fix:Microsoft already issued a fix in October 2023 to address this vulnerability. It protects the customers who have received the most recent updates or have them installed automatically. The issue primarily affects the on-premise version of Azure Pipelines, requiring manual updates for security. Additionally, Azure DevOps now streamlines organization-level policy control for creating pull requests from forked GitHub projects.
Neil Carpenter, principal technical evangelist at Orca Security, issued an advisement regarding Azure Pipelines and Jenkins CLI vulnerabilities: “This [Azure Pipelines] disclosure and the Jenkins arbitrary file read vulnerability disclosed last week highlight that organizations need to focus not just on the security of their applications themselves but, also, the security of the infrastructure used to build and test the applications. Organizations should be sure they have solid plans for the security of CI/CD pipelines and updating and monitoring DevOps infrastructure, and that they have clear response plans if a potential incident is found.” Type of vulnerability: Kernel flaw impacting iOS, iPadOS, macOS, tvOS, and watchOS. The problem:CVE-2022-48618 (CVSS score: 7.8) allows attackers with arbitrary read and write privileges to potentially overcome Pointer Authentication, which affects several Apple operating systems. Exploitation poses the possibility of unauthorized access and control over affected devices. Despite Apple’s December 2022 patch, the flaw’s public disclosure a year later exposes possible vulnerabilities in devices running versions prior to iOS 15.7.1, requiring immediate action. The fix: Apply the issued patches starting December 13, 2022, by updating to iOS 16.2, iPadOS 16.2, macOS Ventura 13.1, tvOS 16.2, and watchOS 9.2. Given the reported vulnerability, federal civilian executive branch agencies should implement solutions by February 21, 2024. Additionally, Apple expanded fixes for a WebKit bug (CVE-2024-23222) to include the Apple Vision Pro headset in visionOS 1.0.2. Type of vulnerability: Heap-based buffer overflow vulnerability in the GNU C library. The problem: A recently discovered vulnerability (CVE-2023-6246) in glibc’s __vsyslog_internal() function poses a serious threat to Linuxsystems, allowing local attackers to gain complete root access. This heap-based buffer overflow was accidentally introduced in glibc 2.37 in August 2022, and it affects major Linux distributions such as Debian, Ubuntu, and Fedora.
Qualys, a cybersecurity firm, also uncovered more issues (CVE-2023-6779 and CVE-2023-6780) in __vsyslog_internal(), as well as a qsort() bug that causes memory corruption and has affected all glibc versions since 1992. The fix: Mitigate CVE-2023-6246 by updating glibc to a version released after the bug was introduced in glibc 2.37. Because of the greater impact, timely updates are critical. Address other vulnerabilities (CVE-2023-6779 and CVE-2023-6780) by regularly checking for glibc upgrades. Type of vulnerability: Arbitrary file read vulnerability that can allow RCE. The problem:CVE-2024-23897 reveals a significant vulnerability in the Jenkins CLI, allowing attackers to access files on the controller file system. This security issue stems from an apparently harmless CLI feature that grants unauthorized access to sensitive data and cryptographic keys. With a CVSS score of 9.8, the vulnerability allows remote code execution and other attacks. The fix: Following the vulnerabilitypatcheslast week, there’s a newly updated Proof-of-Concept (PoC)exploit for CVE-2024-23897 published on GitHub. Users are strongly advised to update their installations to the latest version promptly to mitigate potential risks. Type of vulnerability: Privilege escalation and server-side request forgery. The problem: Ivanti warns of two high-severity flaws in Connect Secure and Policy Secure, one of which has been targeted for exploitation. CVE-2024-21888 (CVSS score: 8.8) enables privilege escalation, whereas CVE-2024-21893 (CVSS score: 8.2) discloses a server-side request forgery in SAML. There is no indication of CVE-2024-21888 impact so far, although CVE-2024-21893 exploitation is targeted and affects a small number of consumers. Ivanti predicts increased exploitation once the details become public. CISA published an advisory outlining updated mitigations to prevent threat actors from exploiting vulnerabilities in Ivanti Connect Secure and Policy Secure Gateways on Ivanti devices. The fix: Ivanti has released patches for high-risk issues in Connect Secure and Policy Secure. Apply patches to 9.1R14.4, 9.1R17.2, 9.1R18.3, 22.4R2.2, 22.5R1.1, and 22.6R1.3. To avoid threat actor persistence, they recommend doing a factory reset before patching. Import “mitigation.release.20240126.5.xml” as a temporary solution, but remain alert as exploitation may increase upon public publication. Type of vulnerability: Critical origin validation error. The problem: Mastodon, an open-source platform used to build self-hosted social networking services, identified a significant securityflaw (CVE-2024-23832, CVSS score: 9.4). It allows attackers to mimic and take control of any account on the decentralized social network due to inadequate origin validation. Vulnerable versions include pre-3.5.17, 4.0.x (pre-4.0.13), 4.1.x (pre-4.1.13), and 4.2.x (pre-4.2.5).
This disclosure comes seven months after Mastodon patched two other severe problems (CVE-2023-36460 and CVE-2023-36459) that might be used by attackers to launch denial-of-service (DoS) or remote code execution. The fix: To address CVE-2024-23832, Mastodon recommends upgrading to versions 3.5.17, 4.0.13, 4.1.13, or 4.2.5. Admins must apply changes by February 15, 2024; however, Mastodon is withholding technical details to reduce the danger of exploitation. Individual administrators must ensure that their instances receive security updates on time due to the federated structure of the decentralized network. Read next: Learn More Learn More Learn More
Strengthen your organization’s IT security defenses by keeping up to date on the latest cybersecurity news, solutions, and best practices.
Strengthen your organization’s IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices.
Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.
Enhanced Expertise: Co-Managed services bring in specialized expertise to complement your IT team, helping them tackle complex issues and projects more effectively.
Resource Augmentation: It's not about replacing your IT department but augmenting their resources. This allows your IT team to focus on strategic initiatives while routine tasks are handled externally.
Scalability: Co-Managed services are scalable, so you can adjust the level of support as per your needs, ensuring efficient resource allocation.
Cybersecurity Boost: Co-Managed services often provide advanced cybersecurity solutions, which help protect your organization from cyber threats and vulnerabilities.
Cost-Efficiency: By outsourcing routine tasks and maintenance, your IT department can allocate resources more efficiently, potentially reducing overall IT costs.
Improved Compliance: Co-Managed services can assist with compliance management, ensuring your organization adheres to industry regulations and standards.
Risk Mitigation: Shared responsibility for IT operations means shared risk. Co-Managed services providers work alongside your IT team to minimize potential risks.
Strategic Partnerships: Partnering with experienced Co-Managed service providers can enhance your organization's reputation by showcasing a commitment to innovation and efficiency.
Faster Issue Resolution: Co-Managed services often have access to advanced tools and resources, enabling quicker problem-solving and issue resolution.
Customized Solutions: Tailored solutions mean that your IT department has more control over the services provided and can align them with your organization's specific needs.
Flexibility: Your IT team retains control and can collaborate closely with Co-Managed service providers, ensuring a seamless partnership.
Catering to All IT Issues So You Can Stay Connected Securely
The Network Company has been based in South Orange County, CA, for over 27 years and provides “Managed IT Services.” We support your company’s network, computers, software, and users; and make sure your system is always running smoothly. Our topmost priority is to ensure that your users and customers get the most from your IT investment.
GET YOUR FREE, NO-OBLIGATION NETWORK HEALTH CHECK! We know you’re so busy running your business that sometimes you may forget to think about the security and health of your computer network. In fact, many business owners do NOT perform regular IT and Security maintenance, leaving the door wide open for spyware, viruses and other malicious threats that can infect their networks. This can lead to the loss of irreplaceable business data and hours of downtime. This is where we can help with Professional IT services, no matter what industry your business is in.
We don’t want this to happen to you! We’re offering you a FREE, no-strings-attached Network Health Check, which includes an inventory of your current environment, along with recommended improvements to keep your network healthy.
What’s the catch? You must be wondering why we are willing to give this away for free. We are simply offering this Network Health Check as a risk-free way to “get to know us” while helping you identify areas of vulnerability.
How does it work? To get your free Network Health Check, simply click here to complete the online request form. After we receive your request, we will contact you to schedule a specialist to perform the assessment.
Following the assessment, you will receive a complimentary recommended action plan and estimate for correcting any existing issues.