Week of Critical Exploits

August 23, 2024
Executive Summary
Trending / Critical Vulnerabilities
Vulnerabilities Abused by Malware
Exploit Activity and Mass Scanning Observed on Cytellite Sensors
Vulnerabilities abused by Botnet
Pre NVD
External References
Subscribe to our Reports

Executive Summary

This week saw a significant increase in critical vulnerabilities, with Five new entries added to CISA's Known Exploited Vulnerabilities (KEV) catalog. Among these, the Dahua IP Camera authentication bypass vulnerabilities (CVE-2021-33044 and CVE-2021-33045) stand out as significant security threats, allowing attackers to bypass authentication and potentially gain unauthorized access to and control over affected devices. 

Critical vulnerabilities have also been discovered in widely used software such as Jenkins, WPS Office, and LiteSpeed Cache, posing serious risks to organizations by potentially allowing attackers to gain complete control over affected systems. In response, Google has released patches for CVE-2024-7971, a critical zero-day vulnerability in its Chrome browser. This marks the ninth actively exploited Chrome vulnerability addressed by Google in 2024, highlighting the persistent threats to browser security. 

Cybercriminal groups, including IntelBroker and RansomEXX, have targeted Jenkins, while the Lazarus APT group has exploited a previously patched vulnerability in Microsoft Windows. 

Meanwhile, the notorious Mirai botnet continues its destructive activities by exploiting vulnerabilities in networking devices. This week, it was observed targeting vulnerabilities in LB-LINK BL devices, TP-Link Archer AX21 routers, and the miniigd SOAP service in Realtek SDK, further expanding its reach. 

Despite being a few years old, vulnerabilities like CVE-2022-0185 and CVE-2021-31196 remain actively exploited, underscoring the ongoing need to prioritize regular security updates.

Trending / Critical Vulnerabilities

CVE-2024-23897

A serious path traversal bug, CVE-2024-23897 affects Jenkins 2.441 and earlier and LTS 2.426.2 and earlier versions, where one of the CLI command parser features allows unauthenticated attackers to read files. This method only allows read access to the first few lines of the file, but once authenticated, users can access complete files. 

A very high CVSS of 9.8 and an equally high EPSS score of 0.97084 signifies the severity of this flaw. It comes as no surprise that this is heavily being exploited in the wild, which led CISA to add this CVE to their Known Vulnerability Exploit catalog[1].

CVE-2024-7262

The popular Office suite WPS by Kingsoft suffered a path traversal bug due to improper validation in one of the executables shipped with their Windows version. This validation failure allowed attackers to load any Windows library and this resulted in attackers developing single-click exploits disguised as malicious spreadsheets, resulting in possible remote code execution. 

The exploit is already being used by attackers actively in the wild[2] and the severity of the bug can be seen from a high CVSS score of 9.3, although the EPSS score is a low 0.00055.

CVE-2022-0185

Affecting the Linux Kernel, CVE-2022-0185 is a heap-based buffer overflow with a high CVSS score of 8.5. Occurring to the way a certain supplied parameter length is handled by the filesystem functionality, specifically the “legacy_parse_param” function, the overflow exploit can allow an unprivileged user to escalate their privileges in the system.

The flaw has a low EPSS score of 0.0006 but due to recent evidence of this bug being exploited in the wild, CISA added the exploit to their KEV catalog[3].

CVE-2021-33044 and CVE-2021-33045

Dahua IP camera had an authentication bypass vulnerability, allowing attackers to use crafted packets and log in without authentication. While CVE-2021-33044 affects Dahua IP cameras and VTH/VTO (video intercom) devices, CVE-2021-33045 was assigned for NVR, DVR, and other families of devices suffering from the same flaws of authentication bypass.

 CVE-2021-33044 has a severe CVSS score of 9.8 and an EPSS score of 0.06877, while CVE-2021-33045 has the same CVSS score of 9.8 but a higher EPSS score of 0.25281. Both of these flaws were recently seen being exploited in the wild and consequently, CISA added both the CVEs to their KEV catalog[3].

CVE-2021-31196

Recently included in the CISA’s KEV catalog, ​​CVE-2021-31196 was a remote code execution vulnerability discovered in Microsoft Exchange Server in 2021. 

Although code execution bugs are severe, Microsoft reports that this flaw has “Exploitation Less Likely” as the exploitation assessment, which might explain the relatively lower CVSS score of 7.2 and an EPSS score of 0.01258, compared to other remote code execution bugs[3]

 CVE-2024-7971

A vulnerability has been discovered in Google Chrome, involving a type confusion bug that results in possible heap corruption. This CVE impacts the V8 JavaScript engine and can be exploited through a specially crafted HTML page. 

CVE-2024-7971 is among several V8-related bugs recently addressed by Google, carrying a CVS score of 8.6 and an EPSS score of 0.00159. Further, this vulnerability has also been included in CISA’s KEV catalog[4].

CVE-2024-28000

With multiple public exploits available, a privilege escalation bug was recently discovered in the LightSpeed Cache software. A hash used for user simulation is reportedly weak and can be brute-forced by attackers to gain administrative privileges, typically on a WordPress site leading to complete compromise.

The vulnerability affects over 5,000,000 sites and exploits in the wild have already been reported[5].

Vulnerabilities Abused by Malware

CVE-2024-38193

Previously reported privilege escalation vulnerability affecting Microsoft Windows Ancillary Function Driver for WinSock was seen being exploited by Lazarus, a North Korea-based APT[7].

A zero-day exploit, if an attacker was able to enter a vulnerable server the flaw would have allowed them to elevate their permissions to SYSTEM privileges. The flaw was patched by Microsoft during one of their August Patch Tuesday.

CVE-2024-23897

The critical vulnerability affecting Jenkins, as discussed in the first section, is being heavily exploited by multiple threat actors. RansomEXX ransomware group targeted India’s banking infrastructure, where the initial access was gained through stealing sensitive files using CVE-2024-23897[8].

IntelBroker threat actor was seen compromising GitHub repositories by stealing credentials from Jenkins files and subsequently, stealing secrets stored in GitHub[9]. They then used these stolen secrets to further perform exploits.

CVE-2024-4577

Targeting Taiwan through the popular, recently discovered command injection flaw in the PHP-CGI OS. Emerging backdoor, known as Backdoor.Msupedge, was seen abusing CVE-2024-4577 as the initial intrusion tactic, as command injection allows arbitrary code execution, resulting in compromise. The backdoor was reportedly seen using DNS to communicate with its command and control center.

Exploit Activity and Mass Scanning Observed on Cytellite Sensors

CVE-2024-24919

Affecting the ‘CloudGuard Network Security' appliance, Check Point’s SSLVPN offering, CVE-2024-24919 is a flaw that exposes sensitive information to unauthenticated attackers. As per research, the bug was due to an underlying path traversal exploit affecting a certain endpoint[6].

As per CheckPoint’s advisory, they have seen this being exploited in the wild and heavily scanned by threat actors. It is advised to immediately patch the affected systems, as updated versions are available.

Cytellite sensors also experienced significant exploit activity and mass scanning toward multiple router devices, including Wavelink, Tenda, LB-Link, and TP-Link. GeoServer command injection (CVE-2022-24847) and Apache Hadoop RCE (CVE-2022-25168) are still being exploited in the wild. For further details, please refer to our previous reports.

Vulnerabilities Product Severity Title Exploited – in the-wild CISA KEV
CVE-2024-4577 PHP-CGI on Windows High Critical argument injection vulnerability in PHP on Windows servers True True
CVE-2024-24919 Check Point Remote Access VPN products High Information Disclosure vulnerability in Check Point Remote Access VPN products True True
CVE-2023-26801 LB-LINK Critical Command injection vulnerability in LB-LINK devices. True False
CVE-2023-1389 TP-Link Archer AX-21 High Command Injection Vulnerability in TP-Link Archer AX-21. True True
CVE-2022-34045 Wavlink Devices Critical Hardcoded encryption/decryption key vulnerability in Wavlink False False
CVE-2022-30489 Wavlink Devices Medium Cross-site scripting vulnerability in Wavlink Devices False False
CVE-2022-30023 Tenda Devices High Command injection vulnerability via the Ping function in Tenda Products False False
CVE-2022-25168 Apache Hadoop Critical Command injection vulnerability in org.apache.hadoop.fs.FileUtil.unTarUsingTar in Apache Hadoop False False
CVE-2022-24847 GeoServer High Improper input validation vulnerability in GeoServer leads to arbitrary code execution False False
CVE-2022-22947 Spring Cloud Gateway Critical Remote code execution vulnerability in Spring Cloud Gateway prior to 3.1.1+ and 3.0.7+ True True

Vulnerabilities abused by Botnet

Mirai botnet’s exploitation of LB-LINK BL Devices through common injection flaws continues this week. Remote code execution in HUwaei routers and MVPower CCTV/DVR devices by emerging botnets still persists. For further details, please refer to our previous reports.

Vulnerability Product Title Exploit Abused by Botnet
CVE-2023-26801 LB-LINK BL Devices Command injection vulnerability in LB-LINK BL-AC1900_2.0 1.0.1, BL-WR9000 2.4.9, BL-X26 1.2.5 and BL-LTE300 1.0.8 True Mirai
CVE-2017-17215 Huawei HG532 Remote code execution vulnerability in Huawei HG532 router True Sysrvbotnet
CVE-2016-20016 MVPower CCTV DVR models Remote code execution vulnerability in MVPower CCTV DVR models True IoT-Repear

Pre NVD

The LOVI platform monitors multiple feeds and social media, tracking over 100 alerts to aggregate and distribute details related to vulnerabilities that have a high chance of being exploited by threat actors before these vulnerabilities are added to the National Vulnerability Database. To learn more, get in touch with our security researchers.

CVE-ID Type of vulnerability Product Reference
CVE-2024-7233 Local Privilege Escalation Avast Free Antivirus Resource
CVE-2024-7232 Local Privilege Escalation Avast Free Antivirus Resource
CVE-2023-41144 Memory Corruption Autodesk FeatureCAM Resource
CVE-2024-6816 Heap-based Buffer Overflow IrfanView Resource
CVE-2024-6815 Out-Of-Bounds Write IrfanView Resource

External References

  1. CISA adds Jenkins Command Line Interface (CLI) Path Traversal Vulnerability to catalog
  2. WPS Office Vulnerabilities Expose 200 Million Users: CVE-2024-7262 Exploited in the Wild
  3. CISA adds Dahua IP Camera Authentication Bypass Vulnerability, Dahua IP Camera Authentication Bypass Vulnerability, Linux Kernel Heap-Based Buffer Overflow and Microsoft Exchange Server Information Disclosure Vulnerability to catalog
  4. Google Fixes High-Severity Chrome Flaw Actively Exploited in the Wild
  5. Over 5,000,000 Site Owners Affected by Critical Privilege Escalation Vulnerability Patched in LiteSpeed Cache Plugin
  6. Safeguarding Digital Freedom: How a Gen Discovery Helped to Protect Windows Users Everywhere
  7. Major Payment Disruption: Ransomware Strikes Indian Banking Infrastructure
  8. Exposing the Exploitation: How CVE-2024-23897 Led to the Compromise of Github Repos via Jenkins LFI Vulnerability
  9. New Backdoor Targeting Taiwan Employs Stealthy Communications 

Get notified

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Latest Reports

Latest Reports