Executive Summary
This week saw a significant increase in critical vulnerabilities, with Five new entries added to CISA's Known Exploited Vulnerabilities (KEV) catalog. Among these, the Dahua IP Camera authentication bypass vulnerabilities (CVE-2021-33044 and CVE-2021-33045) stand out as significant security threats, allowing attackers to bypass authentication and potentially gain unauthorized access to and control over affected devices.
Critical vulnerabilities have also been discovered in widely used software such as Jenkins, WPS Office, and LiteSpeed Cache, posing serious risks to organizations by potentially allowing attackers to gain complete control over affected systems. In response, Google has released patches for CVE-2024-7971, a critical zero-day vulnerability in its Chrome browser. This marks the ninth actively exploited Chrome vulnerability addressed by Google in 2024, highlighting the persistent threats to browser security.
Cybercriminal groups, including IntelBroker and RansomEXX, have targeted Jenkins, while the Lazarus APT group has exploited a previously patched vulnerability in Microsoft Windows.
Meanwhile, the notorious Mirai botnet continues its destructive activities by exploiting vulnerabilities in networking devices. This week, it was observed targeting vulnerabilities in LB-LINK BL devices, TP-Link Archer AX21 routers, and the miniigd SOAP service in Realtek SDK, further expanding its reach.
Despite being a few years old, vulnerabilities like CVE-2022-0185 and CVE-2021-31196 remain actively exploited, underscoring the ongoing need to prioritize regular security updates.
Trending / Critical Vulnerabilities
CVE-2024-23897
A serious path traversal bug, CVE-2024-23897 affects Jenkins 2.441 and earlier and LTS 2.426.2 and earlier versions, where one of the CLI command parser features allows unauthenticated attackers to read files. This method only allows read access to the first few lines of the file, but once authenticated, users can access complete files.
A very high CVSS of 9.8 and an equally high EPSS score of 0.97084 signifies the severity of this flaw. It comes as no surprise that this is heavily being exploited in the wild, which led CISA to add this CVE to their Known Vulnerability Exploit catalog[1].
CVE-2024-7262
The popular Office suite WPS by Kingsoft suffered a path traversal bug due to improper validation in one of the executables shipped with their Windows version. This validation failure allowed attackers to load any Windows library and this resulted in attackers developing single-click exploits disguised as malicious spreadsheets, resulting in possible remote code execution.
The exploit is already being used by attackers actively in the wild[2] and the severity of the bug can be seen from a high CVSS score of 9.3, although the EPSS score is a low 0.00055.
CVE-2022-0185
Affecting the Linux Kernel, CVE-2022-0185 is a heap-based buffer overflow with a high CVSS score of 8.5. Occurring to the way a certain supplied parameter length is handled by the filesystem functionality, specifically the “legacy_parse_param” function, the overflow exploit can allow an unprivileged user to escalate their privileges in the system.
The flaw has a low EPSS score of 0.0006 but due to recent evidence of this bug being exploited in the wild, CISA added the exploit to their KEV catalog[3].
CVE-2021-33044 and CVE-2021-33045
Dahua IP camera had an authentication bypass vulnerability, allowing attackers to use crafted packets and log in without authentication. While CVE-2021-33044 affects Dahua IP cameras and VTH/VTO (video intercom) devices, CVE-2021-33045 was assigned for NVR, DVR, and other families of devices suffering from the same flaws of authentication bypass.
CVE-2021-33044 has a severe CVSS score of 9.8 and an EPSS score of 0.06877, while CVE-2021-33045 has the same CVSS score of 9.8 but a higher EPSS score of 0.25281. Both of these flaws were recently seen being exploited in the wild and consequently, CISA added both the CVEs to their KEV catalog[3].
CVE-2021-31196
Recently included in the CISA’s KEV catalog, CVE-2021-31196 was a remote code execution vulnerability discovered in Microsoft Exchange Server in 2021.
Although code execution bugs are severe, Microsoft reports that this flaw has “Exploitation Less Likely” as the exploitation assessment, which might explain the relatively lower CVSS score of 7.2 and an EPSS score of 0.01258, compared to other remote code execution bugs[3].
CVE-2024-7971
A vulnerability has been discovered in Google Chrome, involving a type confusion bug that results in possible heap corruption. This CVE impacts the V8 JavaScript engine and can be exploited through a specially crafted HTML page.
CVE-2024-7971 is among several V8-related bugs recently addressed by Google, carrying a CVS score of 8.6 and an EPSS score of 0.00159. Further, this vulnerability has also been included in CISA’s KEV catalog[4].
CVE-2024-28000
With multiple public exploits available, a privilege escalation bug was recently discovered in the LightSpeed Cache software. A hash used for user simulation is reportedly weak and can be brute-forced by attackers to gain administrative privileges, typically on a WordPress site leading to complete compromise.
The vulnerability affects over 5,000,000 sites and exploits in the wild have already been reported[5].
Vulnerabilities Abused by Malware
CVE-2024-38193
Previously reported privilege escalation vulnerability affecting Microsoft Windows Ancillary Function Driver for WinSock was seen being exploited by Lazarus, a North Korea-based APT[7].
A zero-day exploit, if an attacker was able to enter a vulnerable server the flaw would have allowed them to elevate their permissions to SYSTEM privileges. The flaw was patched by Microsoft during one of their August Patch Tuesday.
CVE-2024-23897
The critical vulnerability affecting Jenkins, as discussed in the first section, is being heavily exploited by multiple threat actors. RansomEXX ransomware group targeted India’s banking infrastructure, where the initial access was gained through stealing sensitive files using CVE-2024-23897[8].
IntelBroker threat actor was seen compromising GitHub repositories by stealing credentials from Jenkins files and subsequently, stealing secrets stored in GitHub[9]. They then used these stolen secrets to further perform exploits.
CVE-2024-4577
Targeting Taiwan through the popular, recently discovered command injection flaw in the PHP-CGI OS. Emerging backdoor, known as Backdoor.Msupedge, was seen abusing CVE-2024-4577 as the initial intrusion tactic, as command injection allows arbitrary code execution, resulting in compromise. The backdoor was reportedly seen using DNS to communicate with its command and control center.
Exploit Activity and Mass Scanning Observed on Cytellite Sensors
CVE-2024-24919
Affecting the ‘CloudGuard Network Security' appliance, Check Point’s SSLVPN offering, CVE-2024-24919 is a flaw that exposes sensitive information to unauthenticated attackers. As per research, the bug was due to an underlying path traversal exploit affecting a certain endpoint[6].
As per CheckPoint’s advisory, they have seen this being exploited in the wild and heavily scanned by threat actors. It is advised to immediately patch the affected systems, as updated versions are available.
Cytellite sensors also experienced significant exploit activity and mass scanning toward multiple router devices, including Wavelink, Tenda, LB-Link, and TP-Link. GeoServer command injection (CVE-2022-24847) and Apache Hadoop RCE (CVE-2022-25168) are still being exploited in the wild. For further details, please refer to our previous reports.
Vulnerabilities abused by Botnet
Mirai botnet’s exploitation of LB-LINK BL Devices through common injection flaws continues this week. Remote code execution in HUwaei routers and MVPower CCTV/DVR devices by emerging botnets still persists. For further details, please refer to our previous reports.
Pre NVD
The LOVI platform monitors multiple feeds and social media, tracking over 100 alerts to aggregate and distribute details related to vulnerabilities that have a high chance of being exploited by threat actors before these vulnerabilities are added to the National Vulnerability Database. To learn more, get in touch with our security researchers.
External References
- CISA adds Jenkins Command Line Interface (CLI) Path Traversal Vulnerability to catalog
- WPS Office Vulnerabilities Expose 200 Million Users: CVE-2024-7262 Exploited in the Wild
- CISA adds Dahua IP Camera Authentication Bypass Vulnerability, Dahua IP Camera Authentication Bypass Vulnerability, Linux Kernel Heap-Based Buffer Overflow and Microsoft Exchange Server Information Disclosure Vulnerability to catalog
- Google Fixes High-Severity Chrome Flaw Actively Exploited in the Wild
- Over 5,000,000 Site Owners Affected by Critical Privilege Escalation Vulnerability Patched in LiteSpeed Cache Plugin
- Safeguarding Digital Freedom: How a Gen Discovery Helped to Protect Windows Users Everywhere
- Major Payment Disruption: Ransomware Strikes Indian Banking Infrastructure
- Exposing the Exploitation: How CVE-2024-23897 Led to the Compromise of Github Repos via Jenkins LFI Vulnerability
- New Backdoor Targeting Taiwan Employs Stealthy Communications