Executive Summary
This week's spotlight was dominated by Microsoft's August Patch Tuesday, highlighted by the disclosure of six zero-day vulnerabilities. These vulnerabilities affect a broad spectrum of Microsoft components, including Office Project, Microsoft Edge, Windows Drivers, and even the Windows Kernel. The updates address critical issues like privilege escalation and remote code execution.
Scanning and exploitation of the Spring Cloud Gateway RCE has picked up this week, along with scanning for other code execution exploits, mainly in the Python-based open-source geospatial sharing platform GeoServer and in TBK DVR devices.
Botnet exploitation of routers and IoT devices continues. Mirai, mainly through its variants, was also seen targeting Apache components suffering from remote code execution flaws. Older vulnerabilities persist.
Keep an eye out in future for possible remote code execution, privilege escalation and other critical vulnerabilities in popular platforms like Node.js and Apache, among others.
Trending / Critical Vulnerabilities
CVE-2024-28986
A remote code execution flaw was disclosed in the SolarWinds Web Help Desk solution, arising from improper deserialization of Java objects. This allows attackers to inject malicious input and, consequently, execute code on the host machine. After rigorous testing, SolarWinds stated that the flaw cannot be exploited pre-authentication, but it is recommended to apply the patches nonetheless. It was given a high CVSS score of 9.8 due to its criticality, and has a low EPSS score of 0.00071. CISA recently added the flaw to its KEV catalog after reports of exploitation by attackers[1].
Six 0-days of Microsoft: August Patch Tuesday
With fixes issued for a colossal 90 vulnerabilities in its August Patch Tuesday, Microsoft also released advisories and patches for ten zero-day issues. Out of these, six were reportedly exploited heavily in the wild. Consisting of three privilege escalation bugs, two possible remote code executions and a security-feature bypass, these were critical issues which might have been part of multiple attacks.
All six of these 0-days were added to the CISA’s Known Exploited Vulnerability Catalog[2].
CVE-2024-38106
Affecting the Windows Kernel, CVE-2024-38106 is a privilege escalation vulnerability that allows attackers to elevate their privileges to SYSTEM level on vulnerable systems. Microsoft noted that successful exploitation is of high complexity because it requires winning a race condition, which might deter some attackers. This resulted in a CVSS score of 7.0 and an EPSS score of 0.00144.
CVE-2024-38193
Another privilege escalation bug, this time affecting the Windows Ancillary Function Driver for WinSock, again grants SYSTEM-level privileges to attackers. The flaw is a use-after-free, i.e. a memory-safety issue in which freed memory is accessed again. This CVE was given a CVSS score of 7.8, presumably because it is less complex to exploit than the previous one, and an EPSS score of 0.00144.
CVE-2024-38107
The third and last privilege escalation flaw among the six zero-days exists in the Windows Power Dependency Coordinator, with similar consequences to the previous bugs. As the name suggests, the Windows Power Dependency Coordinator manages the power usage of a system. This one also arises from a use-after-free issue, and has the same CVSS score of 7.8 and EPSS score of 0.00144.
CVE-2024-38213
Moving away from privilege escalation, CVE-2024-38213 allows attackers to bypass Windows SmartScreen warnings. Due to this flaw, the warning that the executed file was downloaded from the internet and may be malicious can be bypassed.
With a CVSS score of 6.5, this is the lowest-severity zero-day of the six, although it has the highest EPSS score among them at 0.01221, mainly due to reports of it being used as part of exploit chains.
CVE-2024-38189
The first of the two remote code executions, this flaw exists in Microsoft Project, where malicious Project files can be used to execute code. Since it relies on VBA macros, successful exploitation requires the protections against macros to be disabled. Macro attacks on Microsoft Office are notorious for payload delivery, and if these conditions are met it is trivial for attackers to execute code. This is the CVE with the highest CVSS score, 8.8, and an EPSS score of 0.00806.
CVE-2024-38178
Targeting the Internet Explorer sandbox mode of the Microsoft Edge browser, this flaw is a memory corruption issue in the Windows Scripting Engine which can lead to code execution. Microsoft Edge provides an “Internet Explorer Mode” that can be useful for accessing websites not compatible with modern browsers. Though not enabled by default, some organizations might have it enabled, which may leave them vulnerable to CVE-2024-38178. The CVSS score for this CVE is 7.5 and the EPSS score is 0.01008.
Exploit Activity and Mass Scanning Observed on Cytellite Sensors
CVE-2024-3721
We usually hear about RCEs in CCTV/IP camera firmware (e.g. the quite recent AVtech exploits), but CVE-2024-3721 affects the TBK DVR-4104 and DVR-4216. A critical flaw exists in firmware up to 20240412: manipulation of certain GET query parameters in HTTP requests to the “/device.rsp” file can result in command injection and consequent execution of those commands.
No authentication is required and the attacks can be performed remotely. Even though public exploits exist, exploitation in the wild has yet to be seen.
CVE-2022-24847
A critical vulnerability has been discovered in the open-source geospatial sharing and editing platform GeoServer, affecting versions earlier than 2.23.6, 2.24.4, and 2.25.2.
The flaw, which allows unauthenticated remote code execution, arises from specific parameters being misinterpreted as XPath expressions. This issue impacts all GeoServer instances, with multiple exploitable parameters identified. Again, a public exploit is available, but exploit activity is not that major.
CVE-2022-22947
The infamous remote code execution flaw in Spring Cloud Gateway prior to 3.1.1+ and 3.0.7+ is still being heavily scanned for and exploited in the wild. With a whopping 10.0 CVSS score, a rare sight, an unsecured Gateway Actuator endpoint allowed applications running Spring Cloud Gateway to become potential victims of code execution.
Initially discovered in 2022, the flaw was heavily exploited by attackers. Multiple ransomware, botnet (mainly Sysrv) and malware campaigns were associated with CVE-2022-22947[3]. Two years later, this flaw is still being exploited in the wild and has multiple PoCs available publicly.
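The two sensor observations above, the TBK DVR command injection through GET parameters of "/device.rsp" (CVE-2024-3721) and the exposed Spring Cloud Gateway actuator endpoint (CVE-2022-22947), both leave a recognisable trace in ordinary web-server access logs. The following detector is an added example written for this report, not code from Cytellite, TBK or the Spring project. It assumes combined-log-format lines, uses the Spring Cloud Gateway actuator path prefix /actuator/gateway/ as documented for that project, and treats any shell metacharacter in a /device.rsp query value as suspicious; the parameter names and the log lines themselves are constructed for the example.

```python
"""Detect the two exploit patterns from this week's sensor data in web access logs.
Added example with constructed sample traffic; not the report's or any vendor's code."""
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Combined-log-format prefix: client, identity, user, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Shell metacharacters and command substitution have no place in a DVR query value.
SHELL_META_RE = re.compile(r'[;|`&]|\$\(|\$\{|\n')

# Spring Cloud Gateway's actuator endpoint exposes route read/write operations;
# a state-changing request to it from an external client is the CVE-2022-22947 pattern.
GATEWAY_ACTUATOR_PREFIX = "/actuator/gateway/"
WRITE_METHODS = {"POST", "PUT", "DELETE"}


def parse_line(line):
    """Return the parsed fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def detect(line):
    """Return a finding dict for a suspicious request, or None for benign traffic."""
    rec = parse_line(line)
    if rec is None:
        return None
    parts = urlsplit(rec["target"])
    path = unquote(parts.path)

    # Rule 1: TBK DVR command injection via GET parameters of /device.rsp.
    if path.endswith("/device.rsp"):
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            # parse_qsl decodes once; decode again to catch double-encoded payloads.
            if SHELL_META_RE.search(unquote(value)):
                return {"rule": "tbk-dvr-cmd-injection", "severity": "high",
                        "src": rec["src"], "param": name, "ts": rec["ts"]}

    # Rule 2: Spring Cloud Gateway actuator access; writes are the exploit pattern,
    # reads are route enumeration worth a lower-severity alert.
    if path.startswith(GATEWAY_ACTUATOR_PREFIX):
        if rec["method"] in WRITE_METHODS:
            return {"rule": "gateway-actuator-write", "severity": "high",
                    "src": rec["src"], "path": path, "ts": rec["ts"]}
        return {"rule": "gateway-actuator-read", "severity": "medium",
                "src": rec["src"], "path": path, "ts": rec["ts"]}
    return None


def scan(lines):
    """Run every line through detect() and return the list of findings."""
    return [hit for hit in (detect(line) for line in lines) if hit]


# Constructed sample traffic (RFC 5737 documentation addresses), not real sensor data.
SAMPLE_LOG = [
    '192.0.2.10 - - [14/Aug/2024:10:01:22 +0000] "GET /device.rsp?opt=sys&user=admin%3Bid HTTP/1.1" 200 312',
    '192.0.2.11 - - [14/Aug/2024:10:02:05 +0000] "GET /device.rsp?opt=status HTTP/1.1" 200 118',
    '198.51.100.7 - - [14/Aug/2024:10:03:30 +0000] "GET /actuator/gateway/routes HTTP/1.1" 200 940',
    '198.51.100.7 - - [14/Aug/2024:10:03:41 +0000] "POST /actuator/gateway/routes/example-route HTTP/1.1" 201 0',
    '198.51.100.7 - - [14/Aug/2024:10:03:42 +0000] "POST /actuator/gateway/refresh HTTP/1.1" 200 0',
    '203.0.113.5 - - [14/Aug/2024:10:04:10 +0000] "GET /actuator/health HTTP/1.1" 200 15',
    '203.0.113.5 - - [14/Aug/2024:10:05:00 +0000] "GET /index.html HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Run over the constructed sample it reports four findings: the injected /device.rsp parameter, one route enumeration and the two actuator writes, while the status query, the health check and the static page pass silently. In production the gateway rule is best paired with the mitigation the advisory implies: keep the gateway actuator unexposed or behind authentication so that any hit is by definition anomalous.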
Cytellite sensors also observed significant exploit activity and mass scanning towards multiple router devices, including Wavelink, Tenda, LB-Link and TP-Link. The Microsoft Exchange Server SSRF (CVE-2022-41040) and the Apache Hadoop RCE (CVE-2022-25168) are still being exploited in the wild. For further details, please refer to our previous report.
Pre NVD
The LOVI platform monitors multiple feeds and social media, tracking over 100 alerts to aggregate and distribute details related to vulnerabilities that have a high chance of being exploited by threat actors before these vulnerabilities are added to the National Vulnerability Database. To learn more, get in touch with our security researchers.
Vulnerabilities abused by Botnet
The Mirai botnet’s exploitation of LB-LINK BL devices through a common injection flaw continues this week. So do the botnet attacks towards the RCE in the Realtek SDK, which involve botnets like Bashlite, Gitpaste-12 and Mirai among others. For further details, please refer to our previous report.
Vulnerabilities Abused by Malware
Mirai and its variants are continuously targeting the recently discovered path traversal exploit in Apache OFBiz (with potential code execution) and command injection exploits towards AVTech Security’s IP camera firmware. For further details, please refer to our previous report.
References
- https://www.cisa.gov/news-events/alerts/2024/08/15/cisa-adds-one-known-exploited-vulnerability-catalog
- https://www.cisa.gov/news-events/alerts/2024/08/13/cisa-adds-six-known-exploited-vulnerabilities-catalog
- https://www.malwarebytes.com/blog/botnets/2022/05/sysrv-botnet-is-out-to-mine-monero-on-your-windows-and-linux-servers