Japan Airlines hit by a cyberattack, Brazilian hacker extorted over $3.2m, Adobe patches and Windows 11 security update failures...
Welcome to this week’s Security News. We’ve collated the best articles from around the internet and put them all into one place. If you have any queries or concerns about anything in this week’s news, then please get in touch with our team, who can advise further. For our existing clients, if we believe anything may affect your organisation, our team will be in touch directly.
Vulnerabilities and Patches
Palo Alto Releases Patch for PAN-OS DoS Flaw — Update Immediately
Palo Alto Networks has disclosed a high-severity vulnerability in PAN-OS software that can cause a denial-of-service (DoS) condition on susceptible devices. The flaw, tracked as CVE-2024-3393 (CVSS score: 8.7), affects PAN-OS 10.x and 11.x releases, as well as Prisma Access deployments running those PAN-OS versions. It has been addressed in PAN-OS 10.1.14-h8, PAN-OS 10.2.10-h12, PAN-OS 11.1.5, PAN-OS 11.2.3, and all later PAN-OS versions. “A denial-of-service vulnerability in the DNS Security feature of Palo Alto Networks PAN-OS software allows an unauthenticated attacker to send a malicious packet through the data plane of the firewall that reboots the firewall,” the company said in a Friday advisory. “Repeated attempts to trigger this condition will cause the firewall to enter maintenance mode”. Palo Alto Networks said it discovered the flaw in production use, and that it is aware of customers “experiencing this denial-of-service (DoS) when their firewall blocks malicious DNS packets that trigger this issue”. The extent of the activity is presently unknown. The Hacker News has reached out to Palo Alto Networks for further comment and will update its story if it hears back. Note that only firewalls with DNS Security logging enabled are affected by CVE-2024-3393, and that the severity drops to a CVSS score of 7.1 when access is limited to authenticated end users via Prisma Access.
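The part of this advisory that goes wrong in practice is the version comparison: PAN-OS hotfix suffixes such as `-h8` and `-h12` do not sort correctly as strings, and a device on a branch that has no listed fix is easy to misreport as patched. The following is an added example, not Palo Alto Networks code, that parses PAN-OS version strings into comparable tuples and triages an inventory against the four fixed releases listed above. The fixed-release table is taken only from the advisory summary on this page; any other 10.x/11.x branch is reported as having no fix listed rather than guessed at, and the sample inventory is constructed.

```python
import re

# Fixed releases exactly as listed in the advisory summary above. Assumption:
# only these four branches carry a listed fix; any other 10.x/11.x branch is
# reported as "no_fix_listed" rather than guessed at.
FIXED_RELEASES = {
    (10, 1): (10, 1, 14, 8),   # PAN-OS 10.1.14-h8
    (10, 2): (10, 2, 10, 12),  # PAN-OS 10.2.10-h12
    (11, 1): (11, 1, 5, 0),    # PAN-OS 11.1.5
    (11, 2): (11, 2, 3, 0),    # PAN-OS 11.2.3
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_panos_version(version):
    """Parse 'MAJOR.MINOR.MAINT[-hN]' into a comparable (major, minor, maint, hotfix) tuple.

    A base release carries hotfix 0, so 10.1.14 sorts below 10.1.14-h8, and the
    string-comparison trap ('10.1.14-h8' > '10.1.14-h12') is avoided.
    """
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised PAN-OS version string: {version!r}")
    major, minor, maint, hotfix = match.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


def cve_2024_3393_status(version, dns_security_logging_enabled=True):
    """Classify one firewall against the advisory summary.

    Returns one of:
      'out_of_scope'  - not a 10.x or 11.x release, so outside the advisory's scope
      'not_exposed'   - DNS Security logging is off, which the advisory names as
                        the condition for being affected
      'patched'       - at or above the fixed release for its branch, or on a
                        branch newer than every listed fix ("all later versions")
      'vulnerable'    - on a fixed branch but below the fixed release
      'no_fix_listed' - a 10.x/11.x branch with no fix in the summary; check the
                        vendor advisory directly
    """
    parsed = parse_panos_version(version)
    if parsed[0] not in (10, 11):
        return "out_of_scope"
    if not dns_security_logging_enabled:
        return "not_exposed"
    fixed = FIXED_RELEASES.get(parsed[:2])
    if fixed is None:
        return "patched" if parsed > max(FIXED_RELEASES.values()) else "no_fix_listed"
    return "patched" if parsed >= fixed else "vulnerable"


def triage_inventory(inventory):
    """Group a list of (hostname, version, dns_security_logging_enabled) by status."""
    report = {}
    for host, version, logging_enabled in inventory:
        report.setdefault(cve_2024_3393_status(version, logging_enabled), []).append(host)
    return report


if __name__ == "__main__":
    # Constructed sample inventory, not real devices.
    sample = [
        ("fw-edge-1", "10.1.14-h7", True),
        ("fw-edge-2", "10.1.14-h8", True),
        ("fw-dc-1", "11.1.4", True),
        ("fw-lab-1", "11.1.4", False),
        ("fw-old-1", "11.0.4", True),
    ]
    for status, hosts in sorted(triage_inventory(sample).items()):
        print(f"{status:14s} {', '.join(hosts)}")
```

Feed it the output of your firewall inventory (for example the `sw-version` field from a `show system info` export) and treat `no_fix_listed` as "go and read the advisory", not as safe.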
Apache MINA CVE-2024-52046: CVSS 10.0 Flaw Enables RCE via Unsafe Serialization
The Apache Software Foundation (ASF) has released patches to address a maximum severity vulnerability in the MINA Java network application framework that could result in remote code execution under specific conditions. Tracked as CVE-2024-52046, the vulnerability carries a CVSS score of 10.0. It affects versions 2.0.X, 2.1.X, and 2.2.X. “The ObjectSerializationDecoder in Apache MINA uses Java’s native deserialization protocol to process incoming serialized data but lacks the necessary security checks and defenses,” the project maintainers said in an advisory released on December 25, 2024. “This vulnerability allows attackers to exploit the deserialization process by sending specially crafted malicious serialized data, potentially leading to remote code execution (RCE) attacks”. However, it bears noting that the vulnerability is exploitable only if the “IoBuffer#getObject()” method is invoked in combination with certain classes such as ProtocolCodecFilter and ObjectSerializationCodecFactory. “Upgrading will not be enough: you also need to explicitly allow the classes the decoder will accept in the ObjectSerializationDecoder instance, using one of the three new methods,” Apache said.
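The advisory's key point is that the decoder accepted whatever class the incoming stream named, and that the fix is an explicit allowlist rather than just a version bump. The following is an added example, not Apache MINA code, that shows the same pattern in Python: `pickle` stands in for Java's native serialisation, and a restricted `Unpickler` whose `find_class` consults an allowlist stands in for the new `accept` methods on `ObjectSerializationDecoder`. The `ChatMessage` type, the `Gadget` payload class and the sample messages are all constructed for the demo; the gadget deliberately calls the harmless `os.getcwd` rather than `os.system`.

```python
import io
import os
import pickle
from dataclasses import dataclass


@dataclass
class ChatMessage:
    """The one message type this (hypothetical) service legitimately exchanges."""
    sender: str
    body: str


class Gadget:
    """Constructed attacker payload. When deserialised it invokes an attacker-chosen
    callable; os.getcwd is used here so the demo stays harmless, but the same
    mechanism reaches os.system, subprocess.Popen and friends."""
    def __reduce__(self):
        return (os.getcwd, ())


def unsafe_decode(data):
    """The flawed pattern from the advisory: native deserialisation with no
    restriction on which classes or callables the stream may name."""
    return pickle.loads(data)


# Explicit allowlist of (module, qualified name) pairs the decoder may resolve.
# Built from the class object so it matches however this module is imported.
ALLOWED_CLASSES = {(ChatMessage.__module__, ChatMessage.__qualname__)}


class AllowlistUnpickler(pickle.Unpickler):
    """Analogue of 'explicitly allow the classes the decoder will accept': every
    class or callable reference in the stream passes through find_class, and
    anything not allowlisted is refused before it can be instantiated or called."""
    def find_class(self, module, name):
        if (module, name) not in ALLOWED_CLASSES:
            raise pickle.UnpicklingError(f"refusing to resolve {module}.{name}")
        return super().find_class(module, name)


def safe_decode(data):
    return AllowlistUnpickler(io.BytesIO(data)).load()


def build_benign_payload():
    return pickle.dumps(ChatMessage("alice", "hello"))


def build_malicious_payload():
    # The stream references os.getcwd directly; the Gadget class itself is never
    # serialised, so an allowlist containing only ChatMessage is enough to stop it.
    return pickle.dumps(Gadget())


def decode_result(decoder, data):
    """Run a decoder and report ('ok', value) or ('rejected', reason)."""
    try:
        return ("ok", decoder(data))
    except pickle.UnpicklingError as exc:
        return ("rejected", str(exc))


def demo():
    benign, malicious = build_benign_payload(), build_malicious_payload()
    return {
        "unsafe_benign": decode_result(unsafe_decode, benign),
        # True means the attacker-chosen callable actually ran during decoding.
        "unsafe_malicious_ran_callable":
            decode_result(unsafe_decode, malicious) == ("ok", os.getcwd()),
        "safe_benign": decode_result(safe_decode, benign),
        "safe_malicious": decode_result(safe_decode, malicious)[0],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The caveat that applies equally to the Java fix: an allowlist only helps if every class on it is itself safe to deserialise, because a permitted class with a dangerous `readObject` (or `__reduce__`) is still a gadget. Where you control both ends of the wire, moving off native serialisation to a schema-based format removes the problem rather than fencing it.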
Cyber Attacks
Japan Airlines Was Hit by a Cyberattack, Delaying Flights During the Year-End Holiday Season
Japan Airlines said it was hit by a cyberattack on Thursday, causing delays to more than 20 domestic flights, but the carrier said it was able to stop the onslaught and restore its systems hours later. There was no impact on flight safety, it said. JAL said the problem started Thursday morning when the company’s network connecting internal and external systems began malfunctioning. The airline identified the cause as an attack intended to overwhelm its network with massive transmissions of data, that is, a denial-of-service attack. Such attacks flood a system or network with traffic until the target cannot respond or crashes. The attack did not involve a virus or cause any customer data leaks, JAL said. As of late morning, the cyberattack had delayed 24 domestic flights by more than 30 minutes. Experts have repeatedly raised concerns about the vulnerability of Japan’s cybersecurity, especially as the country steps up its defense capabilities and works more closely with the United States and other partners with much tighter cyber defenses. Japan has taken steps, but experts say more work is needed. JAL’s ticket sales for both domestic and international flights scheduled to depart on Thursday were suspended temporarily but resumed several hours later.
Brazilian Hacker Charged for Extorting $3.2M in Bitcoin After Breaching 300,000 Accounts
A Brazilian citizen has been charged in the United States for allegedly threatening to release data stolen by hacking into a company’s network in March 2020. Junior Barros De Oliveira, 29, of Curitiba, Brazil, has been charged with four counts of extortionate threats involving information obtained from protected computers and four counts of threatening communications, the U.S. Department of Justice (DoJ) said in an indictment unsealed earlier this week. The victim, a Brazilian subsidiary of a New Jersey-based company, had its computers breached by the defendant, who then used that access to steal confidential information on about 300,000 customers on at least three occasions. De Oliveira is alleged to have subsequently sent the company’s chief executive officer (CEO) an email in September 2020, using an alias, demanding a payment of 300 bitcoin (valued at about $3.2 million at the time) in return for not selling the data. A month later, the defendant forwarded the message to both the CEO and an executive at the Brazilian subsidiary. In one of the follow-up messages sent to a representative of the company, De Oliveira said he was “very interested in helping you guys solve this security flaw” but said it would incur a consulting fee of 75 bitcoin (about $800,000 at the time). The defendant also provided instructions on how to make the payment to a Bitcoin wallet.
In Other News...
Adobe Patches ColdFusion Flaw at High Risk of Exploitation
Adobe on Monday warned that proof-of-concept (PoC) code exists for a fresh ColdFusion vulnerability. Tracked as CVE-2024-53961 (CVSS score of 7.4), the security defect is described as a path traversal issue leading to arbitrary file system read if the ‘pmtagent’ package is installed on the ColdFusion server. “An attacker could exploit this vulnerability to access files or directories that are outside of the restricted directory set by the application. This could lead to the disclosure of sensitive information or the manipulation of system data,” a NIST advisory reads. Although the flaw has a ‘high severity’ rating based on its CVSS score, Adobe considers it critical, marking it as ‘Priority 1’ and warning that it has a high risk of being targeted in attacks. “Adobe is aware that CVE-2024-53961 has a known proof-of-concept that could cause an arbitrary file system read,” the company warns. The vulnerability affects ColdFusion 2023 update 11 and earlier and ColdFusion 2021 update 17 and earlier and was resolved with the release of ColdFusion 2023 update 12 and ColdFusion 2021 update 18. ColdFusion installations should be updated as soon as possible, and Adobe also recommends reviewing its lockdown guides for the affected versions and ensuring that the Performance Monitoring Toolset (PMT) server is up and running during the update, if PMT is in use.
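The NIST description above is the generic shape of a path traversal bug: caller-controlled input is joined onto a restricted directory and the result is trusted. The following is an added example, not Adobe's code and not a reconstruction of the ColdFusion defect, showing the flawed join beside a containment check that normalises the candidate path and confirms it still sits under the base directory. It decodes URL-encoding once before checking, which is what stops `..%2F` variants. The base directory and request paths are constructed for the demo.

```python
import posixpath
from urllib.parse import unquote


class PathTraversalError(ValueError):
    """Raised when a requested path would resolve outside the permitted directory."""


def vulnerable_resolve(base_dir, requested):
    """The flawed pattern: joins caller-controlled input onto the base directory
    and trusts the result. '..' segments and absolute paths walk straight out."""
    return posixpath.join(base_dir, requested)


def safe_resolve(base_dir, requested):
    """Lexically resolve `requested` under `base_dir` and refuse anything that
    would leave it. The normalised result is checked with commonpath rather than
    a string prefix, so '/srv/app-secrets' is not mistaken for a child of '/srv/app'.
    """
    if "\x00" in requested:
        raise PathTraversalError("NUL byte in requested path")
    if posixpath.isabs(requested):
        raise PathTraversalError("absolute paths are not accepted")
    base = posixpath.normpath(base_dir)
    candidate = posixpath.normpath(posixpath.join(base, requested))
    if posixpath.commonpath([base, candidate]) != base:
        raise PathTraversalError(f"{requested!r} escapes {base!r}")
    return candidate


def resolve_request(base_dir, raw_request_path):
    """Decode a URL-encoded request path once, then apply the containment check.
    Decoding before checking is what keeps '..%2F'-style encodings from slipping past."""
    return safe_resolve(base_dir, unquote(raw_request_path))


def check(base_dir, raw_request_path):
    """Helper for review and testing: ('ok', path) or ('rejected', reason)."""
    try:
        return ("ok", resolve_request(base_dir, raw_request_path))
    except PathTraversalError as exc:
        return ("rejected", str(exc))


if __name__ == "__main__":
    # Constructed request paths against a hypothetical log directory.
    base = "/opt/app/logs"
    for req in ("app/today.log", "app/../today.log", "../../../etc/passwd",
                "..%2F..%2F..%2Fetc%2Fpasswd", "/etc/passwd", "../logs-archive/x.log"):
        print(f"{req!r:32} -> {check(base, req)}")
```

This check is lexical only. On a real filesystem follow it with `os.path.realpath` on both the base and the candidate and repeat the `commonpath` comparison, so a symlink inside the directory cannot point the read elsewhere; on Windows, normalise backslashes to forward slashes before the check, since `posixpath` does not treat `\` as a separator.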
Windows 11 installation media bug causes security update failures
Microsoft is warning of an issue that occurs when installation media is used to install Windows 11, version 24H2, and that leaves the operating system unable to accept further security updates. The problem arises when a CD or USB flash drive is used to install Windows 11 24H2 from media that bundles the security updates released between October 8 and November 12. “When using media to install Windows 11, version 24H2, the device might remain in a state where it cannot accept further Windows security updates,” Microsoft is warning. “This occurs only when the media is created to include the October 2024, or November 2024, security updates as part of the installation,” the company explains. The bug does not affect security updates applied via Windows Update or the Microsoft Update Catalog website, and it does not occur when the latest December 2024 security update is used. Microsoft is working on a permanent fix and, in the meantime, recommends that media-based Windows 11 24H2 installations include the December 2024 security update, released on December 10, to avoid subsequent updating problems. The installation media issue adds to a long string of problems affecting 24H2, the latest major feature update for Microsoft’s operating system, which was released earlier this year to offer enhanced security, usability, and performance.