Today's cybersecurity headlines are brought to you by ThreatPerspective


Ethical Hacking News

CISA Adds Actively Exploited Fortinet and Ivanti Vulnerabilities to Its KEV Catalog



CISA has added a critical Fortinet bug and two Ivanti Cloud Services Appliance (CSA) flaws to its Known Exploited Vulnerabilities (KEV) catalog, all of them under active exploitation by malicious actors. The additions are another blow for the two security vendors, both of which have had a rough year. Organizations running the affected products should prioritize patching, apply the vendor workarounds where patching must wait, and check their appliances for signs of compromise.

  • The US Cybersecurity and Infrastructure Security Agency (CISA) has added three vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog: one in Fortinet products and two in Ivanti Cloud Services Appliance (CSA), all of which are being actively exploited.
  • CVE-2024-23113 is a critical (CVSS 9.8) format string bug in the FortiOS fgfmd daemon that also affects FortiPAM, FortiProxy and FortiWeb; a remote, unauthenticated attacker can execute code or commands by sending specially crafted packets.
  • Ivanti CSA carries an SQL injection (CVE-2024-9379, CVSS 6.5) and an OS command injection (CVE-2024-9380, CVSS 7.2) in its admin web console; attackers have chained them, together with the earlier path traversal CVE-2024-8963, against end-of-life CSA 4.6 appliances.
  • Fortinet recommends applying the patches or, as a stopgap, removing fgfm access from every interface; Ivanti advises reviewing administrative users and EDR alerts on the CSA, and rebuilding it on version 5.0.2 if compromise is suspected.



    The US Cybersecurity and Infrastructure Security Agency (CISA) has added three vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, all of which are being actively exploited by malicious actors. The latest additions are another blow to the two security vendors involved, Fortinet and Ivanti, both of which have struggled with vulnerability problems this year.

    The Fortinet vulnerability was first disclosed by the vendor in February, during what came to be known as a "week to forget" for the company. Despite carrying a critical 9.8 CVSS rating, it flew somewhat under the radar because other critical Fortinet bugs were being actively exploited at the same time. The bug, tracked as CVE-2024-23113, is an externally controlled format string (CWE-134) in the FortiOS fgfmd daemon, the service that speaks the FortiGate-to-FortiManager (FGFM) protocol. A remote, unauthenticated attacker can exploit it to execute arbitrary code or commands by sending specially crafted packets to any interface on which fgfm access is enabled.

    Affected releases include FortiOS 7.4.0 through 7.4.2, 7.2.0 through 7.2.6 and 7.0.0 through 7.0.13; all versions of FortiPAM 1.0, 1.1 and 1.2; FortiProxy 7.4.0 through 7.4.2, 7.2.0 through 7.2.8 and 7.0.0 through 7.0.15; and FortiWeb 7.4.0 through 7.4.2. Fortinet's advisory (FG-IR-24-029) lists the fixed release for each branch. Upgrading is the recommended fix, but if that cannot be done right away, Fortinet describes a workaround that can be applied as a temporary measure.

    The workaround is to remove fgfm access from every interface, that is, to re-issue "set allowaccess" under "config system interface" without the fgfm keyword on each interface where it appears. This prevents FortiManager from discovering the FortiGate, but the FortiGate can still initiate the connection to FortiManager itself. The advisory also notes that a local-in policy allowing fgfm connections only from a specific IP reduces the attack surface but does not prevent exploitation from that IP, so it should be treated as a mitigation rather than a full workaround.
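    As an added example (not Fortinet tooling), the following Python script performs the two checks an administrator would want before choosing between patch and workaround: it compares a product version against the affected ranges quoted above, and it scans a FortiOS configuration dump for interfaces whose allowaccess list still includes fgfm, emitting the CLI that removes it. The configuration text is constructed to mimic a "show system interface" export, and the ranges should be verified against FG-IR-24-029 before being relied on.

```python
"""Triage helpers for CVE-2024-23113 (format string in the FortiOS fgfmd daemon).

Added example, not Fortinet tooling. The affected ranges below are the ones the
article lists, and the configuration text is constructed to mimic a FortiOS
`show system interface` export; check both against the vendor advisory.
"""

# (product, first affected, last affected), inclusive. A last version of None
# means every release on that major.minor branch is affected.
AFFECTED = [
    ("FortiOS", "7.4.0", "7.4.2"),
    ("FortiOS", "7.2.0", "7.2.6"),
    ("FortiOS", "7.0.0", "7.0.13"),
    ("FortiPAM", "1.0.0", None),
    ("FortiPAM", "1.1.0", None),
    ("FortiPAM", "1.2.0", None),
    ("FortiProxy", "7.4.0", "7.4.2"),
    ("FortiProxy", "7.2.0", "7.2.8"),
    ("FortiProxy", "7.0.0", "7.0.15"),
    ("FortiWeb", "7.4.0", "7.4.2"),
]


def parse_version(text: str) -> tuple[int, ...]:
    """'7.0.13' -> (7, 0, 13). Compare tuples, never strings: '7.0.9' > '7.0.13' lexically."""
    return tuple(int(part) for part in text.strip().split("."))


def is_affected(product: str, version: str) -> bool:
    """True if `version` of `product` falls inside one of the affected ranges."""
    ver = parse_version(version)
    for prod, low, high in AFFECTED:
        if prod != product:
            continue
        if high is None:
            if ver[:2] == parse_version(low)[:2]:
                return True
        elif parse_version(low) <= ver <= parse_version(high):
            return True
    return False


def fgfm_exposed_interfaces(config: str) -> dict[str, list[str]]:
    """Scan the `config system interface` table of a FortiOS config dump.

    Returns {interface: allowaccess services with fgfm removed} for every
    interface whose `set allowaccess` line still lists fgfm. Nested blocks
    inside an interface (e.g. `config ipv6 ... end`) are skipped via depth
    tracking so their `end` does not terminate the scan early.
    """
    exposed: dict[str, list[str]] = {}
    in_table, depth, current = False, 0, None
    for raw in config.splitlines():
        line = raw.strip()
        if not in_table:
            in_table = line == "config system interface"
            continue
        if line.startswith("config "):
            depth += 1
        elif line == "end":
            if depth == 0:
                break                      # end of the interface table
            depth -= 1
        elif depth == 0 and line.startswith("edit "):
            current = line[5:].strip().strip('"')
        elif depth == 0 and line.startswith("set allowaccess ") and current:
            services = line.split()[2:]
            if "fgfm" in services:
                exposed[current] = [s for s in services if s != "fgfm"]
        elif line == "next":
            current = None
    return exposed


def workaround_cli(exposed: dict[str, list[str]]) -> str:
    """Render the CLI that rewrites allowaccess without fgfm on each flagged interface."""
    if not exposed:
        return ""
    lines = ["config system interface"]
    for name, services in exposed.items():
        lines.append(f'    edit "{name}"')
        lines.append("        set allowaccess " + " ".join(services) if services
                     else "        unset allowaccess")
        lines.append("    next")
    lines.append("end")
    return "\n".join(lines) + "\n"


# Constructed sample, not a real device export.
SAMPLE_CONFIG = """\
config system interface
    edit "port1"
        set vdom "root"
        set ip 203.0.113.10 255.255.255.0
        set allowaccess ping https ssh fgfm
        set type physical
    next
    edit "port2"
        set vdom "root"
        set allowaccess ping https
        config ipv6
            set ip6-allowaccess ping
        end
    next
    edit "mgmt"
        set allowaccess fgfm
    next
end
config system global
    set hostname "fgt-lab"
end
"""

if __name__ == "__main__":
    for product, version in [("FortiOS", "7.0.13"), ("FortiOS", "7.0.14"), ("FortiPAM", "1.1.2")]:
        print(f"{product} {version}: {'AFFECTED' if is_affected(product, version) else 'not affected'}")
    found = fgfm_exposed_interfaces(SAMPLE_CONFIG)
    print("fgfm still exposed on:", ", ".join(found) or "none")
    print(workaround_cli(found), end="")
```

    The version comparison is done on integer tuples because a string comparison would rank 7.0.9 above 7.0.13 and miss an affected build. The generated CLI only rewrites the allowaccess list; interfaces that needed fgfm for FortiManager discovery will lose that until the device is patched, which is the trade-off the advisory describes.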

    Ivanti's start to the year was, if anything, more tumultuous than Fortinet's. A patching mishap around multiple Connect Secure vulnerabilities led to its secure-by-design overhaul commitment in April. The vulnerabilities just added to CISA's KEV list are unrelated to those earlier issues, however: they affect Ivanti Cloud Services Appliance (CSA), the appliance that provides secure remote connections to internal resources.

    The first, CVE-2024-9379, is an SQL injection in the CSA admin web console carrying a 6.5 (medium) CVSS rating. It allows a remote, authenticated attacker with admin privileges to run arbitrary SQL statements, and it affects CSA versions before 5.0.2. That of course includes version 4.6, an end-of-life release that received its last update in September.

    The second, CVE-2024-9380, is an OS command injection bug in the same admin console with a somewhat higher 7.2 (high) rating; it likewise requires admin privileges and yields remote code execution. Ivanti has released fixes for both, but it says the two bugs are being chained together by attackers in the wild.

    Specifically, Ivanti said it was made aware that some customers running the EOL version 4.6 were being attacked using these two vulnerabilities chained with CVE-2024-8963, a 9.4 (critical) path traversal bug that lets an unauthenticated remote attacker reach restricted functionality. That bypass is what turns two admin-only bugs into an unauthenticated compromise of the appliance. The same bugs affect CSA 5.0 releases before 5.0.2, but Ivanti says it has not observed exploitation against appliances running 5.0.
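    To make the three bug classes in that chain concrete, here is an added example (not Ivanti's code, and not a reproduction of the CSA bugs) showing each pattern in its vulnerable form beside a hardened one: an authorization check that decides on the raw request path and is bypassed by traversal, a query built by string formatting, and a host parameter handed to a shell. The routes, the admin_users table and the echo-based probe command are hypothetical stand-ins; echo is used so the command injection is visible without running anything harmful.

```python
"""Vulnerable-versus-hardened sketches of the three bug classes in the
Ivanti CSA attack chain: a path-traversal authorization bypass (the role
CVE-2024-8963 plays), SQL injection (CVE-2024-9379) and OS command injection
(CVE-2024-9380).

Added example. This is not Ivanti's code and does not reproduce the CSA bugs;
the routes, the admin_users table and the echo-based probe are hypothetical.
"""
import posixpath
import re
import sqlite3
import subprocess

PUBLIC_PREFIX = "/public/"


def requires_auth_vuln(path: str) -> bool:
    """Bug: the decision is made on the raw path. '/public/../admin/users'
    looks public here, but the router or file system resolves it to the
    admin handler, so admin-only endpoints become reachable unauthenticated."""
    return not path.startswith(PUBLIC_PREFIX)


def requires_auth_fixed(path: str) -> bool:
    """Canonicalize first (collapse '.' and '..', anchored at '/'), then decide."""
    clean = posixpath.normpath("/" + path.lstrip("/"))
    return not clean.startswith(PUBLIC_PREFIX)


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the appliance's admin user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admin_users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO admin_users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "auditor"), ("svc-backup", "admin")])
    return conn


def lookup_user_vuln(conn: sqlite3.Connection, name: str) -> list:
    """Bug: user input is spliced into the statement text."""
    sql = f"SELECT name, role FROM admin_users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_user_fixed(conn: sqlite3.Connection, name: str) -> list:
    """Bound parameter: the driver keeps data and SQL separate."""
    return conn.execute("SELECT name, role FROM admin_users WHERE name = ?", (name,)).fetchall()


# Strict allow-list for a DNS name: letters, digits, dots and hyphens only.
HOSTNAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$")


def probe_vuln(host: str) -> str:
    """Bug: the host lands in a shell command line, so ';', '|', '$(...)'
    and friends run as extra commands. echo stands in for a real ping."""
    cmd = f"echo probing {host}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def probe_fixed(host: str) -> str:
    """Allow-list the value, then pass it as a single argv element with no shell."""
    if not HOSTNAME.match(host):
        raise ValueError(f"rejected host {host!r}")
    return subprocess.run(["echo", "probing", host], capture_output=True, text=True).stdout


if __name__ == "__main__":
    traversal = "/public/../admin/users"
    print("auth required (vuln/fixed):", requires_auth_vuln(traversal), requires_auth_fixed(traversal))
    db = make_db()
    payload = "x' OR '1'='1"
    print("rows returned (vuln/fixed):", len(lookup_user_vuln(db, payload)), len(lookup_user_fixed(db, payload)))
    print(probe_vuln("example.com; echo INJECTED"), end="")
    try:
        probe_fixed("example.com; echo INJECTED")
    except ValueError as exc:
        print("fixed:", exc)
```

    The order matters: once the traversal check lets an unauthenticated request into the admin routes, the "requires admin privileges" qualifier on the other two bugs no longer protects anything, which is why Ivanti's guidance concentrates on rooting out the consequences (new or modified admin accounts) rather than only on the individual CVSS scores.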

    Ivanti recommends reviewing the CSA for modified or newly added administrative users and, where an EDR agent is installed on the appliance, reviewing its alerts. If compromise is suspected, the advice is to rebuild the CSA from scratch on version 5.0.2 rather than upgrade in place.

    The addition of these vulnerabilities to CISA's KEV list is a reminder that internet-facing security appliances are prime targets and that vendor patches for them need to be applied promptly. As the threat landscape continues to evolve, organizations must stay vigilant and proactive in addressing such vulnerabilities before attackers do.



    Related Information:

  • https://go.theregister.com/feed/www.theregister.com/2024/10/10/cisa_ivanti_fortinet_vulns/

  • https://www.msn.com/en-us/news/technology/cisa-adds-fresh-ivanti-vuln-critical-fortinet-bug-to-hall-of-shame/ar-AA1s1Sjt

  • https://securityaffairs.com/169619/security/u-s-cisa-adds-ivanti-csa-and-fortinet-bugs-to-its-known-exploited-vulnerabilities-catalog.html

  • https://nvd.nist.gov/vuln/detail/CVE-2024-23113

  • https://www.cvedetails.com/cve/CVE-2024-23113/

  • https://nvd.nist.gov/vuln/detail/CVE-2024-9379

  • https://www.cvedetails.com/cve/CVE-2024-9379/

  • https://nvd.nist.gov/vuln/detail/CVE-2024-9380

  • https://www.cvedetails.com/cve/CVE-2024-9380/

  • https://nvd.nist.gov/vuln/detail/CVE-2024-8963

  • https://www.cvedetails.com/cve/CVE-2024-8963/


  • Published: Thu Oct 10 11:15:35 2024 by llama3.2 3B Q4_K_M
    © Ethical Hacking News . All rights reserved.