Beyond Information Security

VMware Issues Security Patches for ESXi, Workstation, and Fusion Flaws

VMware has released patches to address four security flaws impacting ESXi, Workstation, and Fusion, including two critical flaws that could lead to code execution.

Tracked as CVE-2024-22252 and CVE-2024-22253, the vulnerabilities have been described as use-after-free bugs in the XHCI USB controller. They carry a CVSS score of 9.3 for Workstation and Fusion, and 8.4 for ESXi systems.

“A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine’s VMX process running on the host,” the company said in a new advisory.

“On ESXi, the exploitation is contained within the VMX sandbox whereas, on Workstation and Fusion, this may lead to code execution on the machine where Workstation or Fusion is installed.”

Multiple security researchers associated with the Ant Group Light-Year Security Lab and QiAnXin have been credited with independently discovering and reporting CVE-2024-22252. Security researchers VictorV and Wei have been acknowledged for reporting CVE-2024-22253.

Source: The Hacker News / BleepingComputer / SecurityWeek / VMware security advisory

Link: https://thehackernews.com/2024/03/vmware-issues-security-patches-for-esxi.html

Link: https://www.bleepingcomputer.com/news/security/vmware-fixes-critical-sandbox-escape-flaws-in-esxi-workstation-and-fusion/

Link: https://www.securityweek.com/vmware-patches-critical-esxi-sandbox-escape-flaws/

Link: https://www.vmware.com/security/advisories/VMSA-2024-0006.html


Cisco Issues Patch for High-Severity VPN Hijacking Bug in Secure Client

Cisco has released patches to address a high-severity security flaw impacting its Secure Client software that could be exploited by a threat actor to open a VPN session with the privileges of a targeted user.

The networking equipment company described the vulnerability, tracked as CVE-2024-20337 (CVSS score: 8.2), as allowing an unauthenticated, remote attacker to conduct a carriage return line feed (CRLF) injection attack against a user.

The flaw arises from insufficient validation of user-supplied input; a threat actor could leverage it by tricking a user into clicking on a specially crafted link while establishing a VPN session.

“A successful exploit could allow the attacker to execute arbitrary script code in the browser or access sensitive, browser-based information, including a valid SAML token,” the company said in an advisory.

“The attacker could then use the token to establish a remote access VPN session with the privileges of the affected user. Individual hosts and services behind the VPN headend would still need additional credentials for successful access.”
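The Cisco bug is an instance of a generic failure: a user-controlled value reaches an HTTP header without being checked for CR/LF characters, so one value can become several header lines. The following is an added illustration of the input-validation check that prevents that class of bug; it is not Cisco's code, and the hostnames and header values it uses are constructed samples.

```python
"""Generic check for CRLF (carriage return / line feed) injection in
user-supplied values that will be placed into an HTTP response header.

Added illustration, not Cisco's code. All sample values are constructed.
"""
import re
from urllib.parse import unquote

# Literal CR/LF, plus the Unicode line separators that some header-building
# code normalises to newlines.
_LINE_BREAK = re.compile(r"[\r\n\u2028\u2029]")


def contains_crlf(value: str, decode_rounds: int = 2) -> bool:
    """Return True if value would introduce a line break into a header.

    The value is checked as given and after up to `decode_rounds` rounds of
    percent-decoding, so %0d%0a and double-encoded %250d%250a are caught as
    well as literal CR/LF.
    """
    candidate = value
    for _ in range(decode_rounds + 1):
        if _LINE_BREAK.search(candidate):
            return True
        decoded = unquote(candidate)
        if decoded == candidate:  # nothing left to decode
            break
        candidate = decoded
    return False


def build_redirect_header(target: str) -> str:
    """Build a Location header, refusing values that could split headers."""
    if contains_crlf(target):
        raise ValueError("refusing header value containing CR/LF")
    return f"Location: {target}"


def naive_redirect_header(target: str) -> str:
    """The unsafe pattern: user input interpolated into a header unchecked.
    Kept only to show what the validated builder prevents."""
    return f"Location: {target}"


# Constructed sample values (hostname is a placeholder)
GOOD = "https://vpn.example.test/login?next=%2Fhome"
BAD_RAW = "https://vpn.example.test/\r\nSet-Cookie: injected=1"
BAD_ENCODED = "https://vpn.example.test/%0d%0aSet-Cookie:%20injected=1"

if __name__ == "__main__":
    print(build_redirect_header(GOOD))
    # The naive builder turns one value into two header lines:
    print(repr(naive_redirect_header(BAD_RAW)))
    for bad in (BAD_RAW, BAD_ENCODED):
        try:
            build_redirect_header(bad)
        except ValueError as exc:
            print("rejected:", exc)
```

The check runs on the decoded form as well as the raw string because the failure typically appears only after a framework or browser has percent-decoded the value; validating only the raw string is the "insufficient validation" the advisory describes.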

Source: The Hacker News / Dark Reading

Link: https://thehackernews.com/2024/03/cisco-issues-patch-for-high-severity.html

Link: https://www.securityweek.com/cisco-patches-high-severity-vulnerabilities-in-vpn-product/


Urgent: Apple Issues Critical Updates for Actively Exploited Zero-Day Flaws

Apple has released security updates to address several security flaws, including two vulnerabilities that it said have been actively exploited in the wild.

The shortcomings are listed below –

  • CVE-2024-23225 – A memory corruption issue in Kernel that an attacker with arbitrary kernel read and write capability can exploit to bypass kernel memory protections
  • CVE-2024-23296 – A memory corruption issue in the RTKit real-time operating system (RTOS) that an attacker with arbitrary kernel read and write capability can exploit to bypass kernel memory protections

It’s currently not clear how the flaws are being weaponized in the wild. Apple said both the vulnerabilities were addressed with improved validation in iOS 17.4, iPadOS 17.4, iOS 16.7.6, and iPadOS 16.7.6.

Source: The Hacker News / BleepingComputer / Dark Reading / SANS Internet Storm Center

Link: https://thehackernews.com/2024/03/urgent-apple-issues-critical-updates.html

Link: https://www.bleepingcomputer.com/news/apple/apple-fixes-two-new-ios-zero-days-exploited-in-attacks-on-iphones/

Link: https://www.securityweek.com/apple-blunts-zero-day-attacks-with-ios-17-4-update

Link: https://isc.sans.edu/diary/MacOS%20Patches%20%28and%20Safari%2C%20TVOS%2C%20VisionOS%2C%20WatchOS%29/30726


Critical Fortinet flaw may impact 150,000 exposed devices

Scans of the public web show that approximately 150,000 Fortinet FortiOS and FortiProxy secure web gateway systems are vulnerable to CVE-2024-21762, a critical security issue that allows unauthenticated remote code execution.

CISA, America's Cyber Defense Agency, confirmed last month that attackers are actively exploiting the flaw when it added the bug to its Known Exploited Vulnerabilities (KEV) catalog.

Almost a month after Fortinet addressed CVE-2024-21762, The Shadowserver Foundation announced on Thursday that it found nearly 150,000 vulnerable devices.

Shadowserver's Piotr Kijewski told BleepingComputer that their scans check for vulnerable versions, so the number of affected devices may be lower if admins applied mitigations instead of upgrading.

A remote attacker could exploit CVE-2024-21762 (CVSS score of 9.8 per NIST) by sending specially crafted HTTP requests to vulnerable machines.

According to Shadowserver data, most vulnerable devices, more than 24,000, are in the United States, followed by India, Brazil, and Canada.

Source: BleepingComputer

Link: https://www.bleepingcomputer.com/news/security/critical-fortinet-flaw-may-impact-150-000-exposed-devices/


The Week in Ransomware – March 8th 2024 – Waiting for the BlackCat rebrand

We saw another ransomware operation shut down this week after first getting breached by law enforcement and then targeting critical infrastructure, putting them further in the spotlight of the US government.

What makes this strange is that this seems to be a common routine for the DarkSide, I mean BlackCat/ALPHV, ransomware operation which tends to hit critical infrastructure, and then realize it was a big mistake.

As it was, they were already being targeted by an international law enforcement operation, allowing the FBI to hack the gang’s servers for months while collecting data, decryptors, and ultimately, seizing the domain of the data leak site. While the Tor onion domain seizure was a game of tug of war between the FBI and BlackCat, instead of shutting down, the ransomware gang decided to continue operating and vowed to target US critical infrastructure in revenge.

Approximately two months later, one of their affiliates attacked UnitedHealth Group’s Change Healthcare, a technology solutions company used by many pharmacies, doctor’s offices, and hospitals for billing claims for healthcare and prescriptions.

This attack led to severe disruption in the US healthcare system, preventing pharmacies from accepting insurance and discount cards and, in some cases, causing patients to pay full price for medicine.

Source: BleepingComputer

Link: https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-march-8th-2024-waiting-for-the-blackcat-rebrand/