Threat Newsletter Week 5 | SpecOps Solution

CISA Warns of Active Exploitation Apple iOS and macOS Vulnerability

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added a high-severity flaw impacting iOS, iPadOS, macOS, tvOS, and watchOS to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.

The vulnerability, tracked as CVE-2022-48618 (CVSS score: 7.8), concerns a bug in the kernel component.

“An attacker with arbitrary read and write capability may be able to bypass Pointer Authentication,” Apple said in an advisory, adding the issue “may have been exploited against versions of iOS released before iOS 15.7.1.” The iPhone maker said the problem was addressed with improved checks. It’s currently not known how the vulnerability is being weaponized in real-world attacks.

Source: The hacker news / Bleeping computer

Link: https://thehackernews.com/2024/02/cisa-warns-of-active-exploitation-of.html

Link: https://www.bleepingcomputer.com/news/security/cisa-warns-of-patched-iphone-kernel-bug-now-exploited-in-attacks/

Alert: Ivanti Discloses 2 New Zero-Day Flaws, One Under Active Exploitation

Ivanti is alerting of two new high-severity flaws in its Connect Secure and Policy Secure products, one of which is said to have come under targeted exploitation in the wild.

The list of vulnerabilities is as follows –

CVE-2024-21888 (CVSS score: 8.8) – A privilege escalation vulnerability in the web component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows a user to elevate privileges to that of an administrator
CVE-2024-21893 (CVSS score: 8.2) – A server-side request forgery vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x), Ivanti Policy Secure (9.x, 22.x) and Ivanti Neurons for ZTA allows an attacker to access certain restricted resources without authentication

The Utah-based software company said it found no evidence of customers being impacted by CVE-2024-21888 so far, but acknowledged “the exploitation of CVE-2024-21893 appears to be targeted” and that it’s “aware of a limited number of customers impacted” by the issue.

Source: The hacker news / Bleeping computer / Dark reading / Securityweek / Infosecurity magazine / CISA gov emergency directive / Ivanti forum

Link: https://thehackernews.com/2024/01/alert-ivanti-discloses-2-new-zero-day.html

Link: https://www.bleepingcomputer.com/news/security/ivanti-warns-of-new-connect-secure-zero-day-exploited-in-attacks/

Link: https://www.darkreading.com/vulnerabilities-threats/cisa-orders-disconnecting-ivanti-vpn-appliances-what-to-do

Link: https://www.darkreading.com/endpoint-security/more-ivanti-vpn-zero-day-bugs-attack-frenzy-patches-rolling

Link: https://www.securityweek.com/cisa-sets-48-hour-deadline-for-removal-of-insecure-ivanti-products/

Link: https://www.infosecurity-magazine.com/news/ivanti-zeroday-patches-two-new-bugs/

Link: https://www.cisa.gov/news-events/directives/supplemental-direction-v1-ed-24-01-mitigate-ivanti-connect-secure-and-ivanti-policy-secure

Link: https://forums.ivanti.com/s/article/CVE-2024-21888-Privilege-Escalation-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure?language=en_US

URGENT: Upgrade GitLab – Critical Workspace Creation Flaw Allows File Overwrite

GitLab once again released fixes to address a critical security flaw in its Community Edition (CE) and Enterprise Edition (EE) that could be exploited to write arbitrary files while creating a workspace.

Tracked as CVE-2024-0402, the vulnerability has a CVSS score of 9.9 out of a maximum of 10.

“An issue has been discovered in GitLab CE/EE affecting all versions from 16.0 prior to 16.5.8, 16.6 prior to 16.6.6, 16.7 prior to 16.7.4, and 16.8 prior to 16.8.1 which allows an authenticated user to write files to arbitrary locations on the GitLab server while creating a workspace,” GitLab said in an advisory released on January 25, 2024.

Source: The hacker news

Link: https://thehackernews.com/2024/01/urgent-upgrade-gitlab-critical.html

Juniper Networks Releases Urgent Junos OS Updates for High-Severity Flaws

Juniper Networks has released out-of-band updates to address high-severity flaws in SRX Series and EX Series that could be exploited by a threat actor to take control of susceptible systems.

The vulnerabilities, tracked as CVE-2024-21619 and CVE-2024-21620, are rooted in the J-Web component and impact all versions of Junos OS. Two other shortcomings, CVE-2023-36846 and CVE-2023-36851, were previously disclosed by the company in August 2023.

CVE-2024-21619 (CVSS score: 5.3) – A missing authentication vulnerability that could lead to exposure of sensitive configuration information
CVE-2024-21620 (CVSS score: 8.8) – A cross-site scripting (XSS) vulnerability that could lead to the execution of arbitrary commands with the target’s permissions by means of a specially crafted request

Cybersecurity firm watchTowr Labs has been credited with discovering and reporting the issues. The two vulnerabilities have been addressed in the following versions –

CVE-2024-21619 – 20.4R3-S9, 21.2R3-S7, 21.3R3-S5, 21.4R3-S6, 22.1R3-S5, 22.2R3-S3, 22.3R3-S2, 22.4R3, 23.2R1-S2, 23.2R2, 23.4R1, and all subsequent releases
CVE-2024-21620 – 20.4R3-S10, 21.2R3-S8, 21.4R3-S6, 22.1R3-S5, 22.2R3-S3, 22.3R3-S2, 22.4R3-S1, 23.2R2, 23.4R2, and all subsequent releases

As temporary mitigations until the fixes are deployed, the company is recommending that users disable J-Web or restrict access to only trusted hosts.

Source: The hacker news / Securityweek / Juniper supportportal / The register

Link: https://thehackernews.com/2024/01/juniper-networks-releases-urgent-junos.html

Link: https://www.securityweek.com/juniper-networks-patches-vulnerabilities-in-switches-firewalls/

Link: https://supportportal.juniper.net/s/article/2024-01-Out-of-Cycle-Security-Bulletin-Junos-OS-SRX-Series-and-EX-Series-Multiple-vulnerabilities-in-J-Web-have-been-addressed?language=en_US

Link: https://www.theregister.com/2024/01/30/juniper_networks_vulnerabilities/