IONIX THREAT CENTER

A critical Authentication Bypass vulnerability has been identified in FortiOS and FortiProxy, allowing remote attackers to gain super-admin privileges via crafted requests to the Node.js WebSocket module. Affected versions include FortiOS 7.0.0 through 7.0.16, FortiProxy 7.0.0 through 7.0.19, and FortiProxy 7.2.0 through 7.2.12. Reports indicate that this vulnerability is being actively exploited in the wild.
Indicators of compromise include the creation of suspicious new admin users with six-character random strings (e.g., Gujhmk, Ypda8a). Additionally, attackers have been observed using the following IPs: 45.55.158.47, 87.249.138.47, 155.133.4.175, 37.19.196.65, and 149.22.94.37.
The IONIX research team is actively monitoring the situation and will provide updates if a public exploit becomes available. Meanwhile, the list of potentially impacted assets can be found in this post. For detailed guidance, refer to Fortinet’s Upgrade Tool and follow the provided workaround instructions.

• CVE-2024-55591 at Nist
• Fortiguard Advisory
• Fortinet's Upgrade Tool

A critical vulnerability, CVE-2024-50603, has been identified in Aviatrix Controller versions prior to 7.1.4191 and 7.2.x versions prior to 7.2.4996. This vulnerability stems from the improper neutralization of special elements used in OS commands, allowing an unauthenticated attacker to execute arbitrary code. Exploitation is possible by sending shell metacharacters to the /v1/api endpoint in the cloud_type parameter for list_flightpath_destination_instances or the src_cloud_type parameter for flightpath_connection_test. The IONIX research team developed and tested an exploit simulation on relevant assets to verify the vulnerability’s impact and assess potential exposure. The findings are detailed in this post

• Vendor release notices
• NIST NVD Entry

In Cleo Harmony before 5.8.0.24, VLTrader before 5.8.0.24, and LexiCom before 5.8.0.24, an unauthenticated user can import and execute arbitrary Bash or PowerShell commands on the host system by leveraging the default settings of the Autorun directory.

• Vendor advisory
• NIST NVD Entry

The Mitel Collab Arbitrary File Read Vulnerability, combining CVE-2024-41713 and another yet-to-be-assigned issue, allows unauthenticated attackers to remotely and easily exploit the system to read arbitrary files from the underlying file system of a Mitel Collab server. By sending specially crafted requests, attackers can bypass access controls and retrieve sensitive files due to improper input validation and directory traversal flaws. To mitigate this vulnerability, follow the vendor advisory for CVE-2024-41713, ensuring the application properly validates and sanitizes user input to prevent directory traversal attacks.

• Mitel MiCollab zero-day flaw gets proof-of-concept exploit
• Mitel MiCollab zero-day and PoC exploit unveiled
• Mitel Product Security Advisory for CVE-2024-41713

An authentication bypass in Palo Alto Networks PAN-OS software enables an unauthenticated attacker with network access to the management web interface to gain PAN-OS administrator privileges to perform administrative actions, tamper with the configuration, or exploit other authenticated privilege escalation vulnerabilities. The risk of this issue is greatly reduced if you secure access to the management web interface by restricting access to only trusted internal IP addresses according to our recommended best practice deployment guidelines (see references) This issue is applicable only to PAN-OS 10.2, PAN-OS 11.0, PAN-OS 11.1, and PAN-OS 11.2 software. Cloud NGFW and Prisma Access are not impacted by this vulnerability.

• CVE-2024-0012 at NIST
• Vendor advisory
• Vendor best practice
• CVE-2024-0012 at CISA

The Really Simple Security (Free, Pro, and Pro Multisite) plugin for WordPress is vulnerable to authentication bypass in versions 9.0.0 to 9.1.1.1 when the “Two-Factor Authentication” setting is enabled.
This is due to improper user check error handling in the two-factor REST API actions with the ‘check_login_and_get_user’ function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator.

• CVE-2024-10924 at NIST
• Security plugin flaw in millions of WordPress sites gives admin access

Path Traversal in the Ivanti CSA before 4.6 Patch 519 allows a remote unauthenticated attacker to access restricted functionality.

The vulnerability is extremely easy to exploit and is marked by CISA as exploitable.

• Vendor advisory
• CISA: Ivanti Releases Admin Bypass Security Update for Cloud Services Appliance

CyberPanel is a free and open-source control panel for Linux servers, designed to simplify web hosting and server management tasks.
A recent vulnerability was discovered in CyberPanel, allowing an easy remote code execution on the affected machines.

The vulnerability is known to be exploited in the wild and an exploit is publicly available.

We recommend to upgrade to the latest version available and follow the referenced vendor’s advisory (Github patch is referenced).

• Details and fix of recent security issue and patch of CyberPanel
• What Are My OPTIONS? CyberPanel v2.3.6 pre-auth RCE
• Github patch

A missing authentication for critical function in FortiManager 7.6.0, FortiManager 7.4.0 through 7.4.4, FortiManager 7.2.0 through 7.2.7, FortiManager 7.0.0 through 7.0.12, FortiManager 6.4.0 through 6.4.14, FortiManager 6.2.0 through 6.2.12, Fortinet FortiManager Cloud 7.4.1 through 7.4.4, FortiManager Cloud 7.2.1 through 7.2.7, FortiManager Cloud 7.0.1 through 7.0.13, FortiManager Cloud 6.4.1 through 6.4.7 allows attacker to execute arbitrary code or commands via specially crafted requests.

Cisa marked this vulnerability as exploited.

• Investigating FortiManager Zero-Day Exploitation (CVE-2024-47575)
• CISA Adds One Known Exploited Vulnerability to Catalog

A use of externally-controlled format string in Fortinet FortiOS versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.6, 7.0.0 through 7.0.13, FortiProxy versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.8, 7.0.0 through 7.0.14, FortiPAM versions 1.2.0, 1.1.0 through 1.1.2, 1.0.0 through 1.0.3, FortiSwitchManager versions 7.2.0 through 7.2.3, 7.0.0 through 7.0.3 allows attacker to execute unauthorized code or commands via specially crafted packets.

CISA marked this vulnerability as known exploited.

As of now, IONIX marked assets as potentially affected, if they are known to be running FortiOS, or a technology that implies FortiOS with high probability.

• Vendor advisory: Format String Bug in fgfmd
• CISA Adds Three Known Exploited Vulnerabilities to Catalog
• CISA says critical Fortinet RCE flaw now exploited in attacks

CUPS (Common UNIX Printing System) is a standards-based, open-source printing system. Recent several vulnerabilities (CVE-2024-47076, CVE-2024-47175, CVE-2024-47176, CVE-2024-47177) were discovered and are potentially allowing hackers to remotely run code on machines that expose the service over UDP (usually, on port 631).

It is recommended to block ports for UDP. It is a good practice to avoid open IPP services also over UDP.

As checking for affected UDP open services triggers a connection from the vulnerable machine to the attacking system, and relying on the fact that most of the detected vulnerable systems over UDP had open IPP service over TCP on the same port, IONIX marks assets as potentially affected based on services with open IPP ports (TCP). Notice, that having IPP service publicly open is also not a good practice, and we recommend to close it as well.

• Critical Linux CUPS Printing System Flaws Could Allow Remote Command Execution
• CUPS flaws enable Linux remote code execution but there’s a catch
• Critical CUPS Vulnerabilities Expose Linux and Other Systems to Remote Attacks

The Windows version of WebIQ 2.15.9 is affected by a directory traversal vulnerability that allows remote attackers to read any file on the system.

• Nist – CVE-2024-8752

An unauthenticated attacker can leverage a time-based SQL injection vulnerability in VICIdial to enumerate database records.

• CVE-2024-8503 at NIST

A deserialization of untrusted data vulnerability with a malicious payload can allow an unauthenticated remote code execution (RCE).

• CVE-2024-40711 at NIST
• Veeam Security Bulletin September 2024

In WhatsUp Gold versions released before 2024.0.0, a SQL Injection vulnerability allows an unauthenticated attacker to retrieve the users encrypted password.

• CVE-2024-6670 at NIST
• WhatsUp Gold Security Bulletin August 2024

• CVE-2024-7593 at NIST
• Security Advisory for CVE-2024-7593
• Exploited: Ivanti Virtual Traffic Manager (VTM) (CVE-2024-7593)

The PayPlus Payment Gateway WordPress plugin before 6.6.9 does not properly sanitise and escape a parameter before using it in a SQL statement via a WooCommerce API route available to unauthenticated users, leading to an SQL injection vulnerability.

• CVE-2024-6205 at NIST

GeoServer is an open source server that allows users to share and edit geospatial data. Prior to versions 2.23.6, 2.24.4, and 2.25.2, multiple OGC request parameters allow Remote Code Execution (RCE) by unauthenticated users through specially crafted input against a default GeoServer installation due to unsafely evaluating property names as XPath expressions. The GeoTools library API that GeoServer calls evaluates property/attribute names for feature types in a way that unsafely passes them to the commons-jxpath library which can execute arbitrary code when evaluating XPath expressions.

• National Vulnerability Database: CVE-2024-36401

ServiceNow has addressed an input validation vulnerability that was identified in the Washington DC, Vancouver, and earlier Now Platform releases. This vulnerability could enable an unauthenticated user to remotely execute code within the context of the Now Platform. The vulnerability is addressed in the listed patches and hot fixes below, which were released during the June 2024 patching cycle. If you have not done so already, we recommend applying security patches relevant to your instance as soon as possible.

• National Vulnerability Database: CVE-2024-5217
• Servicenow support

• Bleeping Computer – Polyfill.io JavaScript supply chain attack impacts over 100K sites
• Sansec Threat Report on Polyfill.io
• NIST CVE-2024-3526
• CVE – 2024-38526 – Polyfill Supply Chain Attack For Malicious Code Execution

Adobe Commerce (MAGENTO) versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8 and earlier are affected by an Improper Restriction of XML External Entity Reference (‘XXE’) vulnerability that could result in arbitrary code execution. An attacker could exploit this vulnerability by sending a crafted XML document that references external entities. Exploitation of this issue does not require user interaction.

• Nist – CVE-2024-34102
• Adobe Security Bulletin

CVE-2024-4577 critical remote code execution vulnerability in the PHP programming language could potentially allow unauthenticated attackers to take full control of affected PHP servers.

The vulnerability arises from an oversight in the Best-Fit feature of encoding conversion within the Windows operating system during PHP implementation. This oversight allows attackers to bypass protections for a previous vulnerability, CVE-2012-1823, using specific character sequences. Consequently, arbitrary code can be executed on remote PHP servers via an argument injection attack, enabling unauthorized access and control.

• PHP security release on 06 Jun 2024

The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and ‘sid’ parameters in versions up to, and including, 2.7.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

• CVE-2024-3495 at NIST
• Cyber Security Agency of Singapore – Critical Vulnerabilities in WordPress Plugins

CISA has added CVE-2023-7028 vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.

CVE-2023-7028 GitLab Community and Enterprise Editions Improper Access Control Vulnerability

• CISA Security Update

This vulnerability in the Automatic Plugin for WordPress, allows a SQL injection (SQLi) flaw and poses a severe threat as attackers can exploit it to gain unauthorized access to websites, create admin‑level user accounts, upload malicious files, and potentially take full control of affected sites.
This vulnerability is being used to perform unauthorized database queries and create new admin accounts on susceptible WordPress sites
It impacts all versions of the plugin prior to 3.92.0. The issue has been resolved in version 3.92.1 released on February 27, 2024, although the release notes make no mention of it.

• CVE-2024-27956 at NIST

An OS Command Injection vulnerability in PAN GlobalProtect is being exploited in the wild. IONIX is now running a full exploit simulation for this vulnerability to better detect vulnerability devices.

PAN versions PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 impacted. loud NGFW, Panorama appliances, and Prisma Access are not impacted by this vulnerability. All other versions of PAN-OS are also not impacted.

PAN is in the process of releasing hotfixes to update the affected versions. At this time not all versions have a hotfix available. You should check with PAN to see if a hotfix is available.

Additionally, PAN customers with a Threat Prevention subscription can protect themselves enabling Threat ID 95187.

In earlier versions of this advisory, disabling device telemetry was listed as a secondary mitigation action. Disabling device telemetry is no longer an effective mitigation.

• CVE-2024-3400 PAN-OS: OS Command Injection Vulnerability in GlobalProtect Gateway
• Palo Alto Networks firewalls under attack – hotfixes incoming! (CVE-2024-3400)

The LayerSlider plugin for WordPress is vulnerable to SQL Injection via the ls_get_popup_markup action in versions 7.9.11 and 7.10.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Exploits are available online and attempts to exploit the vulnerability were detected.

• Critical Security Flaw Found in Popular LayerSlider WordPress Plugin
• CVE-2024-2879 at NIST

Automatic, a WordPress plugin, in versions <= 3.92.0 is vulnerable to Unauthenticated Arbitrary File Download and Server-Side Request Forgery attacks. The security issue is easy to exploit and it is reported to be exploited in the wild.

Critical authentication bypass vulnerability in JetBrains TeamCity before 2023.11.4 allows to perform admin actions.
CISA recognized this vulnerability as exploited.

• CISA Adds One Known Exploited JetBrains Vulnerability CVE-2024-27198 to Catalog
• Recent TeamCity Vulnerability Exploited in Ransomware Attacks

According to Fortinet, the Fortinet FortiOS vulnerability (affecting also Fortinet VPN) CVE-2024-21762 allows attackers to execute unauthorized code or commands via specifically crafted requests and is potentially exploited in the wild.
CISA marked the vulnerability as exploited.

While a full exploit simulation is not available, the IONIX research team used a deeper version analysis to distinguish between patched versions and older, vulnerable ones.
The analysis leverages a change that was done in the patched version that blocks “chunk-encoded” malformed requests. Our testing tool sends multiple test requests to see that the assets are live and then sends a badly formed “chunk-encoded” probe that is expected to time out only on vulnerable versions.

• Critical Fortinet FortiOS flaw exploited in the wild (CVE-2024-21762)
• Fortinet: FortiOS/FortiProxy – Out-of-bound Write in sslvpnd
• CISA: Fortinet Releases Security Advisories for FortiOS

The Ultimate Member plugin for WordPress is vulnerable to SQL Injection via the ‘sorting’ parameter in versions 2.1.3 to 2.8.2 due to insufficient escaping on the user-supplied parameter and lack of sufficient preparation on the existing SQL query.
This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

• WordPress Plugin Alert – Critical SQLi Vulnerability Threatens 200K+ Websites

The ‘HTML5 Video Player’ WordPress Plugin, version < 2.5.25 is affected by an unauthenticated SQL injection vulnerability in the 'id' parameter in the 'get_view' function.

Jenkins 2.441 and earlier, LTS 2.426.2 and earlier does not disable a feature of its CLI command parser that replaces an ‘@’ character followed by a file path in an argument with the file’s contents, allowing unauthenticated attackers to read arbitrary files on the Jenkins controller file system.
This leads to information leakage and potentially to remote code execution on the server.

• Jenkins Security Advisory 2024-01-24

Authentication bypass in Fortra’s GoAnywhere MFT prior to 7.4.1 allows an unauthorized user to create an admin user via the administration portal.

• PoC for easily exploitable Fortra GoAnywhere MFT vulnerability released (CVE-2024-0204)

An issue has been discovered in GitLab CE/EE, in which user account password reset emails could be delivered to an unverified email address resulting in Account Takeover via Password Reset without user interactions.
It is strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.

A vulnerability classified as critical was found in Likeshop up to 2.5.7.20210311. This vulnerability affects the function FileServer::userFormImage of the file server/application/api/controller/File.php of the component HTTP POST Request Handler.
The manipulation of the argument file leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

• CVE-2024-0352 in NIST