The past week and the long weekend have had plenty of vulnerabilities to keep your IT and security teams busy. Both SonicWall and Juniper Networks have seen vulnerabilities that allow remote code execution and denial-of service attacks.<\/p>\n\n\n\n
Keep an eye out for security announcements from your firewall vendors; it’s possible additional similar vulnerabilities will come to light. Continue to monitor all of your software for potential malicious behavior, but this week, monitor network appliances in particular.<\/p>\n\n\n\n
Type of vulnerability:<\/strong> Cross-site scripting flaw in Popup Builder that allows a malware injection.<\/p>\n\n\n\n The problem:<\/strong> WordPress plugin Popup Builder is vulnerable to exploitation through a flaw that allows attackers to perform administrator-level actions like installing new rogue plugins or creating new admin accounts. Researcher Marc Montpas from WPScan discovered and reported this vulnerability<\/a> to the creators of the plugin.<\/p>\n\n\n\n Security provider Sucuri has researched the malware<\/a> Balada Injector that takes advantage of this vulnerability and found that it’s compromised over 6,000 sites that have an old version of Popup Builder installed.<\/p>\n\n\n\n The fix:<\/strong> Popup Builder released version 4.2.3 with a patch for the vulnerability, but older versions are still being exploited. Update your instance of Popup Builder to 4.2.3 if you haven’t already. An existing injection can also be removed in the Custom JS or CSS section of Popup Builder; Sucuri offers instructions for doing this.<\/p>\n\n\n\n Type of vulnerability:<\/strong> Remote code execution and denial-of-service attacks.<\/p>\n\n\n\n The problem:<\/strong> Juniper Networks released a bulletin<\/a> about a remote code execution vulnerability in its SRX firewalls and EX switches. The issue is an out-of-bounds write vulnerability, according to Juniper. When exploited, it allows an unauthenticated attacker to execute remote code and a denial-of-service attack. The attacker would also obtain root privileges on the compromised firewall appliance.<\/p>\n\n\n\n This vulnerability is tracked as CVE-2024-21591<\/a>. Affected versions include:<\/p>\n\n\n\n The fix:<\/strong> Juniper Networks has the following Junos OS versions that fix the vulnerability:<\/p>\n\n\n\n Type of attack:<\/strong> Zero-day vulnerability potentially leading to authentication bypass and command injection.<\/p>\n\n\n\n The problem:<\/strong> Ivanti announced two vulnerabilities that affect Ivanti Connect Secure VPN and Ivanti Policy Secure products. Potential results of the exploits include authentication bypass and command injection. Versions 9.x and 22.x of both products are affected.<\/p>\n\n\n\n Security researchers from Mandiant discovered<\/a> the vulnerability and identified active exploits of it, perpetrated by a threat actor that Mandiant is tracking as UNC5221. This threat actor has deployed at least five malware families using the Ivanti products.<\/p>\n\n\n\n The fix:<\/strong> Ivanti is currently developing patches for the vulnerabilities. In the meantime, they’ve offered a mitigation strategy: Users can import the file mitigation.release.20240107.1.xml<\/strong> through the download portal. Follow this page<\/a> for updates on patches.<\/p>\n\n\n\n Type of attack:<\/strong> Privilege escalation attack<\/a>.<\/p>\n\n\n\n The problem:<\/strong> The United States Cybersecurity and Infrastructure Security Agency (CISA) has announced a vulnerability<\/a> in Microsoft SharePoint that allows a threat actor to escalate their privileges on the network. Microsoft provided patches for the vulnerability last year, but it’s still being exploited, according to the CISA.<\/p>\n\n\n\n The vulnerability can be tracked as CVE-2023-29357<\/a>.<\/p>\n\n\n\n The fix:<\/strong> Look at Microsoft’s Patch Tuesday update from last June<\/a> to find patch information for the SharePoint vulnerability.<\/p>\n\n\n\n Type of vulnerability:<\/strong> Malicious commands sent from an attacker to the thermostat, including potentially replacing firmware with rogue code.<\/p>\n\n\n\n The problem:<\/strong> Technology company Bosch has a thermostat, the BCC100, that’s vulnerable to firmware replacement<\/a> from a threat actor. Bitdefender discovered this vulnerability and first reported it to Bosch in August 2023. The report didn’t become publicly available until January 11.<\/p>\n\n\n\n The microcontroller of the thermostat is unable to distinguish between legitimate messages from the cloud server and falsified messages from TCP port 8899 on the local area network. According to Bitdefender, the thermostat does not validate the authenticity of a new firmware update.<\/p>\n\n\n\n The danger of compromised IoT devices is that threat actors could move laterally from a compromised thermostat onto a business’s computer systems if the thermostat resides in the same office as the network.<\/p>\n\n\n\n The fix:<\/strong> Bitdefender offers a smart home scanner app to locate vulnerable IoT devices. While it’s designed for home use, your business can use it to search for vulnerabilities in your office smart devices. If you have the BCC100 installed, either replace it or segment it on its own network.<\/p>\n\n\n\n Type of vulnerability:<\/strong> Possible denial-of-service attack and remote code execution by an unauthenticated attacker.<\/p>\n\n\n\n The problem:<\/strong> SonicWall’s series 6 and 7 next-gen firewalls are susceptible to vulnerabilities that can result in denial of service attacks and remote code execution. According to researchers at Bishop Fox<\/a>, they scanned firewalls with management consoles that are exposed to the internet and learned that 76% of the firewalls were vulnerable to at least one flaw. <\/p>\n\n\n\n CVE-2022-22274<\/a> is a stack-based buffer overflow vulnerability in SonicOS, the firewall’s operating system. When exploited, it can allow a threat actor to launch a denial-of-service attack and potentially also execute remote code. CVE-2023-0656<\/a> is the same vulnerability at its root, but it was announced a year later. The code occurs in a different place and was discovered at a different time, so it’s considered a separate vulnerability.<\/p>\n\n\n\nJuniper Networks SRX & EX Series Compromised <\/h3>\n\n\n\n
\n
\n
Ivanti Zero-Days Leave the Door Open for Command Injection <\/h3>\n\n\n\n
Privilege Escalation Vulnerability Affects Microsoft SharePoint <\/h3>\n\n\n\n
January 11, 2024<\/h2>\n\n\n\n
Smart Thermostat from Bosch Puts Offices in Danger<\/h3>\n\n\n\n
January 15, 2024<\/h2>\n\n\n\n
Hundreds of Thousands of SonicWall Firewalls Could Be Exploited <\/h3>\n\n\n\n