Microsoft, as usual, led the pack in quantity for Patch Tuesday this March with fixes for nearly 59 vulnerabilities including two critical flaws. Patching teams may be busy with this anticipated work, but be sure to also address the off-schedule critical vulnerabilities that affect Fortinet, QNAP, Kubernetes, and WordPress plug-ins.<\/p>\n\n\n\n
Type of vulnerability:<\/strong> Arbitrary code execution (ACE).<\/p>\n\n\n\n The problem:<\/strong> The FortiOS SSL VPN feature vulnerability, CVE-2024-21762, disclosed February 8th<\/a>, remains exposed to attack on nearly 150,000 devices according to the ShadowServer Foundation website<\/a>.\u00a0So far research sites, such as the GreyNoise exploit tracking site<\/a>, don\u2019t yet see active exploitation trends. CISA added the vulnerability to the known exploited vulnerabilities<\/a> catalog over a month ago.\u00a0<\/p>\n\n\n\n The fix:<\/strong> Fortinet advised users to disable SSL VPN until their FortiOS and FortiProxy deployments can be upgraded<\/a>.<\/p>\n\n\n\n Type of vulnerability:<\/strong> Improper authentication, injection vulnerability, SQL injection (SQLi).<\/p>\n\n\n\n The problem:<\/strong> QNAP disclosed three vulnerabilities<\/a> affecting several products: QTS, QuTS hero, QuTScloud, and myQNAPcloud. The critical vulnerability, CVE-2024-21899 with a CVSS score of 9.8, can allow remote and unauthorized users to compromise the network. The other two vulnerabilities, CVE-2024-21900 and CVE-2024-21901, only merit medium ratings because they require authentication.<\/p>\n\n\n\n Ransomware gangs, notably Deadbolt, Checkmate, and Qlocker, actively targeted QNAP vulnerabilities in the past. With the disclosure of this vulnerability, they likely will develop new exploits so patching teams should move quickly. Not all patch management services<\/a> and tools<\/a> extend to non-standard equipment such as QNAP network accessible storage (NAS) devices to be sure to verify patching of this vulnerability specifically.<\/p>\n\n\n\n The fix:<\/strong> QNAP issued fixed versions of all products and recommended prompt upgrade. QTS, TuTS, and QuTScloud may be updated from the control panel, but the myQNAPcloud requires administrators to log in as administrator and search for myQNAPcloud in the App Center.<\/p>\n\n\n\n Type of vulnerability:<\/strong> Privilege escalation<\/p>\n\n\n\n The problem:<\/strong> RegistrationMagic, a WordPress plug-in that helps build custom registration forms, enable user registration, process payments, and provide user login misses a capability check that permits attackers with at least subscriber-level access to gain admin privileges. A bug bounty participant revealed the flaw<\/a> during a Wordfence Bug Bounty Program Extravaganza last month.<\/p>\n\n\n\n The fix:<\/strong> Update to version 5.3.1.0 of RegistrationMagic plug-in promptly.<\/p>\n\n\n\n Type of vulnerability:<\/strong> 24 elevation of privilege, 18 remote code execution (RCE), six information disclosure, six denial of service (DoS), three security feature bypass, and two spoofing vulnerabilities.<\/p>\n\n\n\n The problem:<\/strong> Microsoft patched 59 vulnerabilities including two critical and 57 important vulnerabilities. The release did not disclose any zero day vulnerabilities or active exploitations.<\/p>\n\n\n\n The two critical vulnerabilities affect Windows Hyper-V. CVE-2024-21407<\/a>, a remote code execution vulnerability, and CVE-2024-21408<\/a>, a denial of service vulnerability could allow an attacker to take full control or crash the Hyper-V service, respectively. Other notable patched vulnerabilities, all rated important, include:<\/p>\n\n\n\n The fix:<\/strong> Proceed with patching affected Microsoft products. Note that many admins find<\/a> that the cumulative update, KB5035849, will not properly install on Windows 10 and Windows Server Systems. Manual installation is possible, but the August 2021 servicing stack update (KB5005112) must be installed first.<\/p>\n\n\n\n Need help patching quickly? Patch management-as-a-service<\/a> can boost the patching process. <\/strong><\/p>\n\n\n\n Type of vulnerability:<\/strong> ACE, arbitrary system file read, memory leak, security feature bypass.<\/p>\n\n\n\n The problem:<\/strong> Adobe issued<\/a> critical and important patches for five products: Animate<\/a>, Bridge<\/a>, ColdFusion<\/a>, Lightroom<\/a> for macOS, and PremierePro<\/a>. It also released important and moderate updates for Adobe Experience Manager<\/a>.<\/p>\n\n\n\n Adobe did not disclose any known exploits of these various vulnerabilities. However, their security incident response team recommends prioritizing the critical-level arbitrary system file read vulnerability patch for ColdFusion.<\/p>\n\n\n\n The fix:<\/strong> Update software using patches from the relevant download center, download page, or link in the instructions for each software.<\/p>\n\n\n\n Type of vulnerability:<\/strong> Four DoS, a feed injection, a privilege escalation, three protection bypass, and an unauthenticated REST API access vulnerability.<\/p>\n\n\n\n The problem:<\/strong> Cisco announced patches for 10 vulnerabilities<\/a> (one critical, four high, five medium) affecting its IOS XR Software, SD-WAN vMaange, and Secure Client products. The notable critical vulnerability, CVE-2023-20214<\/a>, allows an attacker to bypass authentication validation for the SD-WAN vManage REST API to gain read and limited write permissions to SD-WAN vManage.<\/p>\n\n\n\n The fix:<\/strong> None of the critical or high vulnerabilities and only two of the medium vulnerabilities have available workarounds. Cisco recommends updating to patched versions of the products.<\/p>\n\n\n\n Type of vulnerability:<\/strong> SQL injection (SQLi) and remote code execution (RCE).<\/p>\n\n\n\n The problem:<\/strong> A SQLi vulnerability in the FortiClient Enterprise Management Server\u2019s DB2 Administration Server potentially enables RCE with SYSTEM privileges through specially crafted packets. The vulnerability, CVE-2023-48788<\/a>, earns a critical CVSS score of 9.8 because low-complexity attacks will exploit unpatched servers without user interaction and allow the attacker to execute unauthorized code or commands.<\/p>\n\n\n\n The fix:<\/strong> Fortinet recommends an update of the FortiClientEMS and didn\u2019t publish any potential workarounds. Upgrade FortiClientEMS versions 7.0.1 through 7.0.10 to 7.0.11 or above and upgrade versions 7.2.0 through 7.2.2 to version 7.2.3.<\/p>\n\n\n\n Type of vulnerability:<\/strong> Command injection attack.<\/p>\n\n\n\n The problem:<\/strong> Timer Peled, an Akamai security researcher, uncovered a high-severity vulnerability<\/a>, CVE-2023-5528<\/a>, rated CVSS 7.2 which fails to sanitize input and permits an attacker to perform command injection attacks to apply malicious YAML files onto the cluster and execute code on cluster endpoints. This vulnerability affects default Kubernetes installations in on-prem Windows and Azure Kubernetes Service that use an in-tree storage plug-in.<\/p>\n\n\n\n The fix:<\/strong> Upgrade to Kubernetes versions 1.28.4 or later to fix the flaw. For those unable to patch quickly, Akamai\u2019s blog provides an OPA rule to add to detect and block potential attacks.<\/p>\n\n\n\n Type of vulnerability:<\/strong> Improper validation and authentication.<\/p>\n\n\n\n The problem:<\/strong> Salt Labs researchers<\/a> studying ChatGPT plug-in processes discovered three different flaws with significant validation and authentication issues. One flaw allowed a malicious attacker to intercept plug-in requests and replace valid plug-ins with malicious code.<\/p>\n\n\n\n A second vulnerability fails to perform proper user authentication and permits user impersonation that can lead to ChatGPT account takeover. The final flaw uses 0Auth redirection to steal user credentials by inserting a malicious URL between the user and ChatGPT.<\/p>\n\n\n\n The fix:<\/strong> The researchers publish workarounds, but ChatGPT also fixed the flaws, so users should update their applications to pick up the revised plug-in code.<\/p>\n\n\n\n Type of vulnerability:<\/strong> Privilege escalation.<\/p>\n\n\n\n The problem:<\/strong> Wordfence disclosed two vulnerabilities<\/a> discovered in their bug bounty program within discontinued WordPress plug-ins for the miniOrgange Malware Scanner and Web Application Firewall. The vulnerability enables unauthenticated attackers to update the user password to grant themselves admin privileges and the plug-ins show more than 10,000 active installations.<\/p>\n\n\n\n The fix:<\/strong> Upon disclosure, miniOrange simply closed the plug-ins permanently and no patch will be released. Delete these plug-ins from WordPress sites immediately.<\/p>\n\n\n\n Read more about how websites and application vulnerability scanners<\/a> can proactively help development teams catch issues.<\/strong><\/p>\n\n\n\n Type of vulnerability:<\/strong> Cache overflow, unsafe array handling, DoS.<\/p>\n\n\n\n The problem:<\/strong> The Kubernetes security specialist KTrust discovered a trio of vulnerabilities<\/a> in ArgoCD, a top GitOps continuous delivery tool for Kubernetes. The vulnerabilities allow for attackers to brute force cache overflows to bypass security measures, crash the application or cause in-memory data loss due to unsafe array handling, and cause DoS by exploiting unsafe array modification in multithreaded environments.<\/p>\n\n\n\n The fix:<\/strong> No workaround is available for these issues; however, Argo CD released patches so update quickly and keep in mind their Upgrade Overview<\/a> to avoid issues.<\/p>\n\n\n\n Read next:<\/strong><\/p>\n\n\n\nFrequent Ransomware Target QNAP Discloses 3 Vulnerabilities<\/h3>\n\n\n\n
March 11, 2024<\/h2>\n\n\n\n
Update Patched RegistrationMagic WordPress Plug-in Now<\/h3>\n\n\n\n
March 12, 2024<\/h2>\n\n\n\n
Microsoft Patch Tuesday Fixes 59 Vulnerabilities, Including 18 RCE<\/h3>\n\n\n\n
\n
Adobe Patches Animate, Bridge, ColdFusion, Experience Manager, Lightroom, & PremierPro<\/h3>\n\n\n\n
Cisco Fixes Vulnerabilities In IOS XR, Secure Client & SD-WAN vManage<\/h3>\n\n\n\n
March 13, 2024<\/h2>\n\n\n\n
Fortinet Patches FortiClient Enterprise Management Server RCE Bug<\/h3>\n\n\n\n
Windows Kubernetes Clusters Vulnerable to Command Injection <\/h3>\n\n\n\n
Vulnerable ChatGPT Plug-ins Open Account Takeover Opportunities<\/h3>\n\n\n\n
Discontinued WordPress Plug-ins Expose Over 10,000 Sites<\/h3>\n\n\n\n
March 18, 2024<\/h2>\n\n\n\n
Critical DDoS Vulnerability Exposed in Kubernetes Delivery Tool, Argo CD <\/h3>\n\n\n\n