The problem:<\/strong> A vulnerability within Splunk’s Enterprise application allows an attacker to perform a path traversal on the \/modules\/messaging\/ endpoint in Windows installments of Splunk Enterprise. The vulnerability affects app versions below 9.2.2, 9.1.5, and 9.0.10. Splunk released the notice for the vulnerability<\/a> at the beginning of July, but it’s now getting more attention.<\/p>\n\n\n\n According to the security notice, “The vulnerability exists because the Python os.path.join function removes the drive letter from path tokens if the drive in the token matches the drive in the built path.” <\/p>\n\n\n\n The vulnerability should not affect Splunk Enterprise on non-Windows operating systems, like Linux. A proof of concept is available<\/a> on GitHub.<\/p>\n\n\n\n The fix:<\/strong> Splunk provides the following chart for fixed versions. Any version higher than 9.2.2, 9.1.5, and 9.0.10 also works.<\/p>\n\n\n\n Type of vulnerability:<\/strong> Remote code execution.<\/p>\n\n\n\n The problem:<\/strong> GeoServer, an open-source server for sharing and processing geospatial data, has a critical vulnerability in its GeoTools library API. When exploited, the flaw allows unauthenticated users to execute code remotely. According to the vulnerability notice<\/a>:<\/p>\n\n\n\n “The GeoTools library API that GeoServer calls evaluates property\/attribute names for feature types in a way that unsafely passes them to the commons-jxpath library, which can execute arbitrary code when evaluating XPath expressions. This XPath evaluation is intended to be used only by complex feature types\u2026 but is incorrectly being applied to simple feature types as well, which makes this vulnerability apply to ALL GeoServer instances.”<\/p>\n\n\n\n The Cybersecurity and Infrastructure Security Agency (CISA) has warned users of this vulnerability and now requires federal agencies to apply patches by August 5. It’s currently tracked as CVE-2024-36401<\/a>.<\/p>\n\n\n\n The fix:<\/strong> Update your GeoServer instance with version 2.23.6, 2.24.4, or 2.25.2, which contain a patch for the issue.<\/p>\n\n\n\n If your business needs dedicated and consistent vulnerability scanning, read our guide to the best scanners<\/a> next.<\/strong><\/p>\n\n\n\n Type of vulnerability:<\/strong> SQL injection.<\/p>\n\n\n\n The problem:<\/strong> Ivanti recently released a security advisory<\/a> for an SQL injection vulnerability within Ivanti Endpoint Manager 2024 flat. If exploited, the vulnerability allows a threat actor on the same network as Endpoint Manager to execute code arbitrarily without being properly authenticated. <\/p>\n\n\n\n The vulnerability is tracked as CVE-2024-37381 and has a severity rating of 8.4. <\/p>\n\n\n\n The fix:<\/strong> Ivanti provides instructions for downloading a hot patch for EPM 2024 flat within the security advisory<\/a>: <\/p>\n\n\n\n Type of vulnerability:<\/strong> Form of authentication bypass. <\/p>\n\n\n\n The problem:<\/strong> Cisco Smart Software Manager On-Prem (SSM On-Prem) has a critical vulnerability in its authentication mechanism. It’s a result of a faulty password change implementation procedure. If a device is affected by the vulnerability, an attacker can send specifically designed HTTP requests to that device.<\/p>\n\n\n\n When exploited successfully, the vulnerability allows the attacker to use compromised privileges to access the target user interface or API. They can then change other users’ passwords, including potential administrative credentials. Experts aren’t sure what could happen within the Cisco network once an attacker manages this, and Cisco hasn’t yet clarified this in a security bulletin.<\/p>\n\n\n\n The vulnerability is tracked as CVE-2024-20419<\/a> and has a CVSS score of 10, the highest a vulnerability can receive.<\/p>\n\n\n\n The fix:<\/strong> This vulnerability affects Cisco SSM versions 8-202206 and earlier. The first fixed release of the software is 8-202212; upgrade to this version of Cisco SSM as soon as possible. Cisco’s ongoing fixed releases within the security bulletin<\/a> for this vulnerability.<\/p>\n\n\n\n Type of vulnerability:<\/strong> Multiple, including remote code execution. <\/p>\n\n\n\n The problem:<\/strong> SolarWinds has addressed 13 vulnerabilities<\/a> within its Access Rights Manager software, a user provisioning and access management tool for Active Directory and Azure AD. These include remote command injection, remote code execution, and traversal and information disclosure vulnerabilities. Of the 13, eight are critical and have a CVSS score of 9.6. Each has its own advisory notice from SolarWinds.\u00a0<\/p>\n\n\n\n Combined, the vulnerabilities allow attackers to use SYSTEM privileges, leak data, and read and delete files arbitrarily without authentication.<\/p>\n\n\n\n Trend Micro’s Zero Day Initiative partners with SolarWinds and helped it identify the vulnerabilities.<\/p>\n\n\n\n The fix:<\/strong> Download the fixed version of the software, Access Rights Manager 2024.3, to prevent exploitation.<\/p>\n\n\n\n Type of vulnerability:<\/strong> Arbitrary code execution using AI training models. <\/p>\n\n\n\n The problem:<\/strong> A report by security vendor Wiz<\/a> discusses isolation issues within AI platforms, particularly SAP AI Core. AI Core facilitates integrations with other cloud services like HANA to access customer data using cloud access keys, according to Wiz. The researchers’ work revealed that they could move laterally and access private customer files and cloud account credentials using SAP’s legitimate AI training procedures.<\/p>\n\n\n\n The researchers were also able to successfully use cluster administrator privileges on the SAP AI Core Kubernetes cluster.<\/p>\n\n\n\n The fix:<\/strong> Wiz reported the vulnerabilities to SAP, which fixed them. Wiz also states that no customer data was compromised. Because training AI models naturally involves running arbitrary code, vulnerabilities are often baked into the AI training process. A long-term fix would mean setting more careful guardrails on this process and doing better sandboxing and isolation, according to Wiz.<\/p>\n\n\n\n Type of vulnerability:<\/strong> General possibility of exploit when Windows systems are down.<\/p>\n\n\n\n The problem:<\/strong> While this isn’t a specific type of vulnerability or software issue, the update failure of CrowdStrike’s Falcon Sensor last Friday did create the possibility for Windows systems to be attacked while weak. The attempted update to Falcon Sensor created an endless update cycle and the “blue screen of death,” which caused Windows systems globally to crash.<\/p>\n\n\n\n CrowdStrike stated that the issue was not a cyberattack. Its CEO, George Kurtz, initially posted on LinkedIn about the nature of the event \u2014 saying that it wasn’t a security incident \u2014 and received significant pushback for this statement. While the issue was a software error rather than an attack, it did create a security incident that could lower defenses on Windows systems.<\/p>\n\n\n\n The fix:<\/strong> CrowdStrike isolated the incident and has worked to fix it. It published a video<\/a> for remote users to self-remediate their Windows laptop if the device is still having issues with the blue screen of death. <\/p>\n\n\n\n Type of vulnerability:<\/strong> Malware payloads. <\/p>\n\n\n\n The problem:<\/strong> Managed security provider Huntress recently published a report<\/a> on SocGholish malware behavior. SocGholish is now delivering AsyncRAT and Berkeley Open Infrastructure Network Computing Client (BOINC) payloads to victims.<\/p>\n\n\n\n BOINC is an open-source platform for volunteer computing. “The intention is to use ‘donated’ computer resources to contribute to the work of various legitimate science projects,” the Huntress researchers said. Malicious installations of BOINC look like they might route to a legitimate BOINC server that’s actually a different address. Huntress reports that it hasn’t yet noticed the infected hosts executing malicious activity.<\/p>\n\n\n\n This vulnerability does not reside within BOINC; rather, it’s a type of malware that installs malicious versions of BOINC. It is less a standard software vulnerability than a method by which threat actors deliver malicious payloads using open-source software.<\/p>\n\n\n\n The fix:<\/strong> Huntress provides the following indicators of compromise and file indicators:<\/p>\n\n\n\n![\"Chart](\"https:\/\/assets.esecurityplanet.com\/uploads\/2024\/07\/esp_20240722-vulnerability-recap-july-22-2024-figure_a.jpg\")
<\/a><\/figure>\n\n\n\nJuly 15, 2024<\/h2>\n\n\n\n
CISA Requires Patches for GeoServer RCE Vulnerability<\/h3>\n\n\n\n
July 16, 2024<\/h2>\n\n\n\n
Ivanti Fixes Another EPM Issue<\/h3>\n\n\n\n
\n
July 17, 2024<\/h2>\n\n\n\n
Full Effect of Critical Cisco Vulnerability Unknown<\/h3>\n\n\n\n
SolarWinds Fixes 13 Issues in Access Rights Manager<\/h3>\n\n\n\n
Wiz Report Reveals Weaknesses in SAP AI Core<\/h3>\n\n\n\n
July 19, 2024<\/h2>\n\n\n\n
Failed CrowdStrike Update Creates Opportunity for Hackers<\/h3>\n\n\n\n
July 22, 2024<\/h2>\n\n\n\n
Open-Source Platform BOINC Spoofed by Threat Actors<\/h3>\n\n\n\n
![\"Chart](\"https:\/\/assets.esecurityplanet.com\/uploads\/2024\/07\/esp_20240722-vulnerability-recap-july-22-2024-figure_b.jpg\")
<\/a><\/figure>\n\n\n\n
![\"Chart](\"https:\/\/assets.esecurityplanet.com\/uploads\/2024\/07\/esp_20240722-vulnerability-recap-july-22-2024-figure_c.jpg\")
<\/a><\/figure>\n\n\n\n