The problem:<\/strong> Apache OfBiz, a Java-based framework for developing enterprise resource planning (ERP) apps, had a path traversal vulnerability in May of this year. The update released for the flaw, which affected OFBiz versions before 18.12.13, fixed the issue. Recently, researcher Johannes Ulrich has seen increased activity<\/a> against the vulnerability. In particular, the Mirai Botnet has been attacking it.<\/p>\n\n\n\n The flaw is tracked as CVE-2024-32113<\/a>. Ulrich explained the attacker\u2019s process when exploiting the vulnerability:<\/p>\n\n\n\n \u201cThe directory traversal is easily triggered by inserting a semicolon. All an attacker has to find is a URL they can access and append a semicolon followed by a restricted URL. The exploit URL we currently see is:<\/p>\n\n\n\n “forgotPassword” does not require any authentication and is public. “ProgramExport” is interesting because it allows arbitrary code execution.\u201d<\/p>\n\n\n\n The threat actor would have to use a POST request to exploit the flaw sufficiently, Ulrich said, but they don\u2019t automatically need a request body.<\/p>\n\n\n\n The fix:<\/strong> Upgrade your instance of Apache OfBiz to \u200b\u200bversion 18.12.13.<\/p>\n\n\n\n Type of vulnerability:<\/strong> Read permission given to malicious applications on Android devices.<\/p>\n\n\n\n The problem:<\/strong> Researchers at mobile security firm Zimperium discovered a malware campaign<\/a> against Android devices in 2022 and have continued to track the malware since then. The campaign is SMS stealing, targeted at one-time passwords sent through text, so threat actors can use them to access accounts that they aren\u2019t authorized to access.<\/p>\n\n\n\n The zLabs team has identified more than 107,000 malware samples throughout its research of over two years. They found that typically, a victim is fooled into sideloading an application onto the phone through a falsified app store or a similar tactic, and the application requests read permission for SMS messages on the device, which Android allows. Once the malware is on the Android device, it hides in wait and monitors SMS messages, looking for OTPs in particular.<\/p>\n\n\n\n The fix:<\/strong> There is currently no clear patch or redirect from the vendor. Zimperium mentions the importance of increasing enterprise mobile security measures. If you have an Android device, I recommend using an email address to receive one-time passwords instead of a phone number whenever possible.<\/p>\n\n\n\n Type of vulnerability:<\/strong> Access to sensitive information via voice prompts.<\/p>\n\n\n\n The problem:<\/strong> The mobile security issues continue, this time with Apple. The vendor recently patched vulnerabilities in Apple Watch, iPadOS, and iOS that could allow a threat actor to take sensitive data from a locked mobile device. Four of the vulnerabilities were related to Siri, Apple\u2019s voice assistant. Malwarebytes released a security notice<\/a> emphasizing the dangers of Siri\u2019s ability to respond to voice commands from a locked device screen.<\/p>\n\n\n\n \u201cApple has restricted these options to stop an attacker with physical access from being able to access contacts from the lock screen and access other sensitive user data,\u201d Malwarebytes said.<\/p>\n\n\n\n The fix:<\/strong> Update to iOS 17.6 or iPadOS 17.6 if you haven\u2019t already.<\/p>\n\n\n\n Type of vulnerability:<\/strong> Security bypass.<\/p>\n\n\n\n The problem:<\/strong> Security research firm Claroty found a vulnerability in Rockwell Automation ControlLogix 1756 devices that allowed an attacker to bypass Rockwell\u2019s trusted slot feature. This capability is designed to enforce security on the devices and block communications on the local chassis if they happen on untrusted paths.<\/p>\n\n\n\n Claroty wrote in its report<\/a>, \u201cThe vulnerability we found, before it was fixed, allowed an attacker to jump between local backplane slots within a 1756 chassis using CIP routing, traversing the security boundary meant to protect the CPU from untrusted cards.\u201d<\/p>\n\n\n\n The threat actor needs network access to exploit the vulnerability in the devices. If successfully exploited, the threat actor could bypass the controls and send commands to the PLC CPU, Claroty said. The vulnerability affects ControlLogix, GuardLogix, and 1756 ControlLogix I\/O modules.<\/p>\n\n\n\n Claroty disclosed the vulnerability to Rockwell, which then fixed the flaw.<\/p>\n\n\n\n The fix:<\/strong> Rockwell Automation provided the following table<\/a> with the fixed firmware versions for each affected product.<\/p>\n\n\n\n If your team needs more consistent vulnerability information in a faster timeframe, check out our picks for the best vulnerability scanners<\/a>, which can help you more quickly identify what to patch and protect.<\/strong><\/p>\n\n\n\n Type of vulnerability:<\/strong> Authentication bypass.<\/p>\n\n\n\n The problem:<\/strong> A vulnerability affecting VMware eSXI hypervisors was patched recently but has seen multiple ransomware exploits. If a threat actor has sufficient Active Directory permissions, they could get full access to the eSXI host if it had previously been configured to use Active Directory to manage users. According to NIST\u2019s National Vulnerability Database, the threat actor would recreate the eSXI Admin group on AD after it was deleted.<\/p>\n\n\n\n Microsoft researchers discovered the vulnerability and announced it in a research report<\/a> last week. They disclosed the vulnerability to VMware through a coordinated vulnerability disclosure<\/a> (CVD).\u00a0<\/p>\n\n\n\n eSXI hypervisors sometimes host virtual machines, which may support critical workloads and servers. Microsoft said, \u201cIn a ransomware attack, having full administrative permission on an ESXi hypervisor can mean that the threat actor can encrypt the file system, which may affect the ability of the hosted servers to run and function. It also allows the threat actor to access hosted VMs and possibly to exfiltrate data or move laterally within the network.\u201d<\/p>\n\n\n\n The vulnerability is tracked as CVE-2024-37085<\/a>. It has a CVSS score of 7.2 from NIST and a base score of 6.8 from VMware.<\/p>\n\n\n\n The fix:<\/strong> Make sure you\u2019ve patched any eSXI hypervisors, and also use two-factor authentication to make it harder for threat actors to gain unauthorized access.<\/p>\n\n\n\n Type of vulnerability:<\/strong> Security bypass.<\/p>\n\n\n\n The problem:<\/strong> Microsoft Windows\u2019 Smart Screen and Smart App Control features have a number of security issues, which Elastic Security Labs reported<\/a> earlier today. These flaws can lead to \u201cinitial access with no security warnings and minimal user interaction,\u201d according to the researchers. No security popups or warnings will alert users that the attacker has gotten access, either, making this challenging to detect.<\/p>\n\n\n\n Smart Screen examines web pages for potential security issues and sends a warning notice to users if it finds one. Smart App Control predicts whether an application is safe to run on the computer system where it\u2019s installed and blocks it if not.<\/p>\n\n\n\n The fix:<\/strong> Elastic Security Labs recommends that teams carefully study downloads happening on their computer system and avoid relying only on OS security features.<\/p>\n\n\n\n Read next:<\/strong><\/p>\n\n\n\n\/webtools\/control\/forgotPassword;\/ProgramExport<\/pre>\n\n\n\n
Android Weakness Exploited by Malware for Over Two Years<\/h3>\n\n\n\n
Apple Fixes Multiple Vulnerabilities in Siri<\/h3>\n\n\n\n
August 1, 2024<\/h2>\n\n\n\n
Rockwell Automation Flaw Has Been Fixed<\/h3>\n\n\n\n
![\"Table](\"https:\/\/assets.esecurityplanet.com\/uploads\/2024\/08\/esp_20240805-vulnerability-recap-august-05-2024-figure_a.jpg\")
<\/a><\/figure>\n\n\n\nVMware eSXI Vulnerability Still Being Exploited<\/h3>\n\n\n\n
August 5, 2024<\/h2>\n\n\n\n
Windows Security Features Have Multiple Flaws<\/h3>\n\n\n\n