It\u2019s been a startling week in vulnerability news, mainly due to a few older vulnerabilities coming to light. While it doesn\u2019t look like they\u2019ve been exploited yet, threat actors may make a move now that the flaws have been publicized.<\/p>\n\n\n\n
The other major news \u2014 which could affect both businesses and individuals \u2014 is a zero-day vulnerability found in most major web browsers on both Mac and Linux machines. You\u2019ll want to update your computer as soon as you learn about this \u2014 I certainly did. Look at our rundown, and make sure your security teams are apprised of any relevant vulnerabilities from this past week\u2019s news.<\/p>\n\n\n\n
Type of vulnerability:<\/strong> Remote code execution.<\/p>\n\n\n\n The problem:<\/strong> Last week<\/a>, I mentioned a path traversal vulnerability in the open-source framework Apache OfBiz that had been patched earlier in the year but was more recently being exploited. This new OfBiz flaw is a separate one. It\u2019s tracked as CVE-2024-38856<\/a> and allows a threat actor to use a specifically created request to execute code on endpoints without authorization.<\/p>\n\n\n\n The vulnerability has a CVSS severity rating of 9.8 and affects all versions of Apache OfBiz up to 18.12.14.<\/p>\n\n\n\n The fix:<\/strong> Upgrade to version 18.12.15.<\/p>\n\n\n\n Type of vulnerability:<\/strong> Zero-day code execution.<\/p>\n\n\n\n The problem:<\/strong> Researchers from application security vendor Oligo recently discovered a web browser vulnerability 18 years in the making. The flaw allows threat actors to fingerprint and identify browser users and to use an IP address of 0.0.0.0 to execute unauthorized code. The vulnerability applies to all major browsers running on macOS and Linux systems but not on Windows.<\/p>\n\n\n\n \u201cPublic websites (like domains ending in .com) are able to communicate with services running on the local network (localhost) and potentially execute arbitrary code on the visitor\u2019s host by using the address 0.0.0.0 instead of localhost\/127.0.0.1,\u201d Oligo researcher Avi Lumelsky said<\/a>.<\/p>\n\n\n\n According to Oligo, the initial vulnerability, designed to identify browser users for legitimacy, also allows threat actors to fingerprint users by port-scanning them. By the time this was recognized as a major threat, it already existed in most browsers and would be quite challenging to solve, Lumelsky explained. <\/p>\n\n\n\n The fix:<\/strong> If you use Google Chrome, click the three vertical dots at the top of the right corner of the browser window. Select \u201cHelp\u201d and then \u201cAbout Google Chrome.\u201d From there, select the option to upgrade to a new browser. If you see \u201cRelaunch,\u201d click that, or Chrome may relaunch the browser automatically after closing the windows.<\/p>\n\n\n\n If you use Safari, click the Apple icon to open the menu and choose \u201cSystem Settings.\u201d Select \u201cGeneral\u201d and then \u201cSoftware Update.\u201d Select \u201cUpdate Now\u201d if there\u2019s a new update available, and follow any further instructions.<\/p>\n\n\n\n Microsoft Edge users should open the browser and select the three dots in the upper right-hand corner. Then, choose \u201cHelp and feedback\u201d and select \u201cAbout Microsoft Edge.\u201d If there are updates available, Edge should automatically perform them. Then, you\u2019ll need to restart Edge as prompted to apply those software updates.<\/p>\n\n\n\n If you use Mozilla Firefox, open Firefox and select the three horizontal lines at the top right of the browser. Click \u201cHelp\u201d and then \u201cAbout Firefox,\u201d where Firefox will execute any available updates automatically. After the update process, select \u201cRestart to Update Firefox.\u201d<\/p>\n\n\n\n For further details on updating your browsers, Fox News provides instructions here<\/a>.<\/p>\n\n\n\n If your security team has started to feel overwhelmed by tracking down vulnerability news, consider a scanning product that helps automate vulnerability tracking procedures. We\u2019ve selected the best vulnerability scanners for businesses<\/a> so you can pick a good option for your team.<\/strong><\/p>\n\n\n\n Type of vulnerability:<\/strong> Improper validation and potentially arbitrary code execution.<\/p>\n\n\n\n The problem:<\/strong> This week, we have not one but two 18-year-old vulnerabilities: researchers at IOActive discovered a flaw<\/a> in AMD central processing units that has existed in processors made as early as 2006. It\u2019s only just now been discovered and is known as Sinkclose. If exploited, the vulnerability would allow a threat actor to execute their own code within the processor\u2019s firmware using System Management Mode (SMM). This can happen even when SMM is locked.<\/p>\n\n\n\n To successfully complete the attack, the malicious program would need to have access to\u00a0 ring0, which is the layer of the firmware with the highest privileges and with access to the system kernel. The threat actor must get there first before they can exploit this flaw; this could be part of the reason it hasn\u2019t been heavily exploited. The vulnerability is tracked as CVE-2023-31315<\/a> and has a CVSS score of 7.5.<\/p>\n\n\n\n The fix:<\/strong> AMD will patch some of its processors but not all; check out AMD\u2019s security bulletin<\/a> for a list of hardware that will receive a patch.<\/p>\n\n\n\n Type of attack:<\/strong> OS version rollback.<\/p>\n\n\n\n The problem:<\/strong> A recently discovered flaw in Windows systems allows threat actors to roll operating systems back to older versions that have vulnerabilities in them. The researcher who discovered the flaw six months ago, Alon Leviev, presented his findings<\/a> at the Black Hat conference last week. He was able to use the Windows Updates function to create OS downgrading updates and bypass the verification steps typically required for a system update.<\/p>\n\n\n\n \u201cArmed with these capabilities, we managed to downgrade critical OS components, including DLLs, drivers, and even the NT kernel,\u201d Leviev said. \u201cAfterwards, the OS reported it’s fully updated, unable to install future updates, with recovery and scanning tools unable to detect issues.\u201d<\/p>\n\n\n\n The vulnerability also applied to Microsoft Hyper-V, the vendor\u2019s hypervisor for supporting virtual environments. Leviev was able to downgrade Hyper-V, as well as the Isolated User Mode process within Windows Credential Guard.<\/p>\n\n\n\n In this scenario, a computer that appears to be fully patched could actually be running an older operating system with multiple open vulnerabilities.<\/p>\n\n\n\n Microsoft hasn\u2019t officially spoken on the vulnerability, but it published advisories for CVE-2024-38202<\/a> and CVE-2024-21302<\/a> around the same time that Leviev presented at Black Hat.<\/p>\n\n\n\n The fix:<\/strong> The vendor currently offers no solution. If your business uses Windows, restrict administrative privileges as much as you can and require password resets as soon as possible.<\/p>\n\n\n\n Type of vulnerability:<\/strong> <\/p>\n\n\n\n The problem:<\/strong> SafeBreach researchers discovered 10 different vulnerabilities<\/a> in Google Quick Share, a wireless data transfer utility. When put together, some of them could lead to remote code execution attacks against Quick Share on Windows machines. This potential attack chain is now known as QuickShell.<\/p>\n\n\n\n The vulnerabilities included remote unauthorized file writes, remote forced Wi-Fi connection, and remote denial-of-service. According to SafeBreach, Google has fixed all the vulnerabilities and issued two CVEs: CVE-2024-38271<\/a> and CVE-2024-38272<\/a>.<\/p>\n\n\n\n According to the researchers, a significant portion of the application code resides in an open-source repository, which could make it a valuable target for threat actors.<\/p>\n\n\n\n The fix:<\/strong> Google has fixed the flaws, so update your Android, Windows, and Chrome systems to the most recent versions.<\/p>\n\n\n\n Type of vulnerability:<\/strong> Remote code execution.<\/p>\n\n\n\n The problem:<\/strong> OpenSSH, a network utilities suite based on the Secure Shell protocol, has a signal safety flaw, according to researchers at FreeBSD. FreeBSD, an open-source operating system project, released a security bulletin about the vulnerability, which occurs in a signal handler in sshd(8). According to the researchers, the logging function that the handler calls isn\u2019t automatically async-signal-safe.<\/p>\n\n\n\n \u201cThe signal handler is invoked when a client does not authenticate within the LoginGraceTime seconds (120 by default),\u201d FreeBSD said in its notice. \u201cThis signal handler executes in the context of the sshd(8)’s privileged code, which is not sandboxed and runs with full root privileges.\u201d<\/p>\n\n\n\n If exploited, the vulnerability allows a threat actor to execute remote code as root in OpenSSH. This affects the safety of OpenSSH\u2019s encryption and transport security features.<\/p>\n\n\n\n The vulnerability is tracked as CVE-2024-7589<\/a> and has a CVSS score of 7.4.<\/p>\n\n\n\n The fix:<\/strong> FreeBSD instructs users to upgrade their system to a supported FreeBSD stable or release \/ security branch (releng) from after the date the flaw was fixed. After you\u2019ve upgraded, restart sshd. FreeBSD provides more specific upgrade details<\/a> as well.<\/p>\n\n\n\n Read next:<\/strong><\/p>\n\n\n\nAugust 7, 2024<\/h2>\n\n\n\n
18-Year-Old Browser Flaw Requires Immediate Updates<\/h3>\n\n\n\n
Sinkclose Vulnerability Affects 18 Years of Processors<\/h3>\n\n\n\n
Windows Downgrade Attack Puts Operating System in Danger<\/h3>\n\n\n\n
August 10, 2024<\/h2>\n\n\n\n
Google Quick Share Has 10 Flaws on Windows<\/h3>\n\n\n\n
August 12, 2024<\/h2>\n\n\n\n
OpenSSH Flaw Opens the Door for RCE<\/h3>\n\n\n\n